IP Source Guard (IPSG)
Overview
IP Source Guard (IPSG) is a security feature implemented in network switches to mitigate IP address spoofing attacks. It generally works by ensuring that incoming packets on a network interface have a source IP address that matches an entry in the IP source guard binding table. Traffic from other IP addresses is dropped.
IP source guard binding table contains two types of entries: static entries and dynamic entries.
Static entries: IP addresses that have been manually associated with a MAC address.
Dynamic entries: IP addresses added through DHCP snooping binding table.
Dynamic table entry aging does not affect static table entries; that is to say, static table entries do not age.
IP source guard filtering items include either IP or IP+MAC based on specific interface and VLAN.
IP source guard permits traffic from the following sources, in addition to packets that match the entries in the IP source guard binding table:
When DHCP snooping is enabled, IP source guard allows the reception of DHCP packets.
IPv6 packets are not subjected to IP Source Guard checks.
By default, IP source guard is disabled. It must be enabled on each port where guarding is required.
Configuration Notes and Constraints
When configuring IP source guard, consider the following points:
IP source guard can only be configured on Layer 2 physical ports.
The interface that enables IPSG cannot be a DHCP snooping trust interface.
IPSG has a higher priority than PBR (Policy-Based Routing) and 802.1X (downloadable ACL and dynamic ACL). When IPSG is enabled on the ingress interface and VLAN to which a packet belongs, the packet is subject to IPSG verification. As a result, it bypasses both PBR and 802.1X ACL matching processes.
If a packet that matches the IP source guard entry also matches an ACL rule (such as a firewall filter ACL), and the action of the ACL rule is discard, then the packet will be discarded by the ACL regardless of other configurations.
After configuring the IP source guard binding entry, it needs to be deployed to the hardware by the system. Therefore, the number of IP source guard binding entries supported by the switch depends on the current utilization of hardware resources. Of course, different switch platforms have different hardware performance, and thus support varying numbers of table entries.
IPSG is not supported in MLAG scenarios.
Configuring IP Source Guard
Configuring IP Source Guard involves the following steps:
Configure IP Source Guard binding table entries in the following two ways:
Static entries: Manually associate IP addresses with a MAC address.
Enable DHCP snooping function to generate dynamic IP Source Guard entries. Dynamic entries are added through the DHCP Snooping binding table.
Enable IP source guard for a specific interface and VLAN.
NOTE:
The command set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false> is used for step 2.
The interface and VLAN configured in step 2 should be consistent with the values in the IP source guard binding table.
When IP source guard is enabled on a specific interface and VLAN, all IP packets from this interface and VLAN will be dropped except that match the entries in the IP source guard binding table.
Packets received from other interfaces or VLANs that do not have IP source guard enabled will not be inspected by the IP source guard module and will be processed normally.
(Optional) Configure IP source guard filtering item for a specific interface and VLAN.
Verify the IP source guard entries.
You can enable both static and dynamic entries for IP source guard, or you can choose to enable only one of them. For users with dynamically assigned IP addresses, enabling DHCP Snooping is necessary.
Configure Static IP Source Guard Binding Entry
Step 1Â Â Â Â Â Â Â Â Â Configure static IP source guard entries.
set ip-source-guard binding ip <ip_address> mac <mac-address> interface <interface-name> vlan <vlan-id>
Step 2Â Â Â Â Â Â Â Â Â Enable IP source guard based on specific interface and VLAN. Here, the interface and VLAN ID should be consistent with the values configured in the static IP source guard entries.
set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false>
Step 3Â Â Â Â Â Â Â Â Â (Optional) Configure IP source guard filtering item based on specific interface and VLAN.
set ip-source-guard interface <interface-name> vlan <vlan-id> verify <ip | ip+mac>
Step 4Â Â Â Â Â Â Â Â Â Commit the configuration.
commit
Step 5Â Â Â Â Â Â Â Â Â View the IP source guard binding entries.
