Cisco Systems IE 2000 Source IP Address Filtering, Source IP and MAC Address Filtering, IP Source Guard for Static Hosts

27-2

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 27 Configuring IP Source Guard

Information About IP Source Guard

You can enable IPSG when DHCP snooping is enabled on an untrusted interface. After IPSG is enabled

on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets

allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL

allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface.

The IP source binding table bindings are learned by DHCP snooping or are manually configured (stat ic

IP source bindings). An entry in this table has an IP address with its associated MAC address and VLAN

number. The switch uses the IP source binding table only when IPSG is enabled.

You can configure IPSG with source IP address filtering or with source IP and MAC address filtering.

Source IP Address Filtering

When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch

forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database

or a binding in the IP source binding table.

When a DHCP snooping binding or static IP source binding is added, chan ged, or deleted on an interface,

the switch modifies the port ACL by using the IP source binding changes and re-applies the port ACL to

the interface.

If you enable IPSG on an interface on which IP source bindings (dynamically learned by DHCP snooping

or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP

traffic on the interface. If you disable IPSG, the switch removes the port ACL from the interface.

Source IP and MAC Address Filtering

IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when

the source IP and MAC addresses match an entry in the IP source binding table.

When address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of

an IP or non-IP packet matches a valid IP source binding, the swit ch forwards the packet. The switch

drops all other types of packets except DHCP packets.

The switch uses port security to filter source MAC addresses. The interface can shut down when a

port-security violation occurs.

IP Source Guard for Static Hosts

IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous

IPSG used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic

received from a host without a valid DHCP binding entry is dropped. This security feature restricts IP

traffic on nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database

and on manually configured IP source bindings. The previous version of IPSG required a DHCP

environment for IPSG to work.

IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device

tracking-table entries to install port ACLs. The switch creates static entries based on ARP requests or

other IP packets to maintain the list of valid hosts for a given port. You can also specify the number of

hosts allowed to send traffic to a given port. This is equivalent to port security at L ayer 3.