IP Source Guard config - FLG
Hi everyone,
I've been reading about IP Source Guard configuration in the SWITCH FLG (p.370 - 371). I fired up a 3550, then a 3560, looking for the command #ip verify source vlan dhcp-snooping and all that seems to be supported is #ip verify source port-security. So I did some research and it appears that the "vlan dhcp-snooping" command set is only available on the 6500. Why on earth this has been included in the FLG is beyond me.
I'm assuming if I learn the commands that are available e.g. #ip verify source port-security I should be safe right?
#switchport port-security limit rate isn't available either.
Here is some great documentation on these topics:
IPSG on 6500: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ipsrcgrd.pdf
IPSG + DHCP Snooping on 2960: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_52_se/configuration/guide/swdhcp82.pdf
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP
Comments
dead_p00l Member Posts: 136
Is it possibly the IOS version you're running? I'm running dhcp snooping on 3750's and 3560's but the command structure is slightly different than what you have.
This is our world now... the world of the electron and the switch, the beauty of the baud.
wave Member Posts: 342
What command structure do you see? After some further digging it looks like I have the two options for IPSG, either:
Enable IP source guard with source IP address filtering. #ip verify source
Enable IP source guard with source IP and MAC address filtering. #ip verify source port-security
The 6500 seems to use this:
Router(config-if)# ip verify source vlan dhcp-snooping [port-security]
Enables IP Source Guard, source IP address filtering on the port. The following are the command parameters:
• vlan applies the feature to only specific VLANs on the interface. The dhcp-snooping option applies the feature to all VLANs on the interface that have DHCP snooping enabled.
• port-security enables MAC address filtering. This feature is currently not supported.
georgemc Member Posts: 429
Try something like this instead:
Cat3550(config)# ip dhcp snooping vlan 1,100,200-210
if you want to enable dhcp snooping on a 3550, and then set up your trusted ports.
What level/version of IOS are you using?
WGU BS: Business - Information Technology Management
Start Date: 01 October 2012
QFT1,PFIT in progress.
TRANSFERRED/COMPLETED: AGC1,BBC1,LAE1,QBT1,LUT1,QLC1,QMC1,QLT1,IWC1,INC1,INT1,BVC1,CLC1,MGC1,CWV1,BNC1,LIT1,LWC1,QAT1,WFV1,EST1,EGC1,EGT1,IWT1,MKC1,MKT1,RWT1,FNT1,FNC1,BDC1,TPV1 REQUIRED:
wave Member Posts: 342
georgemc wrote:
Try something like this instead:
Cat3550(config)# ip dhcp snooping vlan 1,100,200-210
if you want to enable dhcp snooping on a 3550, and then set up your trusted ports.
What level/version of IOS are you using?
That command is available to me, just not #ip verify source vlan dhcp-snooping or #switchport port-security limit rate as used in the authors' config example. They obviously had the luxury of having a 6500 laying around :P
Using:
c3750-ipservicesk9-mz.122-55.SE5.bin
c3550-ipservicesk9-mz.122-44.SE6.bin
Can't tell you the 3560 IOS version because it's from an online lab and my session just ended.
I think I'm good now, thanks guys!
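As a worked example added here (it is not from the FLG or from any of the posters), a DHCP snooping plus IP Source Guard configuration that uses only the 2960/3560-class commands the thread found available, rather than the 6500 "vlan dhcp-snooping" form. The VLAN number, interface names, MAC address and IP address are assumed.

```cisco
! Assumed topology (example only): VLAN 100 is the user VLAN, Gi0/1 is the
! uplink toward the DHCP server, Fa0/2 and Fa0/3 are host access ports.
!
! 1. DHCP snooping builds the binding table that IPSG filters against.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! 2. Only the uplink may carry DHCP server replies; every other port stays
!    untrusted, so OFFER/ACK from a rogue server on an access port is dropped.
interface GigabitEthernet0/1
 description uplink to DHCP server
 ip dhcp snooping trust
!
! 3. Access port with source IP filtering only. All IP traffic is dropped
!    until the host's lease shows up in the snooping binding table.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
 ip verify source
!
! 4. Access port with source IP + MAC filtering. Port security must be enabled
!    on the port for the MAC check; the 2960 guide linked in the first post
!    lists the remaining prerequisites for this mode.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ip verify source port-security
!
! 5. A statically addressed host never gets a snooping entry, so give it a
!    manual binding (MAC, VLAN and IP below are placeholders).
ip source binding 0000.1111.2222 vlan 100 192.168.100.50 interface FastEthernet0/3
!
! 6. Verification from exec mode:
!    show ip dhcp snooping          - global/VLAN state and trusted ports
!    show ip dhcp snooping binding  - bindings learned from DHCP
!    show ip verify source          - per-port filter type and active bindings
```

If "show ip verify source" shows a port as active with no binding, the host has not completed DHCP (or needs a static binding) and its traffic is being dropped by design.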