IP Source Guard - Cisco SF500-24 Administration Manual

500 series stackable managed switch
Configuring Security

IP Source Guard

IP Source Guard
Cisco 500 Series Stackable Managed Switch Administration Guide
IP Source Guard is a security feature used to prevent traffic attacks in which a host tries to use the IP address of its neighbor.

When IP Source Guard is enabled, the switch forwards client IP traffic only for IP addresses contained in the DHCP Snooping Binding database. This includes both addresses added by DHCP Snooping and manually-added entries.

If the packet matches an entry in the database, the switch forwards it. If not, the packet is dropped.
Interactions with Other Features

The following points are relevant to IP Source Guard:

- DHCP Snooping must be globally enabled in order to enable IP Source Guard on an interface.
- IP Source Guard can be active on an interface only if:
  - DHCP Snooping is enabled on at least one of the port's VLANs.
  - The interface is DHCP untrusted. All packets on trusted ports are forwarded.
- If a port is DHCP trusted, filtering of static IP addresses can be configured by enabling IP Source Guard on the port, even though IP Source Guard is not active in that condition.
- When the port's status changes from DHCP untrusted to DHCP trusted, the static IP address filtering entries remain in the Binding database, but they become inactive.
- Port security cannot be enabled if source IP and MAC address filtering is configured on a port.
- IP Source Guard uses TCAM resources and requires a single TCAM rule per IP Source Guard address entry. If the number of IP Source Guard entries exceeds the number of available TCAM rules, the extra addresses are inactive.
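The forwarding decision and activation conditions described above, as an added Python model (not Cisco code and not taken from the guide). The binding tuple (IP, MAC, VLAN, port), the per-port fields and the rule that the earliest entries keep the available TCAM rules are assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed model of the IP Source Guard forwarding decision described in the
# guide; not Cisco code. TCAM precedence (earliest entries stay active) is an
# assumption made for the simulation.

@dataclass(frozen=True)
class Binding:            # one DHCP Snooping Binding database entry
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass
class Port:
    name: str
    vlans: FrozenSet[int]
    dhcp_trusted: bool = False
    ipsg_enabled: bool = False

class SourceGuardSwitch:
    def __init__(self, snooping_global: bool, snooping_vlans, tcam_rules: int):
        self.snooping_global = snooping_global
        self.snooping_vlans = frozenset(snooping_vlans)
        self.tcam_rules = tcam_rules          # one TCAM rule per IPSG entry
        self.bindings: List[Binding] = []     # DHCP-learned and static entries

    def add_binding(self, b: Binding) -> None:
        self.bindings.append(b)

    def active_bindings(self) -> FrozenSet[Binding]:
        # Entries beyond the available TCAM rules are inactive (assumed order).
        return frozenset(self.bindings[: self.tcam_rules])

    def ipsg_active(self, port: Port) -> bool:
        # Active only if snooping is globally on, IPSG is enabled, the port is
        # DHCP untrusted, and snooping is enabled on at least one of its VLANs.
        return (self.snooping_global and port.ipsg_enabled
                and not port.dhcp_trusted
                and bool(port.vlans & self.snooping_vlans))

    def forward(self, port: Port, src_ip: str, src_mac: str, vlan: int) -> bool:
        if not self.ipsg_active(port):       # trusted/unguarded ports forward all
            return True
        return Binding(src_ip, src_mac, vlan, port.name) in self.active_bindings()
```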
Filtering

If IP Source Guard is enabled on a port then: