IP Source Guard needs the DHCP snooping database, which is built upon receiving DHCP discoveries from the host. Since the host won't ask for an IP, there is not going to be an entry in the snooping database, so all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. Again, no DHCP process is initiated by the host, so all non-DHCP traffic will be blocked.
Switch(config)# ip dhcp snooping
Switch(config)# interface fa6/1
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
You can also enable ARP inspection (but it is only possible on the whole VLAN) to prevent this host from sending ARP replies, so no one will be able to communicate with it.
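As an added example (not from the original post), here is the complete configuration the answer describes: DHCP snooping with a trusted uplink, IP Source Guard on the access port, the static IP source binding that allows a deliberately static-addressed host instead of silently dropping it, and Dynamic ARP Inspection on the whole VLAN. VLAN 10, uplink GigabitEthernet1/1, the host MAC 0000.1111.2222 and address 192.0.2.50 are assumed, constructed values.

```cisco
! --- DHCP snooping: build the binding database that IP Source Guard relies on
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Uplink toward the DHCP server must be trusted, otherwise server OFFER/ACK
! packets arriving on an untrusted port are dropped and no binding is ever built
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

! --- Access port: untrusted, IP Source Guard filters on the snooping bindings
Switch(config)# interface FastEthernet6/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
Switch(config-if)# exit

! --- A host that never sends DHCP gets no binding and is blocked (the case in
! the post). If that host is legitimately static, add the binding manually so
! the PVACL permits exactly this MAC/IP pair on this port and nothing else.
! (constructed MAC and IP; replace with the real host values)
Switch(config)# ip source binding 0000.1111.2222 vlan 10 192.0.2.50 interface FastEthernet6/1

! --- Dynamic ARP Inspection: VLAN-wide, validated against the same binding
! table (DHCP-learned and static entries), so a host with no binding cannot
! get its ARP replies onto the wire either.
Switch(config)# ip arp inspection vlan 10
Switch(config)# end

! --- Verification
Switch# show ip dhcp snooping binding
Switch# show ip source binding
Switch# show ip verify source interface FastEthernet6/1
Switch# show ip arp inspection vlan 10
```

`show ip verify source` lists the filter mode per port and the permitted IP/MAC pair; a port in "active" mode with no permitted address is the situation described in the post, where only DHCP is allowed through.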