Network topology structure:
Scenario Description:
Core layer: the gateway of every VLAN interface (SVI) sits on the core switch
Aggregation layer: two switch stacks, each with a port-channel uplink to the core and port-channel downlinks to the access layer; no dynamic routing runs here
Access layer: a two-port port-channel on each access switch, with one member link to each of the two aggregation switches
Objective:
Block rogue (unauthorized) DHCP servers on the internal enterprise network with DHCP snooping;
Prevent internal users from manually configuring IP addresses by enabling IP Source Guard.
Access Layer DHCP snooping configuration:
2F-NEW-ACC-SW-1(config)#ip dhcp snooping
2F-NEW-ACC-SW-1(config)#ip dhcp snooping vlan 24
2F-NEW-ACC-SW-1(config)#ip dhcp snooping vlan 25
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/47
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/48
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface Po1
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
The core layer must also be configured as follows, otherwise clients get no IP address: the access switch inserts DHCP option 82 into client requests while leaving giaddr at 0, and the relay on the core SVI drops such packets unless it is told to trust them.
6S-CORE-SW-1(config)#interface vlan 24
6S-CORE-SW-1(config-if)#ip dhcp relay information trusted
6S-CORE-SW-1(config)#interface vlan 25
6S-CORE-SW-1(config-if)#ip dhcp relay information trusted
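The trust model the access-layer configuration above establishes is easy to get wrong on a switch with 48 ports, so a small audit script helps: snooping must be on globally and for every client VLAN, the uplinks (the port-channel and its member ports) must be trusted, and no access port may be trusted, since a trusted access port would let a rogue DHCP server through. The script below is an added example, not from the original post; the running-config excerpt it audits is constructed to mirror the commands shown above (IOS stores the per-VLAN commands as one `ip dhcp snooping vlan 24,25` line), with one deliberately mis-trusted access port so the check has something to find. Interface names and VLAN numbers are assumptions.

```python
"""Audit a Cisco IOS running-config excerpt for the DHCP snooping trust model.

Added example (not the original post's code). Checks that snooping is enabled
globally, enabled for every required VLAN, and that exactly the uplinks are
trusted. Everything below is constructed; nothing was captured from a switch.
"""
import re

# Constructed running-config excerpt mirroring the commands in the post.
# GigabitEthernet1/0/2 is trusted on purpose to show a misconfiguration.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 24,25
ip dhcp snooping
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 switchport access vlan 24
 switchport port-security
 ip verify source port-security
!
interface GigabitEthernet1/0/2
 switchport access vlan 24
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/47
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/48
 channel-group 1 mode active
 ip dhcp snooping trust
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '24,25' or '20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def parse_config(text):
    """Return (global_enabled, snooping_vlans, {interface: [indented config lines]})."""
    global_enabled = False
    snooping_vlans = set()
    interfaces = {}
    current = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the interface block
            if line.strip() == "ip dhcp snooping":
                global_enabled = True
            m = re.match(r"ip dhcp snooping vlan (\S+)", line.strip())
            if m:
                snooping_vlans |= expand_vlans(m.group(1))
    return global_enabled, snooping_vlans, interfaces

def audit_dhcp_snooping(text, required_vlans, uplinks):
    """Return a list of findings; an empty list means the trust model is as intended."""
    findings = []
    global_enabled, snooping_vlans, interfaces = parse_config(text)
    if not global_enabled:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    for vlan in sorted(set(required_vlans) - snooping_vlans):
        findings.append(f"vlan {vlan}: DHCP snooping not enabled")
    for name, lines in interfaces.items():
        trusted = "ip dhcp snooping trust" in lines
        if name in uplinks and not trusted:
            findings.append(f"{name}: uplink is untrusted, legitimate DHCP offers will be dropped")
        if name not in uplinks and trusted:
            findings.append(f"{name}: access port is trusted, a rogue DHCP server here is not blocked")
    for name in uplinks:
        if name not in interfaces:
            findings.append(f"{name}: expected uplink not present in config")
    return findings

if __name__ == "__main__":
    uplinks = {"Port-channel1", "GigabitEthernet1/0/47", "GigabitEthernet1/0/48"}
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG, {24, 25}, uplinks):
        print(finding)
```

Run against a real `show running-config` capture, the only inputs to adjust are the set of client VLANs and the set of uplink interface names; every other port is expected to be untrusted.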
Verify the result:
2F-NEW-ACC-SW-1#sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
24-25
DHCP snooping is operational on following VLANs:
24-25
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 50f7.22c7.8d00 (MAC)
Option 82 on untrusted port is not allowed
   verification of hwaddr field is enabled
   verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
  Custom circuit-ids:

2F-NEW-ACC-SW-1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping  24    GigabitEthernet1/0/17
00:0B:82:86:10:35   172.16.24.136    609318      dhcp-snooping  24    GigabitEthernet1/0/20
A8:1E:84:A6:74:7E   172.16.25.12     690293      dhcp-snooping  25    GigabitEthernet1/0/30
1C:39:47:E4:7D:1D   172.16.25.11     688206      dhcp-snooping  25    GigabitEthernet1/0/28
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping  24    GigabitEthernet1/0/7
1C:39:47:E3:5C:C3   172.16.25.14     690459      dhcp-snooping  25    GigabitEthernet1/0/29
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping  24    GigabitEthernet1/0/15
A8:60:B6:2E:C7:A9   172.16.25.127    690215      dhcp-snooping  25    GigabitEthernet1/0/44
A8:60:B6:38:2F:A9   172.16.25.132    689510      dhcp-snooping  25    GigabitEthernet1/0/43
F0:76:1C:E2:64:4C   172.16.25.10     689447      dhcp-snooping  25    GigabitEthernet1/0/34
 --More--
IP Source Guard Configuration:
IP Source Guard relies on the DHCP snooping binding table, so DHCP snooping must be enabled before IP Source Guard is configured.
The IP Source Guard configuration is simple: it is enabled under each access interface (the port-security variant used here filters on both the IP address and the MAC address of the binding, so port security must be on as well):
2F-NEW-ACC-SW-1(config)#interface gigabitEthernet 1/0/1
2F-NEW-ACC-SW-1(config-if)#switchport port-security
2F-NEW-ACC-SW-1(config-if)#ip verify source port-security
Verify the result:
2F-NEW-ACC-SW-1#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/3    ip-mac       inactive-no-snooping-vlan
Gi1/0/4    ip-mac       active       deny-all         deny-all           24
Gi1/0/5    ip-mac       active       deny-all         deny-all           24
Gi1/0/6    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    a4:4c:c8:10:63:ee  24
Gi1/0/8    ip-mac       inactive-no-snooping-vlan
Gi1/0/9    ip-mac       active       deny-all         deny-all           24
Gi1/0/10   ip-mac       inactive-no-snooping-vlan
Gi1/0/11   ip-mac       active       deny-all         deny-all           24
Gi1/0/12   ip-mac       active       deny-all         deny-all           24
Gi1/0/13   ip-mac       active       deny-all         deny-all           24
Gi1/0/14   ip-mac       inactive-no-snooping-vlan
Gi1/0/15   ip-mac       active       172.16.24.33     d4:81:d7:ff:04:08  24
Gi1/0/16   ip-mac       inactive-no-snooping-vlan
Gi1/0/17   ip-mac       active       172.16.24.17     2c:60:0c:73:ea:fc  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
Gi1/0/19   ip-mac       inactive-no-snooping-vlan
Gi1/0/20   ip-mac       active       172.16.24.136    00:0b:82:86:10:35  24
Filter-mode: every port in a snooping VLAN shows active; ports whose VLAN has no DHCP snooping show inactive-no-snooping-vlan.
IP-address column: a port whose client obtained its address via DHCP shows that address and MAC (taken from the snooping binding table); a port showing deny-all has no binding, so all traffic from it is dropped, which is what a host with a manually configured IP address looks like.
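Reading the two tables above by hand works for 20 ports, but the same classification is easy to script: correlate `show ip verify source` with `show ip dhcp snooping binding`, confirm every active port's IP/MAC pair against a binding, and list the deny-all ports separately as the candidates for a manually configured address. The script below is an added example, not from the original post; the two command outputs are constructed from the rows shown above, trimmed to a few ports, with the binding for Gi1/0/20 deliberately left out so the cross-check has a disagreement to report (in practice the two tables only diverge when the outputs were captured at different times or when a binding comes from a source other than snooping, such as a static `ip source binding` entry).

```python
"""Correlate 'show ip verify source' with 'show ip dhcp snooping binding'.

Added example (not the original post's code). Classifies each port as
bound (IP/MAC confirmed by a binding), denied (active/deny-all: no binding,
the state a manually configured host ends up in), inactive (port VLAN is not
a snooping VLAN) or mismatch (active with an address but no matching binding).
Both outputs below are constructed from the rows in the post.
"""
import re

# Constructed excerpt of 'show ip verify source' in the IOS column layout.
VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    a4:4c:c8:10:63:ee  24
Gi1/0/15   ip-mac       active       172.16.24.33     d4:81:d7:ff:04:08  24
Gi1/0/17   ip-mac       active       172.16.24.17     2c:60:0c:73:ea:fc  24
Gi1/0/20   ip-mac       active       172.16.24.136    00:0b:82:86:10:35  24
"""

# Constructed excerpt of 'show ip dhcp snooping binding'. The Gi1/0/20 row is
# omitted on purpose so the cross-check below has a mismatch to report.
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping  24    GigabitEthernet1/0/17
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping  24    GigabitEthernet1/0/7
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping  24    GigabitEthernet1/0/15
"""

def short_ifname(name):
    """Map 'GigabitEthernet1/0/17' to the 'Gi1/0/17' form that show ip verify source uses."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

def parse_verify_source(text):
    """Return {port: {'mode', 'ip', 'mac', 'vlan'}}; header and separator rows are skipped."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Interface" or fields[0].startswith("-"):
            continue
        port, _filter_type, mode = fields[:3]
        entry = {"mode": mode, "ip": None, "mac": None, "vlan": None}
        if mode == "active" and len(fields) >= 6:
            entry.update(ip=fields[3], mac=fields[4], vlan=fields[5])
        ports[port] = entry
    return ports

def parse_bindings(text):
    """Return {port: (ip, mac_lowercase)} from the snooping binding table."""
    bindings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[3] != "dhcp-snooping":
            continue  # header, separator, or a row of another binding type
        mac, ip, _lease, _btype, _vlan, iface = fields
        bindings[short_ifname(iface)] = (ip, mac.lower())
    return bindings

def classify_ports(verify_text, binding_text):
    """Group ports into bound / denied / inactive / mismatch lists."""
    ports = parse_verify_source(verify_text)
    bindings = parse_bindings(binding_text)
    result = {"bound": [], "denied": [], "inactive": [], "mismatch": []}
    for port, entry in sorted(ports.items()):
        if entry["mode"] != "active":
            result["inactive"].append(port)
        elif entry["ip"] == "deny-all":
            result["denied"].append(port)  # no binding: static-IP hosts land here
        elif bindings.get(port) == (entry["ip"], entry["mac"]):
            result["bound"].append(port)
        else:
            result["mismatch"].append(port)  # filter entry without a matching binding
    return result

if __name__ == "__main__":
    for group, names in classify_ports(VERIFY_SOURCE, SNOOPING_BINDING).items():
        print(f"{group:9s} {', '.join(names) or '-'}")
```

The denied list is the one to review: an empty list is normal on a fully DHCP-based floor, while a port that stays in deny-all with link up is either an idle port or a host that set its own address and is now being filtered exactly as intended.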
Enterprise Network Cisco switch DHCP snooping and IP source guard prohibit manual IP configuration