Source guard without DHCP Snooping

snarayanaraju
Level 4

Hi Experts,

I am practising SOURCE GUARD using the command "ip verify source".

I am aware that "source guard" feature will be used with DHCP snooping to verify IP Address. Also, "ip verify source port-security" can be enabled to verify the MAC Address.

If I do not have a DHCP scenario and I want to enable source guard, how do I do it? Where do I have to configure the static IP address mapping?

Can anyone help me?

sairam

Accepted Solutions

Peter Paluch
Cisco Employee

Hello Sairam,

It is possible to run IP Source Guard without DHCP; however, setting up the mappings between the MACs and IPs can be tedious.

Check this document:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swdhcp82.html

Specifically, you are looking for the command "ip source binding". It is described in the above document - check it up.

Best regards,

Peter

kerstin-534
Level 1

Hi Sairam

If you do not have a DHCP scenario, you also have to activate DHCP snooping for IP Source Guard to work. You also have to configure the port for "ip dhcp snooping untrusted".

If you use IP Source Guard with L2 address verification, you have to use DHCP snooping with option 82.

(The last one I have never seen working :-)

Regards, Herbert

kerstin-534
Level 1

The static mappings are configured like this:

ip source binding 0014.3813.E877 vlan 1 10.1.20.200 interface Fa0/7
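
Because typing these bindings by hand is the tedious part mentioned in the accepted answer, the following added example (not part of any post in this thread) generates "ip source binding" lines in the syntax shown above from a host inventory and rejects malformed or conflicting rows. The CSV layout, the function names and every sample row except the first are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed inventory: MAC,VLAN,IP,switch port. Only the first row reuses
# the values from the post above; the other rows are made up for the example.
SAMPLE_INVENTORY = """\
00:14:38:13:E8:77,1,10.1.20.200,Fa0/7
00-14-38-13-e8-78,1,10.1.20.201,Fa0/8
0014.3813.e879,20,10.1.30.5,Fa0/9
"""

def cisco_mac(mac: str) -> str:
    """Normalize colon, dash or dot MAC notation to Cisco XXXX.XXXX.XXXX form."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_bindings(inventory: str) -> list[str]:
    """Return one 'ip source binding' line per row; raise ValueError on bad input."""
    ip_owner = {}   # (vlan, ip) -> MAC already bound to that address
    lines = []
    for n, row in enumerate(inventory.strip().splitlines(), 1):
        fields = [f.strip() for f in row.split(",")]
        if len(fields) != 4:
            raise ValueError(f"row {n}: expected MAC,VLAN,IP,interface")
        mac, vlan, ip, port = cisco_mac(fields[0]), int(fields[1]), fields[2], fields[3]
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        if not 1 <= vlan <= 4094:
            raise ValueError(f"row {n}: VLAN {vlan} out of range")
        # Accept only a plain interface name so a stray field cannot add commands
        if not re.fullmatch(r"[A-Za-z\-]+\d+(/\d+)*", port):
            raise ValueError(f"row {n}: bad interface name {port!r}")
        # One IP mapped to two MACs in a VLAN means the inventory is wrong
        if ip_owner.setdefault((vlan, ip), mac) != mac:
            raise ValueError(f"row {n}: {ip} already bound to another MAC in VLAN {vlan}")
        lines.append(f"ip source binding {mac} vlan {vlan} {ip} interface {port}")
    return lines

if __name__ == "__main__":
    print("\n".join(build_bindings(SAMPLE_INVENTORY)))
```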
