IP to MAC address binding in 3560G Switch

Unanswered Question
May 12th, 2009

Dear All,

I have a core switch Cisco 3560G and configured vlans on it 2-11..

Linksys switches are connected with Vlans and users are connected via linksys switches,

I applied an ACL in the Router to give Internet access to only selected users,

other users are getting IPs dynamically via DHCP configured on the switch..

Users having Internet Access are configured with Static IPs..

Some users are trying to enter the permitted IP address and using Internet,

I want to bind permitted IP with the MAC address of User PC on the core switch..

to do so,,i found a configuration on cisco website but,, its not working,

Switch# configure terminal

Switch(config)# interface gigabitethernet0/23

Switch(config-if)# ip verify source port-security

Switch(config-if)# exit

Switch(config)# ip source binding 0013.2074.144c vlan 10 interface


The author also wrote:

When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.

when I enable port security using

(config-if)# switchport port-security

it disables the interface,, when i shut the interface and no shut the interface,, it starts in amber then off...


DHCP snooping option is not available in vlan 10 interface

(config)#int vlan 10

(config-if)# ?????? dhcp snooping is not available.....

Please Advise



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Tue, 05/12/2009 - 22:54

Hello Junaid,


When you enable both IP Source Guard and Port Security by using the ip verify source port-security interface configuration command, there are two caveats:

•The DHCP server must support option 82, or the client is not assigned an IP address.

•The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.



When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses the option-82 data to identify the host port.

About enabling ip dhcp snooping on a vlan basis the commands are given in global config mode see the following example from the same doc:

Switch(config)# ip dhcp snooping

>>>Switch(config)# ip dhcp snooping vlan 10

Switch(config)# ip dhcp snooping information option

you need to trust the port where the server is connected and to enable option 82 globally with the command above.

Hope to help



This Discussion