Overview
IP Source Guard (IPSG) is a security feature implemented in network switches to mitigate IP address spoofing attacks. It generally works by ensuring that incoming packets on a network interface have a source IP address that matches an entry in the IP source guard binding table. Traffic from other IP addresses is dropped.
...
By default, IP source guard is disabled. It must be enabled on each port where guarding is required.
Configuration Notes and Constraints
When configuring IP source guard, consider the following points:
IP source guard can only be configured on Layer 2 physical ports.
The interface that enables IPSG cannot be a DHCP snooping trust interface.
IPSG has a higher priority than PBR (Policy-Based Routing) and 802.1X (downloadable ACL and dynamic ACL). When IPSG is enabled on both the ingress interface and the VLAN to which a packet belongs, the packet is subject to IPSG verification and therefore bypasses both the PBR and the 802.1X ACL matching processes.
If a packet that matches the IP source guard entry also matches an ACL rule (such as a firewall filter ACL), and the action of the ACL rule is discard, then the packet will be discarded by the ACL regardless of other configurations.
IPSG is not supported in MLAG scenarios.
Configuring IP Source Guard
Configuring IP Source Guard involves the following steps:
...
run show ip-source-guard binding [interface <interface-name>]
Configuration Example
Networking Requirements
Figure 1. IP Source Guard Configuration Example
...
admin@PICOS# run show ip-source-guard binding
Total ipsg host count: 2
Mac-Address        Ip-Address   Interface  VLAN  Type           Filter-Type  Status
-----------------------------------------------------------------------------------
3f:2c:99:51:48:01  10.10.10.22  ge-1/1/1   10    static ip      ip+mac       effective
54:9c:99:d3:09:5c  20.1.1.10    ge-1/1/2   20    dhcp-snooping  ip+mac       effective
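As an added illustration (not part of the PICOS documentation or its CLI), the following Python models the binding-table check from the overview and the constraint that an IPSG port cannot be a DHCP snooping trust interface. The first two bindings are taken from the example output above; the third binding with filter type "ip", the set of IPSG-enabled ports and the set of DHCP snooping trust ports are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the IPSG binding table (static or learned via DHCP snooping)."""
    mac: str
    ip: str
    interface: str
    vlan: int
    filter_type: str  # "ip" (check source IP only) or "ip+mac" (check IP and MAC)

# Constructed binding table: the first two rows mirror the example output on this
# page; the ge-1/1/3 row with filter type "ip" is an assumption added for illustration.
BINDINGS = [
    Binding("3f:2c:99:51:48:01", "10.10.10.22", "ge-1/1/1", 10, "ip+mac"),
    Binding("54:9c:99:d3:09:5c", "20.1.1.10", "ge-1/1/2", 20, "ip+mac"),
    Binding("00:11:22:33:44:55", "30.1.1.10", "ge-1/1/3", 30, "ip"),
]
# Ports on which IPSG has been enabled (assumption; the feature is off by default).
IPSG_PORTS = {"ge-1/1/1", "ge-1/1/2", "ge-1/1/3"}

def ipsg_verdict(bindings, ipsg_ports, interface, vlan, src_ip, src_mac):
    """Return "permit" or "drop" for a frame arriving on interface/vlan.

    Mirrors the check described in the overview: on a guarded port the frame is
    forwarded only if a binding for that port and VLAN matches its source IP
    (and, for "ip+mac" bindings, its source MAC as well). Unguarded ports pass.
    """
    if interface not in ipsg_ports:
        return "permit"
    for b in bindings:
        if (b.interface, b.vlan, b.ip) != (interface, vlan, src_ip):
            continue
        if b.filter_type == "ip+mac" and b.mac.lower() != src_mac.lower():
            continue
        return "permit"
    return "drop"

def audit_ipsg_ports(ipsg_ports, dhcp_trust_ports):
    """List ports that violate the constraint that an IPSG interface cannot also be
    a DHCP snooping trust interface; an empty list means the configuration is consistent."""
    return sorted(set(ipsg_ports) & set(dhcp_trust_ports))

if __name__ == "__main__":
    print(ipsg_verdict(BINDINGS, IPSG_PORTS, "ge-1/1/1", 10, "10.10.10.22", "3f:2c:99:51:48:01"))  # permit
    print(ipsg_verdict(BINDINGS, IPSG_PORTS, "ge-1/1/1", 10, "10.10.10.99", "3f:2c:99:51:48:01"))  # drop
    print(audit_ipsg_ports(IPSG_PORTS, {"ge-1/1/2", "ge-1/1/48"}))  # ['ge-1/1/2']
```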
...