Chapter 9
| General Security Measures
IPv4 Source Guard
– 356 –
â—† Table entries include a MAC address, IP address, lease time, entry type (Static-IP-
SG-Binding, Dynamic-DHCP-Binding, VLAN identifier, and port identifier.
â—† Static addresses entered in the source guard binding table with the ip source-
guard binding command are automatically configured with an infinite lease
time. Dynamic entries learned via DHCP snooping are configured by the DHCP
server itself.
◆ If the IP source guard is enabled, an inbound packet’s IP address (sip option) or
both its IP address and corresponding MAC address (sip-mac option) will be
checked against the binding table. If no matching entry is found, the packet
will be dropped.
â—† Filtering rules are implemented as follows:
â–
If DHCPv4 snooping is disabled (see page 331), IP source guard will check
the VLAN ID, source IP address, port number, and source MAC address (for
the sip-mac option). If a matching entry is found in the binding table and
the entry type is static IP source guard binding, the packet will be
forwarded.
â–
If the DHCP snooping is enabled, IP source guard will check the VLAN ID,
source IP address, port number, and source MAC address (for the sip-mac
option). If a matching entry is found in the binding table and the entry type
is static IP source guard binding, or dynamic DHCP snooping binding, the
packet will be forwarded.
â–
If IP source guard if enabled on an interface for which IP source bindings
(dynamically learned via DHCP snooping or manually configured) are not
yet configured, the switch will drop all IP traffic on that port, except for
DHCP packets.
â–
Only unicast addresses are accepted for static bindings.
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard binding (353)
ip dhcp snooping (331)
ip dhcp snooping vlan (338)
To Next Page
Loading...
Need help?
General