Overview
IP Source Guard (IPSG) is a security feature implemented in network switches to mitigate IP address spoofing attacks. It generally works by ensuring that incoming packets on a network interface have a source IP address that matches an entry in the IP source guard binding table. Traffic from other IP addresses is dropped.
...
By default, IP source guard is disabled. It must be enabled on each port where guarding is required.
Configuration Notes and Constraints
When configuring IP source guard, consider the following points:
IP source guard can only be configured on Layer 2 physical ports.
The interface that enables IPSG cannot be a DHCP snooping trust interface.
IPSG has a higher priority than PBR (Policy-Based Routing) and 802.1X (downloadable ACL and dynamic ACL). When IPSG is enabled on the ingress interface and VLAN to which a packet belongs, the packet is subject to IPSG verification. As a result, it bypasses both PBR and 802.1X ACL matching processes.
If a packet that matches the IP source guard entry also matches an ACL rule (such as a firewall filter ACL), and the action of the ACL rule is discard, then the packet will be discarded by the ACL regardless of other configurations.
After an IP source guard binding entry is configured, the system must deploy it to the hardware. The number of IP source guard binding entries a switch supports therefore depends on the current utilization of its hardware resources, and it also varies between switch platforms because their hardware capacities differ.
IPSG is not supported in MLAG scenarios.
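The following Python model reproduces the forwarding decision described in the overview and the notes above: a packet on an IPSG-enabled port is forwarded only if its source IP matches a binding for that port, an ACL discard rule still wins over a binding match, and a DHCP snooping trust interface cannot enable IPSG. It is an added example, not vendor switch code; the binding key (interface plus source IP), the simplified ACL, and the interface names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class IpsgSwitch:
    """Minimal model of a switch's IP source guard decision path (constructed)."""
    ipsg_ports: set = field(default_factory=set)      # IPSG is off by default; enabled per port
    bindings: dict = field(default_factory=dict)      # interface -> set of permitted source IPs
    trusted: set = field(default_factory=set)         # DHCP snooping trust interfaces
    acl_discard: set = field(default_factory=set)     # source IPs an ACL rule discards

    def enable_ipsg(self, port: str) -> None:
        # Constraint from the notes: a trust interface cannot run IPSG.
        if port in self.trusted:
            raise ValueError(f"{port}: DHCP snooping trust interface cannot enable IPSG")
        self.ipsg_ports.add(port)

    def add_binding(self, port: str, src_ip: str) -> None:
        self.bindings.setdefault(port, set()).add(src_ip)

    def decide(self, port: str, src_ip: str) -> str:
        """Return 'forward', 'drop-ipsg' or 'drop-acl' for one ingress packet."""
        # An ACL discard action applies regardless of the IPSG binding match.
        if src_ip in self.acl_discard:
            return "drop-acl"
        # IPSG verification only happens on ports where it is enabled.
        if port in self.ipsg_ports and src_ip not in self.bindings.get(port, set()):
            return "drop-ipsg"
        return "forward"


def demo() -> list:
    """Run a few constructed packets through the model and return the decisions."""
    sw = IpsgSwitch(trusted={"Gi0/24"})
    sw.enable_ipsg("Gi0/1")
    sw.add_binding("Gi0/1", "10.0.0.10")
    sw.acl_discard.add("10.0.0.99")
    sw.add_binding("Gi0/1", "10.0.0.99")   # bound, but an ACL discards it anyway
    packets = [("Gi0/1", "10.0.0.10"),     # matches binding -> forward
               ("Gi0/1", "10.0.0.11"),     # spoofed source on guarded port -> drop
               ("Gi0/2", "10.0.0.11"),     # IPSG disabled on this port -> forward
               ("Gi0/1", "10.0.0.99")]     # ACL discard wins over binding match
    return [(p, ip, sw.decide(p, ip)) for p, ip in packets]


if __name__ == "__main__":
    for port, ip, verdict in demo():
        print(f"{port:7} {ip:12} -> {verdict}")
```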
Configuring IP Source Guard
Configuring IP Source Guard involves the following steps:
...
NOTE:
...
run show ip-source-guard binding [interface <interface-name>]
Configuration Example
Networking Requirements
Figure 1. IP Source Guard Configuration Example
...