Configuring IP Source Guard

Prerequisites for IP Source Guard

blank.gifYou must globally configure the ip device tracking maximum limit-number interface configuration command globally for IPSG for static hosts to work. If you only configure this command on a port without enabling IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with static hosts will reject all the IP traffic from that interface. This requirement also applies to IPSG with static hosts on a Layer 2 access port.

Restrictions for IP Source Guard

blank.gifTo use this feature, the switch must be running the LAN Base image.

blank.gifIP source guard (IPSG) is supported only on Layer 2 ports, including access and trunk ports.

blank.gifDo not use IPSG for static hosts on uplink ports or trunk ports.

Information About IP Source Guard

IP Source Guard

IPSG is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IPSG to prevent traffic attacks if a host tries to use the IP address of its neighbor.

You can enable IPSG when DHCP snooping is enabled on an untrusted interface. After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

Note: The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface.

The IP source binding table bindings are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address with its associated MAC address and VLAN number. The switch uses the IP source binding table only when IPSG is enabled.

You can configure IPSG with source IP address filtering or with source IP and MAC address filtering.

Source IP Address Filtering

When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL by using the IP source binding changes and re-applies the port ACL to the interface.

If you enable IPSG on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IPSG, the switch removes the port ACL from the interface.

Source IP and MAC Address Filtering

IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.

When address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.

The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.

IP Source Guard for Static Hosts

IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic received from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings. The previous version of IPSG required a DHCP environment for IPSG to work.

IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send traffic to a given port. This is equivalent to port security at Layer 3.

IPSG for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP address that is available in the IP DHCP snooping table, the same entry is learned by the IP device tracking table. When you enter the show ip device tracking all EXEC command, the IP device tracking table displays the entries as ACTIVE.

Note: Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface. The invalid packets contain the IP or MAC address for another network interface of the host as the source address. The invalid packets can cause IPSG for static hosts to connect to the host, to learn the invalid IP or MAC address bindings, and to reject the valid bindings. Consult the vendor of the corresponding operating system and the network interface to prevent the host from injecting invalid packets.

IPSG for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping mechanism. IP or MAC bindings are learned from static hosts by ARP and IP packets. They are stored in the device tracking database. When the number of IP addresses that have been dynamically learned or statically configured on a given port reaches a maximum, the hardware drops any packet with a new IP address. To resolve hosts that have moved or gone away for any reason, IPSG for static hosts leverages IP device tracking to age out dynamically learned IP address bindings. This feature can be used with DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.

IP Source Guard Configuration Guidelines

blank.gifBy default, IP source guard is disabled.

blank.gifYou can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:

Static IP source binding can only be configured on switch port.
 

blank.gifWhen IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN for that interface.

blank.gifIf you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.

If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.

blank.gifIf you enable IP source guard with source IP and MAC address filtering, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses option-82 data to identify the host port.

blank.gifWhen configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.

blank.gifIP source guard is not supported on EtherChannels.

blank.gifYou can enable this feature when 802.1x port-based authentication is enabled.

blank.gifIf the number of ternary content addressable memory (TCAM) entries exceeds the maximum, the CPU usage increases.

How to Configure IP Source Guard

Enabling IP Source Guard

 

 
Command
Purpose

1.blank.gif

configure terminal

Enters global configuration mode.

2.blank.gif

interface interface-id

Specifies the interface to be configured, and enters interface configuration mode.

3.blank.gif

ip verify source

or

ip verify source port-security

Enables IPSG with source IP address filtering.

Enables IPSG with source IP and MAC address filtering.

Note: When you enable both IPSG and port security by using the ip verify source port-security interface configuration command, there are two caveats:

  • The DHCP server must support option-82, or the client is not assigned an IP address.
  • The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

4.blank.gif

exit

Returns to global configuration mode.

5.blank.gif

ip source binding mac-address vlan vlan-id ip-address inteface interface-id

Adds a static IP source binding.

Enter this command for each static binding.

6.blank.gif

end

Returns to privileged EXEC mode.

Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port

 

 
Command
Purpose

1.blank.gif

configure terminal

Enters global configuration mode.

2.blank.gif

ip device tracking

Opens the IP host table, and globally enables IP device tracking.

3.blank.gif

interface interface-id

Enters interface configuration mode.

4.blank.gif

switchport mode access

Configures a port as access.

5.blank.gif

switchport access vlan vlan-id

Configures the VLAN for this port.

6.blank.gif

ip verify source tracking port-security

Enables IPSG for static hosts with MAC address filtering.

Note: When you enable both IPSG and port security by using the ip verify source port-security interface configuration command:

  • The DHCP server must support option-82, or the client is not assigned an IP address.
  • The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.

7.blank.gif

ip device tracking maximum number

Specifies a maximum limit for the number of static IPs that the IP device tracking table allows on the port. The range is 1to 10. The maximum number is 10.

Note: You must configure the ip device tracking maximum limit-number interface configuration command.

8.blank.gif

switchport port-security

(Optional) Activates port security for this port.

9.blank.gif

switchport port-security maximum value

(Optional) Specifies a maximum of MAC addresses for this port.

10.blank.gif

end

Returns to privileged EXEC mode.

11.blank.gif

show ip verify source interface interface-id

Verifies the configuration and displays IPSG permit ACLs for static hosts.

