IP Source Guard on Trunk Port

Unanswered Question
Dec 3rd, 2008
User Badges:

Hello to all,

I've a strange behaviour with IP SG on 802.1Q trunk ports and I would like to know if this is normal or not since on CCO I'vent found an answer and how to solve it leaving the feature active.

On the distribution L3 switches I've configured Port-security, DHCP Snooping, IP SourceGuard and DynARP Inspection on the L2 ports which are setup as Access Ports and all is working fine.

Now I've to configure on these L2 ports a new VLAN so as first step I've configured 802.1Q and then added the VLANs. The problem is that on this VLAN I don't have to implement security feature and moreover this has deiveces only with IP static Addresses…after spending some time I find out that the problem was the IP SG configured on the port since DHCP Snooping, DynARP Inspection is not configured on the switch but the IP SG is active on the port…are there any chance to deactiveted IP SG only for this VLAN???

Thx a lot the precious helps



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
John Blakley Wed, 12/03/2008 - 06:46
User Badges:
  • Purple, 4500 points or more

I don't think you can do it per vlan (although others may know of other ways). You may be able to do it by ports that are attached to the vlan though. I've never tried it, but you could try:

int range g1/1 - g1/5

no ip verify source

The g1/1 - g1/5 are the ports that are appropriate for the vlan that you're wanting to disable. The only problem that I see with this is that it will disable these ports for any other vlan that they may be a member of. If they're only access ports, then it should work.




This Discussion