Information About IP Source Guard
IP Source Guard (IPSG) is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet match the IP and MAC address bindings of dynamic or static IP source entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table. This feature enables you to control the egress network traffic at the source point. You can configure IPSG in two modes: IP-only mode and IP-MAC mode. IP-only mode filters traffic based on the IP address alone; IP-MAC mode filters traffic based on the IP address and MAC address combination. Starting with Cisco Nexus 1000V switch Release 5.2(1)SV3(2.1), you can bind multiple IP addresses to a single MAC address for traffic filtering. This multi-IP per MAC functionality enables you to manage traffic from multiple trusted VLANs in a network.
The IPSG multi-IP per MAC feature is required to manage traffic when multiple IP addresses originate from the same interface. For example, you need the IPSG multi-IP per MAC feature to source guard a router configured behind a Nexus 1000V switch on a virtual Ethernet (veth) trunk port.
You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
- DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.
- IP traffic from a source whose static IP entries are configured in the Cisco Nexus 1000V.
The device permits IP packets if the IP address and MAC address of the packet match a binding table entry or a static IP source entry in the DHCP binding table.
The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:
MacAddress         IpAddress   LeaseSec  Type           VLAN  Interface
-----------------  ----------  --------  -------------  ----  ----------
00:02:B3:3F:3B:99  10.5.5.2    6943      dhcp-snooping  10    vEthernet3
If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only if the MAC address of the packet is 00:02:B3:3F:3B:99.
Starting with Release 4.2(1)SV2(1.1), you can filter the IP traffic based on the source IP address only as opposed to filtering the traffic based on the IP-MAC Address pair. For more information, refer to Enabling Source IP-Based Filtering.
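The following is an added example, not part of the Cisco documentation or of the NX-OS implementation, that models the IPSG decision described above: a constructed binding table (the entry from the text plus a second IP bound to the same MAC, and a static entry) is checked in IP-MAC mode and in IP-only mode, with DHCP packets handed to DHCP snooping instead of being filtered. Class and field names are the example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (dynamic or static)."""
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str = "dhcp-snooping"   # or "static"

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    interface: str
    is_dhcp: bool = False

def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")

class IpSourceGuard:
    """Per-interface filter: a packet passes only if its (IP, MAC) pair, or in
    IP-only mode just its IP, matches a binding on that interface and VLAN."""

    def __init__(self, bindings, ip_only: bool = False):
        self.ip_only = ip_only
        self.table = {(b.interface, b.vlan, norm_mac(b.mac), b.ip) for b in bindings}

    def decide(self, pkt: Packet) -> str:
        # DHCP packets bypass IPSG; DHCP snooping inspects them and forwards or drops.
        if pkt.is_dhcp:
            return "dhcp-snooping"
        for iface, vlan, mac, ip in self.table:
            if (iface, vlan, ip) != (pkt.interface, pkt.vlan, pkt.src_ip):
                continue
            if self.ip_only or mac == norm_mac(pkt.src_mac):
                return "permit"
        return "drop"

# Constructed binding table: row 1 is the entry shown in the text, row 2 binds a
# second IP to the same MAC (multi-IP per MAC), row 3 is a static entry.
BINDINGS = [
    Binding("00:02:B3:3F:3B:99", "10.5.5.2", 10, "vEthernet3"),
    Binding("00:02:B3:3F:3B:99", "10.5.5.3", 10, "vEthernet3"),
    Binding("00:AA:BB:CC:DD:EE", "10.5.5.20", 10, "vEthernet4", "static"),
]
IPSG_IP_MAC = IpSourceGuard(BINDINGS)
IPSG_IP_ONLY = IpSourceGuard(BINDINGS, ip_only=True)
```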