Friday 19 May 2017

IP Source Guard

With IP Source Guard enabled on a protected port, only DHCP traffic is allowed initially and all other traffic is blocked. Whenever the switch receives a packet on that port, it forwards the packet only if its source IP address is present in the DHCP snooping binding table or in a static binding.

IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
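To make the forwarding decision concrete, the following is an added Python model of how the implicit PACL behaves; it is illustrative code written for this page, not Cisco's implementation. It assumes a binding table populated from DHCP snooping and static entries keyed by port, VLAN and source IP, and that DHCP client traffic (UDP to port 67) is always permitted on a protected port so that a host can still obtain a lease. In line with the note below that MAC filtering is not supported, only the source IP is checked; the sample bindings and packets are constructed.

```python
"""Toy model of the IP Source Guard forwarding decision (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DHCP_SERVER_PORT = 67  # DHCP client requests are sent to UDP destination port 67


@dataclass(frozen=True)
class Binding:
    """One entry of the binding table (DHCP snooping learned, or static)."""
    mac: str
    vlan: int
    ip: str
    interface: str
    source: str  # "dhcp-snooping" or "static"


@dataclass(frozen=True)
class Packet:
    """The fields of an ingress frame the filter needs (constructed sample data)."""
    interface: str   # ingress port
    vlan: int
    src_mac: str
    src_ip: str
    proto: str       # "udp", "tcp", "icmp"
    dst_port: int = 0


class SourceGuard:
    def __init__(self) -> None:
        # Lookup key mirrors what the implicit PACL checks: port, VLAN, source IP.
        self.bindings: Dict[Tuple[str, int, str], Binding] = {}
        self.protected: Set[str] = set()   # ports where IP Source Guard is enabled

    def enable(self, interface: str) -> None:
        """Model of 'ip verify source' applied to a port."""
        self.protected.add(interface)

    def learn(self, b: Binding) -> None:
        """Add a binding learned by DHCP snooping or configured statically."""
        self.bindings[(b.interface, b.vlan, b.ip)] = b

    @staticmethod
    def is_dhcp_client_traffic(p: Packet) -> bool:
        return p.proto == "udp" and p.dst_port == DHCP_SERVER_PORT

    def decide(self, p: Packet) -> str:
        """Return 'permit' or 'deny' for a packet arriving on p.interface."""
        if p.interface not in self.protected:
            return "permit"           # feature not enabled on this port
        if self.is_dhcp_client_traffic(p):
            return "permit"           # host must be able to request a lease
        if (p.interface, p.vlan, p.src_ip) in self.bindings:
            return "permit"           # source matches a binding for this port/VLAN
        return "deny"                 # unknown or mismatched source address

    def show(self, interface: str) -> List[Binding]:
        """Rough equivalent of 'show ip verify source interface X'."""
        return [b for b in self.bindings.values() if b.interface == interface]


def build_demo() -> SourceGuard:
    """Switch with one snooping-learned binding and one static binding (constructed)."""
    sg = SourceGuard()
    sg.enable("Fa0/1")
    sg.enable("Fa0/3")
    sg.learn(Binding("0011.2233.4455", 10, "192.0.2.10", "Fa0/1", "dhcp-snooping"))
    sg.learn(Binding("0066.7788.99aa", 10, "192.0.2.50", "Fa0/3", "static"))
    return sg


if __name__ == "__main__":
    sg = build_demo()
    samples = [
        Packet("Fa0/1", 10, "0011.2233.4455", "192.0.2.10", "tcp", 443),   # matches binding
        Packet("Fa0/1", 10, "0011.2233.4455", "192.0.2.99", "tcp", 443),   # wrong source IP
        Packet("Fa0/1", 10, "aabb.ccdd.eeff", "0.0.0.0", "udp", 67),       # DHCP discover
        Packet("Fa0/2", 10, "aabb.ccdd.eeff", "192.0.2.99", "icmp"),       # unprotected port
        Packet("Fa0/3", 10, "0066.7788.99aa", "192.0.2.50", "tcp", 22),    # static binding
    ]
    for pkt in samples:
        print(f"{pkt.interface} {pkt.src_ip:<12} -> {sg.decide(pkt)}")
```

The first and last packets are permitted because a binding exists for that port, VLAN and IP; the second is dropped because the address does not match the binding on Fa0/1, which is exactly the spoofed-source case the feature is meant to stop; the DHCP request is let through regardless; and Fa0/2 forwards everything because the feature is not enabled there.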

Important points:-

1. In the case of a port-channel, IP Source Guard must be enabled on the port-channel rather than on the member interfaces.
2. IP Source Guard is not supported on trunk ports.
3. It is supported only on Layer 2 ports.
4. MAC filtering is not supported.
5. PVLAN is not supported.
6. It is applied only in hardware and cannot verify packets processed in software.

Configuration:-

Router(config-if)# ip verify source vlan dhcp-snooping

Static binding:-

Router(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-name

Verification:-
show ip verify source interface fa0/1
