Table Of Contents
Documentation Updates for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA
Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide
Configuring DHCP Snooping Binding Database
Enabling DHCP Snooping and Option 82
Configuring Dynamic ARP Inspection
Configuring a System Name and Prompt
Updates to the Catalyst 3550 Multilayer Switch Command Reference
clear ip arp inspection statistics
debug platform ip arp inspection
deny (ARP access-list configuration)
ip arp inspection vlan logging
ip dhcp snooping information option allowed-untrusted
permit (ARP access-list configuration)
show ip dhcp snooping database
show ip igmp snooping querier detail
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Documentation Updates for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA
January 2005
These documentation updates are for Catalyst 3550 switches running Cisco IOS Release 12.2(25)SEA. Use this document with the information in the Release Notes for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA.
This document provides updates to the Catalyst 3550 product documentation. These changes will be included in the next revision of the documentation.
• "Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide" section
• "Updates to the Catalyst 3550 Multilayer Switch Command Reference" section
For more information about the Catalyst 3550 switches, see the "Related Documentation" section.
Contents
This information is in the release notes:
• "Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide" section
• "Updates to the Catalyst 3550 Multilayer Switch Command Reference" section
• "Related Documentation" section
• "Obtaining Documentation" section
• "Documentation Feedback" section
• "Cisco Product Security Overview" section
• "Obtaining Technical Assistance" section
• "Obtaining Additional Publications and Information" section
Updates to the Catalyst 3550 Multilayer Switch Software Configuration Guide
This section contains these updates to the Catalyst 3550 Software Configuration Guide:
• "Configuring DHCP Snooping Binding Database" section
• "DHCP Snooping Enhancement" section
• "Configuring Dynamic ARP Inspection" section
• "IfIndex Persistence" section
• "IGMP Snooping Querier" section
• "Configuring IP Source Guard" section
• "SmartPort Enhancements" section
• "Unsupported CLI Commands" section
• "Configuring Router ACLs" section
Configuring DHCP Snooping Binding Database
This release supports the DHCP Snooping Binding Database feature. Use this information with the "Configuring DHCP Features" chapter:
• Cisco IOS DHCP Server Database
• DHCP Snooping Binding Database
• Enabling the Cisco IOS DHCP Server Database
• Enabling the DHCP Snooping Binding Database Agent
Cisco IOS DHCP Server Database
During the DHCP-based autoconfiguration process, the designated DHCP server uses the Cisco IOS DHCP server database. It has IP addresses, address bindings, and configuration parameters, such as the boot file.
An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool. For more information about manual and automatic address bindings, see the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
DHCP Snooping Binding Database
When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.
Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. A checksum value at the end of each entry is the number of bytes from the start of the file to the end of the entry. Each entry is 72 bytes, followed by a space and then the checksum value.
To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.
The database agent stores the bindings in a file at a configured location. When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch keeps the file current by updating it when the database changes.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
This is the format of the file that has the bindings:
<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
<entry-n> <checksum-1-2-..-n>
END
Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file. The initial-checksum entry on the first line distinguishes entries associated with the latest file update from entries associated with a previous file update.
This is an example of a binding file:
2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Fa0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Fa0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Fa0/4 584a38f0
END
When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores an entry when one of these situations occurs:
• The switch reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.
• An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires).
• The interface in the entry no longer exists on the system.
• The interface is a routed interface or a DHCP snooping-trusted interface.
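The Python program below is an added example; it is not part of this Cisco document or of the switch software. It writes a binding file in the TYPE/VERSION/BEGIN/END layout shown above and then loads it back the way the bullets describe: stopping at the first checksum mismatch, and skipping entries whose lease has expired, whose interface is gone, or whose interface is trusted or routed. The checksum algorithm (CRC-32 over the bytes from the start of the file to the end of the entry), the reading of the hexadecimal lease field as a number of seconds, and all addresses and port names are assumptions made for the example, so the checksums it produces will not match a file written by a real switch.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: str
    lease_expiry: int      # the hexadecimal lease field; treated here as seconds (assumption)
    interface: str

    def text(self) -> str:
        # Field order taken from the sample file above: IP, VLAN, MAC, lease, interface.
        return f"{self.ip} {self.vlan} {self.mac} {self.lease_expiry:08X} {self.interface}"


def cumulative_checksum(prefix: bytes) -> str:
    # ASSUMPTION: the page does not name the checksum algorithm. CRC-32 over every byte
    # from the start of the file through the end of the entry stands in for it, which
    # produces the chained checksum-1, checksum-1-2, ... values the format describes.
    return f"{zlib.crc32(prefix) & 0xFFFFFFFF:08x}"


def build_binding_file(initial_checksum: str, bindings) -> str:
    """Write the TYPE/VERSION/BEGIN/END layout with a checksum after each entry."""
    out = f"{initial_checksum}\nTYPE DHCP-SNOOPING\nVERSION 1\nBEGIN\n"
    for b in bindings:
        entry = b.text()
        out += f"{entry} {cumulative_checksum((out + entry).encode())}\n"
    return out + "END\n"


def load_binding_file(text: str, now: int, interfaces, trusted=(), routed=()):
    """Apply the switch's load rules to a binding file.

    Returns (accepted bindings, [(entry index, reason) for each ignored entry]).
    """
    lines = text.splitlines()
    if lines[1:4] != ["TYPE DHCP-SNOOPING", "VERSION 1", "BEGIN"] or lines[-1] != "END":
        raise ValueError("not a DHCP snooping binding file")
    accepted, ignored = [], []
    consumed = "".join(line + "\n" for line in lines[:4])   # bytes read so far
    for idx, line in enumerate(lines[4:-1]):
        entry, stored = line.rsplit(" ", 1)
        if cumulative_checksum((consumed + entry).encode()) != stored:
            # Rule 1: a checksum mismatch discards this entry and every entry after it.
            ignored.append((idx, "checksum mismatch; remaining entries ignored"))
            break
        consumed += line + "\n"
        ip, vlan, mac, lease_hex, ifname = entry.split()
        b = Binding(ip, int(vlan), mac, int(lease_hex, 16), ifname)
        if b.lease_expiry <= now:
            ignored.append((idx, "lease expired"))                   # Rule 2
        elif ifname not in interfaces:
            ignored.append((idx, "interface no longer exists"))      # Rule 3
        elif ifname in trusted or ifname in routed:
            ignored.append((idx, "interface is trusted or routed"))  # Rule 4
        else:
            accepted.append(b)
    return accepted, ignored


def demo():
    """Constructed file with one entry per ignore rule, then the same file with a damaged entry."""
    now = 1_000_000                      # constructed "current time", in seconds
    bindings = [
        Binding("192.0.2.11", 3, "0003.47d8.c91f", now + 3600, "Fa0/4"),
        Binding("192.0.2.12", 3, "0003.44d6.c52f", now - 60, "Fa0/4"),    # lease already expired
        Binding("192.0.2.13", 3, "0003.47d9.c8f1", now + 3600, "Fa0/9"),  # port no longer exists
        Binding("192.0.2.14", 3, "0003.47da.0001", now + 3600, "Gi0/1"),  # trusted uplink
        Binding("192.0.2.15", 3, "0003.47da.0002", now + 3600, "Fa0/5"),
    ]
    text = build_binding_file("2bb4c2a1", bindings)
    ports = {"Fa0/4", "Fa0/5", "Gi0/1"}
    clean = load_binding_file(text, now, ports, trusted={"Gi0/1"})
    # Flip one MAC in the fourth entry without touching its stored checksum: that entry
    # and the valid fifth entry behind it must both be ignored.
    damaged = load_binding_file(text.replace("0003.47da.0001", "0003.47da.ffff"),
                                now, ports, trusted={"Gi0/1"})
    return clean, damaged


if __name__ == "__main__":
    for label, (accepted, ignored) in zip(("intact", "damaged"), demo()):
        print(label, [b.ip for b in accepted], ignored)
```

Running the program shows why the checksum chain is cumulative: once one entry is altered after the file was written, every entry behind it is discarded as well, even though those later entries are themselves intact.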
Enabling the Cisco IOS DHCP Server Database
For procedures to enable and configure the Cisco IOS DHCP server database, see the "DHCP Configuration Task List" section in the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Enabling the DHCP Snooping Binding Database Agent
Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch.
To stop using the database agent or binding files, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds interface configuration command.
To clear the statistics of the DHCP snooping binding database agent, use the clear ip dhcp snooping database statistics privileged EXEC command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.
To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you delete.
DHCP Snooping Enhancement
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.
When option-82 information is inserted by an edge switch in software releases earlier than Cisco IOS Release 12.2(25)SEA, you cannot configure DHCP snooping on an aggregation switch because the DHCP snooping bindings database will not be properly populated. You also cannot configure IP source guard and dynamic Address Resolution Protocol (ARP) inspection on the switch unless you use static bindings or ARP access control lists (ACLs).
In Cisco IOS Release 12.1(22)EA3 or in Cisco IOS Release 12.2(25)SEA or later, when an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allowed-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on ingress untrusted interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
Note
Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
Enabling DHCP Snooping and Option 82
Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch.
Note
Step 5 was added in Cisco IOS Release 12.1(22)EA3 and Cisco IOS Release 12.2(25)SEA or later.
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allowed-untrusted global configuration command.
Configuring Dynamic ARP Inspection
This section describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3550 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
Note
This is a new chapter to be used with the Catalyst 3550 Multilayer Switch Software Configuration Guide.
To use this feature, you must have the enhanced multilayer image (EMI) installed on your switch.
Note
For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
This section consists of these topics:
• "Understanding Dynamic ARP Inspection" section
• "Configuring Dynamic ARP Inspection" section
• "Displaying Dynamic ARP Inspection Information" section
Understanding Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 1 shows an example of ARP cache poisoning.
Figure 1 ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command. For configuration information, see the "Configuring Dynamic ARP Inspection in DHCP Environments" section.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by using the arp access-list acl-name global configuration command. For configuration information, see the "Configuring ARP ACLs for Non-DHCP Environments" section. The switch logs dropped packets. For more information about the log buffer, see the "Logging of Dropped Packets" section.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the "Performing Validation Checks" section.
Interface Trust States and Network Security
Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces undergo the dynamic ARP inspection validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.
Caution
Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
In Figure 2, assume that both Switch A and Switch B are running dynamic ARP inspection on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.
Figure 2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches that do not run dynamic ARP inspection, configure the switch running dynamic ARP inspection with ARP ACLs. When you cannot determine such bindings, isolate switches running dynamic ARP inspection at Layer 3 from switches that are not running it. For configuration information, see the "Configuring ARP ACLs for Non-DHCP Environments" section.
Note
Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.
Rate Limiting of ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you change it. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.
For configuration information, see the "Limiting the Rate of Incoming ARP Packets" section.
Relative Priority of ARP ACLs and DHCP Snooping Entries
Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the "Configuring the Log Buffer" section.
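The Python program below is an added example, not code from this Cisco document or from the switch software. It models the decision path the preceding sections describe: a trusted interface bypasses all checks; the ip arp inspection validate checks compare the ARP body with the Ethernet header; an ARP ACL applied to the VLAN takes precedence over the DHCP snooping binding database, with the implicit deny at the end of the ACL counted as an explicit deny only when the static keyword (described later in this section under "Configuring ARP ACLs for Non-DHCP Environments") is given; and every dropped packet is recorded with its flow information as a log-buffer entry. Host names and addresses follow Figure 1, but the MAC and IP values, the port names, and the specific address forms treated as "invalid" by the ip check are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ArpPacket:
    # Ethernet header fields and ARP body fields are kept apart because the
    # validate checks compare one against the other.
    vlan: int
    port: str
    eth_src: str
    eth_dst: str
    opcode: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass(frozen=True)
class ArpAce:
    action: str          # "permit" or "deny" for 'ip host <ip> mac host <mac>'
    ip: str
    mac: str


@dataclass
class Dai:
    """Dynamic ARP inspection state of one switch (constructed model, not IOS internals)."""
    enabled_vlans: set = field(default_factory=set)   # ip arp inspection vlan
    trusted_ports: set = field(default_factory=set)   # ip arp inspection trust
    bindings: dict = field(default_factory=dict)      # (vlan, ip) -> mac from DHCP snooping
    acl: Optional[list] = None                        # ip arp inspection filter; None = not applied
    acl_static: bool = False                          # the 'static' keyword
    validate: set = field(default_factory=set)        # subset of {"src-mac", "dst-mac", "ip"}
    log: list = field(default_factory=list)           # log buffer of dropped packets


def invalid_ip(ip: str) -> bool:
    # ASSUMPTION: the page only says "invalid"; all-zero, broadcast and multicast
    # addresses are the cases modelled here.
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def acl_verdict(dai: Dai, pkt: ArpPacket):
    """'permit', 'deny', or None when nothing matched and 'static' was not given."""
    for ace in dai.acl:
        if ace.ip == pkt.sender_ip and ace.mac == pkt.sender_mac:
            return ace.action
    # The implicit 'deny ip any mac any' at the end of the ACL counts as an explicit
    # deny only with 'static'; otherwise the DHCP snooping bindings decide.
    return "deny" if dai.acl_static else None


def inspect(dai: Dai, pkt: ArpPacket) -> str:
    """Return 'forward' or 'drop'; every drop is recorded in the log buffer."""
    if pkt.vlan not in dai.enabled_vlans or pkt.port in dai.trusted_ports:
        return "forward"          # not inspected on this VLAN, or trusted port bypasses checks
    reason = None
    if "src-mac" in dai.validate and pkt.eth_src != pkt.sender_mac:
        reason = "src-mac mismatch"
    elif "dst-mac" in dai.validate and pkt.opcode == "reply" and pkt.eth_dst != pkt.target_mac:
        reason = "dst-mac mismatch"
    elif "ip" in dai.validate and (invalid_ip(pkt.sender_ip)
                                   or (pkt.opcode == "reply" and invalid_ip(pkt.target_ip))):
        reason = "invalid ip"
    else:
        verdict = acl_verdict(dai, pkt) if dai.acl is not None else None
        if verdict == "deny":
            reason = "denied by ARP ACL"      # the ACL wins even when a DHCP binding exists
        elif verdict is None and dai.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac:
            reason = "no matching DHCP snooping binding"
    if reason is None:
        return "forward"
    dai.log.append({"vlan": pkt.vlan, "port": pkt.port, "src_ip": pkt.sender_ip,
                    "dst_ip": pkt.target_ip, "src_mac": pkt.eth_src, "dst_mac": pkt.eth_dst,
                    "reason": reason})
    return "drop"


def demo():
    """Replay Figure 1 (Hosts A, B, C) against a switch with inspection on VLAN 1."""
    MA, MB, MC = "0000.0000.000a", "0000.0000.000b", "0000.0000.000c"   # constructed
    BCAST, ZERO = "ffff.ffff.ffff", "0000.0000.0000"
    IA, IB = "10.0.0.1", "10.0.0.2"                                      # constructed
    dai = Dai(enabled_vlans={1}, trusted_ports={"Gi0/1"},
              bindings={(1, IA): MA, (1, IB): MB}, validate={"src-mac", "dst-mac", "ip"})
    r = {}
    a_req = ArpPacket(1, "Fa0/1", MA, BCAST, "request", MA, IA, ZERO, IB)
    r["a_request"] = inspect(dai, a_req)                     # genuine request from Host A
    forged = ArpPacket(1, "Fa0/3", MC, MB, "reply", MC, IA, MB, IB)
    r["c_forged"] = inspect(dai, forged)                     # Host C claims IA is at MC
    r["c_forged_trusted"] = inspect(dai, ArpPacket(1, "Gi0/1", MC, MB, "reply", MC, IA, MB, IB))
    r["src_mac"] = inspect(dai, ArpPacket(1, "Fa0/3", MC, BCAST, "request", MA, IA, ZERO, IB))
    # ARP ACL for a statically addressed host that has no DHCP binding.
    dai.acl = [ArpAce("permit", "10.0.0.9", "0000.0000.0009")]
    r["acl_permit"] = inspect(dai, ArpPacket(1, "Fa0/4", "0000.0000.0009", BCAST, "request",
                                             "0000.0000.0009", "10.0.0.9", ZERO, IB))
    r["acl_fallthrough"] = inspect(dai, a_req)   # no ACE matches, no 'static': bindings decide
    dai.acl_static = True
    r["acl_static"] = inspect(dai, a_req)        # implicit deny now drops Host A's request
    return r, dai.log
```

The c_forged_trusted result is the point of the Caution above: the same forged reply that is dropped on an untrusted port is forwarded unchecked when it arrives on a port marked trusted, so the trust state, not the inspection logic, decides whether Host C's poisoning attempt succeeds.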
Configuring Dynamic ARP Inspection
These sections describe how to configure dynamic ARP inspection on your switch:
• Default Dynamic ARP Inspection Configuration
• Dynamic ARP Inspection Configuration Guidelines
• Configuring Dynamic ARP Inspection in DHCP Environments (required in DHCP environments)
• Configuring ARP ACLs for Non-DHCP Environments (required in non-DHCP environments)
• Limiting the Rate of Incoming ARP Packets (optional)
• Performing Validation Checks (optional)
• Configuring the Log Buffer (optional)
Default Dynamic ARP Inspection Configuration
Table 1 shows the default dynamic ARP inspection configuration.
Dynamic ARP Inspection Configuration Guidelines
These are the dynamic ARP inspection configuration guidelines:
• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
• Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.
• Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see the "Configuring DHCP Features and IP Source Guard" chapter in the software configuration guide.
  When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
• Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
• A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.
  Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.
• The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel, this means that the actual rate limit might be higher than the configured value. For example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
• The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.
  The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-port configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.
  If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.
• Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled VLANs. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs when the software places the port in the error-disabled state.
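The Python program below is an added example, not code from this Cisco document or from the switch software. It models the rate-limiting behaviour described in the "Rate Limiting of ARP Packets" section and in the EtherChannel guidelines above: packets are counted per second against the configuration of the port, or of the port channel when the port is a channel member; the default for an untrusted port is 15 pps; trusted ports and ports configured with ip arp inspection limit none are not limited; exceeding the limit error-disables the port (or the whole channel, including all its members); and an errdisable recovery interval, when configured, re-enables it after the timeout. The port names, traffic pattern, and the 30-second recovery interval are assumptions made for the example.

```python
from collections import defaultdict


class DaiRateLimiter:
    """Per-second ARP packet counting with error-disable, as a constructed model.

    Limits are keyed by the entity whose configuration applies: a stand-alone port, or
    the port channel for physical ports that are channel members (the physical port's
    rate is checked against the port-channel configuration, not its own).
    """

    def __init__(self, recovery_interval=None):
        self.limit = {}                    # entity -> pps, or None for 'ip arp inspection limit none'
        self.channel_of = {}               # physical port -> port channel
        self.trusted = set()               # trusted interfaces are not rate-limited
        self.counts = defaultdict(int)     # (entity, whole second) -> packets seen
        self.errdisabled = {}              # entity -> time it was error-disabled
        self.recovery_interval = recovery_interval   # errdisable recovery timeout, or None

    def add_port(self, port, limit=15, channel=None, trusted=False):
        self.limit[port] = limit           # 15 pps is the default for untrusted ports
        if channel is not None:
            self.channel_of[port] = channel
        if trusted:
            self.trusted.add(port)

    def add_channel(self, channel, limit):
        self.limit[channel] = limit

    def entity(self, port):
        return self.channel_of.get(port, port)

    def is_errdisabled(self, port):
        return self.entity(port) in self.errdisabled

    def arp_arrives(self, port, t):
        """Return 'forward', 'errdisabled' (this packet tripped the limit) or 'dropped'."""
        if self.recovery_interval is not None:
            for ent, since in list(self.errdisabled.items()):
                if t - since >= self.recovery_interval:
                    del self.errdisabled[ent]          # errdisable recovery re-enables it
        if port in self.trusted:
            return "forward"
        ent = self.entity(port)
        if ent in self.errdisabled:
            return "dropped"        # the port, or the whole channel, is error-disabled
        self.counts[(ent, int(t))] += 1
        limit = self.limit[ent]
        if limit is not None and self.counts[(ent, int(t))] > limit:
            self.errdisabled[ent] = t
            return "errdisabled"
        return "forward"


def simulate():
    """Constructed traffic: a 2-member channel at 30 pps and an access port at the default."""
    lim = DaiRateLimiter(recovery_interval=30)
    lim.add_channel("Po1", 30)
    lim.add_port("Fa0/1", channel="Po1")
    lim.add_port("Fa0/2", channel="Po1")
    lim.add_port("Fa0/3")
    lim.add_port("Gi0/1", trusted=True)
    out = {}
    # 20 packets on one member plus 11 on the other within the same second is 31 pps on
    # the channel: the 31st packet error-disables Po1 and, with it, both physical ports.
    burst = [lim.arp_arrives("Fa0/1", 0) for _ in range(20)]
    burst += [lim.arp_arrives("Fa0/2", 0) for _ in range(11)]
    out["channel_burst"] = burst
    out["member_disabled"] = lim.is_errdisabled("Fa0/1") and lim.is_errdisabled("Fa0/2")
    out["after_disable"] = lim.arp_arrives("Fa0/1", 0)
    # Access port: the 16th packet in one second exceeds the 15 pps default.
    out["access"] = [lim.arp_arrives("Fa0/3", 5) for _ in range(16)]
    # A trusted port is never rate-limited.
    out["trusted"] = [lim.arp_arrives("Gi0/1", 5) for _ in range(100)]
    # Recovery: Po1 was disabled at t=0, so it is still down at t=29 and back at t=30.
    out["before_recovery"] = lim.arp_arrives("Fa0/2", 29)
    out["after_recovery"] = lim.arp_arrives("Fa0/2", 30)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The channel_burst result illustrates the guideline that the channel rate is the sum over its members: neither member alone exceeds 30 pps, yet the channel does, and both members go down together.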
Configuring Dynamic ARP Inspection in DHCP Environments
This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 2. Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.
Note
Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see the "Configuring DHCP Features and IP Source Guard" chapter in the software configuration guide.
For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the "Configuring ARP ACLs for Non-DHCP Environments" section.
Beginning in privileged EXEC mode, follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required.
Command / Purpose
Step 1
show cdp neighbors
Verify the connection between the switches.
Step 2
configure terminal
Enter global configuration mode.
Step 3
ip arp inspection vlan vlan-range
Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs.
For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
Specify the same VLAN ID for both switches.
Step 4
interface interface-id
Specify the interface connected to the other switch, and enter interface configuration mode.
Step 5
ip arp inspection trust
Configure the connection between the switches as trusted.
By default, all interfaces are untrusted.
The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section.
Step 6
end
Return to privileged EXEC mode.
Step 7
show ip arp inspection interfaces
show ip arp inspection vlan vlan-range
Verify the dynamic ARP inspection configuration.
Step 8
show ip dhcp snooping binding
Verify the DHCP bindings.
Step 9
show ip arp inspection statistics vlan vlan-range
Check the dynamic ARP inspection statistics.
Step 10
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.
This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:
Switch(config)# ip arp inspection vlan 1
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection trust
Configuring ARP ACLs for Non-DHCP Environments
This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 2 does not support dynamic ARP inspection or DHCP snooping.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL configuration on Switch A), you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.
Command / Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
arp access-list acl-name
Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.
Note
At the end of the ARP access list, there is an implicit deny ip any mac any command.
Step 3
permit ip host sender-ip mac host sender-mac [log]
Permit ARP packets from the specified host (Host 2).
•
For sender-ip, enter the IP address of Host 2.
•
For sender-mac, enter the MAC address of Host 2.
•
(Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section.
Step 4
exit
Return to global configuration mode.
Step 5
ip arp inspection filter arp-acl-name vlan vlan-range [static]
Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
•
For arp-acl-name, specify the name of the ACL created in Step 2.
•
For vlan-range, specify the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
•
(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.
If you do not specify this keyword, a packet that does not match any clause in the ACL is not treated as explicitly denied; the DHCP bindings then determine whether the packet is permitted or denied.
ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.
Step 6
interface interface-id
Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
Step 7
no ip arp inspection trust
Configure the Switch A interface that is connected to Switch B as untrusted.
By default, all interfaces are untrusted.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the "Configuring the Log Buffer" section.
Step 8
end
Return to privileged EXEC mode.
Step 9
show arp access-list [acl-name]
show ip arp inspection vlan vlan-range
show ip arp inspection interfaces
Verify your entries.
Step 10
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 0001.0001.0001
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no ip arp inspection trust
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene, unless you enable error-disable recovery so that ports automatically emerge from this state after a specified timeout period.
Note
Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the "Dynamic ARP Inspection Configuration Guidelines" section.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
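The rules above (the default limit following the trust state, an explicitly configured limit surviving a trust change, error-disable on a burst, and manual or timed recovery), as an added Python model that is not Cisco's code and not part of this document. The fixed-window way of counting packets per burst interval, the class name ArpLimitedPort and its method names are assumptions of the example:

```python
# Added example, not Cisco code: a model of the per-port ARP rate limit and
# the error-disable it triggers. Fixed-window counting and all names are
# assumptions of this example.
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_UNTRUSTED_PPS = 15       # default on untrusted ports
DEFAULT_BURST_SECONDS = 1        # default burst interval
DEFAULT_RECOVERY_SECONDS = 300   # default errdisable recovery interval


@dataclass
class ArpLimitedPort:
    trusted: bool = False                                   # [no] ip arp inspection trust
    configured: Optional[Tuple[Optional[int], int]] = None  # (pps, burst); None = default
    errdisabled: bool = False
    errdisabled_at: Optional[float] = None
    window_start: float = 0.0
    window_count: int = 0

    def set_trust(self, trusted: bool) -> None:
        """Changing the trust state only moves the DEFAULT limit, never an explicit one."""
        self.trusted = trusted

    def set_limit(self, pps: Optional[int], burst: int = DEFAULT_BURST_SECONDS) -> None:
        """ip arp inspection limit {rate pps [burst interval s] | none}; pps=None is 'none'."""
        self.configured = (pps, burst)

    def clear_limit(self) -> None:
        """no ip arp inspection limit: back to the default for the current trust state."""
        self.configured = None

    def effective_limit(self) -> Tuple[Optional[int], int]:
        if self.configured is not None:
            return self.configured
        return (None if self.trusted else DEFAULT_UNTRUSTED_PPS, DEFAULT_BURST_SECONDS)

    def arp_packet(self, now: float) -> bool:
        """Account one ARP packet arriving at 'now' (seconds). True if the port is still up."""
        if self.errdisabled:
            return False
        pps, burst = self.effective_limit()
        if pps is None:                                 # unlimited
            return True
        if now - self.window_start >= burst:            # start a new burst interval
            self.window_start, self.window_count = now, 0
        self.window_count += 1
        if self.window_count > pps * burst:             # rate exceeded: err-disable the port
            self.errdisabled, self.errdisabled_at = True, now
            return False
        return True

    def shut_no_shut(self) -> None:
        """Manual recovery: shutdown, then no shutdown on the interface."""
        self.errdisabled, self.errdisabled_at, self.window_count = False, None, 0

    def recovery_timer(self, now: float, enabled: bool,
                       interval: int = DEFAULT_RECOVERY_SECONDS) -> bool:
        """errdisable recovery cause arp-inspection: True if the port is up after the timer runs."""
        if self.errdisabled and enabled and now - self.errdisabled_at >= interval:
            self.shut_no_shut()
            self.window_start = now
        return not self.errdisabled


def demo() -> dict:
    """Constructed run: a 16-packet burst trips the default untrusted limit, the
    port recovers by timer, and an explicit limit survives a trust change."""
    port = ArpLimitedPort()
    burst_ok = [port.arp_packet(0.5 + i / 100) for i in range(16)]
    tripped = port.errdisabled                              # 16 packets in 1 s > 15 pps
    still_down = port.recovery_timer(100.0, enabled=True)   # 300 s not yet elapsed
    recovered = port.recovery_timer(301.0, enabled=True)
    port.set_limit(100, burst=2)
    port.set_trust(True)
    kept_after_trust = port.effective_limit()               # (100, 2), not 'none'
    port.clear_limit()
    default_for_trusted = port.effective_limit()            # (None, 1): unlimited
    return {"burst_ok": burst_ok, "tripped": tripped, "still_down": still_down,
            "recovered": recovered, "kept_after_trust": kept_after_trust,
            "default_for_trusted": default_for_trusted}
```

The model makes the operational trap explicit: an untrusted trunk carrying several DAI-enabled VLANs inherits the 15 pps default, so either set an explicit rate (which then stays put when you later trust the port) or use none, and enable errdisable recovery for arp-inspection if you do not want a burst to take the port down until someone logs in.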
Performing Validation Checks
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
Configuring the Log Buffer
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.
Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional.
To return to the default log buffer settings, use the no ip arp inspection log-buffer {entries | logs} global configuration command. To return to the default VLAN log settings, use the no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings} global configuration command. To clear the log buffer, use the clear ip arp inspection log privileged EXEC command.
Displaying Dynamic ARP Inspection Information
To display dynamic ARP inspection information, use the privileged EXEC commands described in Table 2:
To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 3:
For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet received on a trusted dynamic ARP inspection port. For a packet that the ARP ACL or the DHCP bindings permit but that then fails the source MAC, destination MAC, or IP validation check, the switch increments the number of ACL-permitted or DHCP-permitted packets and also increments the appropriate validation failure count; the packet is still dropped.
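The verdict sequence described for untrusted ports (ARP ACL first, DHCP bindings only on an implicit deny without static, validation checks last) together with the counter rule in the paragraph above, as an added Python model that is not Cisco's code and not part of this document. The class names DaiVlan, Ace and ArpPacket, the counter names, the CIDR form of ACE addresses, the set of addresses the ip check rejects, and the sample packets and bindings are assumptions of the example:

```python
# Added example, not Cisco code: a model of the DAI verdict on one ARP packet.
# Counter, class and field names, CIDR-form ACE addresses, the 'ip' check's
# rejected-address set and the sample bindings are assumptions of this example.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class ArpPacket:
    vlan: int
    opcode: str        # "request" or "response"
    eth_src: str       # MAC addresses in the Ethernet header
    eth_dst: str
    sender_ip: str     # IP-to-MAC bindings carried in the ARP body
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class Ace:
    """One ARP ACL entry: ip is 'any' or a CIDR (/32 stands for 'host x'),
    mac is 'any' or an exact MAC; MAC wildcard masks are left out."""
    action: str                   # "permit" or "deny"
    ip: str = "any"
    mac: str = "any"
    opcode: Optional[str] = None  # None matches both requests and responses

    def matches(self, pkt: ArpPacket) -> bool:
        if self.opcode is not None and self.opcode != pkt.opcode:
            return False
        if self.ip != "any" and IPv4Address(pkt.sender_ip) not in IPv4Network(self.ip):
            return False
        return self.mac == "any" or self.mac.lower() == pkt.sender_mac.lower()


def _bad_ip(ip: str) -> bool:
    """Addresses the 'ip' check rejects (assumed: unspecified, broadcast, multicast)."""
    a = IPv4Address(ip)
    return a == IPv4Address("0.0.0.0") or a == IPv4Address("255.255.255.255") or a.is_multicast


COUNTERS = ("forwarded", "dropped", "acl_permits", "dhcp_permits", "acl_drops",
            "dhcp_drops", "src_mac_failures", "dst_mac_failures", "ip_failures")


@dataclass
class DaiVlan:
    acl: list = field(default_factory=list)     # ip arp inspection filter <acl> vlan <n>
    static: bool = False                         # ... [static]
    bindings: set = field(default_factory=set)   # {(vlan, ip, mac)} learned by DHCP snooping
    validate: set = field(default_factory=set)   # subset of {"src-mac", "dst-mac", "ip"}
    stats: dict = field(default_factory=lambda: dict.fromkeys(COUNTERS, 0))

    def _drop(self, counter: str) -> bool:
        self.stats[counter] += 1
        self.stats["dropped"] += 1
        return False

    def inspect(self, pkt: ArpPacket, trusted: bool) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if trusted:                               # trusted ports are not inspected
            self.stats["forwarded"] += 1
            return True
        # 1. ARP ACL: first matching ACE wins; the list ends in an implicit deny.
        ace = next((a for a in self.acl if a.matches(pkt)), None)
        if ace is not None and ace.action == "deny":
            return self._drop("acl_drops")        # explicit deny: bindings not consulted
        if ace is not None:
            self.stats["acl_permits"] += 1
        elif self.static:
            return self._drop("acl_drops")        # implicit deny is final with 'static'
        elif (pkt.vlan, pkt.sender_ip, pkt.sender_mac.lower()) in self.bindings:
            self.stats["dhcp_permits"] += 1       # implicit deny: DHCP bindings decide
        else:
            return self._drop("dhcp_drops")
        # 2. Validation checks run only on packets already permitted, so a
        #    failure here is counted as permitted AND as a validation failure.
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return self._drop("src_mac_failures")
        if ("dst-mac" in self.validate and pkt.opcode == "response"
                and pkt.eth_dst.lower() != pkt.target_mac.lower()):
            return self._drop("dst_mac_failures")
        if "ip" in self.validate and (_bad_ip(pkt.sender_ip) or
                                      (pkt.opcode == "response" and _bad_ip(pkt.target_ip))):
            return self._drop("ip_failures")
        self.stats["forwarded"] += 1
        return True


def demo() -> tuple:
    """Constructed VLAN 1 scenario: 10.0.0.2 is a static host permitted by the ACL,
    10.0.0.3 holds a DHCP lease; the last two packets must be dropped."""
    vlan = DaiVlan(acl=[Ace("permit", "10.0.0.2/32", "0001.0001.0001")],
                   bindings={(1, "10.0.0.3", "0002.0002.0002")},
                   validate={"src-mac", "dst-mac", "ip"})
    bc, h1, h2 = "ffff.ffff.ffff", "0001.0001.0001", "0002.0002.0002"
    gw, bad, zero = "0003.0003.0003", "0009.0009.0009", "0000.0000.0000"
    packets = [
        ArpPacket(1, "request", h1, bc, "10.0.0.2", h1, "10.0.0.1", zero),    # ACL permit
        ArpPacket(1, "response", h2, gw, "10.0.0.3", h2, "10.0.0.1", gw),     # DHCP binding permit
        ArpPacket(1, "response", bad, gw, "10.0.0.3", bad, "10.0.0.1", gw),   # claims 10.0.0.3: DHCP drop
        ArpPacket(1, "request", bad, bc, "10.0.0.2", h1, "10.0.0.1", zero),   # ACL permit, src-mac fails
    ]
    return [vlan.inspect(p, trusted=False) for p in packets], vlan.stats
```

Two consequences of the ordering are worth reading off the model: an explicit deny ACE beats a valid DHCP binding, so a deny written too broadly silently cuts off leased hosts, and a packet dropped by a validation check still shows up in the ACL- or DHCP-permitted counters, so those counters alone do not tell you what was forwarded.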
To clear or display dynamic ARP inspection logging information, use the privileged EXEC commands in Table 4:
For more information about commands that support this feature, see these sections:
•
"clear ip arp inspection log" section
•
"clear ip arp inspection statistics" section
•
"debug platform ip arp inspection" section
•
"deny (ARP access-list configuration)" section
•
"errdisable detect cause" section
•
"errdisable recovery" section
•
"ip arp inspection filter vlan" section
•
"ip arp inspection limit" section
•
"ip arp inspection log-buffer" section
•
"ip arp inspection trust" section
•
"ip arp inspection validate" section
•
"ip arp inspection vlan" section
•
"ip arp inspection vlan logging" section
•
"permit (ARP access-list configuration)" section
•
"show arp access-list" section
•
"show ip arp inspection" section
IfIndex Persistence
This release supports the ifIndex Persistence feature. Use this information with the "Configuring SNMP" chapter:
SNMP ifIndex MIB Object Values
In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns port 2 an ifIndex value of 10003, this value is the same after the switch reboots.
Use the snmp-server ifindex persist global configuration command to enable ifindex persistence on the switch.
IGMP Snooping Querier
This release supports the IGMP snooping querier feature. Use this information with the "Configuring IGMP Snooping" chapter:
This section contains these topics about IGMP snooping querier feature:
•
"Understanding the IGMP Snooping Querier" section
•
"IGMP Snooping Querier Configuration Guidelines and Restrictions" section
•
"Configuring the IGMP Snooping Querier" section
Understanding the IGMP Snooping Querier
You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed. For more information about the IGMP snooping querier, see the "Configuring the IGMP Snooping Querier" section.
IGMP Snooping Querier Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring the IGMP snooping querier:
•
The IGMP snooping querier is disabled by default.
•
Configure the VLAN in global configuration mode.
•
Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.
•
If there is no IP address configured on the VLAN interface, the IGMP snooping querier tries to use the configured global IP address for the IGMP querier. If there is no global IP address specified, the IGMP querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI IP address, the switch uses the first available IP address configured on the switch. The first available IP address can be seen in the output of the show ip interface privileged EXEC command. The IGMP snooping querier does not generate an IGMP general query if it cannot find an available IP address on the switch.
•
The IGMP snooping querier supports IGMP Versions 1 and 2.
•
When administratively enabled, the IGMP snooping querier moves to the non-querier state if it detects the presence of a multicast router in the network.
•
When it is administratively enabled, the IGMP snooping querier moves to the operationally-disabled state under these conditions:
–
IGMP snooping is disabled in the VLAN.
–
PIM is enabled on the SVI of the corresponding VLAN.
Configuring the IGMP Snooping Querier
To enable the IGMP snooping querier feature in a VLAN, follow these steps:
This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.64
Switch(config)# end
This example shows how to set the IGMP snooping querier query interval to 25 seconds:
Switch# configure terminal
Switch(config)# ip igmp snooping querier query-interval 25
Switch(config)# end
This example shows how to set the IGMP snooping querier expiry timer to 60 seconds:
Switch# configure terminal
Switch(config)# ip igmp snooping querier timer expiry 60
Switch(config)# end
This example shows how to set the IGMP snooping querier to version 2:
Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end
You can verify these settings by entering the show ip igmp snooping querier detail privileged EXEC command.
For more information about commands that support this feature, see these sections:
•
"ip igmp snooping querier" section
•
"show ip igmp snooping querier detail" section
Configuring IP Source Guard
This release supports the IP source guard feature. Use this information with the "Configuring DHCP Features" chapter:
•
Understanding IP Source Guard
•
Displaying IP Source Guard Information
Understanding IP Source Guard
IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IP source guard is supported only on Layer 2 ports, including access and trunk ports. You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering.
To use this feature, you must have the enhanced multilayer image (EMI) installed on your switch.
Source IP Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL with the IP source binding changes and re-applies the port ACL to the interface.
If you enable IP source guard on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IP source guard, the switch removes the port ACL from the interface.
Source IP and MAC Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.
When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.
The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
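The two filtering modes described above (source IP filtering, and source IP and MAC filtering), the always-permitted DHCP traffic, the deny-all port ACL when a port has no bindings, and the ACL rebuild when a binding disappears, as an added Python model that is not Cisco's code and not part of this document. The class names SourceGuard and Frame, the method names, the interface names and the sample bindings (reusing the MAC and IP values from this section's configuration example) are assumptions of the example:

```python
# Added example, not Cisco code: a model of the IP source guard port ACL that
# the text describes. Class, method and interface names and the sample
# bindings are assumptions of this example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Frame:
    interface: str
    vlan: int
    src_mac: str
    src_ip: Optional[str] = None   # None for a non-IP frame
    is_dhcp: bool = False


@dataclass
class SourceGuard:
    # (interface, vlan) -> {(ip, mac)}: DHCP snooping leases plus static bindings
    bindings: Dict[Tuple[str, int], Set[Tuple[str, str]]] = field(default_factory=dict)
    # interface -> "ip" (ip verify source) or "ip-mac" (ip verify source port-security)
    mode: Dict[str, str] = field(default_factory=dict)

    def add_binding(self, interface: str, vlan: int, ip: str, mac: str) -> None:
        """A lease learned by DHCP snooping, or 'ip source binding <mac> vlan <n> <ip> interface <if>'."""
        self.bindings.setdefault((interface, vlan), set()).add((ip, mac.lower()))

    def remove_binding(self, interface: str, vlan: int, ip: str, mac: str) -> None:
        """Lease expiry or 'no ip source binding ...': the port ACL is rebuilt without it."""
        self.bindings.get((interface, vlan), set()).discard((ip, mac.lower()))

    def enable(self, interface: str, with_mac: bool = False) -> None:
        self.mode[interface] = "ip-mac" if with_mac else "ip"

    def disable(self, interface: str) -> None:
        self.mode.pop(interface, None)      # no ip verify source: port ACL removed

    def permits(self, f: Frame) -> bool:
        """The port ACL decision for one ingress frame."""
        mode = self.mode.get(f.interface)
        if mode is None or f.is_dhcp:       # ISG off, or DHCP so the host can obtain a lease
            return True
        allowed = self.bindings.get((f.interface, f.vlan), set())   # empty set: deny all IP
        if mode == "ip":
            # source IP filtering looks only at IP traffic and only at the source IP
            return f.src_ip is None or any(ip == f.src_ip for ip, _ in allowed)
        # source IP and MAC filtering: port security also screens non-IP frames
        mac = f.src_mac.lower()
        if f.src_ip is None:
            return any(m == mac for _, m in allowed)
        return (f.src_ip, mac) in allowed


def demo() -> Dict[str, bool]:
    """Constructed scenario using the binding values from the text's example."""
    isg = SourceGuard()
    isg.enable("Gi0/1")                    # ip verify source
    isg.enable("Gi0/2", with_mac=True)     # ip verify source port-security
    isg.enable("Gi0/3")                    # enabled, but no bindings exist for it
    isg.add_binding("Gi0/1", 10, "10.0.0.2", "0100.0022.0010")
    isg.add_binding("Gi0/2", 11, "10.0.0.4", "0100.0230.0002")
    out = {
        "dhcp_before_lease": isg.permits(Frame("Gi0/1", 10, "aaaa.aaaa.aaaa", "0.0.0.0", is_dhcp=True)),
        "bound_ip_any_mac": isg.permits(Frame("Gi0/1", 10, "aaaa.aaaa.aaaa", "10.0.0.2")),
        "spoofed_ip": isg.permits(Frame("Gi0/1", 10, "0100.0022.0010", "10.0.0.9")),
        "non_ip_ip_mode": isg.permits(Frame("Gi0/1", 10, "aaaa.aaaa.aaaa")),
        "ip_and_mac_match": isg.permits(Frame("Gi0/2", 11, "0100.0230.0002", "10.0.0.4")),
        "ip_match_wrong_mac": isg.permits(Frame("Gi0/2", 11, "aaaa.aaaa.aaaa", "10.0.0.4")),
        "non_ip_unbound_mac": isg.permits(Frame("Gi0/2", 11, "aaaa.aaaa.aaaa")),
        "no_bindings_port": isg.permits(Frame("Gi0/3", 10, "0100.0022.0010", "10.0.0.2")),
    }
    isg.remove_binding("Gi0/1", 10, "10.0.0.2", "0100.0022.0010")
    out["after_lease_expiry"] = isg.permits(Frame("Gi0/1", 10, "0100.0022.0010", "10.0.0.2"))
    return out
```

The bound_ip_any_mac and non_ip_ip_mode results show why source IP filtering alone does not stop a host that spoofs a neighbour's MAC address or sends non-IP frames; only the port-security variant closes those gaps, at the cost of the port being shut down on a port-security violation.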
Configuring IP Source Guard
This section describes how to configure IP source guard on your switch.
•
Default IP Source Guard Configuration
•
IP Source Guard Configuration Guidelines
•
Displaying IP Source Guard Information
Default IP Source Guard Configuration
By default, IP source guard is disabled.
IP Source Guard Configuration Guidelines
These are the configuration guidelines for IP source guard:
•
You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:
Static IP source binding can only be configured on switch port.
•
When IP source guard with source IP filtering is enabled on a VLAN, DHCP snooping must be enabled on the access VLAN to which the interface belongs.
•
If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.
Note
If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.
•
When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.
•
When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.
•
IP source guard is not supported on EtherChannels.
•
You can enable this feature when 802.1x port-based authentication is enabled.
•
If the number of ternary content addressable memory (TCAM) entries exceeds the maximum available, the CPU usage increases.
Enabling IP Source Guard
Beginning in privileged EXEC mode, follow these steps to enable and configure IP source guard on an interface.
To disable IP source guard with source IP address filtering, use the no ip verify source interface configuration command.
To delete a static IP source binding entry, use the no ip source global configuration command.
This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet0/2
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet0/2
Switch(config)# end
Displaying IP Source Guard Information
To display the IP source guard information, use one or more of the privileged EXEC commands in Table 5:
For more information about commands that support this feature, see these sections:
•
"debug ip verify source packet" section
•
"show ip source binding" section
•
"show ip verify source" section
SmartPort Enhancements
This is an update to the "Configuring Smartports Macros" chapter:
In Cisco IOS Release 12.1(22)EA3 or later, the switch supports the default cisco-desktop Smartports macro that you use when connecting the switch and a wireless access point.
Deleting SVIs
In Chapter 10, "Configuring Interface Characteristics," this new information applies:
You cannot delete interface VLAN 1.
In previous releases, deleting the switch virtual interface (SVI) for VLAN 1 was allowed, but the interface would reappear by default after the switch was reloaded.
Configuring Router ACLs
In Chapter 27, "Configuring Network Security with ACLs," configuration guidelines have been added for configuring input router ACLs. There can be a large increase in the number of TCAM entries when the input router ACLs are applied. If the number of TCAM entries exceeds the allocated resources, ACL filtering is done in software instead of hardware, which can have a negative impact on performance.
There are several ways to prevent excessive TCAM usage:
•
Use the sdm prefer access global configuration command to change the switch database management (SDM) template to allow more access lists.
•
Use output router ACLs instead of input router ACLs.
•
Minimize the TCAM usage of input router ACLs by configuring explicit permits or denies.
When an input router ACL is applied, it is automatically merged with an implicit ACL that matches against routing protocol packets and sends them to the protocol queue. This merge results in additional TCAM entries. To minimize the number of entries, you can configure router ACLs to explicitly permit or deny routing protocols, such as RIP, EIGRP, OSPF, BGP, and PIM, by configuring permit or deny ACEs at the beginning of the ACL.
This is an example of how to configure an input router ACL to minimize TCAM usage:
Switch(config)# access-list 100 [permit|deny] tcp any any eq bgp
Switch(config)# access-list 100 [permit|deny] eigrp any any
Switch(config)# access-list 100 [permit|deny] pim any any
Switch(config)# access-list 100 [permit|deny] ospf any any
Switch(config)# access-list 100 [permit|deny] udp any any eq rip
Switch(config)# access-list 100 ...... ACL 100's ACE(s)
Switch(config)# exit
Unsupported CLI Commands
In Appendix C, "Unsupported CLI Commands in Cisco IOS Release 12.2(25)SE", this fallback bridging privileged EXEC command is not supported:
bridge bridge-group acquire
Configuring a System Name and Prompt
The "Configuring a System Name and Prompt" section and the "Configuring a System Prompt" section of the "Administering the Switch" chapter incorrectly state that you can manually configure the prompt global configuration command. The switch does not support this command. You should ignore this information in printed and online copies of the software configuration guide.
Updates to the Catalyst 3550 Multilayer Switch Command Reference
This section contains these updates to the Catalyst 3550 Multilayer Switch Command Reference:
•
"clear ip arp inspection log" section
•
"clear ip arp inspection statistics" section
•
"debug ip verify source packet" section
•
"deny (ARP access-list configuration)" section
•
"errdisable detect cause" section
•
"errdisable recovery" section
•
"ip arp inspection filter vlan" section
•
"ip arp inspection limit" section
•
"ip arp inspection log-buffer" section
•
"ip arp inspection trust" section
•
"ip arp inspection validate" section
•
"ip arp inspection vlan" section
•
"ip arp inspection vlan logging" section
•
"ip dhcp snooping database" section
•
"ip igmp snooping querier" section
•
"permit (ARP access-list configuration)" section
•
"show arp access-list" section
•
"show ip arp inspection" section
•
"show ip dhcp snooping database" section
•
"show ip igmp snooping querier detail" section
•
"show ip source binding" section
•
"show ip verify source" section
arp access-list
Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
arp access-list acl-name
no arp access-list acl-name
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
No ARP access lists are defined.
Command Modes
Global configuration
Command History
Usage Guidelines
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
•
default: returns a command to its default setting.
•
deny: specifies packets to reject. For more information, see the "deny (ARP access-list configuration)" section.
•
exit: exits ARP access-list configuration mode.
•
no: negates a command or returns to default settings.
•
permit: specifies packets to forward. For more information, see the "permit (ARP access-list configuration)" section.
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
clear ip arp inspection log
Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
clear ip arp inspection log
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the contents of the log buffer:
Switch# clear ip arp inspection log
You can verify that the log was cleared by entering the show ip arp inspection log privileged EXEC command.
Related Commands
clear ip arp inspection statistics
Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
clear ip arp inspection statistics [vlan vlan-range]
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the statistics for VLAN 1:
Switch# clear ip arp inspection statistics vlan 1
You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
Related Commands
debug platform ip arp inspection
Use the debug platform ip arp inspection privileged EXEC command to debug dynamic Address Resolution Protocol (ARP) inspection events. Use the no form of this command to disable debugging.
debug platform ip arp inspection {all | error | event | packet | rpc}
no debug platform ip arp inspection {all | error | event | packet | rpc}
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
Debugging is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The undebug platform ip arp inspection command is the same as the no debug platform ip arp inspection command.
Related Commands
debug ip verify source packet
Use the debug ip verify source packet privileged EXEC command to enable debugging of IP source guard. Use the no form of this command to disable debugging.
debug ip verify source packet
no debug ip verify source packet
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The undebug ip verify source packet command is the same as the no debug ip verify source packet command.
Related Commands
deny (ARP access-list configuration)
Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet that matches the sender (and, for responses, target) IP and MAC addresses specified in the entry; the DHCP bindings are not consulted for a packet that an explicit deny matches. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.
Command Modes
ARP access-list configuration
Command History
Usage Guidelines
You can add deny clauses to drop ARP packets based on matching criteria.
Examples
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
errdisable detect cause
Use the errdisable detect cause global configuration command to enable error-disabled detection for a specific cause or all causes. Use the no form of this command to disable the error-disabled detection feature.
errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}
no errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}
Syntax Description
Defaults
Detection is enabled for all causes.
Command Modes
Global configuration
Command History
Usage Guidelines
A cause (all, dhcp-rate-limit, and so forth) is the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state, an operational state that is similar to a link-down state.
If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.
Examples
This example shows how to enable error-disabled detection for the link-flap error-disable cause:
Switch(config)# errdisable detect cause link-flap
You can verify your setting by entering the show errdisable detect privileged EXEC command.
Related Commands
errdisable recovery
Use the errdisable recovery global configuration command to configure the recovery mechanism variables. Use the no form of this command to return to the default setting.
errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps} | {interval interval}
no errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps} | {interval interval}
Syntax Description
Note
Though visible in the command-line help strings, the ilpower, storm-control, and unicast-flood keywords are not supported.
Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
A cause (all, bpduguard, and so forth) is defined as the reason that the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in the error-disabled state, an operational state similar to the link-down state. If you enable recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all the causes have timed out. If you do not enable error-disabled recovery for the cause, the interface stays in the error-disabled state until you enter the shutdown and then the no shutdown interface configuration commands to recover it manually.
Examples
This example shows how to enable the recovery timer for the BPDU guard error-disable cause:
Switch(config)# errdisable recovery cause bpduguard
This example shows how to set the timer to 500 seconds:
Switch(config)# errdisable recovery interval 500
You can verify your settings by entering the show errdisable recovery privileged EXEC command.
Related Commands
ip arp inspection filter vlan
Use the ip arp inspection filter vlan global configuration command to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings.
ip arp inspection filter arp-acl-name vlan vlan-range [static]
no ip arp inspection filter arp-acl-name vlan vlan-range [static]
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
No defined ARP ACLs are applied to any VLAN.
Command Modes
Global configuration
Command History
Usage Guidelines
When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.
If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static, which means that packets are not compared against the bindings).
Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.
Examples
This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:
Switch(config)# ip arp inspection filter static-hosts vlan 1
You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.
Related Commands
ip arp inspection limit
Use the ip arp inspection limit interface configuration command to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from consuming all of the switch resources during a denial-of-service attack. Use the no form of this command to return to the default settings.
ip arp inspection limit {rate pps [burst interval seconds] | none}
no ip arp inspection limit
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all trusted interfaces.
The burst interval is 1 second.
Command Modes
Interface configuration
Command History
Usage Guidelines
The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.
If the switch receives more than the configured rate of packets in each second of a number of consecutive seconds equal to the burst interval, the interface is placed into an error-disabled state.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.
The rate of incoming ARP packets on an EtherChannel port equals the sum of the incoming ARP packet rates on all the channel members. Configure the rate limit for an EtherChannel port only after examining the rate of incoming ARP packets on all the channel members.
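The rate-limit, error-disable, and recovery behavior described in these guidelines, modeled in Python as an added example (not Cisco code and not part of this command reference). The per-second ARP counts, the interface names, and the one-second tick are constructed inputs and assumptions chosen to match the burst-interval granularity described above; the model also shows that an explicitly configured rate survives a trust-state change and that an EtherChannel port sees the sum of its members' rates.

```python
"""Model of the DAI per-interface rate limit, the error-disable trigger, and errdisable recovery.

Added example, not Cisco code. Time advances one tick per second; traffic is a
constructed list of ARP packets-per-second values fed to DaiPort.tick().
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_UNTRUSTED_PPS = 15  # default 'ip arp inspection limit' rate on an untrusted interface


@dataclass
class DaiPort:
    name: str
    trusted: bool = False                     # 'ip arp inspection trust'
    burst: int = 1                            # 'burst interval' seconds
    explicit_rate: Optional[int] = None       # 'ip arp inspection limit rate N' (None = not configured)
    unlimited: bool = False                   # 'ip arp inspection limit none'
    recovery_interval: Optional[int] = None   # 'errdisable recovery interval' (None = recovery disabled)
    errdisabled_at: Optional[int] = None      # second at which the port was error-disabled
    over_count: int = 0                       # consecutive seconds above the rate

    @property
    def rate(self) -> Optional[int]:
        """Effective limit: an explicitly configured rate survives trust-state changes;
        otherwise the default for the trust state applies (unlimited on trusted ports)."""
        if self.unlimited:
            return None
        if self.explicit_rate is not None:
            return self.explicit_rate
        return None if self.trusted else DEFAULT_UNTRUSTED_PPS

    def clear_limit(self) -> None:
        """'no ip arp inspection limit': revert to the default for the current trust state."""
        self.explicit_rate = None
        self.unlimited = False

    def errdisabled(self) -> bool:
        return self.errdisabled_at is not None

    def tick(self, t: int, arp_pps: int) -> str:
        """Account one second of incoming ARP traffic and return the port state afterwards."""
        if self.errdisabled():
            if self.recovery_interval is not None and t - self.errdisabled_at >= self.recovery_interval:
                self.errdisabled_at = None
                self.over_count = 0
                return "recovered"
            return "err-disabled"
        if self.rate is None or arp_pps <= self.rate:
            self.over_count = 0  # the burst window counts consecutive over-rate seconds only
            return "forwarding"
        self.over_count += 1
        if self.over_count >= self.burst:
            self.errdisabled_at = t
            return "err-disabled"
        return "forwarding"


def run(port: DaiPort, traffic: List[int], start: int = 0) -> List[str]:
    """Feed a per-second ARP rate series (constructed input) and return the state after each second."""
    return [port.tick(start + i, pps) for i, pps in enumerate(traffic)]


def etherchannel_pps(member_pps: List[int]) -> int:
    """The ARP rate seen on an EtherChannel port is the sum over its member links."""
    return sum(member_pps)


if __name__ == "__main__":
    # A trunk left at the untrusted default (15 pps) carrying three VLANs at 10 pps each is
    # error-disabled after one second; with 'ip arp inspection limit rate 100' it stays up.
    print(run(DaiPort("Gi0/1"), [30]))
    print(run(DaiPort("Gi0/1", explicit_rate=100), [30, 30, 30]))
    # Two members at 8 pps each are individually under the default but trip the channel port.
    print(run(DaiPort("Po1"), [etherchannel_pps([8, 8])]))
    # 'ip arp inspection limit rate 25 burst interval 5' plus 'errdisable recovery interval 300':
    # one second at or below the rate resets the window, so the port trips only at t = 9.
    port = DaiPort("Gi0/2", explicit_rate=25, burst=5, recovery_interval=300)
    print(run(port, [30, 30, 30, 30, 20, 30, 30, 30, 30, 30]))
    print(run(port, [0] * 300, start=10)[-1])  # recovered at t = 9 + 300
```

The trunk case is the one that bites in practice: a trunk carrying several DAI-enabled VLANs left at the untrusted default is error-disabled by aggregate legitimate traffic, which a host on any of those VLANs can also provoke deliberately. Raise the rate on trunks and channel ports, and pair the limit with errdisable recovery so the outage is bounded.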
Examples
This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection limit rate 25 burst interval 5
You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
Related Commands
Command	Description
show ip arp inspection interfaces	Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.
ip arp inspection log-buffer
Use the ip arp inspection log-buffer global configuration command to configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer. Use the no form of this command to return to the default settings.
ip arp inspection log-buffer {entries number | logs number interval seconds}
no ip arp inspection log-buffer {entries | logs}
Syntax Description
Defaults
When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.
The number of log entries is 32.
The number of system messages is limited to 5 per second.
The logging-rate interval is 1 second.
Command Modes
Global configuration
Command History
Usage Guidelines
A value of 0 is not allowed for both the logs and the interval keywords.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.
A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.
Examples
This example shows how to configure the logging buffer to hold up to 45 entries:
Switch(config)# ip arp inspection log-buffer entries 45
This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.
Switch(config)# ip arp inspection log-buffer logs 20 interval 4
You can verify your settings by entering the show ip arp inspection log privileged EXEC command.
Related Commands
ip arp inspection trust
Use the ip arp inspection trust interface configuration command to configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to return to the default setting.
ip arp inspection trust
no ip arp inspection trust
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
This command has no arguments or keywords.
Defaults
The interface is untrusted.
Command Modes
Interface configuration
Command History
Usage Guidelines
The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.
Examples
This example shows how to configure a port to be trusted:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection trust
You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
Related Commands
ip arp inspection validate
Use the ip arp inspection validate global configuration command to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to return to the default settings.
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
no ip arp inspection validate [src-mac] [dst-mac] [ip]
Syntax Description
Defaults
No checks are performed.
Command Modes
Global configuration
Command History
Usage Guidelines
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
If you first specify the src-mac keyword, you also can specify the dst-mac and ip keywords. If you first specify the ip keyword, no other keywords can be specified.
The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.
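The order in which the ARP ACL, the DHCP snooping bindings, and these validation checks are applied to a packet on an untrusted port, modeled in Python as an added example (not Cisco code and not part of this command reference). It follows the precedence described under ip arp inspection filter vlan (explicit deny is final; implicit deny falls through to the bindings unless the ACL is static) and the logging caveat described under ip arp inspection vlan logging. It assumes the VLAN is configured with logging acl-match matchlog, so an ACL match is logged only when its ACE carries the log keyword; the ACL, bindings, and packets are constructed.

```python
"""Model of the dynamic ARP inspection (DAI) decision pipeline on an untrusted port.

Added example, not Cisco code: ARP ACL first, then DHCP snooping bindings, then
the optional 'ip arp inspection validate' checks. Assumes 'logging acl-match
matchlog', so an ACL match is logged only when its ACE carries 'log'.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str                     # ARP body: sender hardware address
    src_mac: str                        # Ethernet header: source address
    response: bool = False              # False = ARP request, True = ARP reply
    target_ip: str = "0.0.0.0"
    target_mac: str = "0000.0000.0000"  # ARP body: target hardware address
    dst_mac: str = "ffff.ffff.ffff"     # Ethernet header: destination address


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    ip: IPv4Network              # sender IP match; 'host a.b.c.d' is a /32
    mac: Optional[str] = None    # sender MAC to match; None means 'mac any'
    log: bool = False            # the 'log' keyword on the ACE


@dataclass
class VlanPolicy:
    bindings: dict                            # sender IP -> MAC (DHCP snooping database, ip source binding)
    acl: list = field(default_factory=list)   # ARP ACL from 'ip arp inspection filter <acl> vlan <n>'
    static: bool = False                      # 'static' keyword: implicit deny is final, bindings unused
    validate: frozenset = frozenset()         # keywords given to 'ip arp inspection validate'


@dataclass(frozen=True)
class Verdict:
    forwarded: bool
    reason: str       # named after the columns of 'show ip arp inspection statistics'
    logged: bool      # whether the packet produces a log-buffer entry


def _ip_invalid(ip: str) -> bool:
    """Addresses the 'ip' validation check rejects: 0.0.0.0, 255.255.255.255, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect(pkt: ArpPacket, policy: VlanPolicy) -> Verdict:
    """Return the DAI verdict for one ARP packet received on an untrusted port."""
    permitted = None  # (reason, logged) once the ACL or the bindings permit the packet

    # Step 1: the ARP ACL, if one is applied. The first matching ACE wins.
    for ace in policy.acl:
        if IPv4Address(pkt.sender_ip) in ace.ip and ace.mac in (None, pkt.sender_mac):
            if ace.action == "deny":
                return Verdict(False, "ACL Deny", ace.log)   # explicit deny: dropped, no fallback
            permitted = ("ACL Permit", ace.log)
            break
    else:
        if policy.acl and policy.static:
            # Implicit deny at the end of a static ACL: final, and it carries no 'log' keyword.
            return Verdict(False, "ACL Deny", False)

    # Step 2: the DHCP snooping bindings, unless the ACL already permitted the packet.
    if permitted is None:
        if policy.bindings.get(pkt.sender_ip) == pkt.sender_mac:
            permitted = ("DHCP Permit", False)
        else:
            return Verdict(False, "DHCP Deny", True)         # denied packets are logged by default

    # Step 3: the optional validation checks on a packet that is otherwise permitted.
    if "src-mac" in policy.validate and pkt.src_mac != pkt.sender_mac:
        return Verdict(False, "Source MAC Failure", True)
    if "dst-mac" in policy.validate and pkt.response and pkt.dst_mac != pkt.target_mac:
        return Verdict(False, "Dest MAC Failure", True)
    if "ip" in policy.validate and (_ip_invalid(pkt.sender_ip) or (pkt.response and _ip_invalid(pkt.target_ip))):
        return Verdict(False, "IP Validation Failure", True)
    return Verdict(True, *permitted)


# Constructed scenario (assumption): one static host in the ARP ACL, one DHCP client in the bindings.
STATIC_HOSTS_ACL = [Ace("permit", IPv4Network("10.1.1.1/32"), "0000.0000.abcd", log=True)]
BINDINGS = {"10.1.1.20": "0001.0000.d774"}
POLICY = VlanPolicy(BINDINGS, STATIC_HOSTS_ACL, validate=frozenset({"src-mac", "ip"}))
STATIC_POLICY = VlanPolicy(BINDINGS, STATIC_HOSTS_ACL, static=True, validate=POLICY.validate)

STATIC_HOST = ArpPacket("10.1.1.1", "0000.0000.abcd", "0000.0000.abcd")
DHCP_HOST = ArpPacket("10.1.1.20", "0001.0000.d774", "0001.0000.d774")
SPOOF_DHCP_IP = ArpPacket("10.1.1.20", "0003.0000.d673", "0003.0000.d673")  # claims the DHCP client's IP
FORGED_BODY = ArpPacket("10.1.1.1", "0000.0000.abcd", "0000.0000.beef")    # ARP body MAC != frame source
BAD_TARGET = ArpPacket("10.1.1.1", "0000.0000.abcd", "0000.0000.abcd", response=True,
                       target_ip="255.255.255.255", target_mac="0001.0000.d774", dst_mac="0001.0000.d774")

if __name__ == "__main__":
    cases = [("static host", STATIC_HOST), ("dhcp host", DHCP_HOST), ("spoofed dhcp ip", SPOOF_DHCP_IP),
             ("forged body", FORGED_BODY), ("bad target", BAD_TARGET)]
    for name, pkt in cases:
        print(f"{name:16s} filter={inspect(pkt, POLICY)}  filter static={inspect(pkt, STATIC_POLICY)}")
```

Two outcomes are worth noticing. With the static keyword, a legitimate DHCP client that is not listed in the ACL is dropped with an unlogged ACL Deny, because the bindings are never consulted and the implicit deny has no log keyword; and a spoofed packet that passes the ACL on its ARP body alone is still caught by the src-mac check, which is why the validate options are worth enabling alongside the ACL.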
Examples
This example shows how to enable source MAC validation:
Switch(config)# ip arp inspection validate src-mac
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
Related Commands
Command	Description
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.
ip arp inspection vlan
Use the ip arp inspection vlan global configuration command to enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
vlan-range
VLAN number or range.
You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
Defaults
ARP inspection is disabled on all VLANs.
Command Modes
Global configuration
Command History
Usage Guidelines
You must specify the VLANs on which to enable dynamic ARP inspection.
Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
Examples
This example shows how to enable dynamic ARP inspection on VLAN 1:
Switch(config)# ip arp inspection vlan 1
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
Related Commands
ip arp inspection vlan logging
Use the ip arp inspection vlan logging global configuration command to control the type of packets that are logged per VLAN. Use the no form of this command to disable this logging control.
ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}
Syntax Description
Defaults
All denied or all dropped packets are logged.
Command Modes
Global configuration
Command History
Usage Guidelines
The term logged means that the entry is placed into the log buffer and that a system message is generated.
The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when Address Resolution Protocol (ARP) packets are denied. These are the options:
•
acl-match—Logging on ACL matches is reset to log on deny.
•
dhcp-bindings—Logging on DHCP binding matches is reset to log on deny.
If neither the acl-match or the dhcp-bindings keywords are specified, all denied packets are logged.
The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.
Examples
This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:
Switch(config)# arp access-list test1
Switch(config-arp-nacl)# permit request ip any mac any log
Switch(config-arp-nacl)# permit response ip any any mac any any log
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection vlan 1 logging acl-match matchlog
You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
Related Commands
ip dhcp snooping database
Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.
ip dhcp snooping database {{flash:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename} | timeout seconds | write-delay seconds}
no ip dhcp snooping database [timeout | write-delay]
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Defaults
The URL for the database agent or binding file is not defined.
The timeout value is 300 seconds (5 minutes).
The write-delay value is 300 seconds (5 minutes).
Command Modes
Global configuration
Command History
Usage Guidelines
The DHCP snooping binding database can have up to 8192 bindings.
To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) be enabled and configured for these features:
•
NTP authentication
•
NTP peer and server associations
•
NTP broadcast service
•
NTP access restrictions
•
NTP packet source IP address
If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.
Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write bindings to the binding file at that URL for the first time.
Use the ip dhcp snooping database flash:/filename command to save the DHCP snooping binding database in the stack master NVRAM. The database is not saved in a stack member NVRAM.
Use the no ip dhcp snooping database command to disable the agent.
Use the no ip dhcp snooping database timeout command to reset the timeout value.
Use the no ip dhcp snooping database write-delay command to reset the write-delay value.
Examples
This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory. A file named file must be present on the TFTP server.
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file
This example shows how to store a binding file called file01.txt in the stack master NVRAM.
Switch(config)# ip dhcp snooping database flash:file01.txt
You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.
Related Commands
ip dhcp snooping information option allowed-untrusted
Use the ip dhcp snooping information option allowed-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information from an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.
ip dhcp snooping information option allowed-untrusted
no ip dhcp snooping information option allowed-untrusted
Note
Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
Syntax Description
This command has no arguments or keywords.
Defaults
The switch drops DHCP packets with option-82 information from an edge switch.
Command Modes
Global configuration
Command History
Release	Modification
12.1(22)EA3	This command was introduced. It is supported on switches running Cisco IOS Release 12.1(22)EA3 or Cisco IOS Release 12.2(25)SEA or later.
Usage Guidelines
You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted interface and does not learn DHCP snooping bindings for connected devices on a trusted interface.
If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allowed-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted interface. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted interface.
Examples
This example shows how to configure an aggregation switch to accept DHCP packets with option-82 information that arrive on untrusted interfaces from an edge switch, without checking the option-82 information:
Switch(config)# ip dhcp snooping information option allowed-untrusted
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Related Commands
Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.
ip igmp snooping querier
Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to disable the IGMP querier feature or to reset the parameters to the default settings.
ip igmp snooping querier [address {ip-address} | max-response-time response-time | query-interval | tcn query [count count | interval interval] | timer expiry | version version]
no ip igmp snooping querier [address | max-response-time | query-interval | tcn query { count count | interval interval} | timer expiry | version]
Syntax Description
Defaults
The IGMP snooping querier feature is globally disabled on the switch.
When enabled, the IGMP snooping querier disables itself if it detects IGMP traffic from a multicast-enabled device.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier.
By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).
Non-RFC-compliant devices running IGMPv1 might reject IGMP general query messages that have a nonzero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.
Examples
This example shows how to globally enable the IGMP snooping querier feature:
Switch(config)# ip igmp snooping querier
This example shows how to globally disable the IGMP snooping querier feature:
Switch(config)# no ip igmp snooping querier
This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:
Switch(config)# ip igmp snooping querier max-response-time 25
This example shows how to set the IGMP snooping querier interval time to 60 seconds:
Switch(config)# ip igmp snooping querier query-interval 60
This example shows how to set the IGMP snooping querier TCN query count to 25:
Switch(config)# ip igmp snooping querier tcn query count 25
This example shows how to set the IGMP snooping querier timeout to 60 seconds:
Switch(config)# ip igmp snooping querier timer expiry 60
This example shows how to set the IGMP snooping querier feature to version 2:
Switch(config)# ip igmp snooping querier version 2
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Related Commands
ip source binding
Use the ip source binding global configuration command to configure static IP source bindings on the switch. Use the no form of this command to delete static bindings.
ip source binding mac-address vlan vlan-id ip-address interface interface-id
no ip source binding mac-address vlan vlan-id ip-address interface interface-id
Syntax Description
Defaults
No IP source bindings are configured.
Command Modes
Global configuration
Command History
Usage Guidelines
A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is keyed on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the existing entry instead of creating a new one.
Examples
This example shows how to add a static IP source binding:
Switch(config)# ip source binding 0001.1234.1234 vlan 1 172.20.50.5 interface gigabitethernet0/1
This example shows how to add a static binding and then modify the IP address for it:
Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.25 interface gigabitethernet0/1
Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.30 interface gigabitethernet0/1
You can verify your settings by entering the show ip source binding privileged EXEC command.
Related Commands
Command	Description
ip verify source	Enables IP source guard on an interface.
show ip source binding	Displays the IP source bindings on the switch.
show ip verify source	Displays the IP source guard configuration on the switch or on a specific interface.
ip verify source
Use the ip verify source interface configuration command to enable IP source guard on an interface. Use the no form of this command to disable IP source guard.
ip verify source [port-security]
no ip verify source
Syntax Description
port-security
(Optional) Enable IP source guard with IP and MAC address filtering.
If you do not enter the port-security keyword, IP source guard with IP address filtering is enabled.
Defaults
IP source guard is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.
To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.
Examples
This example shows how to enable IP source guard with source IP address filtering:
Switch(config-if)# ip verify source
This example shows how to enable IP source guard with source IP and MAC address filtering:
Switch(config-if)# ip verify source port-security
You can verify your settings by entering the show ip verify source privileged EXEC command.
Related Commands
Command	Description
ip source binding	Configures static bindings on the switch.
show ip verify source	Displays the IP source guard configuration on the switch or on a specific interface.
permit (ARP access-list configuration)
Use the permit Address Resolution Protocol (ARP) access-list configuration command to permit an ARP packet based on matches against the Dynamic Host Configuration Protocol (DHCP) bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access control list.
permit {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
no permit {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
Syntax Description
Defaults
There are no default settings.
Command Modes
ARP access-list configuration
Command History
Usage Guidelines
You can add permit clauses to forward ARP packets based on some matching criteria.
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
show arp access-list
Use the show arp access-list user EXEC command to display detailed information about Address Resolution Protocol (ARP) access control lists (ACLs).
show arp access-list [acl-name] [ | {begin | exclude | include} expression]
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Command Modes
User EXEC
Command History
Usage Guidelines
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
Examples
This is an example of output from the show arp access-list command:
Switch> show arp access-list
ARP access list rose
    permit ip 10.101.1.1 0.0.0.255 mac any
    permit ip 20.3.1.0 0.0.0.255 mac any
Related Commands
show errdisable detect
Use the show errdisable detect user EXEC command to display error-disable detection status.
show errdisable detect [ | {begin | exclude | include} expression]
Syntax Description
Command Modes
User EXEC
Command History
Usage Guidelines
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
A displayed gbic-invalid error reason refers to an invalid small form-factor pluggable (SFP) module.
Examples
This is an example of output from the show errdisable detect command:
Switch> show errdisable detect
ErrDisable Reason   Detection status
-----------------   ----------------
udld                Enabled
bpduguard           Enabled
security-violatio   Enabled
channel-misconfig   Enabled
psecure-violation   Enabled
vmps                Enabled
loopback            Enabled
unicase-flood       Enabled
pagp-flap           Enabled
dtp-flap            Enabled
l2ptguard           Enabled
link-flap           Enabled
gbic-invalid        Enabled
dhcp-rate-limit     Enabled
unicast-flood       Enabled
storm-control       Enabled
ilpower             Enabled
arp-inspection      Enabled
Note
Though visible in the output, the ilpower, storm-control, and unicast-flood fields are not valid.
Related Commands
show ip arp inspection
Use the show ip arp inspection privileged EXEC command to display the configuration and the operating state of dynamic Address Resolution Protocol (ARP) inspection or the status of this feature for all VLANs or for the specified interface or VLAN.
show ip arp inspection [interfaces [interface-id] | log | statistics [vlan vlan-range] | vlan vlan-range] [ | {begin | exclude | include} expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
Examples
This is an example of output from the show ip arp inspection interfaces command:
Switch# show ip arp inspection interfaces
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi1/0/1          Untrusted       15            1
Gi1/0/2          Untrusted       15            1
Gi1/0/3          Untrusted       15            1
This is an example of output from the show ip arp inspection interfaces interface-id command:
Switch# show ip arp inspection interfaces gigabitethernet1/0/1
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi1/0/1          Untrusted       15            1
This is an example of output from the show ip arp inspection log command. It shows the contents of the log buffer before the buffers are cleared:
Switch# show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 10 entries per 300 seconds.
Interface   Vlan   Sender MAC       Sender IP        Num Pkts   Reason      Time
----------  ----   --------------   ---------------  ---------  ----------  ----
Gi1/0/1     5      0003.0000.d673   192.2.10.4       5          DHCP Deny   19:39:01 UTC Mon Mar 1 1993
Gi1/0/1     5      0001.0000.d774   128.1.9.25       6          DHCP Deny   19:39:02 UTC Mon Mar 1 1993
Gi1/0/1     5      0001.c940.1111   10.10.10.1       7          DHCP Deny   19:39:03 UTC Mon Mar 1 1993
Gi1/0/1     5      0001.c940.1112   10.10.10.2       8          DHCP Deny   19:39:04 UTC Mon Mar 1 1993
Gi1/0/1     5      0001.c940.1114   173.1.1.1        10         DHCP Deny   19:39:06 UTC Mon Mar 1 1993
Gi1/0/1     5      0001.c940.1115   173.1.1.2        11         DHCP Deny   19:39:07 UTC Mon Mar 1 1993
Gi1/0/1     5      0001.c940.1116   173.1.1.3        12         DHCP Deny   19:39:08 UTC Mon Mar 1 1993
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate in the ip arp inspection log-buffer global configuration command.
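A parser for this output, added here as an example (not Cisco code and not part of this command reference): it reads the table rows, totals dropped packets per reason and per sender, and flags the -- overflow entries described in the paragraph above so that an operator knows to enlarge the log buffer or raise the logging rate. The sample text is constructed from the output above plus one overflow row whose exact column layout is an assumption.

```python
"""Parser and summary for 'show ip arp inspection log' output.

Added example, not Cisco code. SAMPLE_LOG is constructed from the output shown
in this section plus one overflow entry (layout assumed) in which every field
except the packet count and the time is '--'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Total Log Buffer Size : 32
Syslog rate : 10 entries per 300 seconds.
Interface  Vlan  Sender MAC      Sender IP        Num Pkts  Reason      Time
---------- ----  --------------  ---------------  --------  ----------  ----
Gi1/0/1    5     0003.0000.d673  192.2.10.4       5         DHCP Deny   19:39:01 UTC Mon Mar 1 1993
Gi1/0/1    5     0001.0000.d774  128.1.9.25       6         DHCP Deny   19:39:02 UTC Mon Mar 1 1993
Gi1/0/1    5     0001.c940.1111  10.10.10.1       7         DHCP Deny   19:39:03 UTC Mon Mar 1 1993
Gi1/0/1    5     0001.c940.1112  10.10.10.2       8         DHCP Deny   19:39:04 UTC Mon Mar 1 1993
Gi1/0/1    5     0001.c940.1114  173.1.1.1        10        DHCP Deny   19:39:06 UTC Mon Mar 1 1993
Gi1/0/1    5     0001.c940.1115  173.1.1.2        11        DHCP Deny   19:39:07 UTC Mon Mar 1 1993
Gi1/0/1    5     0001.c940.1116  173.1.1.3        12        DHCP Deny   19:39:08 UTC Mon Mar 1 1993
--         --    --              --               7         --          19:39:10 UTC Mon Mar 1 1993
"""

# One table row: four whitespace-free fields, a packet count, a reason, then a HH:MM:SS timestamp.
# Header, separator and the two summary lines never contain a digits-only packet count in that position.
ENTRY_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<vlan>\S+)\s+(?P<mac>\S+)\s+(?P<ip>\S+)\s+(?P<pkts>\d+)\s+"
    r"(?P<reason>.+?)\s+(?P<time>\d\d:\d\d:\d\d\s.*)$"
)


@dataclass(frozen=True)
class LogEntry:
    interface: Optional[str]
    vlan: Optional[int]
    sender_mac: Optional[str]
    sender_ip: Optional[str]
    packets: int
    reason: Optional[str]
    time: str

    @property
    def overflow(self) -> bool:
        """True for the '--' entries written when an event did not fit into the log buffer."""
        return self.sender_mac is None


def _field(value: str) -> Optional[str]:
    return None if value == "--" else value


def parse_log(text: str) -> List[LogEntry]:
    """Parse the table rows of 'show ip arp inspection log'; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        vlan = _field(m["vlan"])
        entries.append(LogEntry(
            interface=_field(m["iface"]),
            vlan=int(vlan) if vlan is not None else None,
            sender_mac=_field(m["mac"]),
            sender_ip=_field(m["ip"]),
            packets=int(m["pkts"]),
            reason=_field(m["reason"]),
            time=m["time"].strip(),
        ))
    return entries


def summarize(entries: List[LogEntry]) -> Dict[str, object]:
    """Dropped packets per reason and per sender, plus whether the buffer overflowed."""
    by_reason: Counter = Counter()
    by_sender: Counter = Counter()
    overflow_packets = 0
    for e in entries:
        if e.overflow:
            overflow_packets += e.packets   # attribution lost; only the count and time survive
            continue
        by_reason[e.reason] += e.packets
        by_sender[(e.interface, e.vlan, e.sender_mac, e.sender_ip)] += e.packets
    return {
        "entries": len(entries),
        "dropped_packets": sum(e.packets for e in entries),
        "by_reason": dict(by_reason),
        "top_senders": by_sender.most_common(3),
        "overflow_packets": overflow_packets,
        # Overflow means raising 'ip arp inspection log-buffer entries' or the logs/interval rate.
        "buffer_overflowed": overflow_packets > 0,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The per-sender totals are the useful signal: many DHCP Deny drops from one MAC on one port is the signature of a host attempting ARP spoofing or running a scanner, whereas drops spread across many distinct senders on one VLAN more often mean a missing or stale DHCP snooping binding (for example after a reload without a binding database).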
This is an example of output from the show ip arp inspection statistics command. It shows the statistics for packets that have been processed by dynamic ARP inspection for all active VLANs.
Switch# show ip arp inspection statistics
Vlan   Forwarded   Dropped   DHCP Drops   ACL Drops
----   ---------   -------   ----------   ---------
5      3           4618      4605         4
2000   0           0         0            0
Vlan   DHCP Permits   ACL Permits   Source MAC Failures
----   ------------   -----------   -------------------
5      0              12            0
2000   0              0             0
Vlan   Dest MAC Failures   IP Validation Failures
----   -----------------   ----------------------
5      0                   9
2000   0                   0
For the show ip arp inspection statistics command, the switch counts as forwarded each ARP request and response packet received on a trusted dynamic ARP inspection port. A packet that passes the ACL or the DHCP bindings check is counted as ACL-permitted or DHCP-permitted even if it is then denied by the source MAC, destination MAC, or IP validation check; in that case the switch also increments the corresponding failure count.
This is an example of output from the show ip arp inspection statistics vlan 5 command. It shows statistics for packets that have been processed by dynamic ARP inspection for VLAN 5.
Switch# show ip arp inspection statistics vlan 5
Vlan   Forwarded   Dropped   DHCP Drops   ACL Drops
----   ---------   -------   ----------   ---------
5      3           4618      4605         4
Vlan   DHCP Permits   ACL Permits   Source MAC Failures
----   ------------   -----------   -------------------
5      0              12            0
Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
5      0                   9                        3
This is an example of output from the show ip arp inspection vlan 5 command. It shows the configuration and the operating state of dynamic ARP inspection for VLAN 5.
Switch# show ip arp inspection vlan 5
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled
Vlan   Configuration   Operation   ACL Match   Static ACL
----   -------------   ---------   ---------   ----------
5      Enabled         Active      second      No
Vlan   ACL Logging   DHCP Logging
----   -----------   ------------
5      Acl-Match     All
Related Commands
show ip dhcp snooping database
Use the show ip dhcp snooping database user EXEC command to display the status of the DHCP snooping binding database agent.
show ip dhcp snooping database [detail] [ | {begin | exclude | include} expression]
This command is available only if your switch is running the enhanced multilayer image (EMI).
Syntax Description
Command Modes
User EXEC
Command History
Examples
This is an example of output from the show ip dhcp snooping database command:
Switch> show ip dhcp snooping database
Agent URL :
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0

This is an example of output from the show ip dhcp snooping database detail command:
Switch# show ip dhcp snooping database detail
Agent URL : tftp://10.1.1.1/directory/file
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : 7 (00:00:07)
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : 17:14:25 UTC Sat Jul 7 2001
Last Failed Reason : Unable to access URL.

Total Attempts       :       21   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :       21
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :       21
Media Failures       :        0

First successful access: Read

Last ignored bindings counters :
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0
Last Ignored Time : None

Total ignored bindings counters:
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0

Related Commands
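The detail output above is the place to check whether the binding database is actually being written out: in that example every one of the 21 transfers failed because the agent URL was unreachable. The following script is an added example, not Cisco code: it turns the name : value pairs of the output into a dictionary (two pairs can share a line, and the five ignored-binding counters appear under both the Last ignored and Total ignored headings, so they are prefixed by section) and then lists the findings a monitoring job would raise. The sample output and the function names are constructed for this example.

```python
"""Parse 'show ip dhcp snooping database detail' output and report agent health.

Added example, not Cisco code; the sample below is constructed after the
detail output in the command reference."""
import re

SAMPLE_DETAIL = """\
Switch# show ip dhcp snooping database detail
Agent URL : tftp://10.1.1.1/directory/file
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : 7 (00:00:07)
Abort Timer Expiry : Not Running
Last Succeded Time : None
Last Failed Time : 17:14:25 UTC Sat Jul 7 2001
Last Failed Reason : Unable to access URL.

Total Attempts       :       21   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :       21
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :       21
Media Failures       :        0

First successful access: Read

Last ignored bindings counters :
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0
Last Ignored Time : None

Total ignored bindings counters:
Binding Collisions    :        0   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0
"""

# Two 'name : value' pairs can share one line; a value runs until the next
# capitalised name that is followed by a colon, or to the end of the line.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s+[A-Z][A-Za-z ]*\s*:|$)")

# Counters that appear under both the 'Last ignored' and 'Total ignored' headings.
IGNORED_COUNTERS = {"Binding Collisions", "Expired leases", "Invalid interfaces",
                    "Unsupported vlans", "Parse failures"}


def parse_snooping_database(text):
    """Return {field_name: value_string}; ignored-binding counters are prefixed
    with their section, e.g. 'Total ignored Parse failures'."""
    fields = {}
    section = None
    for line in text.splitlines():
        for name, value in PAIR_RE.findall(line):
            name = name.strip()
            if name.endswith("ignored bindings counters"):
                section = name.split()[0]  # 'Last' or 'Total'
                continue
            if name in IGNORED_COUNTERS and section:
                name = f"{section} ignored {name}"
            fields[name] = value.strip()
    return fields


def assess_agent(fields):
    """Return the findings a monitoring job would raise for this output.

    Without a working agent the binding database exists only in memory, so the
    bindings that dynamic ARP inspection and IP source guard rely on do not
    survive a reload."""
    findings = []
    if not fields.get("Agent URL"):
        findings.append("no agent URL: bindings are not written to persistent storage")
    failed = int(fields.get("Failed Transfers", 0))
    succeeded = int(fields.get("Successful Transfers", 0))
    if failed and not succeeded:
        findings.append(f"all {failed} transfers failed; last reason: {fields.get('Last Failed Reason')}")
    for name in sorted(IGNORED_COUNTERS):
        count = int(fields.get(f"Total ignored {name}", 0))
        if count:
            findings.append(f"{count} bindings ignored while reading the database ({name})")
    return findings


if __name__ == "__main__":
    for finding in assess_agent(parse_snooping_database(SAMPLE_DETAIL)):
        print(finding)
```

The regex stops a value at the next capitalised name followed by a colon, which is what lets a timestamp such as 17:14:25 UTC Sat Jul 7 2001 stay intact while Total Attempts and Startup Failures on one line are split into two fields.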
show ip igmp snooping querier detail
Use the show ip igmp snooping querier detail user EXEC command to display the configuration and operation information for the IGMP querier configured on a switch.
show ip igmp snooping querier detail
Syntax Description
Command Modes
User EXEC
Command History
Usage Guidelines
The show ip igmp snooping querier detail user EXEC command is similar to the show ip igmp snooping querier command. However, the show ip igmp snooping querier command displays only the IP address of the most recent device detected by the switch querier.
The show ip igmp snooping querier detail command displays the IP address of the most recent device detected by the switch querier along with this additional information:
•
the elected IGMP querier in the VLAN
•
the configuration and operational information pertaining to the switch querier (if any) that is configured in the VLAN
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
Examples
This is an example of output from the show ip igmp snooping querier detail command:
Switch> show ip igmp snooping querier detail
Vlan      IP Address      IGMP Version   Port
-------------------------------------------------------------
1         1.1.1.1         v2             Fa8/0/1

Global IGMP switch querier status
--------------------------------------------------------
admin state                  : Enabled
admin version                : 2
source IP address            : 0.0.0.0
query-interval (sec)         : 60
max-response-time (sec)      : 10
querier-timeout (sec)        : 120
tcn query count              : 2
tcn query interval (sec)     : 10

Vlan 1:   IGMP switch querier status
--------------------------------------------------------
elected querier is 1.1.1.1 on port Fa8/0/1
--------------------------------------------------------
admin state                  : Enabled
admin version                : 2
source IP address            : 10.1.1.65
query-interval (sec)         : 60
max-response-time (sec)      : 10
querier-timeout (sec)        : 120
tcn query count              : 2
tcn query interval (sec)     : 10
operational state            : Non-Querier
operational version          : 2
tcn query pending count      : 0

Related Commands
show ip source binding
Use the show ip source binding user EXEC command to display the IP source bindings on the switch.
show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface interface-id] [vlan vlan-id] [ | {begin | exclude | include} expression]
Syntax Description
Command Modes
User EXEC
Command History
Usage Guidelines
The show ip source binding command output shows the dynamically and statically configured bindings in the Dynamic Host Configuration Protocol (DHCP) snooping binding database. Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings.
Examples
This is an example of output from the show ip source binding command:
Switch> show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:00:0A:00:0B   11.0.0.1         infinite    static         10    GigabitEthernet0/1
00:00:00:0A:00:0A   11.0.0.2         10000       dhcp-snooping  10    GigabitEthernet0/1

Related Commands
Command                   Description
ip dhcp snooping binding  Configures the DHCP snooping binding database.
                          Configures static IP source bindings on the switch.
show ip verify source
Use the show ip verify source user EXEC command to display the IP source guard configuration on the switch or on a specific interface.
show ip verify source [interface interface-id] [ | {begin | exclude | include} expression]
Syntax Description
Command Modes
User EXEC
Command History
Examples
This is an example of output from the show ip verify source command:
Switch> show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  ---------
Fa0/1      ip           active       10.0.0.1                         10
Fa0/1      ip           active       deny-all                         11-20
Fa0/2      ip           inactive-trust-port
Fa0/3      ip           inactive-no-snooping-vlan
Fa0/4      ip-mac       active       10.0.0.2         aaaa.bbbb.cccc  10
Fa0/4      ip-mac       active       11.0.0.1         aaaa.bbbb.cccd  11
Fa0/4      ip-mac       active       deny-all         deny-all        12-20
Fa0/5      ip-mac       active       10.0.0.3         permit-all      10
Fa0/5      ip-mac       active       deny-all         permit-all      11-20

In the previous example, this is the IP source guard configuration:
•
On the Fast Ethernet 0/1 interface, Dynamic Host Configuration Protocol (DHCP) snooping is enabled on VLANs 10 to 20. For VLAN 10, IP source guard with IP address filtering is configured on the interface, and a binding exists on the interface. For VLANs 11 to 20, the second entry shows that a default port access control list (ACL) is applied on the interface for the VLANs on which IP source guard is not configured.
•
The Fast Ethernet 0/2 interface is configured as trusted for DHCP snooping.
•
On the Fast Ethernet 0/3 interface, DHCP snooping is not enabled on the VLANs to which the interface belongs.
•
On the Fast Ethernet 0/4 interface, IP source guard with source IP and MAC address filtering is enabled, and static IP source bindings are configured on VLANs 10 and 11. For VLANs 12 to 20, the default port ACL is applied on the interface for the VLANs on which IP source guard is not configured.
•
On the Fast Ethernet 0/5 interface, IP source guard with source IP and MAC address filtering is enabled and configured with a static IP binding, but port security is disabled. The switch cannot filter source MAC addresses.
This is an example of output on an interface on which IP source guard is disabled:
Switch> show ip verify source fastethernet1/0/6
IP source guard is not configured on the interface fa0/6.

Related Commands
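The bullets above explain how to read each row of the show ip verify source table: an inactive row carries no IP, MAC or VLAN cells, deny-all in the IP-address column is the default port ACL for VLANs with no IP source guard binding, and permit-all in the Mac-address column means port security is off and the MAC half of an ip-mac filter is not enforced. The following script is an added example, not Cisco code, that applies exactly those rules to produce a per-interface summary an auditor can act on. The sample output and the function names are constructed for this example.

```python
"""Interpret 'show ip verify source' output: which interfaces actually filter, on which VLANs.

Added example, not Cisco code; the sample output is constructed after the
example in the command reference."""
from collections import defaultdict

SAMPLE_OUTPUT = """\
Switch> show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  ---------
Fa0/1      ip           active       10.0.0.1                         10
Fa0/1      ip           active       deny-all                         11-20
Fa0/2      ip           inactive-trust-port
Fa0/3      ip           inactive-no-snooping-vlan
Fa0/4      ip-mac       active       10.0.0.2         aaaa.bbbb.cccc  10
Fa0/4      ip-mac       active       11.0.0.1         aaaa.bbbb.cccd  11
Fa0/4      ip-mac       active       deny-all         deny-all        12-20
Fa0/5      ip-mac       active       10.0.0.3         permit-all      10
Fa0/5      ip-mac       active       deny-all         permit-all      11-20
"""


def parse_ip_verify_source(text):
    """Return one dict per table row.

    Rows are split on whitespace and interpreted by Filter-type and Filter-mode,
    because inactive rows have no IP, MAC or VLAN cells and an 'ip' filter has no
    MAC cell, so fixed column positions cannot be relied on."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[1] not in ("ip", "ip-mac"):
            continue  # prompt, header or dash line
        row = {"interface": f[0], "filter_type": f[1], "filter_mode": f[2],
               "ip": None, "mac": None, "vlan": None}
        if f[2] == "active":
            if f[1] == "ip":
                row["ip"], row["vlan"] = f[3], f[4]
            else:
                row["ip"], row["mac"], row["vlan"] = f[3], f[4], f[5]
        rows.append(row)
    return rows


def summarize_source_guard(rows):
    """Per interface: the bindings enforced, the VLANs covered only by the default
    deny-all port ACL, the VLANs whose MAC filter is not enforced (permit-all),
    and the reason if the filter is inactive."""
    report = defaultdict(lambda: {"bindings": [], "default_deny_vlans": [],
                                  "mac_unenforced_vlans": [], "inactive_reason": None})
    for r in rows:
        entry = report[r["interface"]]
        if r["filter_mode"] != "active":
            entry["inactive_reason"] = r["filter_mode"]
            continue
        if r["ip"] == "deny-all":
            entry["default_deny_vlans"].append(r["vlan"])
        else:
            entry["bindings"].append((r["vlan"], r["ip"], r["mac"]))
        if r["filter_type"] == "ip-mac" and r["mac"] == "permit-all":
            entry["mac_unenforced_vlans"].append(r["vlan"])
    return dict(report)


if __name__ == "__main__":
    for ifc, entry in summarize_source_guard(parse_ip_verify_source(SAMPLE_OUTPUT)).items():
        print(ifc, entry)
```

For the sample, Fa0/5 is the row an auditor cares about: the interface is configured for ip-mac filtering, but the permit-all MAC entries show that only the source IP address is actually being checked.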
Related Documentation
These documents provide complete information about the Catalyst 3550 switches and are available at Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.
•
Catalyst 3550 Multilayer Switch Software Configuration Guide (order number DOC-7816610=)
•
Catalyst 3550 Multilayer Switch Command Reference (order number DOC-7816611=)
•
Catalyst 3550 Multilayer Switch System Message Guide (order number DOC-7816681=)
•
Catalyst 3550 Multilayer Switch Hardware Installation Guide (not orderable but available on Cisco.com)
•
Catalyst 3550 Switch Getting Started Guide (order number DOC-7816575=)
•
Regulatory Compliance and Safety Information for the Catalyst 3550 Switch (order number DOC-7816655=)
For information about other related products, refer to these documents:
•
Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)
•
Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)
•
1000BASE-T Gigabit Interface Converter Installation Note (not orderable but available on Cisco.com)
•
Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
•
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
•
Report security vulnerabilities in Cisco products.
•
Obtain assistance with security incidents that involve Cisco products.
•
Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
•
Emergencies — security-alert@cisco.com
•
Nonemergencies — psirt@cisco.com
Tip
We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
•
1 877 228-7302
•
1 408 525-6532
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
•
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
•
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R)
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
Posted: Sun Jan 30 18:18:24 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.