IP Source Guard is a security feature that restricts IP traffic on nonrouted Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.

You can enable IP source guard when DHCP snooping is enabled. This ensures that IP traffic with a source IP address in the binding table is allowed, while all other traffic is denied.

The switch utilizes a source IP lookup table enabling both IP and MAC filtering through a combination of source IP and source MAC lookups. This table, known as the IP source binding table, contains bindings that are either learned by DHCP snooping or manually configured as static IP source bindings. Each entry in this table consists of an IP address, its associated MAC address, and its associated VLAN number.

IP source guard is supported on private VLAN access port and etherchannel but not on private VLAN trunk port. You have the capability to configure IP Source Guard with source IP address filtering or with source IP and MAC address filtering.

Note	Do not use IP Source Guard for static hosts on uplink ports or trunk ports.

A static host is a network device in a non-DHCP environment that:

• requires IP addresses to be manually assigned,

• extends IP Source Guard capabilities without relying on DHCP, and

• relies on IP device tracking-table entries to manage port ACLs.

Any traffic received from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on nonrouted Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and manually configured IP source bindings.

IP Source Guard for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP address in the IP DHCP snooping table, the same entry is learned by the IP device tracking table. In a stacked environment, when the active switch failover occurs, the IP Source Guard entries for static hosts attached to member ports are retained. When you enter the show device-tracking database EXEC command, the IP device tracking table displays the entries as ACTIVE.

Note

Some IP hosts with multiple network interfaces can inject invalid packets into the network. Invalid packets contain the IP or MAC address of another network interface as the source address. The invalid packets can cause IP Source Guard for static hosts to interact with the host, to learn the invalid IP or MAC address bindings, and to reject the valid bindings. Contact the vendor of the operating system and network interface to stop the host from injecting invalid packets.

IP Source Guard for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping mechanism. IP or MAC bindings are learned via ARP and IP packets and stored in the device tracking database. If dynamically learned or statically configured IP addresses on a port reach their maximum, the hardware drops any packet with a new IP address.

To resolve hosts that have moved or gone away for any reason, IP Source Guard for static hosts leverages IP device tracking to age out dynamically learned IP address bindings. This feature can be used with DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.