Running IP Source Guard without DHCP Snooping

Apr 28th, 2008

I'm trying to determine the behavior of IP Source Guard in an IOS 6500 when DHCP snooping is not enabled.

In the documentation for Cat 6500 12.2SXH "Configuring IP Source Guard", the example for a port in a VLAN not configured for DHCP snooping appears to indicate no filtering is performed. Packets are permitted to pass.

Am I interpreting the output correctly?

Does the behavior change if I have static bindings defined (using the IP SOURCE BINDING command)?

Istvan_Rabai Mon, 04/28/2008 - 12:40

Hi John,

Yes, the behavior changes.

IP source guard uses the DHCP snooping database or static bindings to perform filtering.

Usually, you can configure a static binding with the "ip source binding" command if you have a host on a port that uses a static IP address (a server for example), so no DHCP snooping data is available.

IP source guard will then automatically create a per-port VLAN ACL for filtering traffic accordingly.

Cheers:

Istvan

jkaras Mon, 04/28/2008 - 13:05

Thank you, Istvan, for the prompt response. So if I have a port enabled with source guard but the port does not have a valid static binding (either missing or not matching), the port is filtered - even if DHCP snooping is not enabled.

Am I interpreting that correctly?

Istvan_Rabai Mon, 04/28/2008 - 13:18

Yes, correct.

Enabling DHCP snooping is needed if you want to make use of the DHCP snooping database.

If you configure only static bindings it should filter traffic as well.

If you enable ip source guard on a port with no static bindings configured, then by default it will deny all traffic (as ACLs do normally).

Cheers:

Istvan

Correct Answer
Istvan_Rabai Mon, 04/28/2008 - 20:36

Hi John,

Sorry, I have to correct myself:

DHCP snooping must be enabled for the VLAN where the port is located when you use the ip source guard feature.

Besides this, the ip source guard will work as I described earlier.

Thank you:

Istvan
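The setup the thread converges on, written out as an added example configuration (not posted by anyone in the thread): DHCP snooping enabled on the port's VLAN, a static binding for a host with a fixed address, and IP Source Guard turned on for the port using the Catalyst 6500 syntax. VLAN 10, GigabitEthernet1/1, the MAC address and 192.0.2.10 are placeholder values.

```cisco
! Added example, not from the original thread; VLAN, interface, MAC and IP are placeholders.
!
! IP Source Guard only filters as expected when DHCP snooping is enabled
! globally and on the VLAN the port belongs to.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Static binding for a host that does not use DHCP (e.g. a server with a fixed
! address), so the snooping database never learns it. Without this binding the
! port would deny all traffic once IP Source Guard is enabled.
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet1/1
!
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
 ! Enable IP Source Guard on the port; the switch builds a per-port VLAN ACL
 ! from the DHCP snooping database plus the static bindings.
 ip verify source vlan dhcp-snooping
!
! Checks: confirm the binding is present and that the port shows an active filter.
show ip source binding
show ip verify source
```

If `show ip verify source` lists the port with no permitted address, the binding's VLAN, interface or MAC does not match what was configured and the port is dropping traffic, which is the failure mode the thread describes.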
