IP Source Guard






The primary purpose of IP Source Guard is to restrict access on a port to a set of authorized LAN clients whose MAC address and IP address are both listed in the IP Source Guard binding table. If an unauthorized LAN client connects to a port that has IP Source Guard enabled, the switch drops the packets from it.



IP Source Guard provides security to the network by filtering clients with invalid or spoofed IP addresses. IP Source Guard is a Layer 2 (L2), per-port feature that works closely with the information in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.



When you enable IP Source Guard on an untrusted port with DHCP snooping enabled, an IP filter entry is created or deleted for that port automatically, based on IP information stored in the corresponding DHCP binding table entry.

When a connecting client receives a valid IP address from the DHCP server, a filter is installed on the port to allow traffic only from the assigned IP address. A maximum of 10 IP addresses are allowed on each IP Source Guard-enabled port. When this number is reached, no more filters are set up and traffic is dropped.

These are the commands for the configuration:




IP Source Guard uses the information stored in the DHCP binding table (built by DHCP snooping) to validate IP traffic. Any device, whether statically or dynamically configured, must appear in the DHCP binding table.
Statically configured devices must be placed in the DHCP binding table manually. If a device is swapped out, the MAC address in the DHCP binding table will most likely need to be updated.
If for any reason the DHCP binding table is accidentally cleared, the switch will block IP traffic until the binding table is rebuilt, either manually or from DHCP transactions.


So we will do the initial configuration using DHCP snooping:





We see that DHCP snooping was successfully enabled on the interface Fa0/4. Now we will use ip verify source to enable IP Source Guard at the interface level.

With the last command we verified the MAC address associated with the interface fa0/4.

If we choose the port-security option, it enables an extra level of security: the source MAC address of incoming packets on that port is checked against the local switch's MAC address table. If those packets match, all is well; if not, the packets are dropped.
Check this out:




If the device on fa0/4 were getting its IP address via DHCP, we would see a secure MAC address under IP Address rather than inactive-trust-port.



That completes the configuration. With the command show ip verify source you will see the interface fa0/4 bound to IP address 10.0.0.13, and the lab is done.
If you like it, please share it.
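Because the screenshots with the commands are not reproduced here, the following is an added Cisco IOS configuration example that walks the whole procedure described above (DHCP snooping, ip verify source, the optional port-security MAC check, and the static binding that the earlier paragraph says a statically addressed host needs). It is not the author's lab configuration. Assumed values: VLAN 10 for the clients, FastEthernet0/1 as the uplink toward the DHCP server, FastEthernet0/4 as the client port, and a constructed MAC address 0011.2233.4455 for the static host; the IP address 10.0.0.13 is the one from the lab.

```cisco
! Added example, not the original lab configuration. Assumed values:
! VLAN 10 for clients, Fa0/1 uplink to the DHCP server, Fa0/4 client port,
! MAC 0011.2233.4455 (constructed) for a statically addressed host.
!
! --- Step 1: DHCP snooping, which builds the binding table ISG relies on ---
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
! Option-82 insertion is on by default; leave it off unless the DHCP
! server or relay expects it, otherwise DHCP replies can be discarded.
no ip dhcp snooping information option
!
interface FastEthernet0/1
 description Uplink toward the DHCP server (trusted: DHCP offers arrive here)
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Step 2: IP Source Guard on the untrusted client port ---
interface FastEthernet0/4
 description Client port (untrusted)
 switchport mode access
 switchport access vlan 10
 ! IP filtering only: traffic passes only from the IP address found in the
 ! binding table for this port; everything else is dropped.
 ip verify source
!
! --- Step 3 (optional): add the source MAC check ---
interface FastEthernet0/4
 ! MAC filtering needs port security on the port; the MAC from the
 ! binding entry becomes the secure MAC address.
 switchport port-security
 ! Replaces "ip verify source" with IP and MAC filtering.
 ip verify source port-security
!
! --- Step 4: static host that never goes through DHCP ---
! Without this entry a statically addressed host on Fa0/4 is blocked,
! and the entry must be updated if the host (and its MAC) is replaced.
ip source binding 0011.2233.4455 vlan 10 10.0.0.13 interface FastEthernet0/4
end
!
! --- Verification ---
! Filter-type should read ip-mac (or ip without the port-security option)
! and Filter-mode active. inactive-trust-port means the port is a DHCP
! snooping trusted port; inactive-no-snooping-vlan means the VLAN was
! not enabled for snooping.
show ip verify source
show ip dhcp snooping binding
show ip source binding
```

A dynamically addressed client shows up in show ip dhcp snooping binding after it completes a DHCP exchange; until then its traffic is dropped on Fa0/4, which is the expected behaviour and the reason the binding table must not be cleared on a production switch without a plan to rebuild it.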


IP Source Guard. Reviewed by ohhhvictor on 6:33:00 PM. Rating: 5
