- Index
- Preface
- Product Overview
- Command-Line Interfaces (CLI)
- Smart Port Macros
- Virtual Switching Systems (VSS)
- Fast Software Upgrades
- Stateful Switchover (SSO)
- Non-Stop Forwarding (NSF)
- RPR Supervisor Engine Redundancy
- Switch Fabric Functionality
- Interface Configuration
- UniDirectional Link Detection (UDLD)
- Power Management
- Environmental Monitoring
- Online Diagnostics
- Onboard Failure Logging (OBFL)
- Cisco IP Phone Support
- Power over Ethernet
- Layer 2 LAN Port Configuration
- Flex Links
- EtherChannels
- IEEE 802.1ak MVRP and MRP
- VLAN Trunking Protocol (VTP)
- VLANs
- Private VLANs (PVLANs)
- Private Hosts
- IEEE 802.1Q Tunneling
- Layer 2 Protocol Tunneling (L2PT)
- Spanning Tree Protocols (STP, MST)
- Optional STP Features
- IP Unicast Layer 3 Switching
- Policy-Based Routing (PBR)
- Layer 3 Interface Configuration
- Unidirectional Ethernet (UDE) and unidirectional link routing (UDLR)
- Multiprotocol Label Switching (MPLS)
- MPLS VPN Support
- Ethernet over MPLS (EoMPLS)
- Virtual Private LAN Services (VPLS)
- Ethernet Virtual Connections (EVC)
- Layer 2 over Multipoint GRE (L2omGRE)
- IPv4 Multicast Layer 3 Features
- IPv4 Multicast IGMP Snooping
- IPv4 PIM Snooping
- IPv4 Multicast VLAN Registration (MVR)
- IPv4 IGMP Filtering
- IPv4 Router Guard
- IPv4 Multicast VPN Support
- IPv6 Multicast Layer 3 Features
- IPv6 MLD Snooping
- NetFlow Hardware Support
- Call Home
- System Event Archive (SEA)
- Backplane Platform Monitoring
- Local SPAN, RSPAN, and ERSPAN
- SNMP IfIndex Persistence
- Top-N Reports
- Layer 2 Traceroute Utility
- Mini Protocol Analyzer
- PFC QoS Overview
- PFC QoS Guidelines and Restrictions
- PFC QoS Classification, Marking, and Policing
- PFC QoS Policy Based Queueing
- PFC QoS Global and Interface Options
- AutoQoS
- MPLS QoS
- PFC QoS Statistics Data Export
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- AutoSecure
- MAC Address-Based Traffic Blocking
- Port ACLs (PACLs)
- VLAN ACLs (VACLs)
- Policy-Based Forwarding (PBF)
- Denial of Service (DoS) Protection
- Control Plane Policing (CoPP)
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Traffic Storm Control
- Unknown Unicast and Multicast Flood Control
- IEEE 802.1X Port-Based Authentication
- Web-Based Authentication
- Port Security
- Lawful Intercept
- Online Diagnostic Tests
- Migrating From a 12.2SX QoS Configuration
IP Source Guard
- Prerequisites for IP Source Guard
- Restrictions for IP Source Guard
- Information About IP Source Guard
- Default Settings for IP Source Guard
- How to Configure IP Source Guard
- Displaying IP Source Guard PACL Information
- Displaying IP Source Binding Information
Note ●
For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps9536/prod_command_reference_list.html
- Cisco IOS Release 12.2SY supports only Ethernet interfaces. Cisco IOS Release 12.2SY does not support any WAN features or commands.
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Prerequisites for IP Source Guard
Restrictions for IP Source Guard
Because the IP source guard feature is supported only in hardware, IP source guard is not applied if there are insufficient hardware resources available. These hardware resources are shared by various other ACL features that are configured on the system. The following restrictions apply to IP source guard:
Information About IP Source Guard
- Overview of IP Source Guard
- IP Source Guard Interaction with VLAN-Based Features
- Channel Ports
- Layer 2 and Layer 3 Port Conversion
- IP Source Guard and Voice VLAN
- IP Source Guard and Web-Based Authentication
Overview of IP Source Guard
IP source guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address. IP source guard is a port-based feature that automatically creates an implicit port access control list (PACL).
