Overview

IP Source Guard (IPSG) is a security feature implemented in network switches to mitigate IP address spoofing attacks. It generally works by ensuring that incoming packets on a network interface have a source IP address that matches an entry in the IP source guard binding table. Traffic from other IP addresses is dropped.

...

By default, IP source guard is disabled. It must be enabled on each port where guarding is required.

Configuration Notes and Constraints

When configuring IP source guard, consider the following points:

  • IP source guard can only be configured on Layer 2 physical ports.

  • The interface that enables IPSG cannot be a DHCP snooping trust interface.

  • IPSG has a higher priority than PBR (Policy-Based Routing) and 802.1X (downloadable ACL and dynamic ACL). When IPSG is enabled on the ingress interface and VLAN to which a packet belongs, the packet is subject to IPSG verification. As a result, it bypasses both PBR and 802.1X ACL matching processes.

  • If a packet that matches the IP source guard entry also matches an ACL rule (such as a firewall filter ACL), and the action of the ACL rule is discard, then the packet will be discarded by the ACL regardless of other configurations.

  • After an IP source guard binding entry is configured, the system must deploy it to hardware. The number of binding entries a switch can support therefore depends on current hardware resource utilization, and different switch platforms, having different hardware capacity, support different numbers of entries.

  • IPSG is not supported in MLAG scenarios.

Configuring IP Source Guard

Configuring IP Source Guard involves the following steps:

...

Info

NOTE:

  • The command set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false> is used for step 2.

  • The interface and VLAN configured in step 2 should be consistent with the values in the IP source guard binding table.

  • When IP source guard is enabled on a specific interface and VLAN, all IP packets received on that interface and VLAN are dropped except those that match an entry in the IP source guard binding table.

  • Packets received from other interfaces or VLANs that do not have IP source guard enabled will not be inspected by the IP source guard module and will be processed normally.
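The admission rules listed above (inspection only on interface/VLAN pairs where IPSG is enabled, a drop for packets with no matching binding, and an ACL discard that wins regardless of a binding match) can be tried out in a small model. The following Python program is an added example and is not PICOS code: the class and method names are invented, the binding entries reuse the two hosts from the show output on this page, and the third binding, the filter types and the ACL discard entry are constructed for illustration.

```python
"""Model of IP Source Guard (IPSG) packet admission as described on this page.

Added example, not PICOS code. It models three things the page states:
  - only packets on an (interface, VLAN) pair where IPSG is enabled are inspected;
  - an inspected packet is forwarded only if it matches a binding entry;
  - an ACL rule whose action is discard drops the packet regardless of IPSG.
All bindings, packets and ACL entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the IP source guard binding table."""
    mac: str
    ip: str
    interface: str
    vlan: int
    filter_type: str  # "ip" (check source IP only) or "ip+mac" (check both)


@dataclass(frozen=True)
class Packet:
    """The fields of an ingress IP packet that IPSG looks at."""
    src_mac: str
    src_ip: str
    interface: str
    vlan: int


class IpSourceGuard:
    def __init__(self) -> None:
        self.bindings: List[Binding] = []
        # (interface, vlan) pairs on which IPSG has been enabled
        self.enabled: Set[Tuple[str, int]] = set()
        # source IPs matched by a constructed ACL rule whose action is discard
        self.acl_discard: Set[str] = set()

    def set_enable(self, interface: str, vlan: int, enable: bool) -> None:
        """Mirrors: set ip-source-guard interface <if> vlan <vlan> enable <true|false>."""
        if enable:
            self.enabled.add((interface, vlan))
        else:
            self.enabled.discard((interface, vlan))

    def add_binding(self, binding: Binding) -> None:
        self.bindings.append(binding)

    def _matches(self, b: Binding, pkt: Packet) -> bool:
        # A binding applies only on its own interface and VLAN.
        if (b.interface, b.vlan, b.ip) != (pkt.interface, pkt.vlan, pkt.src_ip):
            return False
        # With filter type ip+mac the source MAC must match as well.
        if b.filter_type == "ip+mac" and b.mac != pkt.src_mac:
            return False
        return True

    def verdict(self, pkt: Packet) -> str:
        # An ACL discard is applied regardless of other configuration.
        if pkt.src_ip in self.acl_discard:
            return "drop:acl"
        # Interfaces/VLANs without IPSG are not inspected at all.
        if (pkt.interface, pkt.vlan) not in self.enabled:
            return "forward:not-inspected"
        if any(self._matches(b, pkt) for b in self.bindings):
            return "forward:binding-match"
        return "drop:no-binding"


def build_example() -> IpSourceGuard:
    """Guard populated with the two hosts from the page's show output plus one constructed entry."""
    g = IpSourceGuard()
    g.add_binding(Binding("3f:2c:99:51:48:01", "10.10.10.22", "ge-1/1/1", 10, "ip"))
    g.add_binding(Binding("54:9c:99:d3:09:5c", "20.1.1.10", "ge-1/1/2", 20, "ip+mac"))
    g.add_binding(Binding("00:11:22:33:44:55", "10.10.10.23", "ge-1/1/1", 10, "ip"))  # constructed
    g.set_enable("ge-1/1/1", 10, True)
    g.set_enable("ge-1/1/2", 20, True)
    g.acl_discard.add("10.10.10.23")  # constructed ACL rule: discard this source
    return g


if __name__ == "__main__":
    guard = build_example()
    for p in (
        Packet("3f:2c:99:51:48:01", "10.10.10.22", "ge-1/1/1", 10),
        Packet("aa:bb:cc:dd:ee:ff", "10.10.10.99", "ge-1/1/1", 10),
        Packet("aa:bb:cc:dd:ee:ff", "20.1.1.10", "ge-1/1/2", 20),
        Packet("aa:bb:cc:dd:ee:ff", "192.0.2.5", "ge-1/1/3", 30),
        Packet("00:11:22:33:44:55", "10.10.10.23", "ge-1/1/1", 10),
    ):
        print(p.interface, p.vlan, p.src_ip, "->", guard.verdict(p))
```

The model also illustrates the note that the interface and VLAN enabled in step 2 must agree with the binding table: enabling IPSG on ge-1/1/2 VLAN 21 while the binding for 20.1.1.10 sits on VLAN 20 causes that host's traffic on VLAN 21 to be dropped as having no binding.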

...

run show ip-source-guard binding [interface <interface-name>]

Configuration Example

Networking Requirements

Figure 1.     IP Source Guard Configuration Example

...

admin@PICOS# run show ip-source-guard binding
Total ipsg host count:     2
Mac-Address         Ip-Address      Interface       VLAN      Type         Filter-Type         Status
-----------------------------------------------------------------------------------------------------------------------
3f:2c:99:51:48:01   10.10.10.22     ge-1/1/1        10        static                   ip   ip+mac              effective
54:9c:99:d3:09:5c   20.1.1.10       ge-1/1/2        20        dhcp-snooping    ip+mac              effective

...