05-12-2009 08:50 PM - edited 03-06-2019 05:41 AM
Dear All,
I have a core switch, a Cisco 3560G, and configured VLANs 2-11 on it.
Linksys switches are connected with VLANs and users are connected via the Linksys switches.
I applied an ACL in the router to give Internet access to only selected users;
other users are getting IPs dynamically via DHCP configured on the switch.
Users having Internet access are configured with static IPs.
Some users are trying to enter the permitted IP address and using the Internet.
I want to bind the permitted IP with the MAC address of the user PC on the core switch.
To do so, I found a configuration on the Cisco website, but it's not working:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/23
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0013.2074.144c vlan 10 192.168.10.5 interface gigabitethernet0/23
The author also wrote:
When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.
When I enable port security using
(config-if)# switchport port-security
it disables the interface. When I shut the interface and no shut the interface, it starts in amber, then off.
Secondly,
the DHCP snooping option is not available in the VLAN 10 interface:
(config)#int vlan 10
(config-if)# ?????? dhcp snooping is not available.....
Please Advise
Regards,
Junaid
05-12-2009 10:54 PM
Hello Junaid,
see
When you enable both IP Source Guard and Port Security by using the ip verify source port-security interface configuration command, there are two caveats:
• The DHCP server must support option 82, or the client is not assigned an IP address.
• The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.
and:
When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses the option-82 data to identify the host port.
About enabling ip dhcp snooping on a VLAN basis: the commands are given in global config mode. See the following example from the same doc:
Switch(config)# ip dhcp snooping
>>>Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
You need to trust the port where the server is connected and to enable option 82 globally with the command above.
Hope to help
Giuseppe
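The steps from the reply above, put together in order with the checks that confirm each one took effect. This is an added example, not part of either post or of the Cisco document they quote; the interface gigabitethernet0/1 as the DHCP-server-facing port and the access-mode settings on gigabitethernet0/23 are assumptions, while the binding values are the ones from the question.

```cisco
! Added example. Gi0/1 (server-facing port) is an assumption;
! the MAC/VLAN/IP binding is taken from the question above.
configure terminal
 ! DHCP snooping is enabled globally and per VLAN, never under "interface vlan"
 ip dhcp snooping
 ip dhcp snooping vlan 10
 ip dhcp snooping information option
 !
 ! Assumed port where the DHCP server is reachable: trust it so
 ! server replies are not dropped by snooping
 interface gigabitethernet0/1
  ip dhcp snooping trust
  exit
 !
 ! User-facing port: port security needs a static (non-dynamic) port mode
 interface gigabitethernet0/23
  switchport mode access
  switchport access vlan 10
  switchport port-security
  ! Filter on source IP and source MAC
  ip verify source port-security
  exit
 !
 ! Static IP-to-MAC binding for a host that does not use DHCP
 ip source binding 0013.2074.144c vlan 10 192.168.10.5 interface gigabitethernet0/23
 end
!
! Verification
show ip dhcp snooping
show ip source binding
show ip verify source interface gigabitethernet0/23
show port-security interface gigabitethernet0/23
show interfaces status err-disabled
```

`show ip verify source` should list the port with filter type ip-mac and the bound address, and `show interfaces status err-disabled` shows whether a port-security violation has shut the port down.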