Cisco Catalyst 3550 Series Switches

Documentation Updates for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA

Table Of Contents

Documentation Updates for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA

Contents

Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide

Configuring DHCP Snooping Binding Database

Cisco IOS DHCP Server Database

DHCP Snooping Binding Database

Enabling the Cisco IOS DHCP Server Database

Enabling the DHCP Snooping Binding Database Agent

DHCP Snooping Enhancement

Enabling DHCP Snooping and Option 82

Configuring Dynamic ARP Inspection

Understanding Dynamic ARP Inspection

Configuring Dynamic ARP Inspection

Displaying Dynamic ARP Inspection Information

IfIndex Persistence

SNMP ifIndex MIB Object Values

IGMP Snooping Querier

Understanding the IGMP Snooping Querier

IGMP Snooping Querier Configuration Guidelines and Restrictions

Configuring the IGMP Snooping Querier

Configuring IP Source Guard

Understanding IP Source Guard

Configuring IP Source Guard

Displaying IP Source Guard Information

SmartPort Enhancements

Deleting SVIs

Configuring Router ACLs

Unsupported CLI Commands

Configuring a System Name and Prompt

Updates to the Catalyst 3550 Multilayer Switch Command Reference

arp access-list

clear ip arp inspection log

clear ip arp inspection statistics

debug platform ip arp inspection

debug ip verify source packet

deny (ARP access-list configuration)

errdisable detect cause

errdisable recovery

ip arp inspection filter vlan

ip arp inspection limit

ip arp inspection log-buffer

ip arp inspection trust

ip arp inspection validate

ip arp inspection vlan

ip arp inspection vlan logging

ip dhcp snooping database

ip dhcp snooping information option allowed-untrusted

ip igmp snooping querier

ip source binding

ip verify source

permit (ARP access-list configuration)

show arp access-list

show errdisable detect

show ip arp inspection

show ip dhcp snooping database

show ip igmp snooping querier detail

show ip source binding

show ip verify source

Related Documentation

Obtaining Documentation

Cisco.com

Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Documentation Updates for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA


January 2005

These documentation updates are for Catalyst 3550 switches running Cisco IOS Release 12.2(25)SEA. Use this document with the information in the Release Notes for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA.

This document provides updates to the Catalyst 3550 product documentation. These changes will be included in the next revision of the documentation.

"Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide" section

"Updates to the Catalyst 3550 Multilayer Switch Command Reference" section

For more information about the Catalyst 3550 switches, see the "Related Documentation" section.

Contents

This information is in the release notes:

"Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide" section

"Updates to the Catalyst 3550 Multilayer Switch Command Reference" section

"Related Documentation" section

"Obtaining Documentation" section

"Documentation Feedback" section

"Cisco Product Security Overview" section

"Obtaining Technical Assistance" section

"Obtaining Additional Publications and Information" section

Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide

This section contains these updates to the Catalyst 3550 Software Configuration Guide:

"Configuring DHCP Snooping Binding Database" section

"DHCP Snooping Enhancement" section

"Configuring Dynamic ARP Inspection" section

"IfIndex Persistence" section

"IGMP Snooping Querier" section

"Configuring IP Source Guard" section

"SmartPort Enhancements" section

"Deleting SVIs" section

"Unsupported CLI Commands" section

"Configuring Router ACLs" section

Configuring DHCP Snooping Binding Database

This release supports the DHCP Snooping Binding Database feature. Use this information with the "Configuring DHCP Features" chapter:

Cisco IOS DHCP Server Database

DHCP Snooping Binding Database

Enabling the Cisco IOS DHCP Server Database

Enabling the DHCP Snooping Binding Database Agent

Cisco IOS DHCP Server Database

During the DHCP-based autoconfiguration process, the designated DHCP server uses the Cisco IOS DHCP server database. It has IP addresses, address bindings, and configuration parameters, such as the boot file.

An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool. For more information about manual and automatic address bindings, see the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.

DHCP Snooping Binding Database

When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.

Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. A checksum value at the end of each entry covers the bytes from the start of the file to the end of that entry. Each entry is 72 bytes, followed by a space and then the checksum value.

To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.

The database agent stores the bindings in a file at a configured location. When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch keeps the file current by updating it when the database changes.

When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.

This is the format of the file that has the bindings:

<initial-checksum> 
TYPE DHCP-SNOOPING 
VERSION 1 
BEGIN 
<entry-1> <checksum-1> 
<entry-2> <checksum-1-2> 
... 
... 
<entry-n> <checksum-1-2-..-n> 
END 

Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file. The initial-checksum entry on the first line distinguishes entries associated with the latest file update from entries associated with a previous file update.

This is an example of a binding file:

2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Fa0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Fa0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Fa0/4 584a38f0
END

When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores an entry when one of these situations occurs:

The switch reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.

An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires).

The interface in the entry no longer exists on the system.

The interface is a routed interface or a DHCP snooping-trusted interface.
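The restore rules above can be exercised offline. The following Python example is added here and is not Cisco code or the switch's implementation: it writes a binding file in the documented layout, then reads it back applying each rule (a checksum mismatch discards that entry and every entry after it; expired, unknown-interface, routed and DHCP-snooping-trusted entries are skipped individually). The page does not give the checksum algorithm, so CRC-32 over the bytes from the start of the file to the end of the entry is an assumed stand-in; the field order (IP, VLAN, MAC, lease in hex, interface) follows the sample file, and treating the hex lease field as an absolute expiry time in epoch seconds is also an assumption. All sample entries are constructed.

```python
import zlib
from dataclasses import dataclass


def cumulative_checksum(text_so_far: str) -> str:
    """Assumed stand-in for the switch checksum: the page says only that the
    value covers the bytes from the start of the file to the end of the entry,
    not the algorithm, so CRC-32 over that span is used here."""
    return f"{zlib.crc32(text_so_far.encode()) & 0xFFFFFFFF:08x}"


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: str
    expiry: int        # assumed meaning of the hex lease field: expiry as epoch seconds
    interface: str

    def body(self) -> str:
        # field order as in the sample binding file: IP, VLAN, MAC, lease (hex), interface
        return f"{self.ip} {self.vlan} {self.mac} {self.expiry:08X} {self.interface}"


def build_binding_file(entries, initial_checksum="2bb4c2a1"):
    """Write the documented layout, tagging each entry with the checksum of
    everything from the start of the file to the end of that entry."""
    lines = [initial_checksum, "TYPE DHCP-SNOOPING", "VERSION 1", "BEGIN"]
    for entry in entries:
        body = entry.body()
        prefix = "\n".join(lines + [body])
        lines.append(f"{body} {cumulative_checksum(prefix)}")
    lines.append("END")
    return "\n".join(lines) + "\n"


def restore_bindings(text, now, interfaces, trusted=(), routed=(), checksum=cumulative_checksum):
    """Apply the restore rules; returns (accepted bindings, {line index: reason})."""
    lines = text.splitlines()
    header_ok = (len(lines) >= 5 and lines[1] == "TYPE DHCP-SNOOPING"
                 and lines[2] == "VERSION 1" and lines[3] == "BEGIN" and lines[-1] == "END")
    if not header_ok:
        raise ValueError("not a DHCP snooping binding file")
    accepted, skipped = [], {}
    for idx in range(4, len(lines) - 1):
        body, _, stored = lines[idx].rpartition(" ")
        if checksum("\n".join(lines[:idx] + [body])) != stored.lower():
            # a bad checksum invalidates this entry and everything after it
            skipped[idx] = "checksum mismatch: this entry and all later entries ignored"
            break
        fields = body.split()
        if len(fields) != 5:
            skipped[idx] = "malformed entry: this entry and all later entries ignored"
            break
        ip, vlan, mac, lease_hex, iface = fields
        entry = Binding(ip, int(vlan), mac.lower(), int(lease_hex, 16), iface)
        if entry.expiry <= now:
            skipped[idx] = "lease expired"
        elif iface not in interfaces:
            skipped[idx] = "interface no longer exists"
        elif iface in routed or iface in trusted:
            skipped[idx] = "routed or DHCP-snooping-trusted interface"
        else:
            accepted.append(entry)
    return accepted, skipped


def corrupt_entry(text, line_index):
    """Flip the last checksum digit of one entry to simulate a damaged file."""
    lines = text.splitlines()
    last = lines[line_index][-1]
    lines[line_index] = lines[line_index][:-1] + ("0" if last != "0" else "1")
    return "\n".join(lines) + "\n"


# Constructed sample data: two valid hosts, one expired lease, one host on a trusted uplink.
SAMPLE_NOW = 1_100_000_000
SAMPLE_INTERFACES = {"Fa0/4", "Fa0/5", "Gi0/1"}
SAMPLE_ENTRIES = [
    Binding("192.1.168.1", 3, "0003.47d8.c91f", 1_200_000_000, "Fa0/4"),
    Binding("192.1.168.2", 3, "0003.47d9.c8f1", 1_000_000_000, "Fa0/4"),   # expired
    Binding("192.1.168.3", 3, "0003.44d6.c52f", 1_200_000_000, "Gi0/1"),   # trusted uplink
    Binding("192.1.168.4", 3, "0003.44d6.c530", 1_200_000_000, "Fa0/5"),
]

if __name__ == "__main__":
    text = build_binding_file(SAMPLE_ENTRIES)
    print(restore_bindings(text, SAMPLE_NOW, SAMPLE_INTERFACES, trusted={"Gi0/1"}))
    print(restore_bindings(corrupt_entry(text, 5), SAMPLE_NOW, SAMPLE_INTERFACES))
```

Running the module restores two of the four entries from the intact file; after the second entry's checksum is damaged, only the first entry survives, which is the behaviour to expect after an interrupted or partial transfer of the binding file.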

Enabling the Cisco IOS DHCP Server Database

For procedures to enable and configure the Cisco IOS DHCP server database, see the "DHCP Configuration Task List" section in the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.

Enabling the DHCP Snooping Binding Database Agent

Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip dhcp snooping database {flash:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename}

Specify the URL for the database agent or the binding file by using one of these forms:

flash:/filename

ftp://user:password@host/filename

http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar

rcp://user@host/filename

tftp://host/filename

Step 3 

ip dhcp snooping database timeout seconds

Specify when to stop the database transfer process after the binding database changes.

The range is from 0 to 86400. Use 0 for an infinite duration. The default is 300 seconds (5 minutes).

Step 4 

ip dhcp snooping database write-delay seconds

Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).

Step 5 

end

Return to privileged EXEC mode.

Step 6 

ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds

(Optional) Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4094. The seconds range is from 1 to 4294967295.

Enter this command for each entry that you add.

Note Use this command when you are testing or debugging the switch.

Step 7 

show ip dhcp snooping database [detail]

Display the status and statistics of the DHCP snooping binding database agent.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To stop using the database agent or binding files, use the no ip dhcp snooping database global configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.

To clear the statistics of the DHCP snooping binding database agent, use the clear ip dhcp snooping database statistics privileged EXEC command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.

To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you delete.

DHCP Snooping Enhancement

If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.

When option-82 information is inserted by an edge switch in software releases earlier than Cisco IOS Release 12.2(25)SEA, you cannot configure DHCP snooping on an aggregation switch because the DHCP snooping bindings database will not be properly populated. You also cannot configure IP source guard and dynamic Address Resolution Protocol (ARP) inspection on the switch unless you use static bindings or ARP access control lists (ACLs).

In Cisco IOS Release 12.1(22)EA3 or in Cisco IOS Release 12.2(25)SEA or later, when an aggregation switch is connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allowed-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on ingress untrusted interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.


Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.


Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch.


Note Step 5 was added in Cisco IOS Release 12.1(22)EA3 and Cisco IOS Release 12.2(25)SEA or later.


 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip dhcp snooping

Enable DHCP snooping globally.

Step 3 

ip dhcp snooping vlan vlan-range

Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.

You can enter a single VLAN ID, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by a hyphen, or a range of VLAN IDs entered as the starting and ending VLAN IDs separated by a space.

Step 4 

ip dhcp snooping information option

Enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server.

The default is enabled.

Step 5 

ip dhcp snooping information option allowed-untrusted

(Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch.

The default is disabled.

Note You must enter this command only on aggregation switches that are connected to trusted devices.

Step 6 

interface interface-id

Enter interface configuration mode, and specify the interface to be configured.

Step 7 

ip dhcp snooping trust

(Optional) Configure the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client. The default is untrusted.

Step 8 

ip dhcp snooping limit rate rate

(Optional) Configure the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. The default is no rate limit configured.

Note We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled.

Step 9 

exit

Return to global configuration mode.

Step 10 

ip dhcp snooping verify mac-address

(Optional) Configure the switch to verify that the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.

Step 11 

end

Return to privileged EXEC mode.

Step 12 

show running-config

Verify your entries.

Step 13 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allowed-untrusted global configuration command.
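The option-82 handling described in the "DHCP Snooping Enhancement" section and the trust, allowed-untrusted and verify mac-address settings from the procedure above combine into a small ingress decision. The Python model below is an added example, not Cisco code: it shows why an aggregation switch with the default setting drops relayed requests from an edge switch on an untrusted port and learns no bindings, why enabling allowed-untrusted lets it learn them, and why the same command is unsafe on a port that faces an untrusted device. The DhcpRequest fields, the switch class and the sample addresses are constructed; recording the binding as soon as the request passes inspection is a simplification, since the switch builds the binding from the completed DHCP exchange.

```python
from dataclasses import dataclass, field


@dataclass
class DhcpRequest:
    """Constructed view of a client DHCP request as the switch sees it."""
    vlan: int
    eth_src: str        # source MAC in the Ethernet header
    chaddr: str         # client hardware address carried in the DHCP payload
    client_ip: str      # address the client is requesting (simplified)
    has_option82: bool  # relay information inserted by an edge switch


@dataclass
class DhcpSnoopingSwitch:
    """Hypothetical model of the per-port decision a DHCP snooping switch makes."""
    snooping_vlans: set                           # ip dhcp snooping vlan
    trusted: set = field(default_factory=set)     # ports with ip dhcp snooping trust
    allowed_untrusted: bool = False               # ip dhcp snooping information option allowed-untrusted
    verify_mac: bool = True                       # ip dhcp snooping verify mac-address (default on)
    bindings: dict = field(default_factory=dict)  # client_ip -> (mac, vlan, interface)

    def ingress(self, pkt: DhcpRequest, interface: str) -> str:
        if pkt.vlan not in self.snooping_vlans:
            return "forward (snooping not enabled on VLAN)"
        if interface in self.trusted:
            # trusted ports bypass the checks and do not populate the binding database
            return "forward (trusted port, no binding learned)"
        if self.verify_mac and pkt.eth_src.lower() != pkt.chaddr.lower():
            return "drop (source MAC does not match client hardware address)"
        if pkt.has_option82 and not self.allowed_untrusted:
            return "drop (option-82 on untrusted port)"
        # simplification: the binding is recorded once the request passes inspection
        self.bindings[pkt.client_ip] = (pkt.chaddr.lower(), pkt.vlan, interface)
        return "forward (binding learned)"


def aggregation_scenario(allowed_untrusted: bool):
    """An edge switch inserting option 82 sits behind untrusted port Fa0/24 of an
    aggregation switch (constructed topology). Returns (decision, bindings learned)."""
    sw = DhcpSnoopingSwitch(snooping_vlans={10}, allowed_untrusted=allowed_untrusted)
    pkt = DhcpRequest(10, "0003.47d8.c91f", "0003.47d8.c91f", "10.10.0.5", has_option82=True)
    return sw.ingress(pkt, "Fa0/24"), len(sw.bindings)


if __name__ == "__main__":
    print("default:          ", aggregation_scenario(False))
    print("allowed-untrusted:", aggregation_scenario(True))
```

With the default setting the relayed request is dropped and the aggregation switch never builds a binding for the host, which is exactly the situation that prevents dynamic ARP inspection and IP source guard from working there; with allowed-untrusted the binding is learned, but the same port would now also accept option-82 data forged by a directly connected host, which is why the note restricts the command to ports facing trusted devices.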

Configuring Dynamic ARP Inspection

This section describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3550 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.


Note This is a new chapter to be used with the Catalyst 3550 Multilayer Switch Software Configuration Guide.


To use this feature, you must have the enhanced multilayer image (EMI) installed on your switch.


Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.


This section consists of these topics:

"Understanding Dynamic ARP Inspection" section

"Configuring Dynamic ARP Inspection" section

"Displaying Dynamic ARP Inspection Information" section

Understanding Dynamic ARP Inspection

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.

A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 1 shows an example of ARP cache poisoning.

Figure 1 ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.

Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

Intercepts all ARP requests and responses on untrusted ports

Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

Drops invalid ARP packets

Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command. For configuration information, see the "Configuring Dynamic ARP Inspection in DHCP Environments" section.

In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by using the arp access-list acl-name global configuration command. For configuration information, see the "Configuring ARP ACLs for Non-DHCP Environments" section. The switch logs dropped packets. For more information about the log buffer, see the "Logging of Dropped Packets" section.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the "Performing Validation Checks" section.

Interface Trust States and Network Security

Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces undergo the dynamic ARP inspection validation process.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.


Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.

In Figure 2, assume that both Switch A and Switch B are running dynamic ARP inspection on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.

Figure 2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches that do not run dynamic ARP inspection, configure the switch running dynamic ARP inspection with ARP ACLs. When you cannot determine such bindings, isolate the switches running dynamic ARP inspection from those not running it at Layer 3. For configuration information, see the "Configuring ARP ACLs for Non-DHCP Environments" section.


Note Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.


Rate Limiting of ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you change it. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.

For configuration information, see the "Limiting the Rate of Incoming ARP Packets" section.

Relative Priority of ARP ACLs and DHCP Snooping Entries

Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.

ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the "Configuring the Log Buffer" section.
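The validation order described across the "Understanding Dynamic ARP Inspection" subsections (trusted ports bypass inspection, ARP ACLs take precedence over DHCP snooping bindings, optional src-mac/dst-mac/ip checks, dropped packets logged with their flow information) is modelled below using the Host A, B and C setup of Figure 1. This is an added Python example, not Cisco code; the packet and switch classes and the addresses are constructed. Two points are assumptions rather than statements of this page: the validate checks are run before the binding lookup, and an ARP packet that matches no ACL entry falls through to the DHCP snooping bindings. The set of addresses rejected by the ip check (0.0.0.0, 255.255.255.255 and multicast, with the target address checked only in replies) follows the command's documented semantics rather than text on this page.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    """Constructed view of an ARP frame: Ethernet header plus ARP body."""
    eth_src: str
    eth_dst: str
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str
    is_reply: bool


def ip_is_unexpected(ip: str) -> bool:
    """The 'ip' validation check (assumed set: unspecified, broadcast, multicast)."""
    addr = ipaddress.IPv4Address(ip)
    return addr.is_unspecified or addr.is_multicast or ip == "255.255.255.255"


@dataclass
class DaiSwitch:
    """Hypothetical model of the dynamic ARP inspection decision on one switch."""
    inspected_vlans: set                                # ip arp inspection vlan
    trusted: set = field(default_factory=set)           # ports with ip arp inspection trust
    bindings: set = field(default_factory=set)          # (vlan, ip, mac) learned by DHCP snooping
    acl_by_vlan: dict = field(default_factory=dict)     # ip arp inspection filter vlan: vlan -> [(ip, mac, action)]
    validate: set = field(default_factory=set)          # ip arp inspection validate {src-mac dst-mac ip}
    log: deque = field(default_factory=lambda: deque(maxlen=32))  # default log-buffer size

    def inspect(self, pkt: ArpPacket, interface: str, vlan: int) -> str:
        if vlan not in self.inspected_vlans or interface in self.trusted:
            return "forward"                            # no checks on trusted ports
        reason = self._validate(pkt, vlan)
        if reason is None:
            return "forward"
        self.log.append({"vlan": vlan, "port": interface,           # flow information kept per entry
                         "src_ip": pkt.sender_ip, "dst_ip": pkt.target_ip,
                         "src_mac": pkt.eth_src, "dst_mac": pkt.eth_dst, "reason": reason})
        return "drop: " + reason

    def _validate(self, pkt: ArpPacket, vlan: int):
        # assumption: optional validate checks run before the ACL and binding lookups
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "src-mac mismatch"
        if "dst-mac" in self.validate and pkt.is_reply and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return "dst-mac mismatch"
        if "ip" in self.validate and (ip_is_unexpected(pkt.sender_ip)
                                      or (pkt.is_reply and ip_is_unexpected(pkt.target_ip))):
            return "invalid ip"
        # ARP ACLs take precedence: an explicit deny wins even if a DHCP binding exists
        for acl_ip, acl_mac, action in self.acl_by_vlan.get(vlan, []):
            if acl_ip == pkt.sender_ip and acl_mac.lower() == pkt.sender_mac.lower():
                return None if action == "permit" else "denied by ARP ACL"
        if (vlan, pkt.sender_ip, pkt.sender_mac.lower()) in self.bindings:
            return None
        return "no DHCP snooping binding"


# Constructed addresses for Hosts A, B and C of Figure 1
IA, MA = "10.1.1.1", "0000.0000.000a"
IB, MB = "10.1.1.2", "0000.0000.000b"
MC = "0000.0000.000c"


def figure1_scenario(acl=None, validate=(), trusted=()):
    """Host B answers Host A legitimately; Host C forges a reply claiming IA.
    Returns (decision for legit reply, decision for forged reply, log entries)."""
    sw = DaiSwitch(inspected_vlans={1}, trusted=set(trusted),
                   bindings={(1, IA, MA), (1, IB, MB)}, validate=set(validate))
    if acl:
        sw.acl_by_vlan[1] = acl
    legit = ArpPacket(MB, MA, IB, MB, IA, MA, is_reply=True)
    forged = ArpPacket(MC, "ffff.ffff.ffff", IA, MC, IB, MB, is_reply=True)
    return sw.inspect(legit, "Fa0/2", 1), sw.inspect(forged, "Fa0/3", 1), len(sw.log)


if __name__ == "__main__":
    print("bindings only:     ", figure1_scenario())
    print("ACL denies Host B: ", figure1_scenario(acl=[(IB, MB, "deny")]))
    print("dst-mac validation:", figure1_scenario(validate=("dst-mac",)))
    print("Fa0/3 trusted:     ", figure1_scenario(trusted=("Fa0/3",)))
```

The last case is the one the Caution above warns about: marking Host C's port trusted lets the forged reply through unchecked, so the trust state, not the binding table, decides whether the man-in-the-middle attempt is caught.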

Configuring Dynamic ARP Inspection

These sections describe how to configure dynamic ARP inspection on your switch:

Default Dynamic ARP Inspection Configuration

Dynamic ARP Inspection Configuration Guidelines

Configuring Dynamic ARP Inspection in DHCP Environments (required in DHCP environments)

Configuring ARP ACLs for Non-DHCP Environments (required in non-DHCP environments)

Limiting the Rate of Incoming ARP Packets (optional)

Performing Validation Checks (optional)

Configuring the Log Buffer (optional)

Default Dynamic ARP Inspection Configuration

Table 1 shows the default dynamic ARP inspection configuration.

Table 1 Default Dynamic ARP Inspection Configuration 

Feature
Default Setting

Dynamic ARP inspection

Disabled on all VLANs.

Interface trust state

All interfaces are untrusted.

Rate limit of incoming ARP packets

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

ARP ACLs for non-DHCP environments

No ARP ACLs are defined.

Validation checks

No checks are performed.

Log buffer

When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged.

The number of entries in the log is 32.

The number of system messages is limited to 5 per second.

The logging-rate interval is 1 second.

Per-VLAN logging

All denied or dropped ARP packets are logged.


Dynamic ARP Inspection Configuration Guidelines

These are the dynamic ARP inspection configuration guidelines:

Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.

Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see the "Configuring DHCP Features and IP Source Guard" chapter in the software configuration guide.

When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.

The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel, this means that the actual rate limit might be higher than the configured value. For example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.

The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.

The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.

If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.

Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled VLANs. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs when the software places the port in the error-disabled state.

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 2. Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.


Note Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see the "Configuring DHCP Features and IP Source Guard" chapter in the software configuration guide.


For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the "Configuring ARP ACLs for Non-DHCP Environments" section.

Beginning in privileged EXEC mode, follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required.

 
Command
Purpose

Step 1 

show cdp neighbors

Verify the connection between the switches.

Step 2 

configure terminal

Enter global configuration mode.

Step 3 

ip arp inspection vlan vlan-range

Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs.

For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Specify the same VLAN ID for both switches.

Step 4 

interface interface-id

Specify the interface connected to the other switch, and enter interface configuration mode.

Step 5 

ip arp inspection trust

Configure the connection between the switches as trusted.

By default, all interfaces are untrusted.

The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show ip arp inspection interfaces

show ip arp inspection vlan vlan-range

Verify the dynamic ARP inspection configuration.

Step 8 

show ip dhcp snooping binding

Verify the DHCP bindings.

Step 9 

show ip arp inspection statistics vlan vlan-range

Check the dynamic ARP inspection statistics.

Step 10 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.

This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:

Switch(config)# ip arp inspection vlan 1
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection trust

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 2 does not support dynamic ARP inspection or DHCP snooping.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not static (which makes it impossible to apply the ACL configuration on Switch A), you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

arp access-list acl-name

Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Note At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 3 

permit ip host sender-ip mac host sender-mac [log]

Permit ARP packets from the specified host (Host 2).

For sender-ip, enter the IP address of Host 2.

For sender-mac, enter the MAC address of Host 2.

(Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section.

Step 4 

exit

Return to global configuration mode.

Step 5 

ip arp inspection filter arp-acl-name vlan vlan-range [static]

Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.

For arp-acl-name, specify the name of the ACL created in Step 2.

For vlan-range, specify the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.

If you do not specify this keyword and no explicit deny in the ACL denies the packet, DHCP bindings determine whether a packet is permitted or denied when the packet does not match any clauses in the ACL.

ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.

Step 6 

interface interface-id

Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.

Step 7 

no ip arp inspection trust

Configure the Switch A interface that is connected to Switch B as untrusted.

By default, all interfaces are untrusted.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section.

Step 8 

end

Return to privileged EXEC mode.

Step 9 

show arp access-list [acl-name]

show ip arp inspection vlan vlan-range

show ip arp inspection interfaces

Verify your entries.

Step 10 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:

Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no ip arp inspection trust

Limiting the Rate of Incoming ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene, unless you enable error-disable recovery so that ports automatically emerge from this state after a specified timeout period.


Note Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.


For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the "Dynamic ARP Inspection Configuration Guidelines" section.

Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the interface to be rate-limited, and enter interface configuration mode.

Step 3 

ip arp inspection limit {rate pps [burst interval seconds] | none}

Limit the rate of incoming ARP requests and responses on the interface.

The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.

The keywords have these meanings:

For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.

(Optional) For burst interval seconds, specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.

For none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 4 

exit

Return to global configuration mode.

Step 5 

errdisable recovery cause arp-inspection interval interval

(Optional) Enable error recovery from the dynamic ARP inspection error-disable state.

By default, recovery is disabled, and the recovery interval is 300 seconds.

For interval interval, specify the time in seconds to recover from the error-disable state. The range is 30 to 86400.

Step 6 

exit

Return to privileged EXEC mode.

Step 7 

show ip arp inspection interfaces

show errdisable recovery

Verify your settings.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.

Performing Validation Checks

Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Perform a specific check on incoming ARP packets. By default, no checks are performed.

The keywords have these meanings:

For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 3 

exit

Return to privileged EXEC mode.

Step 4 

show ip arp inspection vlan vlan-range

Verify your settings.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
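As an added illustration (Python, not Cisco code) of how the ARP ACL, the static keyword, the DHCP snooping bindings and the validate checks from the two procedures above combine into one forward-or-drop verdict on an untrusted port; the evaluation order, the helper names and all sample addresses other than the page's Host 2 values are assumptions:

```python
"""Model of the dynamic ARP inspection decision path: trust state,
ARP ACL with or without 'static', DHCP snooping bindings, and the
optional validate checks.  Added illustration, not Cisco code; the
evaluation order and all sample addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address

ARP_REQUEST, ARP_REPLY = 1, 2


def norm_mac(mac: str) -> str:
    """Expand IOS H.H.H notation, so '1.1.1' equals '0001.0001.0001'."""
    return ".".join(part.zfill(4).lower() for part in mac.split("."))


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: int           # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body
    target_mac: str   # target hardware address in the ARP body
    target_ip: str    # target protocol address in the ARP body


@dataclass(frozen=True)
class ArpAce:
    """One 'permit|deny ip {host A|any} mac {host M|any}' entry."""
    action: str   # "permit" or "deny"
    ip: str       # sender IP or "any"
    mac: str      # sender MAC or "any"

    def matches(self, pkt: ArpPacket) -> bool:
        ip_ok = self.ip in ("any", pkt.sender_ip)
        mac_ok = self.mac == "any" or norm_mac(self.mac) == norm_mac(pkt.sender_mac)
        return ip_ok and mac_ok


@dataclass
class DaiVlan:
    """Per-VLAN DAI state; acl=None means no 'ip arp inspection filter'."""
    acl: list | None = None
    static: bool = False                        # the [static] keyword
    validate: frozenset = frozenset()           # subset of src-mac/dst-mac/ip
    bindings: set = field(default_factory=set)  # DHCP snooping (ip, mac)


def validation_failure(pkt: ArpPacket, checks: frozenset) -> str | None:
    """Apply 'ip arp inspection validate' checks; name the first failure."""
    if "src-mac" in checks and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return "src-mac"          # checked on requests and responses
    if ("dst-mac" in checks and pkt.op == ARP_REPLY
            and norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac)):
        return "dst-mac"          # checked on responses only
    if "ip" in checks:
        addrs = [pkt.sender_ip]   # sender IP checked on every packet
        if pkt.op == ARP_REPLY:
            addrs.append(pkt.target_ip)   # target IP only on responses
        for a in addrs:
            if a in ("0.0.0.0", "255.255.255.255") or ip_address(a).is_multicast:
                return "ip"
    return None


def inspect(pkt: ArpPacket, vlan: DaiVlan, port_trusted: bool) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'forward' or 'drop'."""
    if port_trusted:
        return "forward", "trusted port, not inspected"
    failed = validation_failure(pkt, vlan.validate)
    if failed:
        return "drop", f"{failed} validation failed"
    if vlan.acl is not None:
        for ace in vlan.acl:              # first matching ACE wins
            if ace.matches(pkt):
                return ("forward" if ace.action == "permit" else "drop",
                        f"ACL {ace.action}")
        if vlan.static:                   # implicit deny treated as explicit
            return "drop", "ACL implicit deny (static)"
    # No ACL decision: fall back to the DHCP snooping binding database.
    if (pkt.sender_ip, norm_mac(pkt.sender_mac)) in vlan.bindings:
        return "forward", "DHCP binding matched"
    return "drop", "no DHCP binding"


def reply(sender_ip: str, sender_mac: str, eth_src: str | None = None,
          target_ip: str = "10.0.0.1", target_mac: str = "0003.0003.0003") -> ArpPacket:
    """Build an ARP reply; eth_src defaults to the ARP sender MAC."""
    return ArpPacket(eth_src or sender_mac, target_mac, ARP_REPLY,
                     sender_mac, sender_ip, target_mac, target_ip)


# Constructed scenario: VLAN 1 with the page's ACL 'host2' applied, one
# DHCP-learned binding, and src-mac plus ip validation enabled.
VLAN1 = DaiVlan(acl=[ArpAce("permit", "1.1.1.1", "1.1.1")],
                validate=frozenset({"src-mac", "ip"}),
                bindings={("10.0.0.5", "0002.0002.0002")})

if __name__ == "__main__":
    for p in (reply("1.1.1.1", "0001.0001.0001"),                     # ACL permit
              reply("10.0.0.5", "0002.0002.0002"),                     # DHCP binding
              reply("10.0.0.5", "0002.0002.0002", "0009.0009.0009"),   # src-mac fails
              reply("10.0.0.9", "0009.0009.0009")):                    # no binding
        print(p.sender_ip, p.sender_mac, inspect(p, VLAN1, False))
```

Swapping `static=True` into the VLAN state shows the second packet above flipping from forward to drop, because the bindings are then never consulted.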

Configuring the Log Buffer

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip arp inspection log-buffer {entries number | logs number interval seconds}

Configure the dynamic ARP inspection logging buffer.

By default, when dynamic ARP inspection is enabled, denied or dropped ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.

The keywords have these meanings:

For entries number, specify the number of entries to be logged in the buffer. The range is 0 to 1024.

For logs number interval seconds, specify the number of entries to generate system messages in the specified interval.

For logs number, the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.

For interval seconds, the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

An interval setting of 0 overrides a log setting of 0.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.

Step 3 

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}

Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

The keywords have these meanings:

For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

For acl-match matchlog, log packets based on the ACE logging configuration. If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by the ACL are logged.

For acl-match none, do not log packets that match ACLs.

For dhcp-bindings all, log all packets that match DHCP bindings.

For dhcp-bindings none, do not log packets that match DHCP bindings.

For dhcp-bindings permit, log DHCP-binding permitted packets.

Step 4 

exit

Return to privileged EXEC mode.

Step 5 

show ip arp inspection log

Verify your settings.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default log buffer settings, use the no ip arp inspection log-buffer {entries | logs} global configuration command. To return to the default VLAN log settings, use the no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings} global configuration command. To clear the log buffer, use the clear ip arp inspection log privileged EXEC command.

Displaying Dynamic ARP Inspection Information

To display dynamic ARP inspection information, use the privileged EXEC commands described in Table 2:

Table 2 Commands for Displaying Dynamic ARP Inspection Information 

Command
Description

show arp access-list [acl-name]

Displays detailed information about ARP ACLs.

show ip arp inspection interfaces [interface-id]

Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.

show ip arp inspection vlan vlan-range

Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).


To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 3:

Table 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics 

Command
Description

clear ip arp inspection statistics

Clears dynamic ARP inspection statistics.

show ip arp inspection statistics [vlan vlan-range]

Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).


For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet on a trusted dynamic ARP inspection port. The switch increments the number of ACL or DHCP permitted packets for each packet that is denied by source MAC, destination MAC, or IP validation checks, and the switch increments the appropriate failure count.

To clear or display dynamic ARP inspection logging information, use the privileged EXEC commands in Table 4:

Table 4 Commands for Clearing or Displaying Dynamic ARP Inspection Logging Information 

Command
Description

clear ip arp inspection log

Clears the dynamic ARP inspection log buffer.

show ip arp inspection log

Displays the configuration and contents of the dynamic ARP inspection log buffer.


For more information about commands that support this feature, see these sections:

"arp access-list" section

"clear ip arp inspection log" section

"clear ip arp inspection statistics" section

"debug platform ip arp inspection" section

"deny (ARP access-list configuration)" section

"errdisable detect cause" section

"errdisable recovery" section

"ip arp inspection filter vlan" section

"ip arp inspection limit" section

"ip arp inspection log-buffer" section

"ip arp inspection trust" section

"ip arp inspection validate" section

"ip arp inspection vlan" section

"ip arp inspection vlan logging" section

"permit (ARP access-list configuration)" section

"show arp access-list" section

"show ip arp inspection" section

IfIndex Persistence

This release supports the ifIndex Persistence feature. Use this information with the "Configuring SNMP" chapter:

SNMP ifIndex MIB Object Values

In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns port 2 an ifIndex value of 10003, this value is the same after the switch reboots.

Use the snmp-server ifindex persist global configuration command to enable ifindex persistence on the switch.

IGMP Snooping Querier

This release supports the IGMP snooping querier feature. Use this information with the "Configuring IGMP Snooping" chapter:

This section contains these topics about IGMP snooping querier feature:

"Understanding the IGMP Snooping Querier" section

"IGMP Snooping Querier Configuration Guidelines and Restrictions" section

"Configuring the IGMP Snooping Querier" section

Understanding the IGMP Snooping Querier

You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed. For more information about the IGMP snooping querier, see the "Configuring the IGMP Snooping Querier" section.

IGMP Snooping Querier Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring the IGMP snooping querier:

The IGMP snooping querier is disabled by default.

Configure the VLAN in global configuration mode.

Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.

If there is no IP address configured on the VLAN interface, the IGMP snooping querier tries to use the configured global IP address for the IGMP querier. If there is no global IP address specified, the IGMP querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI IP address, the switch uses the first available IP address configured on the switch. The first IP address available can be seen in the output of the show ip interface privileged EXEC command. The IGMP snooping querier will not generate an IGMP general query if it cannot find an available IP address on the switch.

The IGMP snooping querier supports IGMP Versions 1 and 2.

When administratively enabled, the IGMP snooping querier moves to the non-querier state if it detects the presence of a multicast router in the network.

When it is administratively enabled, the IGMP snooping querier moves to the operationally-disabled state under these conditions:

IGMP snooping is disabled in the VLAN.

PIM is enabled on the SVI of the corresponding VLAN.

Configuring the IGMP Snooping Querier

To enable the IGMP snooping querier feature in a VLAN, follow these steps:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip igmp snooping querier

Enable the IGMP snooping querier.

Step 3 

ip igmp snooping querier ip_address

(Optional) Specify an IP address for the IGMP snooping querier. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.

Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch.

Step 4 

ip igmp snooping querier query-interval interval-count

(Optional) Set the interval between IGMP queries. The interval range is from 1 to 18000 seconds.

Step 5 

ip igmp snooping querier tcn query [count count | interval interval]

(Optional) Set the time (in seconds) between Topology Change Notification (TCN) queries. The count range is from 1 to 10. The interval range is from 1 to 255 seconds.

Step 6 

ip igmp snooping querier timer expiry timeout

(Optional) Set the length of time (in seconds) until the IGMP querier expires. The range is from 60 to 300 seconds.

Step 7 

ip igmp snooping querier version version

(Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.

Step 8 

end

Return to privileged EXEC mode.

Step 9 

show ip igmp snooping vlan vlan-id

(Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface.

Step 10 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to set the IGMP snooping querier source address to 10.0.0.64 and to verify the configuration:

Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.64
Switch(config)# end

This example shows how to set the IGMP snooping querier query interval to 25 seconds and verify the configuration:

Switch# configure terminal
Switch(config)# ip igmp snooping querier query-interval 25
Switch(config)# end

This example shows how to set the IGMP snooping querier timeout to 60 seconds and to verify the configuration:

Switch# configure terminal
Switch(config)# ip igmp snooping querier timer expiry 60
Switch(config)# end

This example shows how to set the IGMP snooping querier feature to version 2 and to verify the configuration:

Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end

For more information about commands that support this feature, see these sections:

"ip igmp snooping querier" section

"show ip igmp snooping querier detail" section

Configuring IP Source Guard

This release supports the IP source guard feature. Use this information with the "Configuring DHCP Features" chapter:

Understanding IP Source Guard

Configuring IP Source Guard

Displaying IP Source Guard Information

Understanding IP Source Guard

IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.

You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.

IP source guard is supported only on Layer 2 ports, including access and trunk ports. You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering.

To use this feature, you must have the enhanced multilayer image (EMI) installed on your switch.

Source IP Address Filtering

When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL with the IP source binding changes and re-applies the port ACL to the interface.

If you enable IP source guard on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IP source guard, the switch removes the port ACL from the interface.

Source IP and MAC Address Filtering

When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.

When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.

The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
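As an added illustration (Python, not Cisco code) of the port ACL that the two filtering modes above derive from the IP source binding table, including the empty-table, wrong-VLAN and DHCP cases; the frame model, the assumption that IP-only mode leaves non-IP traffic untouched, and every sample value beyond the page's own two static bindings are constructed:

```python
"""Model of the port ACL that IP source guard derives from the IP source
binding table, in both filtering modes.  Added illustration, not Cisco
code; sample bindings and frames are constructed (the static bindings
reuse the page's example values)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Parses one 'ip source binding MAC vlan N IP interface IFACE' line.
_BINDING_RE = re.compile(
    r"ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)$")


def norm_mac(mac: str) -> str:
    """Expand IOS H.H.H notation so '1.1.1' equals '0001.0001.0001'."""
    return ".".join(p.zfill(4).lower() for p in mac.split("."))


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str
    source: str = "static"       # or "dhcp-snooping"


def parse_static_binding(line: str) -> Binding:
    """Turn a configuration line into a static Binding."""
    m = _BINDING_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ip source binding command: {line!r}")
    mac, vlan, ip, iface = m.groups()
    return Binding(norm_mac(mac), int(vlan), ip, iface)


@dataclass(frozen=True)
class Frame:
    interface: str
    vlan: int
    src_mac: str
    is_ip: bool                  # IP packet (vs. ARP or other non-IP)
    src_ip: str | None = None
    is_dhcp: bool = False        # DHCP is handled by DHCP snooping


def port_acl(bindings, interface: str, vlan: int, port_security: bool) -> set:
    """Entries the port ACL permits on this interface and VLAN: bare IPs
    for 'ip verify source', (ip, mac) pairs for the port-security mode.
    An interface with no bindings gets an empty set, i.e. deny all IP."""
    mine = [b for b in bindings if b.interface == interface and b.vlan == vlan]
    if port_security:
        return {(b.ip, norm_mac(b.mac)) for b in mine}
    return {b.ip for b in mine}


def ip_source_guard(frame: Frame, bindings, port_security: bool) -> str:
    """Return 'forward' or 'drop' for one frame on an IP source guard port."""
    if frame.is_dhcp:
        return "forward"         # DHCP packets allowed by DHCP snooping
    allowed = port_acl(bindings, frame.interface, frame.vlan, port_security)
    if port_security:
        # Port security filters the source MAC of IP and non-IP frames.
        if norm_mac(frame.src_mac) not in {mac for _, mac in allowed}:
            return "drop"
        if frame.is_ip:
            pair = (frame.src_ip, norm_mac(frame.src_mac))
            return "forward" if pair in allowed else "drop"
        return "forward"
    if not frame.is_ip:
        return "forward"         # assumption: IP-only mode ignores non-IP
    return "forward" if frame.src_ip in allowed else "drop"


# Constructed binding table: the page's two static bindings plus one
# DHCP-snooping binding on the same port.
BINDINGS = [
    parse_static_binding("ip source binding 0100.0022.0010 vlan 10 10.0.0.2 "
                         "interface gigabitethernet0/2"),
    parse_static_binding("ip source binding 0100.0230.0002 vlan 11 10.0.0.4 "
                         "interface gigabitethernet0/2"),
    Binding("0100.0044.0020", 10, "10.0.0.7", "gigabitethernet0/2", "dhcp-snooping"),
]

if __name__ == "__main__":
    # A valid IP sent from a MAC that belongs to a different binding.
    spoofed = Frame("gigabitethernet0/2", 10, "0100.0230.0002", True, "10.0.0.2")
    for mode in (False, True):
        print("port-security" if mode else "ip-only",
              ip_source_guard(spoofed, BINDINGS, mode))
```

The spoofed frame passes in IP-only mode and is dropped only in the port-security mode, which is the difference the two sections above describe.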

Configuring IP Source Guard

This section describes how to configure IP source guard on your switch.

Default IP Source Guard Configuration

IP Source Guard Configuration Guidelines

Enabling IP Source Guard

Displaying IP Source Guard Information

Default IP Source Guard Configuration

By default, IP source guard is disabled.

IP Source Guard Configuration Guidelines

These are the configuration guidelines for IP source guard:

You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:

Static IP source binding can only be configured on switch port.

When IP source guard with source IP filtering is enabled on a VLAN, DHCP snooping must be enabled on the access VLAN to which the interface belongs.

If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.


Note If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.


When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.

When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.

IP source guard is not supported on EtherChannels.

You can enable this feature when 802.1x port-based authentication is enabled.

If the number of ternary content addressable memory (TCAM) entries exceeds the maximum available, the CPU usage increases.

Enabling IP Source Guard

Beginning in privileged EXEC mode, follow these steps to enable and configure IP source guard on an interface.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Enter interface configuration mode, and specify the interface to be configured.

Step 3 

ip verify source

or

ip verify source port-security

Enable IP source guard with source IP address filtering.

Enable IP source guard with source IP and MAC address filtering.

Step 4 

exit

Return to global configuration mode.

Step 5 

ip source binding mac-address vlan vlan-id ip-address interface interface-id

Add a static IP source binding.

Enter this command for each static binding.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show ip verify source [interface interface-id]

Display the IP source guard configuration for all interfaces or for a specific interface.

Step 8 

show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface interface-id] [vlan vlan-id]

Display the IP source bindings on the switch, on a specific VLAN, or on a specific interface.

Step 9 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable IP source guard with source IP address filtering, use the no ip verify source interface configuration command.

To delete a static IP source binding entry, use the no ip source binding global configuration command.

This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet0/2
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet0/2
Switch(config)# end

Displaying IP Source Guard Information

To display the IP source guard information, use one or more of the privileged EXEC commands in Table 5:

Table 5 Commands for Displaying IP Source Guard Information

Command
Purpose

show ip source binding

Display the IP source bindings on a switch.

show ip verify source

Display the IP source guard configuration on the switch.


For more information about commands that support this feature, see these sections:

"debug ip verify source packet" section

"ip source binding" section

"ip verify source" section

"show ip source binding" section

"show ip verify source" section

SmartPort Enhancements

This is an update to the "Configuring Smartports Macros" chapter:

In Cisco IOS Release 12.1(22)EA3 or later, the switch supports the default cisco-desktop Smartports macro that you use when connecting the switch and a wireless access point.

Deleting SVIs

In Chapter 10, "Configuring Interface Characteristics," this new information applies:

You cannot delete interface VLAN 1.

In previous releases, deleting the switch virtual interface (SVI) for VLAN 1 was allowed, but the interface would reappear by default after the switch was reloaded.

Configuring Router ACLs

In Chapter 27, "Configuring Network Security with ACLs," configuration guidelines have been added for configuring input router ACLs. There can be a large increase in the number of TCAM entries when the input router ACLs are applied. If the number of TCAM entries exceeds the allocated resources, ACL filtering is done in software instead of hardware, which can have a negative impact on performance.

There are several ways to prevent excessive TCAM usage:

Use the sdm prefer access global configuration command to change the switch database management (SDM) template to allow more access lists.

Use output router ACLs instead of input router ACLs.

Minimize the TCAM usage of input router ACLs by configuring explicit permits or denies.

When an input router ACL is applied, it is automatically merged with an implicit ACL that matches against routing protocol packets and sends them to the protocol queue. This merge results in additional TCAM entries. To minimize the number of entries, you can configure router ACLs to explicitly permit or deny routing protocols, such as RIP, EIGRP, OSPF, BGP, and PIM, by configuring permit or deny ACEs at the beginning of the ACL.

This is an example of how to configure an input router ACL to minimize TCAM usage:

Switch(config)# access-list 100 [permit|deny] tcp any any eq bgp
Switch(config)# access-list 100 [permit|deny] eigrp any any
Switch(config)# access-list 100 [permit|deny] pim any any
Switch(config)# access-list 100 [permit|deny] ospf any any
Switch(config)# access-list 100 [permit|deny] udp any any eq rip
Switch(config)# access-list 100 ...... ACL 100's ACE(s)
Switch(config)# exit

Unsupported CLI Commands

In Appendix C, "Unsupported CLI Commands in Cisco IOS Release 12.2(25)SE", this fallback bridging privileged EXEC command is not supported:

bridge bridge-group acquire

Configuring a System Name and Prompt

The "Configuring a System Name and Prompt" section and the "Configuring a System Prompt" section of the "Administering the Switch" chapter incorrectly state that you can manually configure the prompt global configuration command. The switch does not support this command. You should ignore this information in printed and online copies of the software configuration guide.

Updates to the Catalyst 3550 Multilayer Switch Command Reference

This section contains these updates to the Catalyst 3550 Multilayer Switch Command Reference:

"arp access-list" section

"clear ip arp inspection log" section

"clear ip arp inspection statistics" section

"debug platform ip arp inspection" section

"debug ip verify source packet" section

"deny (ARP access-list configuration)" section

"errdisable detect cause" section

"errdisable recovery" section

"ip arp inspection filter vlan" section

"ip arp inspection limit" section

"ip arp inspection log-buffer" section

"ip arp inspection trust" section

"ip arp inspection validate" section

"ip arp inspection vlan" section

"ip arp inspection vlan logging" section

"ip dhcp snooping database" section

"ip dhcp snooping information option allowed-untrusted" section

"ip igmp snooping querier" section

"ip source binding" section

"ip verify source" section

"permit (ARP access-list configuration)" section

"show arp access-list" section

"show ip arp inspection" section

"show ip dhcp snooping database" section

"show ip igmp snooping querier detail" section

"show ip source binding" section

"show ip verify source" section

arp access-list

Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.

arp access-list acl-name

no arp access-list acl-name

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

acl-name

Name of the ACL.


Defaults

No ARP access lists are defined.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:

default: returns a command to its default setting.

deny: specifies packets to reject. For more information, see the "deny (ARP access-list configuration)" section.

exit: exits ARP access-list configuration mode.

no: negates a command or returns to default settings.

permit: specifies packets to forward. For more information, see the "permit (ARP access-list configuration)" section.

Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.

When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).

Examples

This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.

Related Commands

Command
Description

deny (ARP access-list configuration)

Denies an ARP packet based on matches compared against the DHCP bindings.

ip arp inspection filter vlan

Permits ARP requests and responses from a host configured with a static IP address.

permit (ARP access-list configuration)

Permits an ARP packet based on matches compared against the DHCP bindings.

show arp access-list

Displays detailed information about ARP access lists.


clear ip arp inspection log

Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.

clear ip arp inspection log

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Examples

This example shows how to clear the contents of the log buffer:

Switch# clear ip arp inspection log

You can verify that the log was cleared by entering the show ip arp inspection log privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP access control list (ACL).

ip arp inspection log-buffer

Configures the dynamic ARP inspection logging buffer.

ip arp inspection vlan logging

Controls the type of packets that are logged per VLAN.

show ip arp inspection log

Displays the configuration and contents of the dynamic ARP inspection log buffer.


clear ip arp inspection statistics

Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.

clear ip arp inspection statistics [vlan vlan-range]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

vlan vlan-range

(Optional) Clear statistics for the specified VLAN or VLANs.

You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.


Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Examples

This example shows how to clear the statistics for VLAN 1:

Switch# clear ip arp inspection statistics vlan 1

You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP access control list (ACL).

ip arp inspection log-buffer

Configures the dynamic ARP inspection logging buffer.

ip arp inspection vlan logging

Controls the type of packets that are logged per VLAN.

show ip arp inspection log

Displays the configuration and contents of the dynamic ARP inspection log buffer.


debug platform ip arp inspection

Use the debug platform ip arp inspection privileged EXEC command to debug dynamic Address Resolution Protocol (ARP) inspection events. Use the no form of this command to disable debugging.

debug platform ip arp inspection {all | error | event | packet | rpc}

no debug platform ip arp inspection {all | error | event | packet | rpc}

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

all

Display all dynamic ARP inspection debug messages.

error

Display dynamic ARP inspection error debug messages.

event

Display dynamic ARP inspection event debug messages.

packet

Display dynamic ARP inspection packet-related debug messages.

rpc

Display dynamic ARP inspection remote procedure call (RPC) request debug messages.


Defaults

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The undebug platform ip arp inspection command is the same as the no debug platform ip arp inspection command.

Related Commands

Command
Description

show ip arp inspection

Displays the dynamic ARP inspection configuration and operating state.

show debugging

Displays information about the types of debugging that are enabled. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 > System Management > Troubleshooting and Fault Management.


debug ip verify source packet

Use the debug ip verify source packet privileged EXEC command to enable debugging of IP source guard. Use the no form of this command to disable debugging.

debug ip verify source packet

no debug ip verify source packet

Syntax Description

This command has no arguments or keywords.

Defaults

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The undebug ip verify source packet command is the same as the no debug ip verify source packet command.

Related Commands

Command
Description

show debugging

Displays information about the types of debugging that are enabled. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 > System Management > Troubleshooting and Fault Management.


deny (ARP access-list configuration)

Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.

deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

request

(Optional) Define a match for the ARP request. When request is not specified, matching is performed against all ARP packets.

ip

Specify the sender IP address.

any

Deny any IP or MAC address.

host sender-ip

Deny the specified sender IP address.

sender-ip sender-ip-mask

Deny the specified range of sender IP addresses.

mac

Deny the sender MAC address.

host sender-mac

Deny a specific sender MAC address.

sender-mac sender-mac-mask

Deny the specified range of sender MAC addresses.

response ip

Define the IP address values for the ARP responses.

host target-ip

Deny the specified target IP address.

target-ip target-ip-mask

Deny the specified range of target IP addresses.

mac

Deny the MAC address values for the ARP responses.

host target-mac

Deny the specified target MAC address.

target-mac target-mac-mask

Deny the specified range of target MAC addresses.

log

(Optional) Log a packet when it matches the ACE.


Defaults

There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.

Command Modes

ARP access-list configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

You can add deny clauses to drop ARP packets based on matching criteria.

Examples

This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP access control list (ACL).

ip arp inspection filter vlan

Permits ARP requests and responses from a host configured with a static IP address.

permit (ARP access-list configuration)

Permits an ARP packet based on matches against the DHCP bindings.

show arp access-list

Displays detailed information about ARP access lists.


errdisable detect cause

Use the errdisable detect cause global configuration command to enable error-disabled detection for a specific cause or all causes. Use the no form of this command to disable the error-disabled detection feature.

errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}

no errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}

Syntax Description

all

Enable error detection for all error-disable causes.

arp-inspection

Enable error detection for dynamic Address Resolution Protocol (ARP) inspection.

dhcp-rate-limit

Enable error detection for DHCP snooping.

dtp-flap

Enable error detection for the Dynamic Trunking Protocol (DTP) flapping.

gbic-invalid

Enable error detection for an invalid Gigabit Interface Converter (GBIC) module.

l2ptguard

Enable error detection for a Layer 2 protocol-tunnel error-disable cause.

link-flap

Enable error detection for link-state flapping.

loopback

Enable error detection for detected loopbacks.

pagp-flap

Enable error detection for the Port Aggregation Protocol (PAgP) flap error-disabled cause.


Defaults

Detection is enabled for all causes.

Command Modes

Global configuration

Command History

Release
Modification

12.1(4)EA1

This command was introduced.

12.1(8)EA1

The bpduguard, rootguard, and udld keywords were removed.

12.1(9)EA1

The l2ptguard and gbic-invalid keywords were added.

12.1(19)EA1

The dhcp-rate-limit and loopback keywords were added.

12.2(25)SEA

The arp-inspection keyword was added.


Usage Guidelines

A cause (all, dhcp-rate-limit, and so forth) is the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state, an operational state that is similar to a link-down state.

If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.

Examples

This example shows how to enable error-disabled detection for the link-flap error-disable cause:

Switch(config)# errdisable detect cause link-flap

You can verify your setting by entering the show errdisable detect privileged EXEC command.

Related Commands

Command
Description

show errdisable detect

Displays errdisable detection information.

show interfaces status err-disabled

Displays interface status or a list of interfaces in the error-disabled state.


errdisable recovery

Use the errdisable recovery global configuration command to configure the recovery mechanism variables. Use the no form of this command to return to the default setting.

errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps} | interval interval}

no errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps} | interval interval}

Syntax Description

cause

Enable error-disabled to recover from a specific cause.

all

Enable the timer to recover from all error-disabled causes.

bpduguard

Enable the timer to recover from the bridge protocol data unit (BPDU) guard error-disable state.

arp-inspection

Enable the timer to recover from the Address Resolution Protocol (ARP) inspection error-disable state.

channel-misconfig

Enable the timer to recover from the EtherChannel misconfiguration error-disable state.

dhcp-rate-limit

Enable the timer to recover from the DHCP snooping error-disable state.

dtp-flap

Enable the timer to recover from the Dynamic Trunking Protocol (DTP) flap error-disable state.

gbic-invalid

Enable the timer to recover from an invalid Gigabit Interface Converter (GBIC) module error-disable state.

l2ptguard

Enable the timer to recover from a Layer 2 protocol tunnel error-disabled state.

link-flap

Enable the timer to recover from the link-flap error-disabled state.

loopback

Enable the timer to recover from a loopback error-disabled state.

pagp-flap

Enable the timer to recover from the Port Aggregation Protocol (PAgP)-flap error-disabled state.

psecure-violation

Enable the timer to recover from a port security violation disabled state.

security-violation

Enable the timer to recover from an 802.1x-violation disabled state.

udld

Enable the timer to recover from the UniDirectional Link Detection (UDLD) error-disabled state.

vmps

Enable the timer to recover from the VLAN Membership Policy Server (VMPS) error-disabled state.

interval interval

Specify the time to recover from the specified error-disabled state. The range is 30 to 86400 seconds. The same interval is applied to all causes. The default interval is 300 seconds.

Note The error-disabled recovery timer is initialized at a random differential from the configured interval value. The difference between the actual timeout value and the configured value can be up to 15 percent of the configured interval.



Note Though visible in the command-line help strings, the ilpower, storm-control, and unicast-flood keywords are not supported.


Defaults

Recovery is disabled for all causes.

The default recovery interval is 300 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.1(11)AX

This command was introduced.

12.1(14)EA1

The security-violation keyword was added. The gbic-invalid keyword is supported for SFP module ports.

12.1(19)EA1

The dhcp-rate-limit keyword was added.

12.1(19)EA1

This command was introduced.

12.2(18)SE

The channel-misconfig keyword was added.

12.2(25)SE

The l2ptguard keyword was added.

12.2(25)SEA

The arp-inspection keyword was added.


Usage Guidelines

A cause (all, bpduguard, and so forth) is the reason that the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in the error-disabled state, an operational state similar to the link-down state. If you enable recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all the causes have timed out. If you do not enable error-disabled recovery for the cause, the interface stays in the error-disabled state until you manually recover it by entering the shutdown and then the no shutdown interface configuration commands.

Examples

This example shows how to enable the recovery timer for the BPDU guard error-disable cause:

Switch(config)# errdisable recovery cause bpduguard

This example shows how to set the timer to 500 seconds:

Switch(config)# errdisable recovery interval 500

You can verify your settings by entering the show errdisable recovery privileged EXEC command.

Related Commands

Command
Description

show errdisable recovery

Displays errdisable recovery timer information.

show interfaces status err-disabled

Displays interface status or a list of interfaces in error-disabled state.


ip arp inspection filter vlan

Use the ip arp inspection filter vlan global configuration command to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings.

ip arp inspection filter arp-acl-name vlan vlan-range [static]

no ip arp inspection filter arp-acl-name vlan vlan-range [static]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

arp-acl-name

ARP access control list (ACL) name.

vlan-range

VLAN number or range.

You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

static

(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.

If you do not specify this keyword and a packet does not match any clause in the ACL (that is, no explicit deny denies it), the DHCP bindings determine whether the packet is permitted or denied.


Defaults

No defined ARP ACLs are applied to any VLAN.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.

If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static, which means that packets are not compared against the bindings).

Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.
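The decision sequence described here and in the usage guidelines of the arp access-list command (ACEs in order, then the implicit deny, then the DHCP snooping bindings unless the ACL was applied with static) can be modelled in a few lines. The following is an added illustration, not Cisco code or the switch's implementation: the wildcard-mask reading of the IP and MAC masks is an assumption of the model, and the bindings and packets are constructed sample data built around the page's static-hosts example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def mac_int(mac: str) -> int:
    """Parse a Cisco dotted MAC such as 0000.0000.abcd into an integer."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def ip_int(ip: str) -> int:
    """Parse a dotted-quad IPv4 address into an integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class ArpPacket:
    op: str           # "request" or "response"
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Ace:
    """One permit/deny clause of an ARP ACL.

    ip or mac of None stands for the 'any' keyword; a 'host' match is an
    all-zero mask. Masks are treated as wildcard masks (a 1 bit means
    'do not care'); that interpretation is an assumption of this model.
    """
    action: str                 # "permit" or "deny"
    op: Optional[str] = None    # "request", "response", or None for both
    ip: Optional[str] = None
    ip_mask: str = "0.0.0.0"
    mac: Optional[str] = None
    mac_mask: str = "0000.0000.0000"
    log: bool = False

    def matches(self, pkt: ArpPacket) -> bool:
        if self.op is not None and self.op != pkt.op:
            return False
        if self.ip is not None:
            keep = ~ip_int(self.ip_mask) & 0xFFFFFFFF
            if (ip_int(pkt.sender_ip) & keep) != (ip_int(self.ip) & keep):
                return False
        if self.mac is not None:
            keep = ~mac_int(self.mac_mask) & 0xFFFFFFFFFFFF
            if (mac_int(pkt.sender_mac) & keep) != (mac_int(self.mac) & keep):
                return False
        return True


# A DHCP snooping binding reduced to what DAI compares: (sender IP, sender MAC).
Binding = Tuple[str, int]


def dai_decision(pkt: ArpPacket, acl: List[Ace], static: bool,
                 bindings: Set[Binding]) -> str:
    """Verdict for one ARP packet on a VLAN with 'acl' applied for DAI.

    First matching ACE wins. An explicit deny drops the packet. The implicit
    'deny ip any mac any' at the end of the list drops it when the ACL was
    applied with 'static'; otherwise the DHCP snooping bindings decide.
    """
    for ace in acl:
        if ace.matches(pkt):
            return "forward" if ace.action == "permit" else "drop:explicit-deny"
    if static:
        return "drop:implicit-deny-static"
    if (pkt.sender_ip, mac_int(pkt.sender_mac)) in bindings:
        return "forward:dhcp-binding"
    return "drop:no-binding"


# The page's static-hosts ACL: permit ip host 1.1.1.1 mac host 0000.0000.abcd
STATIC_HOSTS = [Ace("permit", ip="1.1.1.1", mac="0000.0000.abcd")]
# The page's deny example for the same host, with the log keyword.
DENY_HOST = [Ace("deny", ip="1.1.1.1", mac="0000.0000.abcd", log=True)]
# Constructed DHCP snooping binding for a dynamically addressed host.
BINDINGS: Set[Binding] = {("10.0.0.2", mac_int("0100.0022.0010"))}


def demo() -> dict:
    """Evaluate constructed packets and return the verdict for each case."""
    static_host = ArpPacket("request", "1.1.1.1", "0000.0000.abcd")
    # Same IP as the static host, but a different sender MAC.
    mismatched_mac = ArpPacket("response", "1.1.1.1", "0000.0000.beef")
    dhcp_host = ArpPacket("request", "10.0.0.2", "0100.0022.0010")
    return {
        "static_host": dai_decision(static_host, STATIC_HOSTS, False, BINDINGS),
        "mismatched_mac": dai_decision(mismatched_mac, STATIC_HOSTS, False, BINDINGS),
        "dhcp_host": dai_decision(dhcp_host, STATIC_HOSTS, False, BINDINGS),
        "dhcp_host_static_acl": dai_decision(dhcp_host, STATIC_HOSTS, True, BINDINGS),
        "explicit_deny": dai_decision(static_host, DENY_HOST, False, BINDINGS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} -> {verdict}")
```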

Examples

This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:

Switch(config)# ip arp inspection filter static-hosts vlan 1

You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP ACL.

deny (ARP access-list configuration)

Denies an ARP packet based on matches against the DHCP bindings.

permit (ARP access-list configuration)

Permits an ARP packet based on matches against the DHCP bindings.

show arp access-list

Displays detailed information about ARP access lists.

show ip arp inspection vlan vlan-range

Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.


ip arp inspection limit

Use the ip arp inspection limit interface configuration command to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service attack occurs. Use the no form of this command to return to the default settings.

ip arp inspection limit {rate pps [burst interval seconds] | none}

no ip arp inspection limit

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

rate pps

Specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 packets per second (pps).

burst interval seconds

(Optional) Specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15 seconds.

none

Specify no upper limit for the rate of incoming ARP packets that can be processed.


Defaults

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.

After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.

Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.

You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.

The rate of incoming ARP packets on EtherChannel ports equals the sum of the incoming rate of ARP packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all the channel members.
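The rate-limit behaviour these guidelines describe (the 15 pps default on untrusted interfaces and no limit on trusted ones, an explicit limit that survives a trust-state change until no ip arp inspection limit, and error-disable once the rate is exceeded for burst consecutive seconds) can be walked through with the following added model. It is an illustration written for this page, not Cisco code: the per-second packet counts are constructed, and treating the check as "strictly more than the rate in each of burst consecutive whole seconds" is this model's reading of the text.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_UNTRUSTED_PPS = 15   # page default for untrusted interfaces
DEFAULT_BURST_SECONDS = 1    # page default burst interval


@dataclass
class DaiInterface:
    """Per-interface DAI rate-limit state as described in the usage guidelines."""
    name: str
    trusted: bool = False
    explicit_rate: Optional[int] = None   # 'ip arp inspection limit rate N'
    explicit_none: bool = False           # 'ip arp inspection limit none'
    burst: int = DEFAULT_BURST_SECONDS
    err_disabled: bool = False
    over_rate_streak: int = 0

    def effective_rate(self) -> Optional[int]:
        """Rate in pps, or None for unlimited. An explicit setting wins;
        otherwise the default depends on the trust state."""
        if self.explicit_none:
            return None
        if self.explicit_rate is not None:
            return self.explicit_rate
        return None if self.trusted else DEFAULT_UNTRUSTED_PPS

    def set_limit(self, rate: Optional[int], burst: int = DEFAULT_BURST_SECONDS) -> None:
        """Model 'ip arp inspection limit {rate pps [burst interval s] | none}'."""
        self.explicit_none = rate is None
        self.explicit_rate = rate
        self.burst = burst
        self.over_rate_streak = 0

    def no_limit(self) -> None:
        """Model 'no ip arp inspection limit': revert to the trust-state default."""
        self.explicit_none = False
        self.explicit_rate = None
        self.burst = DEFAULT_BURST_SECONDS
        self.over_rate_streak = 0

    def set_trust(self, trusted: bool) -> None:
        """Model a trust-state change; an explicitly configured limit is kept."""
        self.trusted = trusted

    def observe_second(self, arp_packets: int) -> bool:
        """Account for one second of ARP traffic.

        Returns True if this tick placed the interface in error-disabled state:
        the configured rate was exceeded in 'burst' consecutive seconds.
        """
        rate = self.effective_rate()
        if rate is None or self.err_disabled:
            return False
        if arp_packets > rate:
            self.over_rate_streak += 1
        else:
            self.over_rate_streak = 0
        if self.over_rate_streak >= self.burst:
            self.err_disabled = True
            return True
        return False


def seconds_until_errdisable(intf: DaiInterface, per_second: List[int]) -> Optional[int]:
    """Feed per-second ARP counts; return the 1-based second at which the
    interface was error-disabled, or None if it survived the whole sample."""
    for tick, count in enumerate(per_second, start=1):
        if intf.observe_second(count):
            return tick
    return None


def demo() -> dict:
    """Constructed traffic samples against the page's default and example limits."""
    results = {}
    # Untrusted access port, no explicit limit: default 15 pps, burst 1 second.
    access = DaiInterface("Gi0/1")
    results["default_untrusted"] = seconds_until_errdisable(access, [10, 12, 20])
    # The page's example: rate 25, burst interval 5. One quiet second resets
    # the streak, so the port survives until five straight seconds over 25 pps.
    limited = DaiInterface("Gi0/2")
    limited.set_limit(25, burst=5)
    sample = [30, 30, 30, 30, 20, 30, 30, 30, 30, 30]
    results["rate25_burst5"] = seconds_until_errdisable(limited, sample)
    # Trusted uplink: unlimited by default, never error-disabled by DAI.
    uplink = DaiInterface("Gi0/12", trusted=True)
    results["trusted_default"] = seconds_until_errdisable(uplink, [500, 500])
    # An explicit limit survives a trust change; the 'no' form reverts to default.
    uplink.set_limit(100)
    uplink.set_trust(False)
    results["explicit_after_untrust"] = uplink.effective_rate()
    uplink.no_limit()
    results["default_after_no"] = uplink.effective_rate()
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:24} -> {value}")
```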

Examples

This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection limit rate 25 burst interval 5

You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.

Related Commands

Command
Description

show ip arp inspection interfaces

Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.


ip arp inspection log-buffer

Use the ip arp inspection log-buffer global configuration command to configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer. Use the no form of this command to return to the default settings.

ip arp inspection log-buffer {entries number | logs number interval seconds}

no ip arp inspection log-buffer {entries | logs}

Syntax Description

entries number

Number of entries to be logged in the buffer. The range is 0 to 1024.

logs number interval seconds

Number of entries needed in the specified interval to generate system messages.

For logs number, the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.

For interval seconds, the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).


Defaults

When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.

The number of log entries is 32.

The number of system messages is limited to 5 per second.

The logging-rate interval is 1 second.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

A value of 0 is not allowed for both the logs and the interval keywords.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.

A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Switch(config)# ip arp inspection log-buffer entries 45

This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.

Switch(config)# ip arp inspection log-buffer logs 20 interval 4

You can verify your settings by entering the show ip arp inspection log privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP access control list (ACL).

clear ip arp inspection log

Clears the dynamic ARP inspection log buffer.

ip arp inspection vlan logging

Controls the type of packets that are logged per VLAN.

show ip arp inspection log

Displays the configuration and contents of the dynamic ARP inspection log buffer.


ip arp inspection trust

Use the ip arp inspection trust interface configuration command to configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to return to the default setting.

ip arp inspection trust

no ip arp inspection trust

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

This command has no arguments or keywords.

Defaults

The interface is untrusted.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

Examples

This example shows how to configure a port to be trusted:

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection trust 

You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.

Related Commands

Command
Description

ip arp inspection log-buffer

Configures the dynamic ARP inspection logging buffer.

show ip arp inspection interfaces

Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.

show ip arp inspection log

Displays the configuration and contents of the dynamic ARP inspection log buffer.


ip arp inspection validate

Use the ip arp inspection validate global configuration command to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to return to the default settings.

ip arp inspection validate {[src-mac] [dst-mac] [ip]}

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

src-mac

Compare the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.

When enabled, packets with different MAC addresses are classified as invalid and are dropped.

dst-mac

Compare the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses.

When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip

Compare the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Sender IP addresses are compared in all ARP requests and responses. Target IP addresses are compared only in ARP responses.


Defaults

No checks are performed.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.

If you first specify the src-mac keyword, you also can specify the dst-mac and ip keywords. If you first specify the ip keyword, no other keywords can be specified.

The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.

Examples

This example shows how to enable source MAC validation:

Switch(config)# ip arp inspection validate src-mac 

You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
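To make the three checks concrete, here is an added Python model (not Cisco code) of what src-mac, dst-mac and ip each compare, run over constructed Ethernet/ARP frames; validate_command mirrors the override rule from the usage guidelines. The host MACs, IP addresses and frames are constructed sample data.

```python
"""Model of the `ip arp inspection validate` checks (src-mac, dst-mac, ip)
applied to raw Ethernet/ARP frames, plus the override semantics of the
command itself. Added example with constructed frames; not Cisco code."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})


def mac(s: str) -> bytes:
    """Parse a MAC in Cisco 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff' form."""
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a 42-byte Ethernet II + ARP (hw=Ethernet, proto=IPv4) frame."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac(sha), IPv4Address(spa).packed,
                      mac(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Split the frame into the fields the three checks compare."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is modelled here")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": IPv4Address(spa),
            "tha": tha, "tpa": IPv4Address(tpa)}


def _invalid_ip(addr: IPv4Address) -> bool:
    # The `ip` keyword rejects 0.0.0.0, 255.255.255.255 and all multicast.
    return (addr == IPv4Address("0.0.0.0")
            or addr == IPv4Address("255.255.255.255")
            or addr.is_multicast)


def dai_validate(frame: bytes, checks: frozenset = ALL_CHECKS) -> list:
    """Return the names of the enabled checks the frame fails ([] = valid)."""
    p = parse_arp_frame(frame)
    failed = []
    # src-mac: Ethernet source vs ARP sender hardware address, requests and replies
    if "src-mac" in checks and p["eth_src"] != p["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target hardware address, replies only
    if "dst-mac" in checks and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        failed.append("dst-mac")
    # ip: sender IP in every packet, target IP only in replies
    if "ip" in checks and (_invalid_ip(p["spa"]) or
                           (p["oper"] == ARP_REPLY and _invalid_ip(p["tpa"]))):
        failed.append("ip")
    return failed


def validate_command(current: frozenset, *keywords: str, no: bool = False) -> frozenset:
    """`ip arp inspection validate ...` replaces the whole set of checks;
    the `no` form removes only the keywords given (none given = clear all)."""
    if no:
        return current - frozenset(keywords) if keywords else frozenset()
    if not keywords or not set(keywords) <= ALL_CHECKS:
        raise ValueError("specify at least one of src-mac, dst-mac, ip")
    return frozenset(keywords)


# Constructed sample frames (hosts A=10.0.0.1 and B=10.0.0.2 on one VLAN).
A, B, C = "0000.0000.000a", "0000.0000.000b", "0000.0000.00cc"
GOOD_REPLY = build_arp(B, A, ARP_REPLY, A, "10.0.0.1", B, "10.0.0.2")
SPOOFED_REQUEST = build_arp("ffff.ffff.ffff", A, ARP_REQUEST,
                            C, "10.0.0.1", "0000.0000.0000", "10.0.0.2")
BAD_TARGET_REPLY = build_arp(B, A, ARP_REPLY, A, "10.0.0.1", C, "10.0.0.2")
# An RFC 5227 ARP probe carries sender IP 0.0.0.0, so the `ip` check drops it.
ARP_PROBE = build_arp("ffff.ffff.ffff", A, ARP_REQUEST,
                      A, "0.0.0.0", "0000.0000.0000", "10.0.0.1")

if __name__ == "__main__":
    for name, frame in [("good reply", GOOD_REPLY), ("spoofed request", SPOOFED_REQUEST),
                        ("bad target reply", BAD_TARGET_REPLY), ("ARP probe", ARP_PROBE)]:
        print(f"{name:17s} -> {dai_validate(frame) or 'valid'}")
```

Note that the ARP probe case shows why enabling the ip check needs care: hosts that probe for address conflicts with a 0.0.0.0 sender IP will have those probes dropped.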

Related Commands

Command
Description

show ip arp inspection vlan vlan-range

Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.


ip arp inspection vlan

Use the ip arp inspection vlan global configuration command to enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

vlan-range

VLAN number or range.

You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.


Defaults

ARP inspection is disabled on all VLANs.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

You must specify the VLANs on which to enable dynamic ARP inspection.

Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Examples

This example shows how to enable dynamic ARP inspection on VLAN 1:

Switch(config)# ip arp inspection vlan 1

You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP access control list (ACL).

show ip arp inspection vlan vlan-range

Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.


ip arp inspection vlan logging

Use the ip arp inspection vlan logging global configuration command to control the type of packets that are logged per VLAN. Use the no form of this command to disable this logging control.

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}

no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}

Syntax Description

vlan-range

Specify the VLANs configured for logging.

You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

acl-match {matchlog | none}

Specify that the logging of packets is based on access control list (ACL) matches.

The keywords have these meanings:

matchlog—Log packets based on the logging configuration specified in the access control entries (ACE). If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, Address Resolution Protocol (ARP) packets permitted or denied by the ACL are logged.

none—Do not log packets that match ACLs.

dhcp-bindings {permit | all | none}

Specify that the logging of packets is based on Dynamic Host Configuration Protocol (DHCP) binding matches.

The keywords have these meanings:

all—Log all packets that match DHCP bindings.

none—Do not log packets that match DHCP bindings.

permit—Log DHCP-binding permitted packets.


Defaults

All denied or all dropped packets are logged.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The term logged means that the entry is placed into the log buffer and that a system message is generated.

The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when Address Resolution Protocol (ARP) packets are denied. These are the options:

acl-match—Logging on ACL matches is reset to log on deny.

dhcp-bindings—Logging on DHCP binding matches is reset to log on deny.

If neither the acl-match nor the dhcp-bindings keyword is specified, all denied packets are logged.

The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.

Examples

This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:

Switch(config)# arp access-list test1
Switch(config-arp-nacl)# permit request ip any mac any log
Switch(config-arp-nacl)# permit response ip any any mac any any log
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection vlan 1 logging acl-match matchlog 

You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command
Description

arp access-list

Defines an ARP ACL.

clear ip arp inspection log

Clears the dynamic ARP inspection log buffer.

ip arp inspection log-buffer

Configures the dynamic ARP inspection logging buffer.

show ip arp inspection log

Displays the configuration and contents of the dynamic ARP inspection log buffer.

show ip arp inspection vlan vlan-range

Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.


ip dhcp snooping database

Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.

ip dhcp snooping database {{flash:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename} | timeout seconds | write-delay seconds}

no ip dhcp snooping database [timeout | write-delay]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

flash:/filename

Specify that the database agent or the binding file is in the flash memory.

ftp://user:password@host/filename

Specify that the database agent or the binding file is on an FTP server.

http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar

Specify that the database agent or the binding file is on an HTTP server.

rcp://user@host/filename

Specify that the database agent or the binding file is on a Remote Copy Protocol (RCP) server.

tftp://host/filename

Specify that the database agent or the binding file is on a TFTP server.

timeout seconds

Specify (in seconds) when to stop the database transfer process after the DHCP snooping binding database changes.

The default is 300 seconds. The range is from 0 to 86400. Use 0 to define an infinite duration.

write-delay seconds

Specify (in seconds) the duration for which the transfer should be delayed after the binding database changes. The default is 300 seconds. The range is from 15 to 86400.


Defaults

The URL for the database agent or binding file is not defined.

The timeout value is 300 seconds (5 minutes).

The write-delay value is 300 seconds (5 minutes).

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The DHCP snooping binding database can have up to 8192 bindings.

To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) is enabled and configured for these features:

NTP authentication

NTP peer and server associations

NTP broadcast service

NTP access restrictions

NTP packet source IP address

If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.

Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write bindings to the binding file at that URL for the first time.

Use the ip dhcp snooping database flash:/filename command to save the DHCP snooping binding database in the stack master NVRAM. The database is not saved in a stack member NVRAM.

Use the no ip dhcp snooping database command to disable the agent.

Use the no ip dhcp snooping database timeout command to reset the timeout value.

Use the no ip dhcp snooping database write-delay command to reset the write-delay value.

Examples

This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory. A file named file must be present on the TFTP server.

Switch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file

This example shows how to store a binding file called file01.txt in the stack master NVRAM.

Switch(config)# ip dhcp snooping database flash:file01.txt

You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.

Related Commands

Command
Description

ip dhcp snooping

Enables DHCP snooping on a VLAN.

ip dhcp snooping binding

Configures the DHCP snooping binding database.

show ip dhcp snooping database

Displays the status of DHCP snooping database agent.


ip dhcp snooping information option allowed-untrusted

Use the ip dhcp snooping information option allowed-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information from an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.

ip dhcp snooping information option allowed-untrusted

no ip dhcp snooping information option allowed-untrusted


Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.


Syntax Description

This command has no arguments or keywords.

Defaults

The switch drops DHCP packets with option-82 information from an edge switch.

Command Modes

Global configuration

Command History

Release
Modification

12.1(22)EA3

This command was introduced. It is supported on switches running Cisco IOS Release 12.1(22)EA3 and running Cisco IOS Release 12.2(25)SEA or later.


Usage Guidelines

You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted interface and does not learn DHCP snooping bindings for connected devices on a trusted interface.

If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allowed-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted interface. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted interface.

Examples

This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:

Switch(config)# ip dhcp snooping information option allowed-untrusted

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding information.


ip igmp snooping querier

Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to disable the IGMP querier feature or to reset the parameters to the default settings.

ip igmp snooping querier [address {ip-address} | max-response-time response-time | query-interval interval-count | tcn query [count count | interval interval] | timer expiry | version version]

no ip igmp snooping querier [address | max-response-time | query-interval | tcn query { count count | interval interval} | timer expiry | version]

Syntax Description

address

(Optional) Specify a source IP address. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.

ip-address

Source IP address for the querier.

max-response-time response-time

(Optional) Set the maximum time to wait for an IGMP querier report. You can set a response time from 1 to 25 seconds.

query-interval interval-count

(Optional) Set the interval between IGMP queries. You can set a count from 1 to 18000 seconds.

tcn query

(Optional) Set the time (in seconds) between Topology Change Notification (TCN) queries.

count count

(Optional) Set the number of TCN queries to be executed during the TCN interval time. You can set a count from 1 to 10.

interval interval

(Optional) Set the TCN query interval time. You can set a time (in seconds) from 1 to 255.

timer expiry

(Optional) Set the length of time until the IGMP querier expires.

version version

(Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.


Defaults

The IGMP snooping querier feature is globally disabled on the switch.

When enabled, the IGMP snooping querier disables itself if it detects IGMP traffic from a multicast-enabled device.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier.

By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).

Non-RFC-compliant devices running IGMPv1 might reject IGMP general query messages that have a nonzero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.

Examples

This example shows how to globally enable the IGMP snooping querier feature:

Switch(config)# ip igmp snooping querier

This example shows how to globally disable the IGMP snooping querier feature:

Switch(config)# no ip igmp snooping querier

This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:

Switch(config)# ip igmp snooping querier max-response-time 25

This example shows how to set the IGMP snooping querier interval time to 60 seconds:

Switch(config)# ip igmp snooping querier query-interval 60

This example shows how to set the IGMP snooping querier TCN query count to 25:

Switch(config)# ip igmp snooping querier tcn query count 25

This example shows how to set the IGMP snooping querier timeout to 60 seconds:

Switch(config)# ip igmp snooping querier timer expiry 60

This example shows how to set the IGMP snooping querier feature to version 2:

Switch(config)# ip igmp snooping querier version 2

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command
Description

ip igmp snooping report-suppression

Enables IGMP report suppression.

show ip igmp snooping

Displays the IGMP snooping configuration.

show ip igmp snooping mrouter

Displays the IGMP snooping router ports.

show ip igmp snooping groups

Displays IGMP snooping multicast information.


ip source binding

Use the ip source binding global configuration command to configure static IP source bindings on the switch. Use the no form of this command to delete static bindings.

ip source binding mac-address vlan vlan-id ip-address interface interface-id

no ip source binding mac-address vlan vlan-id ip-address interface interface-id

Syntax Description

mac-address

Specify a MAC address.

vlan vlan-id

Specify a VLAN number. The range is from 1 to 4094.

ip-address

Specify an IP address.

interface interface-id

Specify an interface on which to add or delete an IP source binding.


Defaults

No IP source bindings are configured.

Command Modes

Global configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is keyed on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the existing entry instead of creating a new one.

Examples

This example shows how to add a static IP source binding:

Switch(config)# ip source binding 0001.1234.1234 vlan 1 172.20.50.5 interface gigabitethernet0/1

This example shows how to add a static binding and then modify the IP address for it:

Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.25 interface gigabitethernet0/1
Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.30 interface gigabitethernet0/1

You can verify your settings by entering the show ip source binding privileged EXEC command.

Related Commands

Command
Description

ip verify source

Enables IP source guard on an interface.

show ip source binding

Displays the IP source bindings on the switch.

show ip verify source

Displays the IP source guard configuration on the switch or on a specific interface.


ip verify source

Use the ip verify source interface configuration command to enable IP source guard on an interface. Use the no form of this command to disable IP source guard.

ip verify source [port-security]

no ip verify source

Syntax Description

port-security

(Optional) Enable IP source guard with IP and MAC address filtering.

If you do not enter the port-security keyword, IP source guard with IP address filtering is enabled.


Defaults

IP source guard is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.

Examples

This example shows how to enable IP source guard with source IP address filtering:

Switch(config-if)# ip verify source 

This example shows how to enable IP source guard with source IP and MAC address filtering:

Switch(config-if)# ip verify source port-security 

You can verify your settings by entering the show ip source binding privileged EXEC command.

Related Commands

Command
Description

ip source binding

Configures static bindings on the switch.

show ip verify source

Displays the IP source guard configuration on the switch or on a specific interface.


permit (ARP access-list configuration)

Use the permit Address Resolution Protocol (ARP) access-list configuration command to permit an ARP packet based on matches against the Dynamic Host Configuration Protocol (DHCP) bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access control list.

permit {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

no permit {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

Syntax Description

request

(Optional) Requests a match for the ARP request. When request is not specified, matching is performed against all ARP packets.

ip

Specify the sender IP address.

any

Accept any IP or MAC address.

host sender-ip

Accept the specified sender IP address.

sender-ip sender-ip-mask

Accept the specified range of sender IP addresses.

mac

Specify the sender MAC address.

host sender-mac

Accept the specified sender MAC address.

sender-mac sender-mac-mask

Accept the specified range of sender MAC addresses.

response ip

Define the IP address values for the ARP responses.

host target-ip

(Optional) Accept the specified target IP address.

target-ip target-ip-mask

(Optional) Accept the specified range of target IP addresses.

mac

Specify the MAC address values for the ARP responses.

host target-mac

(Optional) Accept the specified target MAC address.

target-mac target-mac-mask

(Optional) Accept the specified range of target MAC addresses.

log

(Optional) Log a packet when it matches the ACE. Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command.


Defaults

There are no default settings.

Command Modes

ARP access-list configuration

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

You can add permit clauses to forward ARP packets based on some matching criteria.

Examples

This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.
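The matching rules an ARP ACL applies under dynamic ARP inspection (first matching ACE wins, Cisco wildcard masks for IP and MAC, and the implicit deny with no log keyword described under ip arp inspection vlan logging), as an added Python model that is not Cisco code. The static-hosts ACL from the example above, a rose-style ACL with a wildcard range, and the packets are constructed; the matchlog flag stands in for the VLAN's logging acl-match matchlog setting.

```python
"""Evaluate an ARP access list against an ARP packet the way dynamic ARP
inspection applies it: first matching ACE wins, the implicit deny at the end
carries no `log`, and a match is logged only when the ACE has `log` AND the
VLAN is configured with `logging acl-match matchlog`. Added example with a
constructed ACL and packets; not Cisco code."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s: str) -> bytes:
    """Parse a MAC in Cisco 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff' form."""
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


# An address spec is (pattern, wildcard): `host X` -> (X, all-zero wildcard),
# `any` -> all-ones wildcard, `X MASK` -> (X, MASK).
ANY_IP = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
ANY_MAC = (bytes(6), bytes([0xFF] * 6))


def host_ip(s: str) -> tuple:
    return (IPv4Address(s), IPv4Address("0.0.0.0"))


def host_mac(s: str) -> tuple:
    return (mac(s), bytes(6))


def ip_range(addr: str, wildcard: str) -> tuple:
    return (IPv4Address(addr), IPv4Address(wildcard))


def _wild_match(value: int, pattern: int, wildcard: int) -> bool:
    # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care.
    return (value ^ pattern) & ~wildcard == 0


def _ip_match(addr: IPv4Address, spec: tuple) -> bool:
    return _wild_match(int(addr), int(spec[0]), int(spec[1]))


def _mac_match(addr: bytes, spec: tuple) -> bool:
    return _wild_match(int.from_bytes(addr, "big"),
                       int.from_bytes(spec[0], "big"),
                       int.from_bytes(spec[1], "big"))


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    sender_ip: tuple
    sender_mac: tuple
    request: bool = False       # `request` keyword: match ARP requests only
    response: bool = False      # `response` keyword: match replies, with targets
    target_ip: tuple = ANY_IP
    target_mac: tuple = ANY_MAC
    log: bool = False           # `log` keyword

    def matches(self, pkt: dict) -> bool:
        if self.request and pkt["oper"] != ARP_REQUEST:
            return False
        if self.response and pkt["oper"] != ARP_REPLY:
            return False
        if not (_ip_match(pkt["spa"], self.sender_ip)
                and _mac_match(pkt["sha"], self.sender_mac)):
            return False
        if self.response:
            return (_ip_match(pkt["tpa"], self.target_ip)
                    and _mac_match(pkt["tha"], self.target_mac))
        return True


def evaluate_arp_acl(acl: list, pkt: dict, matchlog: bool = False) -> tuple:
    """Return (action, logged). A packet that falls through every ACE hits
    the implicit deny, which is never logged; an explicit
    `deny ip any mac any log` ACE at the end is needed to log those drops."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, (ace.log and matchlog)
    return "deny", False


def arp_packet(oper, sha, spa, tha="0000.0000.0000", tpa="0.0.0.0") -> dict:
    """Constructed ARP packet fields (only what the ACL compares)."""
    return {"oper": oper, "sha": mac(sha), "spa": IPv4Address(spa),
            "tha": mac(tha), "tpa": IPv4Address(tpa)}


# The `static-hosts` ACL from the permit example, and a rose-style ACL with a
# wildcard range plus an explicit logging deny at the end.
STATIC_HOSTS = [Ace("permit", host_ip("1.1.1.1"), host_mac("0000.0000.abcd"))]
ROSE_LOGGED = [
    Ace("permit", ip_range("10.101.1.1", "0.0.0.255"), ANY_MAC),
    Ace("deny", ANY_IP, ANY_MAC, log=True),
]

LEGIT = arp_packet(ARP_REQUEST, "0000.0000.abcd", "1.1.1.1")
SPOOF = arp_packet(ARP_REPLY, "0000.0000.1234", "1.1.1.1", "0000.0000.00bb", "1.1.1.2")
IN_RANGE = arp_packet(ARP_REQUEST, "0011.2233.4455", "10.101.1.77")
OUT_OF_RANGE = arp_packet(ARP_REQUEST, "0011.2233.4455", "10.101.2.1")
```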

Related Commands

Command
Description

arp access-list

Defines an ARP ACL.

deny (ARP access-list configuration)

Denies an ARP packet based on matches against the DHCP bindings.

ip arp inspection filter vlan

Permits ARP requests and responses from a host configured with a static IP address.

show arp access-list

Displays detailed information about ARP access lists.


show arp access-list

Use the show arp access-list user EXEC command to display detailed information about Address Resolution Protocol (ARP) access control lists (ACLs).

show arp access-list [acl-name] [ | {begin | exclude | include} expression]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

acl-name

(Optional) Name of the ACL.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.

Examples

This is an example of output from the show arp access-list command:

Switch> show arp access-list
ARP access list rose
    permit ip 10.101.1.1 0.0.0.255 mac any
    permit ip 20.3.1.0 0.0.0.255 mac any

Related Commands

Command
Description

arp access-list

Defines an ARP ACL.

deny (ARP access-list configuration)

Denies an ARP packet based on matches against the Dynamic Host Configuration Protocol (DHCP) bindings.

ip arp inspection filter vlan

Permits ARP requests and responses from a host configured with a static IP address.

permit (ARP access-list configuration)

Permits an ARP packet based on matches against the DHCP bindings.


show errdisable detect

Use the show errdisable detect user EXEC command to display error-disable detection status.

show errdisable detect [ | {begin | exclude | include} expression]

Syntax Description

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.1(4)EA1

This command was introduced.


Usage Guidelines

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.

A displayed gbic-invalid error reason refers to an invalid small form-factor pluggable (SFP) module.

Examples

This is an example of output from the show errdisable detect command:

Switch> show errdisable detect
ErrDisable Reason    Detection status
-----------------    ----------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
psecure-violation    Enabled
vmps                 Enabled
loopback             Enabled
unicase-flood        Enabled
pagp-flap            Enabled
dtp-flap             Enabled
l2ptguard            Enabled
link-flap            Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
unicast-flood        Enabled
storm-control        Enabled
ilpower              Enabled
arp-inspection       Enabled

Note Though visible in the output, the ilpower, storm-control, and unicast-flood fields are not valid.


Related Commands

Command
Description

errdisable detect cause

Enables error-disable detection for a specific cause or all causes.

show errdisable flap-values

Displays error condition recognition information.

show errdisable recovery

Displays error-disabled recovery timer information.

show interfaces status

Displays interface status or a list of interfaces in error-disabled state.


show ip arp inspection

Use the show ip arp inspection privileged EXEC command to display the configuration and the operating state of dynamic Address Resolution Protocol (ARP) inspection or the status of this feature for all VLANs or for the specified interface or VLAN.

show ip arp inspection [interfaces [interface-id] | log | statistics [vlan vlan-range] | vlan vlan-range] [ | {begin | exclude | include} expression]

Syntax Description

interfaces [interface-id]

(Optional) Display the trust state and the rate limit of ARP packets for the specified interface or all interfaces. Valid interfaces include physical ports and port channels.

log

(Optional) Display the configuration and contents of the dynamic ARP inspection log buffer.

statistics [vlan vlan-range]

(Optional) Display statistics for forwarded, dropped, MAC validation failure, IP validation failure, access control list (ACL) permitted and denied, and DHCP permitted and denied packets for the specified VLAN. If no VLANs are specified or if a range is specified, display information only for VLANs with dynamic ARP inspection enabled (active).

You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

vlan vlan-range

(Optional) Display the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, display information only for VLANs with dynamic ARP inspection enabled (active).

You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.

Examples

This is an example of output from the show ip arp inspection interfaces command:

Switch# show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1            Untrusted               15                 1
 Gi1/0/2            Untrusted               15                 1
 Gi1/0/3            Untrusted               15                 1

This is an example of output from the show ip arp inspection interfaces interface-id command:

Switch# show ip arp inspection interfaces gigabitethernet1/0/1
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1            Untrusted               15                 1

This is an example of output from the show ip arp inspection log command. It shows the contents of the log buffer before the buffers are cleared:

Switch# show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 10 entries per 300 seconds.

Interface   Vlan  Sender MAC      Sender IP        Num Pkts   Reason       Time
----------  ----  --------------  ---------------  ---------  -----------  ----
Gi1/0/1       5     0003.0000.d673  192.2.10.4               5  DHCP Deny    19:39:01 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.0000.d774  128.1.9.25               6  DHCP Deny    19:39:02 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.c940.1111  10.10.10.1               7  DHCP Deny    19:39:03 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.c940.1112  10.10.10.2               8  DHCP Deny    19:39:04 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.c940.1114  173.1.1.1               10  DHCP Deny    19:39:06 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.c940.1115  173.1.1.2               11  DHCP Deny    19:39:07 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.c940.1116  173.1.1.3               12  DHCP Deny    19:39:08 UTC 
Mon Mar 1 1993

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate, in the ip arp inspection log-buffer global configuration command.
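As an added example (not from the command reference), this Python parser reads show ip arp inspection log output, rejoins the date line that the switch wraps onto the next line, and recognizes the overflow records described above so that unattributed drops are reported separately. The sample output is constructed to match the format shown, including one constructed overflow record.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modeled on the show ip arp inspection log format shown
# in this command reference. The third record is a constructed overflow
# record: "--" replaces every field except the packet count and the time.
SAMPLE_LOG = """\
Total Log Buffer Size : 32
Syslog rate : 10 entries per 300 seconds.

Interface   Vlan  Sender MAC      Sender IP        Num Pkts   Reason       Time
----------  ----  --------------  ---------------  ---------  -----------  ----
Gi1/0/1       5     0003.0000.d673  192.2.10.4               5  DHCP Deny    19:39:01 UTC 
Mon Mar 1 1993
Gi1/0/1       5     0001.0000.d774  128.1.9.25               6  DHCP Deny    19:39:02 UTC 
Mon Mar 1 1993
--            --    --              --                       9  --           19:39:05 UTC 
Mon Mar 1 1993
Gi1/0/2       5     0001.c940.1116  173.1.1.3               12  ACL Deny     19:39:08 UTC 
Mon Mar 1 1993
"""


@dataclass
class DaiLogEntry:
    interface: str
    vlan: str
    sender_mac: str
    sender_ip: str
    num_pkts: int
    reason: str
    time: str

    @property
    def overflow(self) -> bool:
        # Overflow records carry "--" in every field except the count and time.
        return self.interface == "--"


# One record: four token fields, a packet count, a multi-word reason
# ("DHCP Deny", "ACL Deny") and the time of day with its zone. The date is
# printed on the following line and is appended by the parser.
_ENTRY = re.compile(
    r"^(?P<iface>\S+)\s+(?P<vlan>\S+)\s+(?P<mac>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<reason>.+?)\s+(?P<time>\d{2}:\d{2}:\d{2}\s+\S+)\s*$"
)
_SIZE = re.compile(r"^Total Log Buffer Size\s*:\s*(\d+)")


def parse_dai_log(text: str) -> Tuple[int, List[DaiLogEntry]]:
    """Return (configured buffer size, log records) from the command output."""
    size = 0
    entries: List[DaiLogEntry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _SIZE.match(line)
        if m:
            size = int(m.group(1))
            continue
        if line.startswith(("Syslog rate", "Interface", "---")):
            continue  # banner and table header lines
        m = _ENTRY.match(line)
        if m:
            entries.append(DaiLogEntry(m["iface"], m["vlan"], m["mac"], m["ip"],
                                       int(m["pkts"]), m["reason"], m["time"]))
        elif entries:
            # A wrapped date line ("Mon Mar 1 1993") belongs to the last record.
            entries[-1].time += " " + line.strip()
    return size, entries


def summarize(entries: List[DaiLogEntry]) -> Dict[str, object]:
    """Aggregate dropped packets per (sender MAC, sender IP) and flag overflow.

    Any overflow record means the buffer or the syslog rate was too small for
    the burst; the text above says to raise one of them with the
    ip arp inspection log-buffer command.
    """
    per_sender: Dict[Tuple[str, str], int] = {}
    unattributed = 0
    for e in entries:
        if e.overflow:
            unattributed += e.num_pkts
        else:
            key = (e.sender_mac, e.sender_ip)
            per_sender[key] = per_sender.get(key, 0) + e.num_pkts
    return {
        "per_sender": per_sender,
        "overflow_records": sum(1 for e in entries if e.overflow),
        "unattributed_pkts": unattributed,
        "increase_buffer": unattributed > 0,
    }


if __name__ == "__main__":
    size, entries = parse_dai_log(SAMPLE_LOG)
    print(f"buffer size {size}, {len(entries)} records")
    for e in entries:
        print(e)
    print(summarize(entries))
```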

This is an example of output from the show ip arp inspection statistics command. It shows the statistics for packets that have been processed by dynamic ARP inspection for all active VLANs.

Switch# show ip arp inspection statistics
Vlan       Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    5              3           4618           4605              4
 2000              0              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    5              0             12                     0
 2000              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures
 ----   -----------------   ----------------------
    5                   0                        9
 2000                   0                        0

For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet on a trusted dynamic ARP inspection port. The switch increments the number of ACL- or DHCP-permitted packets for each packet that is denied by source MAC, destination MAC, or IP validation checks, and the switch increments the appropriate failure count.

This is an example of output from the show ip arp inspection statistics vlan 5 command. It shows statistics for packets that have been processed by dynamic ARP inspection for VLAN 5.

Switch# show ip arp inspection statistics vlan 5
Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    5              3           4618           4605              4

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    5              0             12                     0

 Vlan   Dest MAC Failures   IP Validation Failures      Invalid Protocol Data
 ----   -----------------   ----------------------      ---------------------
    5                   0                        9                          3

This is an example of output from the show ip arp inspection vlan 5 command. It shows the configuration and the operating state of dynamic ARP inspection for VLAN 5.

Switch# show ip arp inspection vlan 5
Source Mac Validation      :Enabled
Destination Mac Validation :Enabled
IP Address Validation      :Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    5     Enabled          Active      second             No

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    5     Acl-Match        All

Related Commands

Command
Description

arp access-list

Defines an ARP ACL.

clear ip arp inspection log

Clears the dynamic ARP inspection log buffer.

clear ip arp inspection statistics

Clears the dynamic ARP inspection statistics.

ip arp inspection log-buffer

Configures the dynamic ARP inspection logging buffer.

ip arp inspection vlan logging

Controls the type of packets that are logged per VLAN.

show arp access-list

Displays detailed information about ARP access lists.


show ip dhcp snooping database

Use the show ip dhcp snooping database user EXEC command to display the status of the DHCP snooping binding database agent.

show ip dhcp snooping database [detail] [ | {begin | exclude | include} expression]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

detail

(Optional) Display detailed status and statistics information.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Examples

This is an example of output from the show ip dhcp snooping database command:

Switch> show ip dhcp snooping database
Agent URL : 
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0

This is an example of output from the show ip dhcp snooping database detail command:

Switch# show ip dhcp snooping database detail 
Agent URL : tftp://10.1.1.1/directory/file
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : 7 (00:00:07)
Abort Timer Expiry : Not Running
Last Succeded Time : None
Last Failed Time : 17:14:25 UTC Sat Jul 7 2001
Last Failed Reason : Unable to access URL.

Total Attempts       :       21   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :       21
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :       21
Media Failures       :        0

First successful access: Read

Last ignored bindings counters :
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0
Last Ignored Time : None

Total ignored bindings counters:
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0

Related Commands

Command
Description

ip dhcp snooping

Enables DHCP snooping on a VLAN.

ip dhcp snooping database

Configures the DHCP snooping binding database agent or the binding file.

show ip dhcp snooping

Displays DHCP snooping information.


show ip igmp snooping querier detail

Use the show ip igmp snooping querier detail user EXEC command to display the configuration and operation information for the IGMP querier configured on a switch.

show ip igmp snooping querier detail [ | {begin | exclude | include} expression]

Syntax Description

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The show ip igmp snooping querier detail user EXEC command is similar to the show ip igmp snooping querier command. However, the show ip igmp snooping querier command displays only the IP address of the most recent device detected by the switch querier.

The show ip igmp snooping querier detail command displays the IP address of the most recent device detected by the switch querier along with this additional information:

the elected IGMP querier in the VLAN

the configuration and operational information pertaining to the switch querier (if any) that is configured in the VLAN

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.

Examples

This is an example of output from the show ip igmp snooping querier detail command:

Switch> show ip igmp snooping querier detail

Vlan      IP Address     IGMP Version   Port
-------------------------------------------------------------
1         1.1.1.1        v2             Fa8/0/1 

Global IGMP switch querier status
--------------------------------------------------------
admin state                    : Enabled
admin version                  : 2
source IP address              : 0.0.0.0        
query-interval (sec)           : 60
max-response-time (sec)        : 10
querier-timeout (sec)          : 120
tcn query count                : 2
tcn query interval (sec)       : 10

Vlan 1:   IGMP switch querier status

--------------------------------------------------------
elected querier is 1.1.1.1         on port Fa8/0/1
--------------------------------------------------------
admin state                    : Enabled
admin version                  : 2
source IP address              : 10.1.1.65      
query-interval (sec)           : 60
max-response-time (sec)        : 10
querier-timeout (sec)          : 120
tcn query count                : 2
tcn query interval (sec)       : 10
operational state              : Non-Querier
operational version            : 2
tcn query pending count        : 0

Related Commands

Command
Description

ip igmp snooping

Enables and configures IGMP snooping on the switch or on a VLAN.

show ip igmp snooping mrouter

Displays IGMP snooping multicast router ports for the switch or for the specified multicast VLAN.

show ip igmp snooping

Displays IGMP snooping multicast information for the switch or for the specified parameter.


show ip source binding

Use the show ip source binding user EXEC command to display the IP source bindings on the switch.

show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface interface-id] [vlan vlan-id] [ | {begin | exclude | include} expression]

Syntax Description

ip-address

(Optional) Display IP source bindings for a specific IP address.

mac-address

(Optional) Display IP source bindings for a specific MAC address.

dhcp-snooping

(Optional) Display IP source bindings that were learned by DHCP snooping.

static

(Optional) Display static IP source bindings.

interface interface-id

(Optional) Display IP source bindings on a specific interface.

vlan vlan-id

(Optional) Display IP source bindings on a specific VLAN.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Usage Guidelines

The show ip source binding command output shows the dynamically and statically configured bindings in the Dynamic Host Configuration Protocol (DHCP) snooping binding database. Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings.

Examples

This is an example of output from the show ip source binding command:

Switch> show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
--------------      ---------------  ----------  -------------  ----  --------------------
00:00:00:0A:00:0B   11.0.0.1         infinite    static         10    GigabitEthernet0/1
00:00:00:0A:00:0A   11.0.0.2         10000       dhcp-snooping  10    GigabitEthernet0/1

Related Commands

Command
Description

ip dhcp snooping binding

Configures the DHCP snooping binding database.

ip source binding

Configures static IP source bindings on the switch.


show ip verify source

Use the show ip verify source user EXEC command to display the IP source guard configuration on the switch or on a specific interface.

show ip verify source [interface interface-id] [ | {begin | exclude | include} expression]

Syntax Description

interface interface-id

(Optional) Display IP source guard configuration on a specific interface.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.2(25)SEA

This command was introduced.


Examples

This is an example of output from the show ip verify source command:

Switch> show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  ---------
Fa0/1      ip           active       10.0.0.1                         10
Fa0/1      ip           active       deny-all                         11-20
Fa0/2      ip           inactive-trust-port
Fa0/3      ip           inactive-no-snooping-vlan
Fa0/4      ip-mac       active       10.0.0.2         aaaa.bbbb.cccc  10
Fa0/4      ip-mac       active       11.0.0.1         aaaa.bbbb.cccd  11
Fa0/4      ip-mac       active       deny-all         deny-all        12-20
Fa0/5      ip-mac       active       10.0.0.3         permit-all      10
Fa0/5      ip-mac       active       deny-all         permit-all      11-20

In the previous example, this is the IP source guard configuration:

On the Fast Ethernet 0/1 interface, Dynamic Host Configuration Protocol (DHCP) snooping is enabled on VLANs 10 to 20. For VLAN 10, IP source guard with IP address filtering is configured on the interface, and a binding exists on the interface. For VLANs 11 to 20, the second entry shows that a default port access control list (ACL) is applied on the interface for the VLANs on which IP source guard is not configured.

The Fast Ethernet 0/2 interface is configured as trusted for DHCP snooping.

On the Fast Ethernet 0/3 interface, DHCP snooping is not enabled on the VLANs to which the interface belongs.

On the Fast Ethernet 0/4 interface, IP source guard with source IP and MAC address filtering is enabled, and static IP source bindings are configured on VLANs 10 and 11. For VLANs 12 to 20, the default port ACL is applied on the interface for the VLANs on which IP source guard is not configured.

On the Fast Ethernet 0/5 interface, IP source guard with source IP and MAC address filtering is enabled and configured with a static IP binding, but port security is disabled. The switch cannot filter source MAC addresses.
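As an added example (not from the command reference), this Python snippet parses show ip verify source output and reports the states the text above explains: trusted or non-snooping ports where IP source guard is not enforced, ip-mac filtering that cannot filter source MAC addresses because port security is disabled (the permit-all Mac-address value), and VLANs covered only by the default deny-all port ACL. The sample table is constructed to match the format shown.

```python
from typing import Dict, List, Tuple

# Constructed sample, modeled on the show ip verify source output above.
SAMPLE_IPSG = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  ---------
Fa0/1      ip           active       10.0.0.1                         10
Fa0/1      ip           active       deny-all                         11-20
Fa0/2      ip           inactive-trust-port
Fa0/3      ip           inactive-no-snooping-vlan
Fa0/4      ip-mac       active       10.0.0.2         aaaa.bbbb.cccc  10
Fa0/4      ip-mac       active       deny-all         deny-all        12-20
Fa0/5      ip-mac       active       10.0.0.3         permit-all      10
Fa0/5      ip-mac       active       deny-all         permit-all      11-20
"""

Row = Dict[str, str]


def parse_ip_verify_source(text: str) -> List[Row]:
    """Split each table row into its columns.

    Columns are whitespace-separated, so the empty Mac-address column of an
    "ip" filter row has to be inferred from the filter type, and inactive
    rows carry only the first three columns.
    """
    rows: List[Row] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] == "Interface" or f[0].startswith("---"):
            continue  # blank, header or rule line
        row: Row = {"interface": f[0], "filter_type": f[1], "filter_mode": f[2],
                    "ip": "", "mac": "", "vlan": ""}
        if row["filter_mode"] == "active":
            row["ip"] = f[3]
            if row["filter_type"] == "ip-mac":
                row["mac"], row["vlan"] = f[4], f[5]
            else:
                row["vlan"] = f[4]
        rows.append(row)
    return rows


def audit_ip_source_guard(rows: List[Row]) -> List[Tuple[str, str, str]]:
    """Return (interface, vlan, finding) for rows where IP source guard is not
    filtering as the configured filter type suggests."""
    findings: List[Tuple[str, str, str]] = []
    for r in rows:
        iface, vlan = r["interface"], r["vlan"] or "-"
        if r["filter_mode"] == "inactive-trust-port":
            findings.append((iface, vlan,
                             "DHCP snooping trusted port: IP source guard not enforced"))
        elif r["filter_mode"] == "inactive-no-snooping-vlan":
            findings.append((iface, vlan,
                             "DHCP snooping not enabled on the port's VLANs: IP source guard not enforced"))
        elif r["filter_type"] == "ip-mac" and r["mac"] == "permit-all":
            # Port security is disabled, so only the source IP is checked.
            findings.append((iface, vlan,
                             "ip-mac filtering but port security disabled: source MAC not filtered"))
        elif r["ip"] == "deny-all":
            findings.append((iface, vlan,
                             "no binding on these VLANs: default port ACL denies all IP traffic"))
    return findings


if __name__ == "__main__":
    for iface, vlan, why in audit_ip_source_guard(parse_ip_verify_source(SAMPLE_IPSG)):
        print(f"{iface:6} vlan {vlan:6} {why}")
```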

This is an example of output on an interface on which IP source guard is disabled:

Switch> show ip verify source fastethernet1/0/6
IP source guard is not configured on the interface fa0/6.

Related Commands

Command
Description

ip verify source

Enables IP source guard on an interface.


Related Documentation

These documents provide complete information about the Catalyst 3550 switches and are available at Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 3550 Multilayer Switch Software Configuration Guide (order number DOC-7816610=)

Catalyst 3550 Multilayer Switch Command Reference (order number DOC-7816611=)

Catalyst 3550 Multilayer Switch System Message Guide (order number DOC-7816681=)

Catalyst 3550 Multilayer Switch Hardware Installation Guide (not orderable but available on Cisco.com)

Catalyst 3550 Switch Getting Started Guide (order number DOC-7816575=)

Regulatory Compliance and Safety Information for the Catalyst 3550 Switch (order number DOC-7816655=)

For information about other related products, refer to these documents:

Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)

Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)

1000BASE-T Gigabit Interface Converter Installation Note (not orderable but available on Cisco.com)

Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.

Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies — security-alert@cisco.com

Nonemergencies — psirt@cisco.com


Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:

http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on


In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL: