IP to MAC address binding in 3560G Switch

May 12th, 2009

Dear All,

I have a Cisco 3560G core switch and configured VLANs 2-11 on it.

Linksys switches are connected with VLANs and users are connected via the Linksys switches.

I applied an ACL in the router to give Internet access to only selected users.

Other users are getting IPs dynamically via DHCP configured on the switch.

Users having Internet access are configured with static IPs.

Some users are trying to enter the permitted IP address and use the Internet.

I want to bind the permitted IP with the MAC address of the user PC on the core switch.

To do so, I found a configuration on the Cisco website, but it's not working:

Switch# configure terminal

Switch(config)# interface gigabitethernet0/23

Switch(config-if)# ip verify source port-security

Switch(config-if)# exit

Switch(config)# ip source binding 0013.2074.144c vlan 10 interface


The author also wrote:

When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.

When I enable port security using

(config-if)# switchport port-security

it disables the interface. When I shut the interface and no shut the interface, it starts in amber, then off.


The DHCP snooping option is not available in the VLAN 10 interface:

(config)#int vlan 10

(config-if)# ?????? dhcp snooping is not available.....

Please advise.



Giuseppe Larosa Tue, 05/12/2009 - 22:54

Hello Junaid,


When you enable both IP Source Guard and Port Security by using the ip verify source port-security interface configuration command, there are two caveats:

• The DHCP server must support option 82, or the client is not assigned an IP address.

• The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.



When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses the option-82 data to identify the host port.

About enabling ip dhcp snooping on a VLAN basis: the commands are given in global config mode. See the following example from the same doc:

Switch(config)# ip dhcp snooping

>>>Switch(config)# ip dhcp snooping vlan 10

Switch(config)# ip dhcp snooping information option

You need to trust the port where the server is connected and to enable option 82 globally with the command above.

Hope to help
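
The steps from the question and the reply, put in order as one configuration. This is an added example, not part of either post and not taken from the Cisco document they quote. VLAN 10, GigabitEthernet0/23 and the MAC address are the thread's values; GigabitEthernet0/1 as the DHCP server port and 192.0.2.10 as the permitted static IP are constructed placeholders, and a single host on the user port is assumed.

```cisco
! Added example. Constructed placeholders (not from the thread):
!   GigabitEthernet0/1 = port where the DHCP server is connected (assumed)
!   192.0.2.10         = permitted static IP (the thread does not give one)
!
! 1. DHCP snooping is enabled in global configuration mode, per VLAN,
!    not under "interface vlan 10". Option 82 insertion is also global.
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
!
! 2. Trust only the port where the DHCP server is connected.
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! 3. User port: port security needs a static access (or trunk) port.
!    Enable it before IP source guard with IP + MAC filtering.
interface GigabitEthernet0/23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! 4. A host with a fixed address never gets a DHCP lease, so snooping has
!    no entry for it. Add the binding by hand: MAC, VLAN, IP, interface.
ip source binding 0013.2074.144c vlan 10 192.0.2.10 interface GigabitEthernet0/23
!
! 5. Verify from privileged EXEC:
!   show ip dhcp snooping
!   show ip source binding
!   show ip verify source interface GigabitEthernet0/23
!   show port-security interface GigabitEthernet0/23
```

`show ip verify source` should list the port with an ip-mac filter type and the bound address, and `show port-security interface` shows whether the port has been put into a violation state.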


