- Securing Layer 2
- Port-Level Traffic Controls
- Private VLAN (PVLAN)
- Access Lists on Switches
- Spanning Tree Protocol Features
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Advanced Integrated Security Features on High-End Catalyst Switches
- Control Plane Policing (CoPP) Feature
- CPU Rate Limiters
- Layer 2 Security Best Practices
- Summary
- References
IP Source Guard
IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host. Any IP traffic coming into the interface with a source IP address other than that assigned (via DHCP or static configuration) will be filtered out on the untrusted Layer 2 ports.
The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC and VLAN numbers. The IP Source Guard is supported on Layer 2 ports only, including access and trunk ports.
Example 4-9 shows how to enable the IP Source Guard with dynamic source IP and MAC address filtering.
Example 4-9. IP Source Guard Configuration Example 1
Switch(config)#interface GigabitEthernet1/0/1 Switch(config-if)#ip verify source port-security
Example 4-10 shows how to enable the IP Source Guard with a static source IP address and MAC address filtering mapped on VLAN 5.
Example 4-10. IP Source Guard Configuration Example 2
Switch(config)# ip source binding 0011.0011.0011 vlan 5 10.1.1.11 interface GigabitEthernet1/0/2
Use the show ip verify source command to display the IP Source Guard configuration and the show ip source binding command to display the IP source bindings on the switch.