run show ip-source-guard binding [interface <interface-name>]
Configure Dynamic IP Source Guard Binding Entry
Step 1Â Â Â Â Â Â Â Â Â Enable DHCP snooping.
 set protocols dhcp snooping vlan <vlan-id> disable <true | false>
set protocols dhcp snooping trust-port <interface-name>
Step 2Â Â Â Â Â Â Â Â Â Enable IP source guard based on specific interface and VLAN. Here, the interface and VLAN ID is the one that enables DHCP snooping.
set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false>
Step 3Â Â Â Â Â Â Â Â Â (Optional) Configure IP source guard filtering item based on specific interface and VLAN. Here, the VLAN is the one that enables DHCP snooping.
set ip-source-guard interface <interface-name> vlan <vlan-id> verify <ip | ip+mac>
Step 4Â Â Â Â Â Â Â Â Â Commit the configuration.
commit
Step 5Â Â Â Â Â Â Â Â Â View the IP source guard binding entries.
run show ip-source-guard binding [interface <interface-name>]
Configuration Example
Networking Requirements
Figure 1.    IP Source Guard Configuration Example
Â
Â
As shown in Figure 1, on interfaces ge-1/1/1 and ge-1/1/2 of the device named Switch, enable IP Source Guard function to prevent IP address spoofing attacks. Enable both static IP source guard binding entry configuration and dynamic entry originating from the DHCP snooping binding table.
Follow the configuration roadmap below to complete the deployment on the Switch device:
Configure IP source guard binding table static entries for host A.
Enable DHCP Snooping for dynamically assigning IP to host B.
Enable IP source guard function for interfaces ge-1/1/1 and ge-1/1/2.
Configure IP source guard filtering item based on specific interface and VLAN.
Check the IP source guard entries.
Procedure
Step 1Â Â Â Â Â Â Â Â Â Configure VLAN.
admin@PICOS# set vlans vlan-id 2
admin@PICOS# set vlans vlan-id 3
admin@PICOS# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 10
admin@PICOS# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 20
admin@PICOS# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode trunk
admin@PICOS# Â set interface gigabit-ethernet ge-1/1/3 family ethernet-switching vlan members 10,20
Step 2Â Â Â Â Â Â Â Â Â Configure IP source guard static entry for host A.
admin@PICOS# set ip-source-guard binding ip 10.10.10.22 mac 3f:2c:99:51:48:01 interface ge-1/1/1 vlan 10
Step 3Â Â Â Â Â Â Â Â Â For users with dynamically assigned IP addresses, DHCP snooping needs to be configured.
admin@PICOS# set protocols dhcp snooping vlan 20 disable false
admin@PICOS# set protocols dhcp snooping trust-port ge-1/1/3
Step 4Â Â Â Â Â Â Â Â Â Enable IP source guard.
admin@PICOS# set ip-source-guard interface ge-1/1/1 vlan 10 enable true
admin@PICOS# set ip-source-guard interface ge-1/1/2 vlan 20 enable true
Step 5Â Â Â Â Â Â Â Â Â Configure IP source guard filtering item based on specific interface and VLAN.
admin@PICOS# set ip-source-guard interface ge-1/1/1 vlan 10 verify ip+mac
admin@PICOS# set ip-source-guard interface ge-1/1/2 vlan 20 verify ip+mac
Step 6Â Â Â Â Â Â Â Â Â Commit the configuration.
admin@PICOS# commit
Step 7Â Â Â Â Â Â Â Â Â View the IP source guard binding entries.
admin@PICOS# run show ip-source-guard binding
Total ipsg host count:Â Â Â Â 2
Mac-Address        Ip-Address     Interface      VLAN     Type        Filter-Type        Status
-----------------------------------------------------------------------------------------------------------------------
3f:2c:99:51:48:01  10.10.10.22  ge-1/1/1       10       static          ip+mac             effective
54:9c:99:d3:09:5c  20.1.1.10      ge-1/1/2       20       dhcp-snooping   ip+mac             effective
Â
Copyright © 2024 Pica8 Inc. All Rights Reserved.