Configuring IP Source Guard

This chapter includes the following sections:

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.

Information About IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:

  • Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.

  • Static IP source entries that you configure.

Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:

  • DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.

  • IP traffic from static IP source entries that you have configured in the Cisco NX-OS device.

The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:

MacAddress         IpAddress    LeaseSec   Type        VLAN      Interface    
----------         ----------   ---------  ------      -------    ---------  
00:02:B3:3F:3B:99  10.5.5.2       6943    dhcp-snooping  10      Ethernet2/3

If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only if the MAC address of the packet is 00:02:B3:3F:3B:99.

Virtualization Support for IP Source Guard

The following information applies to IP Source Guard used in virtual device contexts (VDCs):

  • IP-MAC address bindings are unique per VDC. Bindings in one VDC do not affect IP Source Guard in other VDCs.

  • Cisco NX-OS does not limit the binding database size on a per-VDC basis.

Prerequisites for IP Source Guard

IP Source Guard has the following prerequisite:

  • You must enable the DHCP feature.

Guidelines and Limitations for IP Source Guard

IP Source Guard has the following configuration guidelines and limitations:

  • IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.

  • IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.

Default Settings for IP Source Guard

This table lists the default settings for IP Source Guard parameters.

Table 1. Default IP Source Guard Parameters

Parameters

Default

IP Source Guard

Disabled on each interface.

IP source entries

None. No static or default IP source entries exist by default.

Configuring IP Source Guard

Enabling or Disabling IP Source Guard on a Layer 2 Interface

You can enable or disable IP Source Guard on a Layer 2 interface. By default, IP Source Guard is disabled on all interfaces.

Before you begin

Ensure that the DHCP feature is enabled.

SUMMARY STEPS

  1. configure terminal
  2. interface ethernet slot/port
  3. [no] ip verify source dhcp-snooping-vlan
  4. (Optional) show running-config dhcp
  5. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

interface ethernet slot/port

Example:

switch(config)# interface ethernet 2/3
switch(config-if)#

Enters interface configuration mode for the specified interface.

Step 3

[no] ip verify source dhcp-snooping-vlan

Example:

switch(config-if)# ip verify source dhcp-snooping vlan

Enables IP Source Guard on the interface. The no option disables IP Source Guard on the interface.

Step 4

(Optional) show running-config dhcp

Example:

switch(config-if)# show running-config dhcp
(Optional)

Displays the running configuration for DHCP snooping, including the IP Source Guard configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config-if)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Adding or Removing a Static IP Source Entry

You can add or remove a static IP source entry on a device. By default, there are no static IP source entries on a device.

SUMMARY STEPS

  1. configure terminal
  2. [no] ip source binding IP-address MAC-address vlan vlan-ID interface ethernet slot/port
  3. (Optional) show ip dhcp snooping binding [interface ethernet slot/port]
  4. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ip source binding IP-address MAC-address vlan vlan-ID interface ethernet slot/port

Example:

switch(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3

Creates a static IP source entry for the current interface, or if you use the no option, removes a static IP source entry.

Step 3

(Optional) show ip dhcp snooping binding [interface ethernet slot/port]

Example:

switch(config)# show ip dhcp snooping binding interface ethernet 2/3
(Optional)

Displays IP-MAC address bindings for the interface specified, including static IP source entries. Static entries appear with the term in the Type column.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Displaying IP Source Guard Bindings

Use the show ip verify source command to display IP-MAC address bindings.

Configuration Example for IP Source Guard

This example shows how to create a static IP source entry and then how to enable IP Source Guard on an interface.

ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3 
interface ethernet 2/3
  no shutdown
  ip verify source dhcp-snooping-vlan

Additional References for IP Source Guard

Related Documents

Related Topic

Document Title

IP Source Guard commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Cisco Nexus 7000 Series NX-OS Security Command Reference

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for IP Source Guard

This table lists the release history for this feature.

Table 2. Feature History for IP Source Guard

Feature Name

Releases

Feature Information

IP Source Guard

6.0(1)

No change from Release 5.2.

IP Source Guard

4.2(1)

No change from Release 4.1.