IP Source Guard (IPSG)

Overview

IP Source Guard (IPSG) is a security feature implemented in network switches to mitigate IP address spoofing attacks. On an interface where it is enabled, every incoming IP packet must carry a source IP address (and, depending on the filtering item, a source MAC address) that matches an entry in the IP source guard binding table. Packets from any other source address are dropped.

IP source guard binding table contains two types of entries: static entries and dynamic entries.

  • Static entries: IP-to-MAC bindings configured manually for a specific interface and VLAN.

  • Dynamic entries: bindings learned from the DHCP snooping binding table when a client obtains a lease.

Aging applies only to dynamic entries; static entries never age out.

The IP source guard filtering item is configured per interface and VLAN and is either ip (check the source IP address only) or ip+mac (check the source IP and source MAC address together).

In addition to packets that match entries in the IP source guard binding table, IP source guard permits the following traffic:

  • When DHCP snooping is enabled, DHCP packets are accepted, so that a client with no binding yet can still obtain a lease (which then creates its dynamic entry).

  • IPv6 packets are not checked by IP source guard at all; it provides no protection against IPv6 source address spoofing.

By default, IP source guard is disabled. It must be enabled on each port where guarding is required.

Configuration Notes and Constraints

When configuring IP source guard, consider the following points:

  • IP source guard can only be configured on Layer 2 physical ports.

  • An interface with IPSG enabled cannot also be a DHCP snooping trust interface.

  • IPSG has a higher priority than PBR (Policy-Based Routing) and 802.1X (downloadable ACL and dynamic ACL). When IPSG is enabled on the ingress interface and VLAN of a packet, the packet is subject to IPSG verification and bypasses both PBR and 802.1X ACL matching.

  • If a packet that matches an IP source guard entry also matches an ACL rule (such as a firewall filter ACL) whose action is discard, the packet is discarded by the ACL regardless of other configuration. Passing IPSG verification does not exempt a packet from ACLs.

  • IP source guard binding entries are programmed into hardware after configuration, so the number of entries a switch supports depends on the current utilization of its hardware table resources and varies between switch platforms. After committing, check the Status column of run show ip-source-guard binding to confirm that each entry is effective.

  • IPSG is not supported in MLAG scenarios.
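The filtering decision described in the Overview and the precedence rules in the notes above, as an added example that is not PicOS code: a small Python model of the binding table (static and dynamic entries, dynamic-only aging), the ip and ip+mac filtering items, the DHCP and IPv6 exemptions, the trust-port constraint, and the rule that an ACL discard still wins after IPSG verification. The class and method names are made up for the example; the bindings in build_example() are the two hosts from the configuration example later on this page.

```python
"""Model of IP Source Guard (IPSG) per-port filtering decisions.

Added example, not PicOS code. Binding sources, verify modes and the
DHCP/IPv6 exemptions follow the page's description; names are invented.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    source: str  # "static" (configured) or "dhcp-snooping" (dynamic)


@dataclass(frozen=True)
class Packet:
    interface: str  # ingress port
    vlan: int
    src_ip: str
    src_mac: str
    is_dhcp: bool = False  # DHCP client message (src 0.0.0.0 during DISCOVER/REQUEST)


class IPSourceGuard:
    def __init__(self):
        self.bindings = set()        # Binding entries, static + dynamic
        self.guarded = {}            # (interface, vlan) -> "ip" or "ip+mac"
        self.snooping_vlans = set()  # VLANs with DHCP snooping enabled
        self.trust_ports = set()     # DHCP snooping trust ports

    # --- configuration ---------------------------------------------------
    def add_static(self, ip, mac, interface, vlan):
        self.bindings.add(Binding(ip, mac, interface, vlan, "static"))

    def enable_dhcp_snooping(self, vlan, trust_port):
        self.snooping_vlans.add(vlan)
        self.trust_ports.add(trust_port)

    def learn_dhcp_lease(self, ip, mac, interface, vlan):
        """Dynamic entry: what DHCP snooping adds when it sees a lease."""
        if vlan not in self.snooping_vlans:
            raise ValueError(f"DHCP snooping not enabled on VLAN {vlan}")
        self.bindings.add(Binding(ip, mac, interface, vlan, "dhcp-snooping"))

    def age_out_dynamic(self):
        """Aging removes dynamic entries only; static entries never age."""
        self.bindings = {b for b in self.bindings if b.source == "static"}

    def enable(self, interface, vlan, verify="ip"):
        # Page constraint: a guarded port cannot be a DHCP snooping trust port.
        if interface in self.trust_ports:
            raise ValueError(f"{interface} is a DHCP snooping trust port")
        if verify not in ("ip", "ip+mac"):
            raise ValueError("verify must be 'ip' or 'ip+mac'")
        self.guarded[(interface, vlan)] = verify

    # --- forwarding decision --------------------------------------------
    def check(self, pkt, acl_discard=False):
        """Return (forward?, reason) for one ingress packet.

        acl_discard models a separate ACL whose action is discard; it still
        drops a packet that passed IPSG verification.
        """
        mode = self.guarded.get((pkt.interface, pkt.vlan))
        if mode is None:
            return True, "port/VLAN not guarded"
        if ip_address(pkt.src_ip).version == 6:
            return True, "IPv6 is not checked by IPSG"
        if pkt.is_dhcp and pkt.vlan in self.snooping_vlans:
            return True, "DHCP permitted so the client can obtain a lease"
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) != (pkt.interface, pkt.vlan, pkt.src_ip):
                continue
            if mode == "ip+mac" and b.mac.lower() != pkt.src_mac.lower():
                continue
            if acl_discard:
                return False, "matched binding but discarded by ACL"
            return True, f"matched {b.source} binding"
        return False, "no binding for this source on this port/VLAN"


def build_example():
    """Topology from this page's configuration example: host A static on
    ge-1/1/1 VLAN 10, host B via DHCP snooping on ge-1/1/2 VLAN 20, trust
    port ge-1/1/3."""
    sg = IPSourceGuard()
    sg.add_static("10.10.10.22", "3f:2c:99:51:48:01", "ge-1/1/1", 10)
    sg.enable_dhcp_snooping(20, "ge-1/1/3")
    sg.learn_dhcp_lease("20.1.1.10", "54:9c:99:d3:09:5c", "ge-1/1/2", 20)
    sg.enable("ge-1/1/1", 10, "ip+mac")
    sg.enable("ge-1/1/2", 20, "ip+mac")
    return sg
```

Two behaviours are worth noticing when running it: a DHCP client message on a VLAN without DHCP snooping is not exempt and is dropped like any other unbound source, and aging out the dynamic entry silently cuts off host B until it renews its lease, while host A's static entry survives.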

Configuring IP Source Guard

Configuring IP Source Guard involves the following steps:

  1. Configure IP Source Guard binding table entries in one or both of the following ways:

  • Static entries: manually bind an IP address to a MAC address on a specific interface and VLAN.

  • Dynamic entries: enable DHCP snooping so that IP Source Guard entries are generated from the DHCP snooping binding table.

  2. Enable IP source guard for a specific interface and VLAN.

NOTE:

  • The command set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false> is used for step 2.

  • The interface and VLAN configured in step 2 must match the interface and VLAN of the entries in the IP source guard binding table; otherwise the hosts on that port have no matching entry and their traffic is dropped.

  • When IP source guard is enabled on a specific interface and VLAN, all IP packets received on that interface and VLAN are dropped except those that match entries in the IP source guard binding table.

  • Packets received on other interfaces or VLANs that do not have IP source guard enabled are not inspected by the IP source guard module and are processed normally.

  3. (Optional) Configure the IP source guard filtering item (ip or ip+mac) for the interface and VLAN.

  4. Verify the IP source guard entries.

You can enable both static and dynamic entries for IP source guard, or you can choose to enable only one of them. For users with dynamically assigned IP addresses, enabling DHCP Snooping is necessary.

Configure Static IP Source Guard Binding Entry

Step 1          Configure static IP source guard entries.

set ip-source-guard binding ip <ip_address> mac <mac-address> interface <interface-name> vlan <vlan-id>

Step 2          Enable IP source guard based on specific interface and VLAN. Here, the interface and VLAN ID should be consistent with the values configured in the static IP source guard entries.

set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false>

Step 3          (Optional) Configure IP source guard filtering item based on specific interface and VLAN.

set ip-source-guard interface <interface-name> vlan <vlan-id> verify <ip | ip+mac>

Step 4          Commit the configuration.

commit

Step 5          View the IP source guard binding entries.

run show ip-source-guard binding [interface <interface-name>]

Configure Dynamic IP Source Guard Binding Entry

Step 1          Enable DHCP snooping on the VLAN (disable false) and mark the uplink toward the DHCP server as a trust port.

set protocols dhcp snooping vlan <vlan-id> disable <true | false>

set protocols dhcp snooping trust-port <interface-name>

Step 2          Enable IP source guard based on specific interface and VLAN. Here, the VLAN is the one on which DHCP snooping is enabled, and the interface is the client-facing port, not the trust port.

set ip-source-guard interface <interface-name> vlan <vlan-id> enable <true | false>

Step 3          (Optional) Configure IP source guard filtering item based on specific interface and VLAN. Here, the VLAN is the one that enables DHCP snooping.

set ip-source-guard interface <interface-name> vlan <vlan-id> verify <ip | ip+mac>

Step 4          Commit the configuration.

commit

Step 5          View the IP source guard binding entries.

run show ip-source-guard binding [interface <interface-name>]

Configuration Example

Networking Requirements

Figure 1.     IP Source Guard Configuration Example

(image: f1.png)

As shown in Figure 1, enable IP Source Guard on interfaces ge-1/1/1 and ge-1/1/2 of the device named Switch to prevent IP address spoofing attacks. Host A is covered by a static IP source guard binding entry; host B's entry is generated dynamically from the DHCP snooping binding table.

Follow the configuration roadmap below to complete the deployment on the Switch device:

  1. Configure IP source guard binding table static entries for host A.

  2. Enable DHCP Snooping for dynamically assigning IP to host B.

  3. Enable IP source guard function for interfaces ge-1/1/1 and ge-1/1/2.

  4. Configure IP source guard filtering item based on specific interface and VLAN.

  5. Check the IP source guard entries.

Procedure

Step 1          Configure VLAN.

admin@PICOS# set vlans vlan-id 10
admin@PICOS# set vlans vlan-id 20
admin@PICOS# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 10
admin@PICOS# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 20
admin@PICOS# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode trunk
admin@PICOS# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching vlan members 10,20

Step 2          Configure IP source guard static entry for host A.

admin@PICOS# set ip-source-guard binding ip 10.10.10.22 mac 3f:2c:99:51:48:01 interface ge-1/1/1 vlan 10

Step 3          For host B, which obtains its address dynamically, enable DHCP snooping on VLAN 20 and trust the uplink ge-1/1/3 toward the DHCP server.

admin@PICOS# set protocols dhcp snooping vlan 20 disable false
admin@PICOS# set protocols dhcp snooping trust-port ge-1/1/3

Step 4          Enable IP source guard.

admin@PICOS# set ip-source-guard interface ge-1/1/1 vlan 10 enable true
admin@PICOS# set ip-source-guard interface ge-1/1/2 vlan 20 enable true

Step 5          Configure IP source guard filtering item based on specific interface and VLAN.

admin@PICOS# set ip-source-guard interface ge-1/1/1 vlan 10 verify ip+mac
admin@PICOS# set ip-source-guard interface ge-1/1/2 vlan 20 verify ip+mac

Step 6          Commit the configuration.

admin@PICOS# commit

Step 7          View the IP source guard binding entries.

admin@PICOS# run show ip-source-guard binding
Total ipsg host count:     2
Mac-Address         Ip-Address      Interface       VLAN      Type             Filter-Type         Status
-----------------------------------------------------------------------------------------------------------------------
3f:2c:99:51:48:01   10.10.10.22     ge-1/1/1        10        static           ip+mac              effective
54:9c:99:d3:09:5c   20.1.1.10       ge-1/1/2        20        dhcp-snooping    ip+mac              effective
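A post-commit check a practitioner would want to script, as an added example that is not part of PicOS: parse the output of run show ip-source-guard binding and compare it with the intended configuration. It flags entries whose Status is not effective (an entry that was not programmed into hardware leaves that host with no working binding), guarded port/VLAN pairs with no entry at all (every IP packet from them is dropped), Filter-Type values that differ from the configured verify mode, and a header count that disagrees with the rows. The first sample string is the table from Step 7 above; the second is a constructed negative sample, and its "inactive" status keyword is an assumption, since the page shows only effective.

```python
"""Audit 'run show ip-source-guard binding' output after commit.

Added example, not PicOS code. Parses the table format shown on this page.
The keyword PicOS prints for a binding that is NOT programmed in hardware
is not shown on the page; the negative sample below assumes "inactive".
"""
import re

# Sample output copied from this page's configuration example.
SAMPLE_OUTPUT = """\
Total ipsg host count:     2
Mac-Address         Ip-Address      Interface       VLAN      Type             Filter-Type         Status
-----------------------------------------------------------------------------------------------------------------------
3f:2c:99:51:48:01   10.10.10.22     ge-1/1/1        10        static           ip+mac              effective
54:9c:99:d3:09:5c   20.1.1.10       ge-1/1/2        20        dhcp-snooping    ip+mac              effective
"""

# Constructed negative sample: stale header count, second entry not in
# hardware ("inactive" is an assumed keyword) and the wrong filter type.
BAD_OUTPUT = """\
Total ipsg host count:     3
Mac-Address         Ip-Address      Interface       VLAN      Type             Filter-Type         Status
-----------------------------------------------------------------------------------------------------------------------
3f:2c:99:51:48:01   10.10.10.22     ge-1/1/1        10        static           ip+mac              effective
54:9c:99:d3:09:5c   20.1.1.10       ge-1/1/2        20        dhcp-snooping    ip                  inactive
"""


def parse_bindings(text):
    """Return (header_count, [entry dicts]) from the show command output."""
    total, entries = None, []
    for line in text.splitlines():
        m = re.match(r"Total ipsg host count:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        cols = line.split()
        # Skip the column header and the dashed separator; data rows have 7 fields.
        if len(cols) != 7 or cols[0] == "Mac-Address":
            continue
        mac, ip, intf, vlan, kind, filt, status = cols
        entries.append({"mac": mac.lower(), "ip": ip, "interface": intf,
                        "vlan": int(vlan), "type": kind, "filter": filt,
                        "status": status})
    return total, entries


def audit(text, guarded):
    """Compare the table with the intended configuration.

    guarded maps (interface, vlan) -> verify mode ("ip" or "ip+mac") for every
    port/VLAN on which 'set ip-source-guard ... enable true' was committed.
    Returns a list of findings; an empty list means the table is consistent.
    """
    total, entries = parse_bindings(text)
    findings = []
    if total is not None and total != len(entries):
        findings.append(f"header count {total} != {len(entries)} parsed rows")
    seen = set()
    for e in entries:
        key = (e["interface"], e["vlan"])
        seen.add(key)
        if e["status"] != "effective":
            # Not deployed to hardware (e.g. table resources exhausted): the
            # host has no working entry and its traffic is dropped.
            findings.append(f"{e['ip']} on {key}: status {e['status']}, not effective")
        if key not in guarded:
            findings.append(f"{e['ip']} bound on {key} but IPSG not enabled there")
        elif guarded[key] != e["filter"]:
            findings.append(f"{key}: filter-type {e['filter']} != configured {guarded[key]}")
    for key in guarded:
        if key not in seen:
            # Guard enabled with no entry: all IP packets from that port/VLAN are dropped.
            findings.append(f"IPSG enabled on {key} but no binding exists")
    return findings


if __name__ == "__main__":
    intended = {("ge-1/1/1", 10): "ip+mac", ("ge-1/1/2", 20): "ip+mac"}
    for name, text in (("sample", SAMPLE_OUTPUT), ("bad", BAD_OUTPUT)):
        print(name, audit(text, intended) or "OK")
```

In practice the text would come from the switch CLI over SSH; the parser keys only on the seven whitespace-separated columns shown on this page, so verify the column layout against your PicOS release before relying on it.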


Copyright © 2024 Pica8 Inc. All Rights Reserved.