Configure Port IP Source Guard Function Based on Static Entries
Network Requirements
- PC1 and PC2 are connected to IP Network via Device.
- Configure the port IP Source Guard function based on static entries so that PC1 can access IP Network normally and PC2 cannot access IP Network.
Network Topology
Figure 4–2 Networking of configuring effective port IP Source Guard function based on static entries
Configuration Steps
Step 1: On Device, configure VLAN and port link type.
# Create VLAN2.
Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit
#Configure the link type of port gigabitethernet0/1 as Access, permitting the services of VLAN2 to pass.
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#switchport mode access
Device(config-if-gigabitethernet0/1)#switchport access vlan 2
Device(config-if-gigabitethernet0/1)#exit
Step 2: On Device, configure the IP Source Guard function of the port.
#On port gigabitethernet0/1, enable the IP Source Guard function based on MAC+VLAN filtering mode, and configure a port IP Source Guard binding entry with IP address 1.0.0.1 and VLAN2.
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#ip verify source
Device(config-if-gigabitethernet0/1)#ip source binding ip-address 1.0.0.1 vlan 2
Device(config-if-gigabitethernet0/1)#exit
Step 3: Check the result.
#View the configuration information of IP Source Guard.
Device#show ip source guard
---------------------------------------------------------
IP source guard interfaces on slot 0 :
Total number of enabled interfaces : 1
--------------------------------------------------------------
Interface Name    Status      Verify Type    L2 Status
--------------------------------------------------------------
gi0/1             Enabled     IP             Disabled
gi0/2             Disabled    IP             Disabled
gi0/3             Disabled    IP             Disabled
gi0/4             Disabled    IP             Disabled
……
You can see that the IP Source Guard function is enabled on port gigabitethernet0/1. Static IP Source Guard entries take effect according to the configured IP+VLAN entries, regardless of the Verify Type value. Therefore, in the above example, the dynamic entries take effect based on ip+vlan.
#View the IP Source Guard bound entries of the port.
Device#show ip binding table
-------------------------------
IP Source Guard binding table on slot 0
Total binding entries : 1
Static binding entries : 1
Dynamic binding entries : 0
Dynamic not write entries : 0
PCE writing entries : 1
---------------------------------------------------------
Interface-Name  MAC-Address  IP-Address  VLAN-ID  Type-Flag  Writing-Flag  L2-Flag
---------------------------------------------------------
gi0/1           ---          1.0.0.1     2        Static     Write         Not Write
#PC1 can access IP Network normally, and PC2 cannot access IP Network.
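The check in Step 3 can be modelled offline. The following is an added example, not vendor code: a simplified Python model that parses the binding table shown above and applies the IP+VLAN match of a static entry to received packets. It assumes that both PCs arrive on gigabitethernet0/1 in VLAN2, that PC1 uses the bound address 1.0.0.1, and that PC2 uses 1.0.0.2 (a constructed value); the function and variable names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Binding-table rows as shown in the 'show ip binding table' output above.
BINDING_TABLE = """\
Interface-Name MAC-Address IP-Address VLAN-ID Type-Flag Writing-Flag L2-Flag
gi0/1 --- 1.0.0.1 2 Static Write Not Write
"""
ENABLED_PORTS = {"gi0/1"}  # ports listed as Enabled by 'show ip source guard'

@dataclass(frozen=True)
class Binding:
    interface: str
    mac: Optional[str]  # None when the table shows '---'
    ip: str
    vlan: int
    kind: str           # Type-Flag: Static or Dynamic

def parse_bindings(text):
    """Return the data rows of the table, skipping headers and rulers."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and "/" in f[0] and f[3].isdigit():
            mac = None if f[1] == "---" else f[1].lower()
            rows.append(Binding(f[0], mac, f[2], int(f[3]), f[4]))
    return rows

def permit(bindings, interface, src_ip, vlan, src_mac=None):
    """Simplified filter decision for one received IP packet."""
    if interface not in ENABLED_PORTS:
        return True  # IP Source Guard not enabled on this port: no filtering
    for b in bindings:
        if (b.interface, b.ip, b.vlan) != (interface, src_ip, vlan):
            continue
        # Assumption: an entry that records a MAC also requires it to match.
        if b.mac is None or b.mac == (src_mac or "").lower():
            return True
    return False  # no matching binding: drop

if __name__ == "__main__":
    table = parse_bindings(BINDING_TABLE)
    # PC2's address 1.0.0.2 is a constructed sample value, not from the page.
    for name, ip in (("PC1", "1.0.0.1"), ("PC2", "1.0.0.2")):
        verdict = "permit" if permit(table, "gi0/1", ip, 2) else "drop"
        print(name, ip, verdict)
```

The model covers only the source-address match on data packets; it does not represent any other traffic the device may handle separately.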