Chapter 1 3 Configuring Ip Source Guard; Finding Feature Information; Information About Ip Source Guard; Ip Source Guard - Cisco Catalyst 2960-XR Security Configuration Manual

Configuring IP Source Guard
IP Source Guard (IPSG) is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by
filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.
This chapter contains the following topics:
•
•
•
•

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Information About IP Source Guard

IP Source Guard

You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor and
you can enable IP source guard when DHCP snooping is enabled on an untrusted interface.
After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for
DHCP packets allowed by DHCP snooping.
The switch uses a source IP lookup table in hardware to bind IP addresses to ports. For IP and MAC filtering,
a combination of source IP and source MAC lookups are used. IP traffic with a source IP address is the binding
table is allowed, all other traffic is denied.
OL-29434-01
Finding Feature Information, page 185
Information About IP Source Guard, page 185
How to Configure IP Source Guard, page 188
Monitoring IP Source Guard, page 193
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
13
C H A P T E R
185