IP Source Guard is disabled by default. You can enable IP Source Guard on DHCP snooping untrusted ports.
To run IP Source Guard, you must first enable support for ACL filtering based on VLAN membership or VE port membership. Enter the following commands at the global configuration level.
device(config# enable ACL-per-port-per-vlan
device(config)# write memory
device(config)# exit
device# reload
NOTE
You must save the configuration and reload the software for the changes to take effect.
-
Enter global configuration mode by issuing the
configure terminal command.
device# configure terminal
-
Enter interface configuration mode.
device(config)# interface ethernet 1/1/1
-
Enable IP Source Guard on the port.
device(config-if-e10000-1/1/1)# source-guard enable
This command enables IP Source Guard on the port. If 1/1/1 is the primary port, this configuration applies to all ports in the LAG.
-
To enable IP Source Guard on a range of ports, enter interface configuration mode and specify the range of ports.
device(config-if-e10000-1/1/1)# interface ethernet 1/1/21 to 1/1/25
When enabling IP Source Guard on a range of ports, you can choose only a range of ports within a given slot.
-
Enable IP Source Guard on the range of ports specified in the previous step.
device(config-mif-1/1/21-1/1/25)# source-guard enable
NOTE
If you try to configure IP Source Guard across different modules, the following error displays.
device(config)# interface ethernet 2/1/10 to 12/1/10
Error - cannot configure multi-ports on different slot
