IP Source Guard config - FLG

wave

Hi everyone,

I've been reading about IP Source Guard configuration in the SWITH FLG (p.370 - 371). I fired up a 3550, then a 3560, looking for the command #ip verify source vlan dhcp-snooping and all that seems to be supported is #ip verify source port-security. So I did some research and it appears that the "vlan dhcp-snooping" command set is only available on the 6500. Why on earth has this been included in the FLG is beyond me.

I'm assuming if I learn the commands that are available e.g. #ip verify source port-security I should be safe right?

#switchport port-security limit rate isn't available either.

Here is some great documentation on these topics:

IPSG on 6500: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ipsrcgrd.pdf
IPSG + DHCP Snooping on 2960: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_52_se/configuration/guide/swdhcp82.pdf

dead_p00l

Is it possibly the IOS version you're running. I'm running dhcp snooping on 3750's and 3560's but the command structure is slightly different that what you have.

wave

What command structure do you see? After some further digging it looks like I have the two options for IPSG, either:

Enable IP source guard with source IP address filtering. #ip verify source
Enable IP source guard with source IP and MAC address filtering. #ip verify source port-security

The 6500 seems to use this:

Router(config-if)# ip verify source vlan dhcp-snooping [port-security]

Enables IP Source Guard, source IP address filtering on
the port. The following are the command parameters:

• vlan applies the feature to only specific VLANs on
the interface. The dhcp-snooping option applies the
feature to all VLANs on the interface that have
DHCP snooping enabled.

• port-security enables MAC address filtering. This
feature is currently not supported.

georgemc

Try something like this instead:

Cat3550(config)# ip dhcp snooping vlan 1,100,200-210

if you want to enable dhcp snooping on a 3550, and then set up your trusted ports.

What level/version of IOS are you using?

wave

georgemc wrote: »

Try something like this instead:

Cat3550(config)# ip dhcp snooping vlan 1,100,200-210

if you want to enable dhcp snooping on a 3550, and then set up your trusted ports.

What level/version of IOS are you using?

That command is available to me, just not #ip verify source vlan dhcp-snooping or #switchport port-security limit rate as used in the authors' config example. They obviously had the luxury of having a 6500 laying around :P

Using:
c3750-ipservicesk9-mz.122-55.SE5.bin
c3550-ipservicesk9-mz.122-44.SE6.bin

Can't tell you the 3560 IOS version because it's from an online lab and my session just ended.

I think I'm good now, thanks guys!