Ip Source Guard - Cisco Catalyst 4500 series Administration Manual

Security Features
CDP, EAPOL, STP, DTP, VTP, ICMP, CGMP, IGMP, DHCP, RIPv2, OSPF, PIM, TELNET, SNMP,
HTTP, and packets destined to 224.0.0.* multicast link local addresses. Predefined system policies or
user-configurable policies can be applied to those control protocols.
Through Layer 2 Control Packet QoS, you can police control packets arriving on a physical port or
VLAN; it enables you to apply QoS on Layer 2 control packets
For information on control plane policing and Layer 2 control packet QoS, see
Control Plane Policing and Layer 2 Control Packet QoS."

IP Source Guard

Similar to DHCP snooping, this feature is enabled on an untrusted Layer 2 port that is configured for
DHCP snooping. Initially all IP traffic on the port is blocked except for the DHCP packets, which are
captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP
server, a PVACL is installed on the port, which restricts the client IP traffic only to clients with assigned
IP addresses, so any IP traffic with source IP addresses other than those assigned by the DHCP server
will be filtered out. This filtering prevents a malicious host from attacking a network by hijacking
neighbor host's IP address.
For information on configuring IP Source Guard, see
Source Guard, and IPSG for Static Hosts."
IP Source Guard for Static Hosts
This feature allows you to secure the IP address learned from static hosts by using ARP packets and then
bind that IP address to a given MAC address using the device tracking database, allowing entries to
survive through link down events.
IP Source Guard (IPSG) for static hosts allows multiple bindings per-port per-MAC address for both
DHCP and static hosts, in both device tracking database and DHCP snooping binding database. The
feature allows you to take action when a limit is exceeded.
For information on configuring IPSG for static hosts, see
Source Guard, and IPSG for Static Hosts."
IPv6 First Hop Security
IPv6 First Hop Security is supported only on Catalyst 4948E, Catalyst 4948E-F, Catalyst 4500-X,
Note
Supervisor Engine 6-E, 6L-E, 7-E, 7L-E, and 8-E.
IPv6 FHS is a suite of features designed to secure link operations in an IPv6 enabled network as well as
address certain scalability issues seen in large L2 domains. IPv6 FHS provides effective counter
measures for the following types of attacks or misconfiguration errors that could result in DoS or
information theft:
•
•
•
•
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
1-38
Router impersonation (MiM attacks)
Address theft
Address spoofing
Remote address resolution cache exhaustion (DoS attacks)
Chapter 1
Chapter 51, "Configuring
Chapter 53, "Configuring DHCP Snooping, IP
Chapter 53, "Configuring DHCP Snooping, IP
Product Overview
OL-30933-01