Chapter 11: Controlling Traffic and Switch Access 189

switch# show port-security interface fastEthernet 1/0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.8565.4B75:1
Security Violation Count   : 1

Note: Port security can only be configured on static access ports or trunk ports.

DHCP Snooping

DHCP Snooping acts like a firewall between untrusted hosts and DHCP servers. You use
DHCP Snooping to differentiate between untrusted interfaces connected to the end user
and trusted interfaces connected to the DHCP server or another switch. When a switch
receives a packet on an untrusted interface and the interface belongs to a VLAN that has
DHCP Snooping enabled, the switch compares the source MAC address and the DHCP
client hardware address. If the addresses match (the default), the switch forwards the
packet. If the addresses do not match, the switch drops the packet.

Tip: For DHCP Snooping to function properly, all DHCP servers must be connected to
the switch through trusted interfaces.

To ensure that the lease time in the database is accurate, Cisco recommends that you
enable and configure NTP.

Feature Example

The DHCP server connects to interface Fastethernet 1/0/3; all interfaces on the switch are
in VLAN 1:

1. Enable DHCP Snooping on the switch:

switch(config)# ip dhcp snooping vlan 1

Note: DHCP Snooping is not active until it is enabled on a VLAN.
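
This is an added example, not code from the book or from Cisco: it models the untrusted-port check described under DHCP Snooping, comparing the Ethernet source MAC address with the DHCP client hardware address (chaddr) inside the packet. The function names, port labels and sample MAC addresses are assumptions made for illustration, and it handles untagged Ethernet/IPv4 frames only.

```python
import struct

DHCP_PORTS = {67, 68}

def parse_dhcp_frame(frame: bytes):
    """Return (Ethernet source MAC, BOOTP chaddr), or None if not DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # untagged IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17:                     # IP protocol 17 = UDP
        return None
    udp = 14 + ihl
    bootp = udp + 8
    if len(frame) < bootp + 44:                         # need up to end of chaddr
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if sport not in DHCP_PORTS or dport not in DHCP_PORTS:
        return None
    hlen = min(frame[bootp + 2], 16)                    # hardware address length
    return frame[6:12], frame[bootp + 28:bootp + 28 + hlen]

def snoop_decision(frame, vlan, port, trusted_ports, snooping_vlans):
    """Model of the check described above for one received frame."""
    if port in trusted_ports or vlan not in snooping_vlans:
        return "forward"
    parsed = parse_dhcp_frame(frame)
    if parsed is None:
        return "forward"            # not DHCP, so this check does not apply
    src_mac, chaddr = parsed
    return "forward" if src_mac == chaddr else "drop"

def build_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample frame: broadcast DHCPDISCOVER, checksums left at 0."""
    bootp = (struct.pack("!BBBBIHH", 1, 1, len(chaddr), 0, 0x1234, 0, 0x8000)
             + bytes(16) + chaddr.ljust(16, b"\x00") + bytes(192)
             + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff")
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp

if __name__ == "__main__":
    host = bytes.fromhex("020000000001")     # constructed MAC addresses
    other = bytes.fromhex("020000000002")
    trusted, vlans = {"Fa1/0/3"}, {1}        # values from the feature example
    for label, frame in [("matching", build_discover(host, host)),
                         ("mismatched", build_discover(host, other))]:
        print(label, snoop_decision(frame, 1, "Fa1/0/2", trusted, vlans))
```

A frame whose chaddr differs from its source MAC is dropped only when it arrives on an untrusted port in a VLAN with DHCP Snooping enabled; the same frame on the trusted port or in another VLAN is forwarded.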