Configuring Device Security
Defining DHCP Snooping
Cisco Small Business SFE/SGE Managed Switches Administration Guide
Defining IP Source Guard
IP Source Guard is a security feature that restricts the client IP traffic to those
source IP addresses configured in the DHCP Snooping Binding Database and in
manually configured IP source bindings. For example, IP Source Guard can help
prevent traffic attacks caused when a host tries to use the IP address of its
neighbor.
• DHCP snooping must be enabled on the device’s untrusted interfaces and on the relevant VLAN in order to activate the IP Source Guard feature.
• IP Source Guard must be enabled globally in the IP Source Guard Properties Page before it can be enabled on the device interfaces.
• IP Source Guard uses Ternary Content Addressable Memory (TCAM) resources, requiring one TCAM rule per IP Source Guard address entry. If the number of IP Source Guard entries exceeds the number of available TCAM rules, new IP Source Guard addresses remain inactive.
• IP Source Guard cannot be configured on routed ports.
• If IP Source Guard and MAC address filtering are enabled on a port, Port Security cannot be activated on the same port.
• If a port is trusted, filtering of static IP addresses can be configured, although IP Source Guard is not active in that condition.
• If a port’s status changes from untrusted to trusted, the static IP address filtering entries remain but become inactive.
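The list above describes the feature's behaviour in prose; the following Python model (an added illustration, not code from the guide or from the switch firmware) makes those rules executable: a binding table fed by DHCP snooping and static entries, a TCAM budget of one rule per entry, and the trusted-port and global-enable conditions. Port names, addresses and the TCAM size are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    port: str
    ip: str
    origin: str  # "dhcp-snooping" (learned) or "static" (manually configured)


@dataclass
class IpSourceGuard:
    tcam_rules: int                      # TCAM rules available to IP Source Guard
    enabled: bool = False                # global enable (IP Source Guard Properties page)
    guarded_ports: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    bindings: list = field(default_factory=list)

    def enable_on_port(self, port):
        # The feature must be enabled globally before any interface can use it.
        if not self.enabled:
            raise ValueError("enable IP Source Guard globally first")
        self.guarded_ports.add(port)

    def add_binding(self, port, ip, origin="dhcp-snooping"):
        self.bindings.append(Binding(port, ip, origin))

    def active_bindings(self):
        # One TCAM rule per entry; once the budget is used up, later entries stay
        # inactive. Entries on trusted ports are kept but never programmed.
        active = []
        for b in self.bindings:
            if b.port in self.trusted_ports:
                continue
            if len(active) < self.tcam_rules:
                active.append(b)
        return active

    def inactive_bindings(self):
        active = set(self.active_bindings())
        return [b for b in self.bindings if b not in active]

    def permits(self, port, src_ip):
        """Decide whether a frame with source IP src_ip is forwarded from port."""
        if not self.enabled or port not in self.guarded_ports:
            return True                  # feature not applied to this port
        if port in self.trusted_ports:
            return True                  # IP Source Guard is not active on trusted ports
        return any(b.port == port and b.ip == src_ip for b in self.active_bindings())
```

Running the model with a two-rule TCAM and three bindings shows the third entry staying inactive, and a host on one port being dropped when it sources its neighbour's address.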
The IP Source Guard section contains the following topics:
• Configuring IP Source Guard Properties
• Defining IP Source Guard Interface Settings
• Querying the IP Source Binding Database
Configuring IP Source Guard Properties
The IP Source Guard Properties Page allows network managers to enable the use of IP Source Guard on the device. IP Source Guard must be enabled for the device before it can be enabled on individual ports or LAGs. To enable IP Source Guard: