This chapter describes how to configure IP Source
Guard on Cisco NX-OS devices.
The Cisco NX-OS release that is running on a managed device may not
support all the features or settings described in this
chapter. For the latest feature
information and caveats, see the documentation and release notes for your
platform and software release.
IP Source Guard is a per-interface traffic filter that permits IP
traffic only when the IP address and MAC address of each packet match one of
two sources of IP and MAC address bindings:
- Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.
- Static IP source entries that you configure.
Filtering on trusted IP and MAC address bindings helps prevent spoofing
attacks, in which an attacker uses the IP address of a valid host to gain
unauthorized network access. To circumvent IP Source Guard, an attacker would
have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not
trusted by DHCP snooping. IP Source Guard supports interfaces that are
configured to operate in access mode and trunk mode. When you initially enable
IP Source Guard, all inbound IP traffic on the interface is blocked except for
the following:
- DHCP packets, which DHCP snooping inspects and then forwards or
drops, depending upon the results of inspecting the packet.
- IP traffic from static IP source entries that you have configured in
the Cisco NX-OS device.
The device permits the IP traffic when DHCP snooping adds a binding
table entry for the IP address and MAC address of an IP packet or when you have
configured a static IP source entry.
The device drops IP packets when the IP address and MAC address of the
packet do not have a binding table entry or a static IP source entry. For
example, assume that the binding table contains the following entry:
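The permit and drop rule described above, worked through as an added example (this is not code from the Cisco guide; the interface names, VLAN, IP addresses and MAC addresses in it are constructed sample data):

```python
# Added example: a small model of the IP Source Guard permit/drop decision
# described in this chapter. Not code from the Cisco guide; every interface
# name, VLAN, IP address and MAC address below is constructed.

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


def _key(ip, mac, vlan, interface):
    """Normalise a binding to a hashable tuple (MAC and port names compared case-insensitively)."""
    return (ip, mac.lower(), vlan, interface.lower())


class IpSourceGuard:
    """Per-interface filter: an IP packet is permitted only when its source IP and
    MAC address match a DHCP snooping binding or a static entry for the VLAN and
    interface it arrived on."""

    def __init__(self):
        self.snooping_bindings = set()   # learned by DHCP snooping from completed leases
        self.static_bindings = set()     # configured by the administrator
        self.enabled = set()             # interfaces on which IP Source Guard is enabled

    def enable(self, interface):
        self.enabled.add(interface.lower())

    def add_static_entry(self, ip, mac, vlan, interface):
        self.static_bindings.add(_key(ip, mac, vlan, interface))

    def dhcp_snooping_learned(self, ip, mac, vlan, interface):
        # Called when DHCP snooping has seen a completed DHCP exchange for this host.
        self.snooping_bindings.add(_key(ip, mac, vlan, interface))

    def decide(self, pkt):
        """Return 'permit', 'drop', or 'dhcp-snooping' for an inbound IP packet.

        pkt is a dict with src_ip, src_mac, vlan, interface and, for UDP
        traffic, src_port and dst_port.
        """
        iface = pkt["interface"].lower()
        if iface not in self.enabled:
            return "permit"              # filter not enabled on this port: no check
        ports = (pkt.get("src_port"), pkt.get("dst_port"))
        if DHCP_SERVER_PORT in ports or DHCP_CLIENT_PORT in ports:
            # DHCP packets are not matched against the bindings; DHCP snooping
            # inspects them and decides itself whether to forward or drop.
            return "dhcp-snooping"
        key = _key(pkt["src_ip"], pkt["src_mac"], pkt["vlan"], iface)
        if key in self.snooping_bindings or key in self.static_bindings:
            return "permit"
        return "drop"


def run_demo():
    """Walk through the situations the chapter describes; returns each verdict."""
    isg = IpSourceGuard()
    isg.enable("Ethernet1/1")
    isg.enable("Ethernet1/2")
    # Constructed static entry for a host that never uses DHCP (e.g. a printer).
    isg.add_static_entry("10.0.0.20", "0000.3333.4444", 10, "Ethernet1/2")

    host = {"src_ip": "10.0.0.5", "src_mac": "0000.1111.2222",
            "vlan": 10, "interface": "Ethernet1/1"}
    results = {}
    # 1. Right after enabling: no binding yet, so the host's IP traffic is blocked...
    results["before_lease"] = isg.decide(host)
    # 2. ...but its DHCP DISCOVER still reaches DHCP snooping.
    results["dhcp_discover"] = isg.decide({**host, "src_ip": "0.0.0.0",
                                          "src_port": 68, "dst_port": 67})
    # 3. DHCP snooping records the lease; the host's traffic is now permitted.
    isg.dhcp_snooping_learned("10.0.0.5", "0000.1111.2222", 10, "Ethernet1/1")
    results["after_lease"] = isg.decide(host)
    # 4. Another station on the same port uses 10.0.0.5 with its own MAC:
    #    the IP matches a binding but the MAC does not, so the packet is dropped.
    results["ip_spoof"] = isg.decide({**host, "src_mac": "0000.aaaa.bbbb"})
    # 5. The same IP/MAC pair arriving on a different port is also dropped,
    #    because the binding is tied to the VLAN and interface it was learned on.
    results["wrong_port"] = isg.decide({**host, "interface": "Ethernet1/2"})
    # 6. The statically configured host is permitted without any DHCP exchange.
    results["static_host"] = isg.decide({"src_ip": "10.0.0.20",
                                        "src_mac": "0000.3333.4444",
                                        "vlan": 10, "interface": "Ethernet1/2"})
    # 7. A port on which IP Source Guard is disabled is not filtered at all.
    results["unguarded_port"] = isg.decide({**host, "interface": "Ethernet1/3"})
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15} {verdict}")
```

Running the script prints the verdict for each scenario. The model keys every binding on the VLAN and interface as well as on the IP and MAC address, which is why the same IP-MAC pair arriving on a different port is dropped; it reports a DHCP packet as handed to DHCP snooping rather than as permitted, because snooping, not IP Source Guard, decides whether that packet is forwarded.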
IP Source Guard requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2.
Prerequisites for IP Source Guard
IP Source Guard has the following prerequisite:
DHCP snooping must be enabled.
Guidelines and Limitations for IP Source Guard
IP Source Guard has the following configuration guidelines and limitations:
- IP Source Guard limits IP traffic on an interface to only those
sources that have an IP-MAC address binding table entry or a static IP source
entry. When you first enable IP Source Guard on an interface, you may
experience disruption in IP traffic until the hosts on the interface receive a
new IP address from a DHCP server.
- IP Source Guard depends on DHCP snooping to build and
maintain the IP-MAC address binding table, or on manual maintenance of static
IP source entries.
- For each device on which you use DCNM to configure IP Source Guard,
ensure that you configure the logging level for DHCP snooping to 6
(Informational) or a higher level. To configure the device with the minimal
required logging configuration, log in to the command-line interface of the
device and use the following commands:
Enabling or Disabling IP Source Guard on a Layer 2 Interface
You can enable or disable IP Source Guard on a Layer 2 interface. By
default, IP Source Guard is disabled on all interfaces.
Before You Begin
Ensure that DHCP snooping is enabled.
If you are enabling IP Source Guard, ensure that on the Cisco NX-OS
device you configure the logging level for DHCP snooping to 6 (Informational)
or a higher level. To configure the device with the minimal required logging
configuration, log into the command-line interface of the device and use the