IP Source Guard 3

Web – Click DHCP Snooping, DHCP Snooping Binding Information.

Figure 3-118 DHCP Snooping Binding Information

CLI – This example shows how to display the DHCP Snooping binding table entries.

Console#show ip dhcp snooping binding                                      4-237
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99             0 Dynamic                 1 Eth 1/5
Console#

IP Source Guard

IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or on static and dynamic entries in the DHCP Snooping table when DHCP snooping is enabled (see “DHCP Snooping” on page 3-186). IP Source Guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes the commands used to configure IP Source Guard.

Note: Due to a chip limitation, IP Source Guard and Quality of Service (IP-related QoS functions only) cannot be enabled at the same time. If IP Source Guard is already enabled, it must be disabled before the QoS function will work, and vice versa.

IP Source Guard Port Configuration

IP Source Guard is used to filter traffic on an unsecured port that receives messages from outside the network or firewall, and that may therefore be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.

When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table. Either an inbound packet’s source IP address (sip option), or both its source IP address and the corresponding MAC address (sip-mac option), are checked against the binding table. If no matching entry is found, the packet is dropped.
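The check described above, as an added example (not code from the manual or the switch firmware): a Python model that parses binding-table output and applies the sip and sip-mac match to an inbound packet. The function names, the sample text layout, and scoping the lookup to the ingress interface are assumptions of this model.

```python
from dataclasses import dataclass

# Constructed sample, modelled on the binding-table row shown in this section.
SAMPLE = """\
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99             0 Dynamic                 1 Eth 1/5
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

def parse_bindings(text):
    """Parse binding rows; header, separator and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # A data row has at least 6 fields and starts with a 6-group MAC.
        if len(f) < 6 or len(f[0].split("-")) != 6:
            continue
        rows.append(Binding(f[0].lower(), f[1], int(f[4]), " ".join(f[5:])))
    return rows

def permit(bindings, mode, interface, src_ip, src_mac):
    """Return True if the packet matches a binding, False if it is dropped.

    mode "sip" checks the source IP only; "sip-mac" checks IP and MAC.
    Assumption: only bindings for the ingress interface are considered.
    """
    if mode not in ("sip", "sip-mac"):
        raise ValueError("mode must be 'sip' or 'sip-mac'")
    for b in bindings:
        if b.interface != interface or b.ip != src_ip:
            continue
        if mode == "sip" or b.mac == src_mac.lower():
            return True
    return False  # no matching entry: drop
```

With the sample binding, a packet that reuses the bound IP address from a different MAC address passes under sip but is dropped under sip-mac.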

SMC Networks SMC8150L2 IP Source Guard Port Configuration, Web Click Dhcp Snooping, Dhcp Snooping Binding Information