Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2167
Views
0
Helpful
1
Replies

IP to MAC address binding in 3560G Switch

junshah22
Level 1
Level 1

‎05-12-2009 08:50 PM - edited ‎03-06-2019 05:41 AM

Dear All,

I have a core switch Cisco 3560G and configured vlans on it 2-11..

Linksys switches are connected with Vlans and users are connected via linksys switches,

I applied an ACL in the Router to give Internet access to only selected users,

other users are getting IPs dynamically via DHCP configured on the switch..

Users having Internet Access are configured with Static IPs..

Some users are trying to enter the permitted IP address and using Internet,

I want to bind permitted IP with the MAC address of User PC on the core switch..

to do so,,i found a configuration on cisco website but,, its not working,

Switch# configure terminal

Switch(config)# interface gigabitethernet0/23

Switch(config-if)# ip verify source port-security

Switch(config-if)# exit

Switch(config)# ip source binding 0013.2074.144c vlan 10 192.168.10.5 interface

gigabitethernet0/23

The author also wrote:

When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.

when I enable port security using

(config-if)# switchport port-security

it disables the interface,, when i shut the interface and no shut the interface,, it starts in amber then off...

seconly,

DHCP snooping option is not available in vlan 10 interface

(config)#int vlan 10

(config-if)# ?????? dhcp snooping is not available.....

Please Advise

Regards,

Junaid

Labels:
0 Helpful
1 Reply 1

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-12-2009 10:54 PM

Hello Junaid,

see

When you enable both IP Source Guard and Port Security by using the ip verify source port-security interface configuration command, there are two caveats:

•The DHCP server must support option 82, or the client is not assigned an IP address.

•The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1180910

and:

When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses the option-82 data to identify the host port.

About enabling ip dhcp snooping on a vlan basis the commands are given in global config mode see the following example from the same doc:

Switch(config)# ip dhcp snooping

>>>Switch(config)# ip dhcp snooping vlan 10

Switch(config)# ip dhcp snooping information option

you need to trust the port where the server is connected and to enable option 82 globally with the command above.

Hope to help

Giuseppe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card