Cisco Support Community

New Member

DHCP Snooping and IP Source Guard

Can these two Cisco switch security features effectively prevent a host with a statically assigned IP address from accessing the network?

Thanks

  • LAN Switching and Routing
2 REPLIES
Silver

Re: DHCP Snooping and IP Source Guard

IP Source Guard needs the DHCP snooping database which is built upon receiving DHCP discoveries from the host. Since the host won't ask for an IP, there is not going to be an entry in the snooping database, so all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. Again, no DHCP process is initiated by the host, so all non-DHCP traffic will be blocked.

Switch(config)# ip dhcp snooping
Switch(config)# interface fa6/1
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping

You can also enable ARP inspection (but it is only possible on the whole VLAN) to prevent this host from sending ARP replies, so no one will be able to communicate with it.
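The reply above describes why a statically addressed host on an untrusted port is dropped and how a static binding restores it; what follows is an added Python model of that filter decision, not Cisco code or anything posted in this thread. Port names, MAC addresses and IP addresses are constructed; the model checks source IP only (the behaviour of `ip verify source` without the port-security option) and assumes the snooping process populates the binding table when it sees the server's DHCP ACK.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one row of the DHCP snooping binding table
    mac: str
    ip: str
    vlan: int
    port: str
    source: str         # "dhcp-snooping" (learned) or "static" (configured)

@dataclass(frozen=True)
class Packet:           # only the fields the filter looks at
    port: str
    vlan: int
    src_ip: str
    proto: str          # "udp", "tcp", "icmp", ...
    udp_dport: int = 0

class IpSourceGuard:
    def __init__(self, untrusted_ports):
        self.untrusted = set(untrusted_ports)
        self.bindings = set()

    def learn_from_dhcp_ack(self, mac, ip, vlan, port):
        # Snooping adds a binding when the server's ACK is seen (simplified model)
        self.bindings.add(Binding(mac, ip, vlan, port, "dhcp-snooping"))

    def add_static_binding(self, mac, ip, vlan, port):
        # Operator-configured entry for a host that never uses DHCP
        self.bindings.add(Binding(mac, ip, vlan, port, "static"))

    def permit(self, pkt):
        if pkt.port not in self.untrusted:      # trusted ports are not filtered
            return True
        if pkt.proto == "udp" and pkt.udp_dport == 67:
            return True                         # DHCP client traffic is always let through
        # Source-IP check only, as 'ip verify source' without port-security does
        return any(b.port == pkt.port and b.vlan == pkt.vlan and b.ip == pkt.src_ip
                   for b in self.bindings)

def demo():
    """Constructed scenario: a DHCP host, a static host, then the static host bound."""
    isg = IpSourceGuard(untrusted_ports={"Fa6/1", "Fa6/2"})
    isg.learn_from_dhcp_ack("00aa.bb00.0001", "10.0.0.11", 10, "Fa6/1")
    dhcp_host = Packet("Fa6/1", 10, "10.0.0.11", "tcp")
    static_host = Packet("Fa6/2", 10, "10.0.0.50", "tcp")
    static_dhcp = Packet("Fa6/2", 10, "0.0.0.0", "udp", udp_dport=67)
    before = (isg.permit(dhcp_host), isg.permit(static_host), isg.permit(static_dhcp))
    isg.add_static_binding("00aa.bb00.0050", "10.0.0.50", 10, "Fa6/2")
    return before, isg.permit(static_host)   # ((True, False, True), True)
```

Before the static binding exists, the static host's TCP traffic is dropped while its DHCP requests would still pass; after `add_static_binding` (the model's stand-in for `ip source binding`) the same traffic is permitted.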

New Member

Re: DHCP Snooping and IP Source Guard

Thanks
