Cisco Support Community
Running IP Source Guard without DHCP Snooping

I'm trying to determine the behavior of IP Source Guard in an IOS 6500 when DHCP snooping is not enabled.

In the documentation for Cat 6500 12.2SXH "Configuring IP Source Guard", the example for a port in a VLAN not configured for DHCP snooping appears to indicate no filtering is performed. Packets are permitted to pass.

Am I interpreting the output correctly?

Does the behavior change if I have static bindings defined (using the IP SOURCE BINDING command)?

1 ACCEPTED SOLUTION

Re: Running IP Source Guard without DHCP Snooping

Hi John,

Sorry, I have to correct myself:

DHCP snooping must be enabled for the vlan where the port is located when you use the ip source guard feature.

Besides this, the ip source guard will work as I described earlier.

Thank you:

Istvan
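The configuration the thread converges on, as an added illustration that is not part of the original posts: DHCP snooping enabled on the VLAN (required for IP Source Guard), a static binding for a statically addressed server, and IP Source Guard on the access port. VLAN 10, the interface names, and the MAC/IP values are constructed for the example; the `ip verify source vlan dhcp-snooping` form is the Catalyst 6500 syntax.

```cisco
! Enable DHCP snooping globally and on the access VLAN. Without the
! VLAN entry, IP Source Guard has no binding table to filter against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Uplink toward the real DHCP server is trusted so offers are not dropped.
interface GigabitEthernet1/1
 description Uplink to distribution
 switchport
 switchport mode trunk
 ip dhcp snooping trust
!
! Static binding for a server with a fixed address (constructed values).
! This populates the binding table that IPSG reads, since the server
! never sends a DHCP request and no snooping entry would exist for it.
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet2/1
!
! Access port for the server: IPSG permits only traffic matching the
! binding above. A port with IPSG and no matching binding drops all IP
! traffic (other than DHCP), which is the symptom described in the thread.
interface GigabitEthernet2/1
 description Static-IP server
 switchport
 switchport mode access
 switchport access vlan 10
 ip verify source vlan dhcp-snooping
!
! Verification: confirm the binding exists and the port shows it as active.
! show ip source binding
! show ip verify source interface GigabitEthernet2/1
```

If `show ip verify source` lists the port with a deny-all entry and no address, the binding is missing or does not match the port/VLAN, which is exactly the case where all host traffic is filtered.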

4 REPLIES

Re: Running IP Source Guard without DHCP Snooping

Hi John,

Yes, the behavior changes.

IP source guard uses the DHCP snooping database or static bindings to perform filtering.

Usually, you can configure a static binding with the "ip source binding" command if you have a host on a port that uses a static IP address (a server for example), so no DHCP snooping data is available.

IP source guard will then automatically create a per-port VLAN acl for filtering traffic accordingly.

Cheers:

Istvan

Re: Running IP Source Guard without DHCP Snooping

Thank you Istvan for the prompt response. So if I have a port enabled with source guard but the port does not have a valid static binding (either missing or not matching), the port is filtered - even if dhcp snooping is not enabled.

Am I interpreting that correctly?

Re: Running IP Source Guard without DHCP Snooping

Yes, correct.

Enabling DHCP snooping is needed if you want to make use of the DHCP snooping database.

If you configure only static bindings it should filter traffic as well.

If you enable ip source guard on a port with no static bindings configured, then by default it will deny all traffic (as ACLs normally do).

Cheers:

Istvan