Configuring IP Source Guard; About IP Source Guard - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

CHAPTER 17

Configuring IP Source Guard

This chapter describes how to configure IP Source Guard on Cisco NX-OS devices.
This chapter includes the following sections:
• About IP Source Guard
• Licensing Requirements for IP Source Guard
• Prerequisites for IP Source Guard
• Guidelines and Limitations for IP Source Guard
• Default Settings for IP Source Guard
• Configuring IP Source Guard
• Displaying IP Source Guard Bindings
• Clearing IP Source Guard Statistics
• Configuration Example for IP Source Guard
• Additional References

About IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC
address of each packet match one of two sources of IP and MAC address bindings:
• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
• Static IP source entries that you configure

Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses
the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker
would have to spoof both the IP address and the MAC address of a valid host.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source
Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially
enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results
of inspecting the packet
• IP traffic from static IP source entries that you have configured on the Cisco NX-OS device
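
The filtering rules described in About IP Source Guard, as a small Python model. This is an added example, not Cisco code and not NX-OS output. The class and function names, the interface names, and all addresses are constructed, and scoping each binding to one interface is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:            # one trusted (interface, IP, MAC) tuple
    interface: str
    ip: str
    mac: str

@dataclass
class SourceGuardModel:   # hypothetical model, not an NX-OS API
    enabled: set = field(default_factory=set)          # interfaces with the filter on
    dhcp_bindings: set = field(default_factory=set)    # learned by DHCP snooping
    static_bindings: set = field(default_factory=set)  # configured by the operator

    def verdict(self, interface, src_ip, src_mac, is_dhcp=False):
        if interface not in self.enabled:
            return "not filtered"
        if is_dhcp:
            # DHCP is exempt from the filter; DHCP snooping decides forward or drop.
            return "to DHCP snooping"
        key = Binding(interface, src_ip, src_mac)
        if key in self.static_bindings:
            return "permit (static entry)"
        if key in self.dhcp_bindings:
            return "permit (DHCP snooping binding)"
        return "drop"

def demo():
    # All values are constructed (documentation IP and MAC ranges).
    port, other = "Ethernet1/1", "Ethernet1/2"
    host_ip, host_mac = "192.0.2.20", "0000.5e00.5301"
    guard = SourceGuardModel(enabled={port, other})
    out = []
    out.append(guard.verdict(port, host_ip, host_mac))            # just enabled, no bindings
    out.append(guard.verdict(port, "0.0.0.0", host_mac, is_dhcp=True))
    guard.dhcp_bindings.add(Binding(port, host_ip, host_mac))     # lease seen by snooping
    out.append(guard.verdict(port, host_ip, host_mac))
    out.append(guard.verdict(port, host_ip, "0000.5e00.53ff"))    # right IP, wrong MAC
    out.append(guard.verdict(other, host_ip, host_mac))           # right pair, wrong port
    guard.static_bindings.add(Binding(other, "192.0.2.50", "0000.5e00.5350"))
    out.append(guard.verdict(other, "192.0.2.50", "0000.5e00.5350"))
    return out

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first two verdicts show the initial state after enabling the filter: ordinary IP traffic is dropped until a binding exists, while DHCP packets still reach DHCP snooping so that a binding can be learned.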
