C
HAPTER
27
| General Security Measures
IP Source Guard
– 920 –
u Table entries include a MAC address, IP address, lease time, entry type
(Static-IP-SG-Binding, Dynamic-DHCP-Binding, VLAN identifier, and
port identifier.
u Static addresses entered in the source guard binding table with the ip
source-guard binding command (page 918) are automatically
configured with an infinite lease time. Dynamic entries learned via
DHCP snooping are configured by the DHCP server itself.
u If the IP source guard is enabled, an inbound packet’s IP address (sip
option) or both its IP address and corresponding MAC address (sip-mac
option) will be checked against the binding table. If no matching entry
is found, the packet will be dropped.
u Filtering rules are implemented as follows:
n
If DHCP snooping is disabled (see page 900), IP source guard will
check the VLAN ID, source IP address, port number, and source
MAC address (for the sip-mac option). If a matching entry is found
in the binding table and the entry type is static IP source guard
binding, the packet will be forwarded.
n
If the DHCP snooping is enabled, IP source guard will check the
VLAN ID, source IP address, port number, and source MAC address
(for the sip-mac option). If a matching entry is found in the binding
table and the entry type is static IP source guard binding, or
dynamic DHCP snooping binding, the packet will be forwarded.
n
If IP source guard if enabled on an interface for which IP source
bindings (dynamically learned via DHCP snooping or manually
configured) are not yet configured, the switch will drop all IP traffic
on that port, except for DHCP packets.
n
Only unicast addresses are accepted for static bindings.
EXAMPLE
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
RELATED COMMANDS
ip source-guard binding (918)
ip dhcp snooping (900)
ip dhcp snooping vlan (905)
To Next Page