10-14-2010 07:47 AM - edited 03-04-2019 10:07 AM
Hi All,
We want to use ip source binding on a Cisco WS-C3750-48P 12.2(53)SE2 C3750-IPSERVICESK9-M.
Now I have found a problem with 2 x IP addresses on the same interface + VLAN:
SW#config t
SW(config)#ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.88 interface Fa2/0/17
SW(config)#ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
SW(config)#ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17
SW(config)#do sh run | inc Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17
But adding a different VLAN on the same interface is OK!!
I have tried many, many times. Why can't I add a different IP address in the SAME VLAN on the same interface? Is it a bug?
We need to use DAI (ip arp inspection) protection in our network.
Now 1 x PC with 1 x IP works fine, but 1 x PC with 2 x IPs does not work. We want to LOCK the source MAC / IP address.
Thanks for your help ^^
PatrickPo
10-14-2010 12:44 PM
Hello Patrick,
You are configuring a static mapping for IP Source Guard (IPSG) instead of a static Dynamic ARP Inspection entry. The DAI entries are statically configured as follows:
arp access-list static-hosts
permit ip host 88.88.88.88 mac host 6CF0.4948.48F9
permit ip host 88.88.88.89 mac host 6CF0.4948.48F9
ip arp inspection filter static-hosts vlan 19
ip arp inspection filter static-hosts vlan 20
Please note that once you decide to perform the DAI, you will have to run the DHCP and DHCP Snooping to let the DAI verify the non-static entries against the DHCP Snooping database, or to explicitly declare all possible mappings in this ACL. All ARP that are not explicitly matched in the ARP access-list will be verified against the DHCP Snooping database, and if they are not found there, they will be dropped.
For your information, the IPSG static entries you were trying to configure originally do not allow mapping several IPs on the same MAC address. The Command Reference for 3750 Catalyst switches puts it down explicitly:
If you modify an entry by changing only the IP address, the switch updates the entry instead of creating a new one.
See the following link for more information.
Best regards,
Peter
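
The following is an added example, not code from either poster or from Cisco: it models the overwrite behaviour seen in the question to flag bindings that would be silently replaced, and emits the ARP ACL form from the answer for every IP/MAC pair. The function names and the table key (MAC, VLAN, interface), which is inferred from the output shown in the thread, are assumptions.

```python
import re

# Constructed input: the three commands typed in the question above.
INTENDED = """\
ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.88 interface Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17
"""

BINDING_RE = re.compile(
    r"^ip source binding (?P<mac>[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}) "
    r"vlan (?P<vlan>\d+) (?P<ip>\d+(?:\.\d+){3}) interface (?P<intf>\S+)$"
)

def parse_bindings(text):
    """Return (mac, vlan, ip, interface) tuples, one per binding command."""
    out = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            out.append((m["mac"].upper(), int(m["vlan"]), m["ip"], m["intf"]))
    return out

def effective_table(bindings):
    """Model the switch: a later command with the same key replaces the IP.
    Assumption: the key is (MAC, VLAN, interface), inferred from the thread."""
    table = {}
    for mac, vlan, ip, intf in bindings:
        table[(mac, vlan, intf)] = ip
    return table

def lost_bindings(bindings):
    """Bindings that were typed but would not survive in the running config."""
    table = effective_table(bindings)
    return [b for b in bindings if table[(b[0], b[1], b[3])] != b[2]]

def arp_acl(bindings, name="static-hosts"):
    """Emit the ARP ACL form from the answer, one permit per IP/MAC pair."""
    lines = [f"arp access-list {name}"]
    pairs = dict.fromkeys((ip, mac) for mac, _, ip, _ in bindings)
    lines += [f" permit ip host {ip} mac host {mac}" for ip, mac in pairs]
    for vlan in sorted({b[1] for b in bindings}):
        lines.append(f"ip arp inspection filter {name} vlan {vlan}")
    return lines

if __name__ == "__main__":
    print("overwritten:", lost_bindings(parse_bindings(INTENDED)))
    print("\n".join(arp_acl(parse_bindings(INTENDED))))
```
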