The switch uses a source IP lookup table in hardware to bind IP addresses to ports. For IP and MAC filtering,
a combination of source IP and source MAC lookups are used. IP traffic with a source IP address is the binding
table is allowed, all other traffic is denied.
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured
(static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its
associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IPSG is supported only on Layer 2 ports, including access and trunk ports. You can configure IPSG with
source IP address filtering or with source IP and MAC address filtering.
IP Source Guard for Static Hosts
Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports.
Note
IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG
used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic received
from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on
nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database and on manually
configured IP source bindings. The previous version of IPSG required a DHCP environment for IPSG to
work.
IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table
entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to
maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send
traffic to a given port. This is equivalent to port security at Layer 3.
IPSG for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP address
that is available in the IP DHCP snooping table, the same entry is learned by the IP device tracking table. In
a stacked environment, when the master failover occurs, the IP source guard entries for static hosts attached
to member ports are retained. When you enter the
show ip device tracking all
EXEC command, the IP device
tracking table displays the entries as ACTIVE.
Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface.
The invalid packets contain the IP or MAC address for another network interface of the host as the source
address. The invalid packets can cause IPSG for static hosts to connect to the host, to learn the invalid IP
or MAC address bindings, and to reject the valid bindings. Consult the vender of the corresponding
operating system and the network interface to prevent the host from injecting invalid packets.
Note
IPSG for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping
mechanism. IP or MAC bindings are learned from static hosts by ARP and IP packets. They are stored in the
device tracking database. When the number of IP addresses that have been dynamically learned or statically
configured on a given port reaches a maximum, the hardware drops any packet with a new IP address. To
resolve hosts that have moved or gone away for any reason, IPSG for static hosts leverages IP device tracking
to age out dynamically learned IP address bindings. This feature can be used with DHCP snooping. Multiple
bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are
stored in both the device tracking database as well as in the DHCP snooping binding database.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1292
Information About IP Source Guard
Содержание Catalyst 2960 Series
Страница 78: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxviii Contents ...
Страница 96: ......
Страница 184: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 102 Additional References ...
Страница 195: ...P A R T II IP Multicast Routing Configuring IGMP Snooping and Multicast VLAN Registration page 115 ...
Страница 196: ......
Страница 250: ......
Страница 292: ......
Страница 488: ......
Страница 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Страница 590: ......
Страница 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Страница 620: ......
Страница 749: ...P A R T VIII Routing Configuring IP Unicast Routing page 669 Configuring IPv6 First Hop Security page 677 ...
Страница 750: ......
Страница 796: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 714 Additional References ...
Страница 856: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 774 Additional References ...
Страница 1400: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1318 Additional References ...
Страница 1546: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1464 Auto Identity ...
Страница 1596: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1514 Additional References ...
Страница 1604: ......
Страница 1740: ......
Страница 1764: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1682 Additional References ...
Страница 1942: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1860 cli_write ...
Страница 1950: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1868 context_save ...
Страница 2058: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1976 event_register_wdsysmon ...
Страница 2076: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1994 smtp_subst ...
Страница 2090: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2008 sys_reqinfo_syslog_history ...
Страница 2104: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2022 unregister_counter ...
Страница 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Страница 2106: ......
Страница 2118: ......
Страница 2164: ......