04-28-2008 12:22 PM - edited 03-05-2019 10:39 PM
I'm trying to determine the behavior of IP Source Guard in an IOS 6500 when DHCP snooping is not enabled.
In the documentation for Cat 6500 12.2SXH "Configuring IP Source Guard", the example for a port in a VLAN not configured for DHCP snooping appears to indicate no filtering is performed. Packets are permitted to pass.
Am I interpreting the output correctly?
Does the behavior change if I have static bindings defined (using the IP SOURCE BINDING command)?
04-28-2008 08:36 PM
Hi John,
Sorry, I have to correct myself:
DHCP snooping must be enabled for the VLAN where the port is located when you use the IP source guard feature.
Besides this, the IP source guard will work as I described earlier.
Thank you:
Istvan
04-28-2008 12:40 PM
Hi John,
Yes, the behavior changes.
IP source guard uses the DHCP snooping database or static bindings to perform filtering.
Usually, you can configure a static binding with the "ip source binding" command if you have a host on a port that uses a static IP address (a server for example), so no DHCP snooping data is available.
IP source guard will then automatically create a per-port VLAN ACL for filtering traffic accordingly.
Cheers:
Istvan
04-28-2008 01:05 PM
Thank you, Istvan, for the prompt response. So if I have a port enabled with source guard but the port does not have a valid static binding (either missing or not matching), the port is filtered, even if DHCP snooping is not enabled.
Am I interpreting that correctly?
04-28-2008 01:18 PM
Yes, correct.
Enabling DHCP snooping is needed if you want to make use of the DHCP snooping database.
If you configure only static bindings it should filter traffic as well.
If you enable IP source guard on a port with no static bindings configured, then by default it will deny all traffic (as ACLs do normally).
Cheers:
Istvan
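A minimal configuration that puts the answers above together, added here as an illustration and not taken from any post in the thread: DHCP snooping enabled for the VLAN (required even for a host with a fixed address, per Istvan's correction), a static binding for that host, and IP Source Guard on its access port. VLAN 10, GigabitEthernet1/1, the MAC address and the IP address are constructed placeholders; the command syntax follows the Catalyst 6500 12.2SX IP Source Guard documentation the question refers to.

```cisco
! Added example, not from the thread. VLAN, interface, MAC and IP are placeholders.
!
! 1. DHCP snooping must be enabled globally and for the VLAN the port belongs to,
!    even when the attached host never uses DHCP.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Static binding for a server with a fixed address. This entry stands in for
!    the DHCP snooping binding that the server would otherwise never create.
!    Syntax: ip source binding <mac> vlan <vlan-id> <ip> interface <interface>
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet1/1
!
! 3. Enable IP Source Guard on the access port. Traffic whose source IP/MAC does
!    not match a binding (snooped or static) for this port and VLAN is dropped;
!    a port with no binding at all drops all IP traffic.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
 ip verify source vlan dhcp-snooping
!
! Verification commands (exec mode):
!   show ip source binding      - lists snooped and static bindings
!   show ip verify source       - shows the filter state and active binding per port
```

Because a source-guard port with no usable binding denies all IP traffic, check `show ip source binding` for the expected entry before applying `ip verify source` to a port that carries a statically addressed server, and confirm with `show ip verify source` afterwards that the port reports the intended IP and MAC rather than a deny-all state.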