27-2
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 27 Configuring IP Source Guard
Information About IP Source Guard
You can enable IPSG when DHCP snooping is enabled on an untrusted interface. After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface.
The IP source binding table bindings are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address with its associated MAC address and VLAN number. The switch uses the IP source binding table only when IPSG is enabled.
You can configure IPSG with source IP address filtering or with source IP and MAC address filtering.
Source IP Address Filtering
When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL by using the IP source binding changes and re-applies the port ACL to the interface.
If you enable IPSG on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IPSG, the switch removes the port ACL from the interface.
Source IP and MAC Address Filtering
IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.
When address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.
The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
IP Source Guard for Static Hosts
IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. Without it, IPSG validates the hosts connected to a switch only against the entries created by DHCP snooping, and any traffic received from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on nonrouted Layer 2 interfaces, filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings; that version of IPSG therefore required a DHCP environment in order to work.
IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send traffic to a given port. This is equivalent to port security at Layer 3.
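The following Python model is an added illustration (not Cisco switch code) of the filtering rules described in the Source IP Address Filtering, Source IP and MAC Address Filtering, and IP Source Guard for Static Hosts sections above. It builds the per-port decision from an IP source binding table, exempts DHCP packets, denies all IP traffic when no bindings exist for the port, distinguishes IP-only from IP+MAC mode (where a non-matching source MAC is treated as a port-security violation), and learns device-tracking entries for static hosts up to a per-port limit. The class names, the `origin` labels, the interface names and all addresses are constructed for the example; none of them are the switch's own identifiers.

```python
"""Constructed model of the IP Source Guard (IPSG) port-ACL decision.

Added illustration, not Cisco code. It follows the chapter's rules: the
per-port ACL is derived from the IP source binding table; DHCP packets are
always allowed; with no bindings the port denies all IP traffic; IP-only mode
checks the source IP, IP+MAC mode checks both and also filters non-IP frames
by source MAC; IPSG for static hosts learns entries from ARP/IP packets up to
a per-port host limit.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    IP = "ip"          # source IP address filtering
    IP_MAC = "ip-mac"  # source IP and MAC address filtering (uses port security)


class Verdict(Enum):
    FORWARD = "forward"
    DENY = "deny"
    PORT_SECURITY_VIOLATION = "port-security-violation"  # may errdisable the port


@dataclass(frozen=True)
class Binding:
    """One entry of the IP source binding table (fields as the chapter lists them)."""
    ip: str
    mac: str
    vlan: int
    interface: str
    origin: str  # assumed labels: "dhcp-snooping", "static" or "device-tracking"


@dataclass(frozen=True)
class Frame:
    """A received frame; src_ip is None for non-IP frames such as ARP."""
    interface: str
    vlan: int
    src_mac: str
    src_ip: Optional[str]
    is_dhcp: bool = False


@dataclass
class Port:
    interface: str
    ipsg_enabled: bool = True
    mode: Mode = Mode.IP
    static_hosts: bool = False  # IPSG for static hosts enabled
    max_hosts: int = 1          # hosts allowed to send traffic on this port


def port_acl_entries(bindings: List[Binding], port: Port, vlan: int) -> List[Binding]:
    """Bindings the port ACL permits on this interface and VLAN."""
    return [b for b in bindings if b.interface == port.interface and b.vlan == vlan]


def verdict(port: Port, frame: Frame, bindings: List[Binding]) -> Verdict:
    """Apply the IPSG port ACL to one received frame."""
    if not port.ipsg_enabled:
        return Verdict.FORWARD
    if frame.is_dhcp:
        return Verdict.FORWARD  # DHCP packets allowed by DHCP snooping pass the ACL
    permitted = port_acl_entries(bindings, port, frame.vlan)
    if port.mode == Mode.IP:
        if frame.src_ip is None:
            return Verdict.FORWARD  # IP-only mode filters IP traffic only
        # An empty table yields an ACL that denies all IP traffic on the port
        ok = any(b.ip == frame.src_ip for b in permitted)
        return Verdict.FORWARD if ok else Verdict.DENY
    # IP+MAC mode: the source MAC must match a binding (enforced by port security)
    by_mac = [b for b in permitted if b.mac == frame.src_mac]
    if not by_mac:
        return Verdict.PORT_SECURITY_VIOLATION
    if frame.src_ip is None:
        return Verdict.FORWARD  # non-IP frame from a MAC with a valid binding
    ok = any(b.ip == frame.src_ip for b in by_mac)
    return Verdict.FORWARD if ok else Verdict.DENY


def learn_static_host(port: Port, bindings: List[Binding],
                      ip: str, mac: str, vlan: int) -> bool:
    """IPSG for static hosts: create a device-tracking entry from the sender
    fields of an ARP request or the header of an IP packet, subject to the
    per-port host limit. Returns True if the host is a valid binding afterwards."""
    if not (port.ipsg_enabled and port.static_hosts):
        return False
    learned = [b for b in bindings
               if b.interface == port.interface and b.origin == "device-tracking"]
    if any(b.ip == ip and b.mac == mac and b.vlan == vlan for b in learned):
        return True  # already tracked
    if len(learned) >= port.max_hosts:
        return False  # host limit reached; no entry, so its traffic stays denied
    bindings.append(Binding(ip, mac, vlan, port.interface, "device-tracking"))
    return True


if __name__ == "__main__":
    # Constructed sample binding learned by DHCP snooping on Fa1/1, VLAN 10
    table = [Binding("10.0.0.5", "00:11:22:33:44:55", 10, "Fa1/1", "dhcp-snooping")]
    p = Port("Fa1/1", mode=Mode.IP_MAC)
    for f in (Frame("Fa1/1", 10, "00:11:22:33:44:55", "10.0.0.5"),
              Frame("Fa1/1", 10, "00:11:22:33:44:55", "10.0.0.99"),
              Frame("Fa1/1", 10, "aa:aa:aa:aa:aa:aa", "10.0.0.5"),
              Frame("Fa1/1", 10, "aa:aa:aa:aa:aa:aa", "0.0.0.0", is_dhcp=True)):
        print(f.src_mac, f.src_ip, "->", verdict(p, f, table).value)
```

The DHCP case uses a source of 0.0.0.0, as a DHCPDISCOVER does; without the explicit exemption that packet would never match a binding, which is why the chapter's "except for DHCP packets" clause matters for a host that has not yet obtained an address.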