Defining IP Source Guard; Configuring IP Source Guard Properties - Cisco ESW 500 Administration Manual

Configuring Device Security
Defining DHCP Snooping
ESW 500 Series Switches Administration Guide

Defining IP Source Guard

IP Source Guard is a security feature that restricts the client IP traffic to those
source IP addresses configured in the DHCP Snooping Binding Database and in
manually configured IP source bindings. For example, IP Source Guard can help
prevent traffic attacks caused when a host tries to use the IP address of its
neighbor.

DHCP snooping must be enabled on the device's untrusted interfaces and on
the relevant VLAN in order to activate the IP Source Guard feature.

IP Source Guard must be enabled globally in the IP Source Guard Properties
Page before it can be enabled on the device interfaces.

IP Source Guard uses Ternary Content Addressable Memory (TCAM)
resources, requiring use of 1 TCAM rule per 1 IP Source Guard address entry. If
the number of IP Source Guard entries exceeds the number of available TCAM
rules, new IP Source Guard addresses remain inactive.

IP Source Guard cannot be configured on routed ports.

If IP Source Guard and MAC address filtering are enabled on a port, Port Security
cannot be activated on the same port.

If a port is trusted, filtering of static IP addresses can be configured, although IP
Source Guard is not active in that condition.

If a port's status changes from untrusted to trusted, the static IP address
filtering entries remain but become inactive.
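
A small Python model of the rules listed above, added here as an illustration and not taken from the Cisco manual or the switch firmware. The class and field names, the TCAM budget of 2, the documentation-range addresses, the insertion-order rule allocation, and the treatment of inactive entries as not permitting traffic are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Binding:
    port: str
    vlan: int
    ip: str
    static: bool = False      # manual entry vs. learned by DHCP snooping
    active: bool = False      # True only while a TCAM rule backs the entry

@dataclass
class Switch:
    tcam_rules: int                                  # constructed TCAM budget
    global_enabled: bool = False                     # set on the Properties Page
    guard_ports: set = field(default_factory=set)    # ports with the feature enabled
    trusted_ports: set = field(default_factory=set)
    snooping_vlans: set = field(default_factory=set)
    bindings: list = field(default_factory=list)

    def guard_active(self, port, vlan):
        # Every prerequisite from the notes must hold for filtering to apply.
        return (self.global_enabled and port in self.guard_ports
                and port not in self.trusted_ports and vlan in self.snooping_vlans)

    def reprogram(self):
        # One TCAM rule per eligible entry, in insertion order (assumption).
        free = self.tcam_rules
        for b in self.bindings:
            b.active = free > 0 and self.guard_active(b.port, b.vlan)
            free -= b.active
        return [b for b in self.bindings if not b.active]

    def permits(self, port, vlan, src_ip):
        if not self.guard_active(port, vlan):
            return True        # feature not in effect: no source filtering
        return any(b.active and (b.port, b.vlan, b.ip) == (port, vlan, src_ip)
                   for b in self.bindings)

def demo():
    sw = Switch(tcam_rules=2, global_enabled=True, guard_ports={"e1", "e2"},
                snooping_vlans={10})
    sw.bindings += [Binding("e1", 10, "192.0.2.10"),
                    Binding("e2", 10, "192.0.2.20", static=True),
                    Binding("e1", 10, "192.0.2.11")]   # exceeds the TCAM budget
    inactive = [b.ip for b in sw.reprogram()]
    spoof = sw.permits("e1", 10, "192.0.2.20")         # e1 host using e2's address
    sw.trusted_ports.add("e2")                         # untrusted -> trusted
    sw.reprogram()
    return inactive, spoof, sw.bindings[1].active, sw.permits("e2", 10, "203.0.113.5")
```

`demo()` returns the entries left inactive by the TCAM limit, the verdict on the neighbor-address spoof, and the state of the static entry and of filtering on `e2` after it becomes trusted.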

The IP Source Guard section contains the following topics:

Configuring IP Source Guard Properties
Defining IP Source Guard Interface Settings
Querying the IP Source Binding Database

Configuring IP Source Guard Properties

The IP Source Guard Properties Page allows network managers to enable the use
of IP Source Guard on the device. IP Source Guard must be enabled for the device
before it can be enabled on individual ports or EtherChannels. To enable IP Source
Guard: