Chapter 17
Configuring IP Source Guard
This chapter describes how to configure IP Source Guard on Cisco NX-OS devices.
This chapter includes the following sections:
• About IP Source Guard, on page 405
• Licensing Requirements for IP Source Guard, on page 406
• Prerequisites for IP Source Guard, on page 406
• Guidelines and Limitations for IP Source Guard, on page 406
• Default Settings for IP Source Guard, on page 407
• Configuring IP Source Guard, on page 407
• Displaying IP Source Guard Bindings, on page 410
• Clearing IP Source Guard Statistics, on page 410
• Configuration Example for IP Source Guard, on page 410
• Additional References, on page 411
About IP Source Guard
IP Source Guard is a per-interface traffic filter that permits inbound IP traffic only when the source IP address
and source MAC address of each packet match an entry from one of two sources of IP and MAC address bindings:
• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
• Static IP source entries that you configure
Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses
the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker
would have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source
Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially
enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results
of inspecting the packet
• IP traffic from static IP source entries that you have configured on the Cisco NX-OS device
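To make the decision described above concrete, the following is an added example written for this page, not Cisco NX-OS code. It models the per-interface filter on an untrusted Layer 2 port: DHCP traffic is handed to DHCP snooping, packets whose (source IP, source MAC, interface) triple appears in the DHCP snooping binding table or in the static entries are forwarded, and everything else is dropped. The interface names, addresses and binding records are constructed sample data, and the class and function names are this example's own.

```python
"""Model of the IP Source Guard forwarding decision on untrusted Layer 2 ports.

Added illustrative code, not NX-OS software. All data below is constructed.
"""
from dataclasses import dataclass, field

DHCP_PORTS = (67, 68)  # UDP server/client ports used to recognise DHCP packets


@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC binding tied to the interface it was learned or configured on."""
    ip: str
    mac: str
    interface: str


def make_binding(ip: str, mac: str, interface: str) -> Binding:
    """Normalise the MAC so case differences do not defeat the lookup."""
    return Binding(ip, mac.lower(), interface)


@dataclass(frozen=True)
class Packet:
    """Only the fields the filter inspects on an inbound packet."""
    interface: str
    src_ip: str
    src_mac: str
    protocol: str = "tcp"  # "udp" for DHCP
    dst_port: int = 0


@dataclass
class IpSourceGuard:
    dhcp_bindings: set = field(default_factory=set)     # learned by DHCP snooping
    static_bindings: set = field(default_factory=set)   # configured by the administrator
    enabled_interfaces: set = field(default_factory=set)  # untrusted ports with ISG on

    def learn_from_dhcp(self, ip: str, mac: str, interface: str) -> None:
        """Simulate DHCP snooping adding a lease to its binding table."""
        self.dhcp_bindings.add(make_binding(ip, mac, interface))

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        self.static_bindings.add(make_binding(ip, mac, interface))

    def decide(self, pkt: Packet) -> str:
        """Return 'forward', 'drop', or 'dhcp-snooping' (handed off for inspection)."""
        if pkt.interface not in self.enabled_interfaces:
            return "forward"  # feature not enabled here; no ISG filtering applies
        if pkt.protocol == "udp" and pkt.dst_port in DHCP_PORTS:
            return "dhcp-snooping"  # DHCP snooping forwards or drops after inspection
        candidate = make_binding(pkt.src_ip, pkt.src_mac, pkt.interface)
        if candidate in self.static_bindings or candidate in self.dhcp_bindings:
            return "forward"
        return "drop"  # no matching binding on this interface


def demo() -> dict:
    """Walk through the lifecycle on a freshly enabled port and a spoofing attempt."""
    isg = IpSourceGuard(enabled_interfaces={"Eth1/1", "Eth1/2"})
    valid_mac = "AA:BB:CC:DD:EE:01"
    results = {}

    # 1. Port just enabled, no bindings yet: all IP traffic blocked except DHCP.
    results["fresh_tcp"] = isg.decide(Packet("Eth1/1", "10.0.0.5", valid_mac))
    results["fresh_dhcp"] = isg.decide(
        Packet("Eth1/1", "0.0.0.0", valid_mac, protocol="udp", dst_port=67))

    # 2. DHCP snooping records the lease; the same host is now permitted.
    isg.learn_from_dhcp("10.0.0.5", valid_mac, "Eth1/1")
    results["after_lease"] = isg.decide(Packet("Eth1/1", "10.0.0.5", valid_mac))

    # 3. Spoofing only the IP, or only the MAC, fails the binding check.
    results["spoof_ip_only"] = isg.decide(Packet("Eth1/1", "10.0.0.5", "aa:bb:cc:dd:ee:99"))
    results["spoof_mac_only"] = isg.decide(Packet("Eth1/1", "10.0.0.77", valid_mac))
    # Spoofing both IP and MAC of the valid host matches the binding: the caveat
    # from the text, ISG alone cannot distinguish this from the legitimate host.
    results["spoof_both"] = isg.decide(Packet("Eth1/1", "10.0.0.5", valid_mac))

    # 4. Static entry for a host that does not use DHCP; bindings are per interface.
    isg.add_static("10.0.0.20", "aa:bb:cc:dd:ee:20", "Eth1/2")
    results["static_ok"] = isg.decide(Packet("Eth1/2", "10.0.0.20", "aa:bb:cc:dd:ee:20"))
    results["static_wrong_port"] = isg.decide(Packet("Eth1/1", "10.0.0.20", "aa:bb:cc:dd:ee:20"))

    # 5. A port without ISG enabled (for example a DHCP-trusted uplink) is untouched.
    results["uplink"] = isg.decide(Packet("Eth1/48", "192.0.2.1", "00:11:22:33:44:55"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The "spoof_both" case is the limitation the text calls out: once an attacker on the same port copies both the IP and MAC of a host in the binding table, the filter has nothing left to distinguish them, which is why IP Source Guard complements rather than replaces other port security controls. The "static_wrong_port" case shows that bindings are tied to the interface, so a static entry added for one port does not permit the same addresses on another.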
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
405