

ip source guard and no dhcp binding

Hi everybody.

IP Source Guard uses the DHCP binding table or static bindings to dynamically create an ACL.

h1-------f1/1sw-------dhcp server

sw is configured with IP Source Guard on its port f1/1.

h1 just powers up and needs an IP address, so it sends a broadcast looking for a DHCP server. The switch receives the broadcast frame from h1. How will the switch react? (Keep in mind there is no DHCP binding, as it is the very first frame from h1. Also, the src IP in the frame received from h1 is blank, i.e. 0.0.0.0.)

thanks and have a great weekend.

1 ACCEPTED SOLUTION


ip source guard and no dhcp binding

Hi Sarah,

From the config guide:

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

IP Source Guard is a port-based feature that automatically creates an implicit port access control list

Here is the link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ipsrcgrd.pdf

HTH

Have a nice weekend
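The behaviour quoted above, replayed as a small simulation. This is an added example, not code from the thread or from Cisco: one port object models IP-only `ip verify source` with a binding table, the DHCP exception is modelled as UDP to port 67/68, and the MAC and IP addresses are constructed for the walk-through.

```python
from dataclasses import dataclass, field

DHCP_SERVER_PORT = 67  # BOOTP/DHCP server UDP port
DHCP_CLIENT_PORT = 68  # BOOTP/DHCP client UDP port


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    proto: str = "udp"  # "udp", "tcp", "icmp", ...
    udp_dst: int = 0    # UDP destination port when proto == "udp"


@dataclass
class SourceGuardPort:
    """Port with IP Source Guard enabled; bindings drive the implicit PACL."""
    name: str
    bindings: set = field(default_factory=set)  # permitted source IPs

    def snoop_dhcp_ack(self, client_ip: str) -> None:
        """DHCP snooping saw the server's ACK: record the leased IP as a binding."""
        self.bindings.add(client_ip)

    def permits(self, f: Frame) -> tuple:
        """Return (allowed, reason) for an inbound frame on this port."""
        # Only DHCP is allowed before a binding exists, so the 0.0.0.0 DISCOVER passes.
        if f.proto == "udp" and f.udp_dst in (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
            return True, "dhcp-exception"
        if f.src_ip in self.bindings:
            return True, "binding-match"
        return False, "no-binding"  # implicit deny: no matching binding


def walk_through() -> list:
    """Replay the question: boot, pre-lease traffic, lease, normal traffic, spoof."""
    port = SourceGuardPort("f1/1")
    h1 = "0011.2233.4455"  # constructed MAC for h1
    log = []
    log.append(("dhcp-discover", *port.permits(Frame(h1, "0.0.0.0", "udp", DHCP_SERVER_PORT))))
    # Before the lease, ordinary traffic from h1 is dropped even with a plausible IP.
    log.append(("pre-lease-tcp", *port.permits(Frame(h1, "10.0.0.5", "tcp"))))
    port.snoop_dhcp_ack("10.0.0.5")  # the DHCP server leases 10.0.0.5 to h1
    log.append(("post-lease-tcp", *port.permits(Frame(h1, "10.0.0.5", "tcp"))))
    # Claiming a neighbour's address does not match the binding and is denied.
    log.append(("spoofed-neighbour", *port.permits(Frame(h1, "10.0.0.9", "icmp"))))
    return log
```

The first entry of `walk_through()` is the answer to the question: the DISCOVER with source 0.0.0.0 is forwarded by the DHCP exception, not by any binding.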

