IP Source Guard is a security feature that prevents traffic attacks in which a host tries to use the IP address of a neighboring host. When IP Source Guard is enabled, the switch forwards client IP traffic only when its source IP address is contained in the DHCP Snooping Binding database. If a packet sent by a host matches an entry in the database, the switch forwards the packet; if it does not match an entry, the packet is dropped.
In a real-world scenario, IP Source Guard is used to help prevent man-in-the-middle attacks in which an untrusted third party attempts to masquerade as a genuine user. Based on the addresses configured in the IP Source Guard binding database, only traffic from the client with that IP address is allowed; all other packets are dropped.
Note: DHCP Snooping should be enabled for IP Source Guard to function. In order to get more details on how to enable DHCP Snooping, please refer to the article DHCP Properties Configuration on ESW2-550X Switch. It is also necessary to configure the binding database to specify which IP addresses are allowed. More details on this can be found in the article Configuration of DHCP Snooping Binding Database on ESW2-550X Switch.
This article explains how to configure IP Source Guard on the ESW2-550X stackable managed switches.
• ESW2-550X
• ESW2-550X-DC
• v1.2.9.44
Step 1. Log in to the web configuration utility and choose Security > IP Source Guard > Properties. The IP Source Guard Properties page opens:
Step 2. Check the Enable check box to enable IP Source Guard globally.
Step 3. Click Apply to apply the settings.
If IP Source Guard is enabled on an untrusted port or LAG, DHCP packets are forwarded as permitted by DHCP Snooping. If IP address filtering is enabled, other packets are forwarded as follows:
• IPv4 Traffic — IPv4 traffic is allowed only if its source IP address is bound to that particular port in the binding database.
• Non-IPv4 Traffic — All non-IPv4 traffic is allowed.
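To make the forwarding rules above concrete, the following added example (not code from the article or from the switch firmware) models the per-packet decision an IP Source Guard-enabled untrusted port makes against a constructed binding database. Interface names, addresses and the `Packet` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed DHCP Snooping Binding database: (interface, source IPv4) pairs
# learned from DHCP exchanges. A real entry also carries VLAN and MAC address.
BINDINGS: Set[Tuple[str, str]] = {
    ("GE1", "192.0.2.10"),
    ("GE2", "192.0.2.11"),
}

DHCP_SNOOPING_ENABLED = True       # IP Source Guard needs DHCP Snooping to function
ISG_ENABLED: Set[str] = {"GE1", "GE2"}   # interfaces with IP Source Guard enabled
TRUSTED: Set[str] = {"GE48"}             # DHCP Snooping trusted interfaces (uplink)


@dataclass(frozen=True)
class Packet:
    ingress: str            # ingress interface, e.g. "GE1"
    ethertype: str          # "ipv4" or any other value ("arp", "ipv6", ...)
    src_ip: str = ""        # source IPv4 address when ethertype == "ipv4"
    is_dhcp: bool = False   # DHCP client message handled by DHCP Snooping


def isg_decision(pkt: Packet) -> str:
    """Return 'forward' or 'drop' for one packet, following the article's rules."""
    # IP Source Guard only filters on untrusted interfaces where it is enabled
    # and only when DHCP Snooping (the source of the bindings) is active.
    if not DHCP_SNOOPING_ENABLED or pkt.ingress in TRUSTED:
        return "forward"
    if pkt.ingress not in ISG_ENABLED:
        return "forward"
    # DHCP packets are allowed through so clients can still obtain a lease.
    if pkt.is_dhcp:
        return "forward"
    # All non-IPv4 traffic is allowed.
    if pkt.ethertype != "ipv4":
        return "forward"
    # IPv4 traffic is allowed only if (port, source IP) is in the binding database.
    return "forward" if (pkt.ingress, pkt.src_ip) in BINDINGS else "drop"


def count_drops(packets) -> int:
    """Helper for running a constructed packet batch through isg_decision."""
    return sum(1 for p in packets if isg_decision(p) == "drop")
```

A host on GE1 sending from GE2's bound address is the neighbor-spoofing case the article describes, and it is the only packet below that is dropped.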
Step 1. Log in to the web configuration utility and choose Security > IP Source Guard > Interface Settings. The Interface Settings page opens:
The Interface Settings Table consists of the following parameters.
• Interface — Shows the Interface to which the IP Source Guard is applied.
• IP Source Guard — Shows whether IP Source Guard is enabled or not. IP Source Guard can be enabled on individual interfaces.
• DHCP Snooping Trusted Interface — Shows whether the interface is a DHCP Snooping trusted interface. Trusted interfaces receive traffic only from within the network, whereas an untrusted interface is configured so that it can receive messages from outside the network. IP Source Guard is usually configured on untrusted interfaces.
Step 2. Scroll down the page, and click the radio button which corresponds to the interface to be edited. Click Edit at the bottom of the page. The Edit Interface Settings window appears.
Step 3. (Optional) To choose an interface, click either of the radio buttons in the Interface field.
• Unit/Slot and Port — The unit identifies whether the switch is active or a member in the stack. Unit 1 is active and unit 2 is a member. If you are unfamiliar with the terms used, check out Cisco Business: Glossary of New Terms. The slot identifies whether the switch is ESW2-550 or ESW2-550X. Slot 1 is ESW2-550 and slot 2 is ESW2-550X. Choose the desired option from the Unit/Slot drop-down list, and choose the desired port from the Port drop-down list.
• LAG — Choose the desired LAG from the LAG drop-down list. A Link Aggregate Group (LAG) is used to link multiple ports together. LAGs multiply bandwidth, increase port flexibility, and provide link redundancy between two devices to optimize port usage.
Step 4. Check the Enabled check box in the IP Source Guard field to enable IP Source Guard on the current interface.
Step 5. Click Apply.
Step 1. Log in to the web configuration utility and choose Security > IP Source Guard > Interface Settings. The Interface Settings page opens:
Step 2. Click the radio button for the desired interface and scroll down the page.
Step 3. Click Copy Settings. The Copy Settings page opens:
Step 4. Enter the interface to which the chosen entry needs to be copied in the provided field. You can enter interfaces by their name (GE1) or number. You can also give a range of interfaces such as GE30-GE37 or 30-40.
Step 5. Click Apply.