IP Source Guard is a per-interface traffic filter that permits IP
traffic only when the IP address and MAC address of each packet match an entry
from one of two sources of IP-to-MAC address bindings: the DHCP snooping
binding table or the static IP source entries that you configure.
Filtering on trusted IP and MAC address bindings helps prevent spoofing
attacks, in which an attacker uses the IP address of a valid host to gain
unauthorized network access. To circumvent IP Source Guard, an attacker would
have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not
trusted by DHCP snooping. IP Source Guard supports interfaces that are
configured to operate in access mode and trunk mode. When you initially enable
IP Source Guard, all inbound IP traffic on the interface is blocked except for
the following:
- DHCP packets, which DHCP snooping inspects and then forwards or
drops, depending upon the results of inspecting the packet.
- IP traffic from static IP source entries that you have configured in
the Cisco NX-OS device.
The device permits the IP traffic when DHCP snooping adds a binding
table entry for the IP address and MAC address of an IP packet or when you have
configured a static IP source entry.
The device drops IP packets when the IP address and MAC address of the
packet do not have a binding table entry or a static IP source entry. For
example, assume that the show ip dhcp snooping binding command displays the
following binding table entry:

MacAddress         IpAddress  LeaseSec  Type           VLAN  Interface
-----------------  ---------  --------  -------------  ----  -----------
00:02:B3:3F:3B:99  10.5.5.2   6943      dhcp-snooping  10    Ethernet2/3
If the device receives an IP packet with an IP address of 10.5.5.2, IP
Source Guard forwards the packet only if the MAC address of the packet is
00:02:B3:3F:3B:99.
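The permit/drop decision described above, as an added model written for this page (not Cisco NX-OS code): it parses a constructed copy of the show ip dhcp snooping binding output, adds an operator-configured static entry, and evaluates inbound packets. It assumes the filter is keyed on interface and VLAN as well as IP, and that DHCP packets are always handed on to DHCP snooping rather than dropped by the guard itself.

```python
"""Model of the IP Source Guard permit/drop rule (constructed example, not Cisco code)."""
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan interface source")
Packet = namedtuple("Packet", "src_mac src_ip vlan interface is_dhcp")

# Constructed copy of the 'show ip dhcp snooping binding' output shown in the text.
SHOW_BINDING_OUTPUT = """\
MacAddress         IpAddress  LeaseSec  Type           VLAN  Interface
-----------------  ---------  --------  -------------  ----  -----------
00:02:B3:3F:3B:99  10.5.5.2   6943      dhcp-snooping  10    Ethernet2/3
"""


def parse_binding_table(text):
    """Build a lookup keyed by (interface, vlan, ip) from the show output."""
    table = {}
    for line in text.splitlines()[2:]:  # skip the header and separator rows
        fields = line.split()
        if len(fields) != 6:
            continue
        mac, ip, _lease, btype, vlan, intf = fields
        table[(intf, int(vlan), ip)] = Binding(mac.lower(), ip, int(vlan), intf, btype)
    return table


def add_static_entry(table, mac, ip, vlan, interface):
    """Equivalent of a static IP source entry configured by the operator (assumed shape)."""
    table[(interface, vlan, ip)] = Binding(mac.lower(), ip, vlan, interface, "static")


def ip_source_guard(table, pkt):
    """Return 'permit' or 'drop' for one inbound packet on a guarded interface."""
    if pkt.is_dhcp:
        return "permit"  # DHCP snooping, not IP Source Guard, decides this packet's fate
    binding = table.get((pkt.interface, pkt.vlan, pkt.src_ip))
    if binding is None:
        return "drop"  # no DHCP snooping binding and no static entry for this IP here
    if binding.mac != pkt.src_mac.lower():
        return "drop"  # IP is bound, but to a different MAC: a spoofed source
    return "permit"
```

A mismatch on interface or VLAN drops the packet even when the IP/MAC pair is valid elsewhere, which is the assumption stated in the lead-in.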