12.blank.gif

show ip device track all
[active | inactive] count

Verifies the configuration by displaying the IP-to-MAC binding for a given host on the switch interface.

blank.gifall active—Displays only the active IP or MAC binding entries

blank.gifall inactive—Displays only the inactive IP or MAC binding entries

blank.gifall—Displays the active and inactive IP or MAC binding entries

Monitoring and Maintaining IP Source Guard

 

Command
Purpose

show ip device tracking

Displays the active IP or MAC binding entries for all interfaces.

show ip source binding

Displays the IP source bindings on a switch.

show ip verify source

Displays the IP source guard configuration on the switch.

copy running-config startup-config

Saves your entries in the configuration file.

Configuration Examples for IP Source Guard

Enabling IPSG with Source IP and MAC Filtering: Example

This example shows how to enable IPSG with source IP and MAC filtering on VLANs 10
and 11:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface GigabitEthernet1/17
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface GigabitEthernet1/17
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface GigabitEthernet1/17
Switch(config)# end

Disabling IPSG with Static Hosts: Example

This example shows how to stop IPSG with static hosts on an interface:

Switch(config-if)# no ip verify source
Switch(config-if)# no ip device tracking max

Enabling IPSG for Static Hosts: Examples

This example shows how to enable IPSG with static hosts on a port:

Switch(config)# ip device tracking
Switch(config)# ip device tracking max 10
Switch(config-if)# ip verify source tracking port-security
 

This example shows how to enable IPSG for static hosts with IP filters on a Layer 2 access port and to verify the valid IP bindings on the interface Gi0/3:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip device tracking
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip device tracking maximum 5
Switch(config-if)# ip verify source tracking
Switch(config-if)# end
 
Switch# show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/3 ip trk active 40.1.1.24 10
Gi0/3 ip trk active 40.1.1.20 10
Gi0/3 ip trk active 40.1.1.21 10
 

This example shows how to enable IPSG for static hosts with IP-MAC filters on a Layer 2 access port, to verify the valid IP-MAC bindings on the interface Gi0/3, and to verify that the number of bindings on this interface has reached the maximum:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip device tracking
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 1
Switch(config-if)# ip device tracking maximum 5
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# ip verify source tracking port-security
Switch(config-if)# end
 
Switch# show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/3 ip-mac trk active 40.1.1.24 00:00:00:00:03:04 1
Gi0/3 ip-mac trk active 40.1.1.20 00:00:00:00:03:05 1
Gi0/3 ip-mac trk active 40.1.1.21 00:00:00:00:03:06 1
Gi0/3 ip-mac trk active 40.1.1.22 00:00:00:00:03:07 1
Gi0/3 ip-mac trk active 40.1.1.23 00:00:00:00:03:08 1

Displaying IP or MAC Binding Entries: Examples

This example displays all IP or MAC binding entries for all interfaces. The CLI displays all active as well as inactive entries. When a host is learned on a interface, the new entry is marked as active. When the same host is disconnected from that interface and connected to a different interface, a new IP or MAC binding entry displays as active as soon as the host is detected. The old entry for this host on the previous interface is marked as INACTIVE.

Switch# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
200.1.1.8 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.9 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.10 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.1 0001.0600.0000 9 GigabitEthernet1/18 ACTIVE
200.1.1.1 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.2 0001.0600.0000 9 GigabitEthernet1/18 ACTIVE
200.1.1.2 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.3 0001.0600.0000 9 GigabitEthernet1/18 ACTIVE
200.1.1.3 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.4 0001.0600.0000 9 GigabitEthernet1/18 ACTIVE
200.1.1.4 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.5 0001.0600.0000 9 GigabitEthernet1/18 ACTIVE
200.1.1.5 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.6 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.7 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
 

This example displays all active IP or MAC binding entries for all interfaces:

Switch# show ip device tracking all active
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
200.1.1.1 0001.0600.0000 9 GigabitEthernet1/17 ACTIVE
200.1.1.2 0001.0600.0000 9 GigabitEthernet1/17 ACTIVE
200.1.1.3 0001.0600.0000 9 GigabitEthernet1/17 ACTIVE
200.1.1.4 0001.0600.0000 9 GigabitEthernet1/17 ACTIVE
200.1.1.5 0001.0600.0000 9 GigabitEthernet1/17 ACTIVE
 

This example displays all inactive IP or MAC binding entries for all interfaces. The host was first learned on GigabitEthernet 0/1 and then moved to GigabitEthernet 0/2. The IP or MAC binding entries learned on GigabitEthernet 0/1 are marked as inactive.

Switch# show ip device tracking all inactive
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
200.1.1.8 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.9 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.10 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.1 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.2 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.3 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.4 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.5 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.6 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
200.1.1.7 0001.0600.0000 8 GigabitEthernet1/17 INACTIVE
 

This example displays the count of all IP device tracking host entries for all interfaces:

Switch# show ip device tracking all count
Total IP Device Tracking Host entries: 5
---------------------------------------------------------------------
Interface Maximum Limit Number of Entries
---------------------------------------------------------------------
Gi0/3 5

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic
Document Title

Cisco IOS basic commands

Cisco IOS Configuration Fundamentals Command Reference

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.