jbrenesj Thu, 08/13/2009 - 08:54

IP Source Guard needs the DHCP snooping database, which is built upon receiving DHCP discoveries from the host. Since the host won't ask for an IP, there is not going to be an entry in the snooping database, so all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. Again, no DHCP process is initiated by the host, so all non-DHCP traffic will be blocked.

Switch(config)# ip dhcp snooping
Switch(config)# interface fa6/1
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping

You can also enable ARP inspection (but it is only possible on the whole VLAN) to prevent this host from sending ARP replies, so no one will be able to communicate with it.
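A fuller configuration following the approach in this reply, added here as an illustration rather than the poster's own config. It assumes the access port fa6/1 sits in VLAN 10, that gi1/1 is the uplink toward the DHCP server, and uses a constructed MAC and IP for a host that must keep a static address; it also shows the `ip dhcp snooping vlan` line that the snippet above omits, without which snooping (and therefore IP Source Guard) is not active on any VLAN.

```ios
! Global: turn on DHCP snooping and enable it for the access VLAN (assumed VLAN 10)
ip dhcp snooping
ip dhcp snooping vlan 10
! Dynamic ARP Inspection is per VLAN, as noted above; it validates ARP against the same binding table
ip arp inspection vlan 10
!
! Uplink toward the DHCP server (assumed gi1/1): trusted for DHCP offers and ARP
interface GigabitEthernet1/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host-facing port: untrusted, IP Source Guard enforces the snooping binding table
interface FastEthernet6/1
 description Host port in VLAN 10
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip verify source vlan dhcp-snooping
!
! For a host that legitimately keeps a static address (constructed values):
! install a manual binding so its traffic is permitted without a DHCP lease
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet6/1
!
! Verification: a host that skips DHCP and has no static binding shows no entry here,
! and its IP traffic on fa6/1 is dropped by the installed PVACL
! show ip dhcp snooping binding
! show ip source binding
! show ip verify source
```

Without a static binding, the only way a statically addressed host gets through is to obtain a DHCP lease, so any such host on an IP Source Guard port is expected to appear in `show ip verify source` as denied until a binding exists.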
