Access Layer April 2014
Step 8: Configure DHCP snooping and ARP inspection on the interface to process up to 100 packets per second of
traffic on the port.
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
The packets-per-second rate that you choose is arbitrary. You may tune this value to fit your environment.
Step 9: Configure IP Source Guard on the interface. IP Source Guard is a means of preventing IP spoofing.
ip verify source
If you have a Cisco Catalyst 4500, use the following command instead because Catalyst 4500 requires an
additional keyword for the ip verify source command.
ip verify source vlan dhcp-snooping
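An added example, not part of the original guide: a Python check that reads a switch running-config and reports access ports that lack the per-port commands from Steps 8 and 9 or port security, or whose VLANs are absent from the global DHCP snooping and ARP inspection VLAN lists. The sample configuration is constructed, the function names are hypothetical, and the script assumes `show running-config` style output with one indented stanza per interface.

```python
import re

# Constructed running-config excerpt (not from the guide); Gi1/0/2 is incomplete.
SAMPLE = """\
ip dhcp snooping vlan 100,101
ip dhcp snooping
ip arp inspection vlan 100,101
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport voice vlan 101
 switchport port-security
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source
interface GigabitEthernet1/0/2
 switchport access vlan 120
 switchport port-security maximum 11
 ip dhcp snooping limit rate 100
"""

REQUIRED = {  # per-port protection -> command that enables it
    "ARP inspection rate limit": r"ip arp inspection limit rate \d+",
    "DHCP snooping rate limit": r"ip dhcp snooping limit rate \d+",
    "IP Source Guard": r"ip verify source( vlan dhcp-snooping)?",  # incl. 4500 form
    "port security": r"switchport port-security",  # 'maximum N' alone is not enough
}

def vlan_set(spec):
    """Expand an IOS VLAN list such as '100,101,110-112' into a set of ints."""
    pairs = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return {interface: [findings]} for access ports missing a protection."""
    covered = {"dhcp snooping": set(), "arp inspection": set()}
    for feat, spec in re.findall(r"^ip (dhcp snooping|arp inspection) vlan (\S+)", config, re.M):
        covered[feat] |= vlan_set(spec)
    findings = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        vlans = {int(c.split()[-1]) for c in cmds
                 if re.fullmatch(r"switchport (access|voice) vlan \d+", c)}
        issues = [f"missing {what}" for what, rx in REQUIRED.items()
                  if not any(re.fullmatch(rx, c) for c in cmds)]
        for feat, ok in covered.items():
            issues += [f"VLAN {v} not covered by {feat}" for v in sorted(vlans - ok)]
        if vlans and issues:  # stanzas without an access/voice VLAN are skipped
            findings[name] = issues
    return findings
```

Calling `audit(SAMPLE)` flags only GigabitEthernet1/0/2; stanzas with no access or voice VLAN, such as an SVI, are ignored.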
Example: Connected to Distribution Switch
[Figure: access switch connected to the LAN distribution switch. VLAN 100: Data VLAN; VLAN 101: Voice VLAN; VLAN 115: IP 10.4.15.5/25]
vlan 100
 name Data
vlan 101
 name Voice
vlan 115
 name Management
!
interface vlan 115
 description In-band Management
 ip address 10.4.15.5 255.255.255.0
 no shutdown
!
ip default-gateway 10.4.15.1
!
! DHCP snooping and ARP inspection on the data and voice VLANs
ip dhcp snooping vlan 100,101
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,101
!
! BPDU guard on all PortFast-enabled ports
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet 1/0/1-24
 switchport access vlan 100
 switchport voice vlan 101
 switchport host
 macro apply AccessEdgeQoS
 ! Port security: up to 11 MAC addresses per port
 switchport port-security maximum 11
 switchport port-security
 switchport port-security aging time 2