IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:

• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table

• Static IP source entries that you configure

Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:

• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet

• IP traffic from static IP source entries that you have configured on the Cisco NX-OS device

The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:

MacAddress         IpAddress    LeaseSec   Type           VLAN    Interface    
-----------------  ----------   ---------  -------------  ----    ---------  
00:02:B3:3F:3B:99  10.5.5.2     6943       dhcp-snooping  10      Ethernet2/3

If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only if the MAC address of the packet is 00:02:B3:3F:3B:99.

IP Source Guard has the following prerequisites:

• You must enable the DHCP feature and DHCP snooping before you can configure IP Source Guard. See Configuring DHCP.

• You must configure the ACL TCAM region size for IP Source Guard using the hardware access-list tcam region ipsg command. See Configuring ACL TCAM Region Sizes.

  Note	By default the ipsg region size is zero. You need to allocate enough entries to this region for storing and enforcing the SMAC-IP bindings.

IP Source Guard has the following configuration guidelines and limitations:

• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.

• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.

• IP Source Guard is not supported on fabric extender (FEX) ports or generic expansion module (GEM) ports.

• The following guidelines and limitations apply to the Cisco Nexus 9200 Series switches:

  • IPv6 adjacency is not formed with IPSG enabled on the incoming interface.

  • IPSG drops ARP packets at HSRP standby.

  • With DHCP snooping and IPSG enabled, if a binding entry exists for the host, traffic is forwarded to the host even without ARP.

• Beginning with Cisco NX-OS Release 9.3(5), IP Source Guard is supported on Cisco Nexus 9364C-GX, Cisco Nexus 9316D-GX, and Cisco Nexus 93600CD-GX switches.

• IP Source Guard does not require TCAM carving on the Cisco Nexus 9300-X Cloud Scale Switches.

This table lists the default settings for IP Source Guard parameters.

Use the show ip ver source [ethernet slot/port | port-channel channel-number] command to display the IP-MAC address bindings.

To clear IP Source Guard statistics, use the commands in this table.