IP Source Guard Interaction with VLAN-Based Features
Use the access-group mode command to specify how IP source guard interacts with VLAN-based features (such as VACL and Cisco IOS ACL and RACL).
In prefer port mode, if IP source guard is configured on an interface, IP source guard overrides other VLAN-based features. If IP source guard is not configured on the interface, other VLAN-based features are merged in the ingress direction and applied on the interface.
In merge mode, IP source guard and VLAN-based features are merged in the ingress direction and applied on the interface. This is the default access-group mode.
Channel Ports
IP source guard is supported on Layer 2 port-channel interfaces but not on the port members. When IP source guard is applied to a Layer 2 port-channel channel interface, it is applied to all the member ports in the EtherChannel.
Layer 2 and Layer 3 Port Conversion
When an IP source guard policy is configured on a Layer 2 port, if the port is reconfigured as a Layer 3 port, the IP source guard policy no longer functions but is still present in the configuration. If the port is reconfigured as a Layer 2 port, the IP source guard policy becomes effective again.
IP Source Guard and Voice VLAN
IP source guard is supported on a Layer 2 port that belongs to a voice VLAN. For IP source guard to be active on the voice VLAN, DHCP snooping must be enabled on the voice VLAN. In merge mode, the IP source guard feature is merged with VACL and Cisco IOS ACL configured on the access VLAN.
IP Source Guard and Web-Based Authentication
You can configure IP source guard and web-based authentication (see Chapter 81, “Web-Based Authentication”) on the same interface. Other VLAN-based features are not supported when IP Source Guard and web-based authentication are combined.
Default Settings for IP Source Guard
How to Configure IP Source Guard
To enable IP source guard, perform this task:
Note The static IP source binding can only be configured on a Layer 2 port. If you enter the ip source binding vlan interface command on a Layer 3 port, you receive this error message:
The no keyword deletes the corresponding IP source binding entry. This command requires an exact match of all the required parameters in order for the deletion to be successful.
This example shows how to enable per-Layer 2 port IP source guard on VLANs 10 through 20:
The output shows that there is one valid DHCP binding to VLAN 10.
This example shows how to configure an interface to use prefer port mode:
This example shows how to configure an interface to use merge mode:
Displaying IP Source Guard PACL Information
To display IP source guard PACL information for all interfaces on a switch, perform this task:
|
|
|
|
|---|---|---|
|
|
Displays IP source guard PACL information for all interfaces on a switch or for a specified interface. |
This example shows that DHCP snooping is enabled on VLAN 10 through 20, interface fa6/1 is configured for IP filtering, and there is an existing IP address binding 10.0.01 on VLAN 10:
Note The second entry shows that a default PACL (deny all IP traffic) is installed on the port for those snooping-enabled VLANs that do not have a valid IP source binding.
This example shows the displayed PACL information for a trusted port:
This example shows the displayed PACL information for a port in a VLAN not configured for DHCP snooping:
This example shows the displayed PACL information for a port with multiple bindings configured for an IP/MAC filtering:
This example shows the displayed PACL information for a port configured for IP/MAC filtering but not for port security:
Note The MAC address filter shows permit-all because port security is not enabled, so the MAC filter cannot apply to the port/VLAN and is effectively disabled. Always enable port security first.
This example shows an error message when you enter the show ip verify source command on a port that does not have an IP source filter mode configured:
This example shows how to display all interfaces on the switch that have IP source guard enabled:
Displaying IP Source Binding Information
To display all IP source bindings configured on all interfaces on a switch, perform this task:
This example shows how to display all IP source bindings configured on all interfaces on the switch.
Table 76-1 describes the fields in the show ip source binding command output.
|
|
|
|---|---|
Binding type; static bindings configured from CLI to dynamic binding learned from DHCP snooping |
|
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Feedback