I would say that IP source guard goes hand in hand with DHCP snooping. Cisco doc says (Catalyst 3650) "When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN for that interface". And then they start configuring IPSG with DHCP snooping as part of it.

I tested it and my findings are that even if you have "ip source binding AAAA.BBBB.CCCC vlan XYZ XXX.XXX.XXX.XXX interface Fa0/XX", it is not active without DHCP snooping:

    SW2#show ip ver source interface Fa0/6
    Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
    ---------  -----------  -----------  ---------------  -----------------  ----------
    Fa0/6      ip           inactive-no-snooping-vlan

I had a host obtain an IP address from the DHCP server different from the IP address used in "ip source binding" and was able to communicate. Once I enabled DHCP snooping globally and for the specific VLAN, the IPSG feature became active and the host wasn't able to communicate with others:

    SW2#sh ip verif source inter fa0/6
    Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
    ---------  -----------  -----------  ---------------  -----------------  ----------
    Fa0/6      ip           active       174.1.255.2                         102

Eugene

From: [email protected] On Behalf Of Kingsley Charles
Sent: Tuesday, June 05, 2012 9:01 PM
To: Mike Rojas
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding

ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3 can't be used for DHCP snooping. Have you tested it? It can be only used for IPSG validation not DHCP packet validation.

With regards
Kings

On Wed, Jun 6, 2012 at 7:35 AM, Mike Rojas <[email protected]> wrote:

I made that mistake on the test, the question clearly said, make sure it survives upon reload....

Mike

________________________________
Date: Tue, 5 Jun 2012 20:04:27 -0400
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] Dhcp snooping permenant vs temp binding

For the dhcp snooping I learned the hard way the difference between the two commands.

The below command is done at exec level and binding will be removed after a reload

    3560# ip dhcp snooping binding cccd.1233.3422 vlan 101 1.11.1.1 interface gi0/3

The following is permanent and will not be removed from the config or binding database after reboot

    3560(config)# ip source binding 1112.3332.2243 vlan 3 1.1.1.1 interface gi0/3

Are you able to pick the difference between the two commands?

Hope this helps.

--
FNK

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
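An audit check for the condition Eugene reports, as an added example that is not part of the original thread: it parses "show ip verify source" output and lists interfaces where IP source guard is configured but not enforcing. The function names are hypothetical, the column spacing of the two captures is reconstructed from the thread, and treating every Filter-mode other than "active" as unenforced is an assumption of this example.

```python
import re

# The two captures quoted in the thread, with column spacing reconstructed.
BEFORE = """\
SW2#show ip ver source interface Fa0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           inactive-no-snooping-vlan
"""
AFTER = """\
SW2#sh ip verif source inter fa0/6
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa0/6      ip           active       174.1.255.2                         102
"""

# A data row is: interface name ending in a digit, filter type (ip or ip-mac),
# filter mode, then optional address/VLAN columns. Prompt, header and
# separator lines do not match and are skipped.
ROW = re.compile(
    r"^(?P<intf>[A-Za-z][\w/.-]*\d)\s+(?P<ftype>ip(?:-mac)?)\s+(?P<mode>\S+)(?P<rest>.*)$"
)

def parse_verify_source(text):
    """Return one dict per interface row of 'show ip verify source' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        rows.append({
            "interface": m.group("intf"),
            "filter_type": m.group("ftype"),
            "filter_mode": m.group("mode"),
            "ip": rest[0] if rest else None,
            "vlan": rest[-1] if len(rest) >= 2 else None,
        })
    return rows

def unenforced(rows):
    """Interfaces with IPSG configured but not filtering (assumption: any
    Filter-mode other than 'active' means traffic is not being filtered)."""
    return [r for r in rows if r["filter_mode"] != "active"]

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        for r in unenforced(parse_verify_source(capture)):
            print(f"{label}: {r['interface']} not enforced ({r['filter_mode']})")
```
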
