Configuring IP Source Guard
• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
• IP Source Guard is not supported on fabric extender (FEX) ports or generic expansion module (GEM) ports.
• The following guidelines and limitations apply to the Cisco Nexus 9200 Series switches:
  • IPv6 adjacency is not formed with IPSG enabled on the incoming interface.
  • IPSG drops ARP packets at HSRP standby.
  • With DHCP snooping and IPSG enabled, if a binding entry exists for the host, traffic is forwarded to the host even without ARP.
Default Settings for IP Source Guard
This table lists the default settings for IP Source Guard parameters.
Table 34: Default IP Source Guard Parameters
Parameters | Default
IP Source Guard | Disabled on each interface
IP source entries | None. No static or default IP source entries exist by default.
Configuring IP Source Guard
Enabling or Disabling IP Source Guard on a Layer 2 Interface
You can enable or disable IP Source Guard on a Layer 2 interface. By default, IP Source Guard is disabled on all interfaces.
Before you begin
Make sure that the DHCP feature and DHCP snooping are enabled.
Make sure that the ACL TCAM region size for IPSG (ipsg) is configured.
SUMMARY STEPS
1. configure terminal
2. interface ethernet slot/port
3. [no] ip verify source dhcp-snooping-vlan
4. (Optional) show running-config dhcp
5. (Optional) copy running-config startup-config
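The "Before you begin" prerequisites for enabling IP Source Guard on a Layer 2 interface, and the disabled-by-default state, can be checked offline against a saved running configuration. The following is an added example, not part of the Cisco guide: the sample configuration is constructed, and the prerequisite command spellings (`feature dhcp`, `ip dhcp snooping`, `hardware access-list tcam region ipsg <size>`) are assumed NX-OS syntax that this page does not show.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
# The three global lines use assumed NX-OS syntax for the page's prerequisites.
SAMPLE_CONFIG = """\
feature dhcp
ip dhcp snooping
hardware access-list tcam region ipsg 512
interface Ethernet1/1
  ip verify source dhcp-snooping-vlan
interface Ethernet1/2
interface Ethernet1/3
  no ip verify source dhcp-snooping-vlan
"""

IPSG_CMD = "ip verify source dhcp-snooping-vlan"

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line[:1].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # back at global configuration level
    return interfaces

def audit_ipsg(config):
    """Return (missing prerequisites, interfaces with IPSG enabled)."""
    top = {ln.strip() for ln in config.splitlines() if ln and not ln[0].isspace()}
    missing = []
    if "feature dhcp" not in top:
        missing.append("DHCP feature is not enabled")
    if "ip dhcp snooping" not in top:
        missing.append("DHCP snooping is not enabled")
    region = re.search(r"^hardware access-list tcam region ipsg (\d+)", config, re.M)
    if region is None or int(region.group(1)) == 0:
        missing.append("ipsg ACL TCAM region is not configured")
    # Exact match: the "no ..." form and an absent line both mean disabled (the default).
    enabled = sorted(n for n, cmds in parse_interfaces(config).items() if IPSG_CMD in cmds)
    return missing, enabled

if __name__ == "__main__":
    print(audit_ipsg(SAMPLE_CONFIG))
```

An interface that appears in the second list while the first list is non-empty has IP Source Guard configured without one of the prerequisites named above.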
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x