Chapter 8
| General Security Measures
IP Source Guard
IP Source Guard
ip source-guard
binding
IP Source Guard is a security feature that filters IP traffic on network interfaces
based on manually configured entries in the IP Source Guard table, or dynamic
entries in the DHCP Snooping table when enabled (see
page
242). IP source guard can be used to prevent traffic attacks caused when a
host tries to use the IP address of a neighbor to access the network. This section
describes commands used to configure IP Source Guard.
Table 51: IP Source Guard Commands
Command
ip source-guard binding
ip source-guard
ip source-guard max-binding
show ip source-guard
show ip source-guard
binding
This command adds a static address to the source-guard binding table. Use the no
form to remove a static entry.
Syntax
ip source-guard binding mac-address vlan vlan-id ip-address
interface ethernet unit/port
no ip source-guard binding mac-address vlan vlan-id
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4093)
ip-address - A valid unicast IP address, including classful types A, B or C.
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
No configured entries
Command Mode
Global Configuration
Function
Adds a static address to the source-guard binding table
Configures the switch to filter inbound traffic based on
source IP address, or source IP address and
corresponding MAC address
Sets the maximum number of entries that can be bound
to an interface
Shows whether source guard is enabled or disabled on
each interface
Shows the source guard binding table
– 250 –
"DHCP Snooping" on
Mode
GC
IC
IC
PE
PE