impostering as a legitimate client, the source address appears on the wrong ingress port and the systemdrops the packet. If the IP address is fake, the address is not on the list of permissible addresses for the portand the packet is dropped. Similarly, if the IP address does not belong to the permissible VLAN, the packet isdropped.To enable IP source address validation, use the following command.NOTE: If you enable IP source guard using the ip dhcp source-address-validation command andif there are more entries in the current DHCP snooping binding table than the available CAM space, SAVmay not be applied to all entries. To ensure that SAV is applied correctly to all entries, enable the ip dhcpsource-address-validation command before adding entries to the binding table.• Enable IP source address validation.INTERFACE modeINTERFACE PORT EXTENDERip dhcp source-address-validation• Enable IP source address validation with VLAN option.INTERFACE modeip dhcp source-address-validation vlan vlan-idNOTE:Before enabling SAV With VLAN option, allocate at least one FP block to the ipmacacl CAM region.DHCP MAC Source Address ValidationDHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against theclient hardware address field (CHADDR) in the payload.The system ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCPheader only for packets from snooped VLANs.• Enable DHCP MAC SAV.CONFIGURATION modeip dhcp snooping verify mac-addressEnabling IP+MAC Source Address ValidationIP source address validation (SAV) validates the IP source address of an incoming packet against the DHCPsnooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are alegitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IPSAV.1 Allocate at least one FP block to the ipmacacl CAM region.CONFIGURATION modeDynamic Host Configuration Protocol (DHCP) 410