The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC
address of an IP packet or when you have configured a static IP source entry.
The device drops IP packets when the IP address and MAC address of the packet do not have a binding table
entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command
displays the following binding table entry:
MacAddress         IpAddress   LeaseSec   Type           VLAN  Interface
-----------------  ----------  ---------  -------------  ----  ---------
00:02:B3:3F:3B:99  10.5.5.2    6943       dhcp-snooping  10    Ethernet2/3
If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only
if the MAC address of the packet is 00:02:B3:3F:3B:99.
Licensing Requirements for IP Source Guard
This table shows the licensing requirements for IP Source Guard.
Product        License Requirement
Cisco NX-OS    IP Source Guard requires no license. Any feature not included in a license package is bundled
               with the nx-os image and is provided at no extra charge to you. For an explanation of the
               Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Prerequisites for IP Source Guard
IP Source Guard has the following prerequisites:
• You must enable the DHCP feature and DHCP snooping before you can configure IP Source Guard. See
  Configuring DHCP, on page 327.
• You must configure the ACL TCAM region size for IP Source Guard using the hardware access-list
  tcam region ipsg command. See Configuring ACL TCAM Region Sizes, on page 240.
Note
By default the ipsg region size is zero. You need to allocate enough entries to
this region for storing and enforcing the SMAC-IP bindings.
Guidelines and Limitations for IP Source Guard
IP Source Guard has the following configuration guidelines and limitations:
• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address
  binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you
  may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a
  DHCP server.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
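The permit and drop rule described above can be modeled offline to audit captured show ip dhcp snooping binding output. The following Python sketch is an added example, not Cisco code and not the device's implementation; the function names are hypothetical, the sample text is the page's binding entry laid out as CLI output, and scoping a match to the entry's VLAN and interface is an assumption of this model.

```python
import re
from typing import NamedTuple

# Constructed sample: the binding entry shown on this page, in CLI layout.
SHOW_BINDING = """\
MacAddress         IpAddress   LeaseSec   Type           VLAN  Interface
-----------------  ----------  ---------  -------------  ----  ---------
00:02:B3:3F:3B:99  10.5.5.2    6943       dhcp-snooping  10    Ethernet2/3
"""

class Binding(NamedTuple):
    mac: str        # 12 lowercase hex digits, separators removed
    ip: str
    vlan: int
    interface: str

# One data row: MAC, IPv4 address, lease, type, VLAN, interface.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"\S+\s+\S+\s+(?P<vlan>\d+)\s+(?P<intf>\S+)$"
)

def norm_mac(mac: str) -> str:
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text: str) -> set[Binding]:
    """Parse the data rows; header and separator lines do not match ROW."""
    table = set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table.add(Binding(norm_mac(m["mac"]), m["ip"], int(m["vlan"]), m["intf"]))
    return table

def permits(table: set[Binding], src_ip: str, src_mac: str,
            vlan: int, interface: str) -> bool:
    """True only if the packet's IP-MAC pair has an entry for that VLAN and port."""
    try:
        key = Binding(norm_mac(src_mac), src_ip, vlan, interface)
    except ValueError:
        return False  # a malformed source MAC can never match a binding
    return key in table
```

A static IP source entry can be modeled by adding another Binding to the parsed set before calling permits.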