Difference between revisions of "Netband Project - IP Source Guard"

From Teknologisk videncenter

Latest revision as of 06:52, 13 May 2009

IP Source Guard

This page is part of the Netband Project

  • IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent spoofing attacks in which a host tries to use the IP address of its neighbor.
  • IP source guard is supported only on Layer 2 ports, including access and trunk ports.
  • An ACL is applied to the interface, which allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
  • Filtering options
    • Source IP address
      • The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
    • Source IP and MAC address
      • The switch forwards traffic only when both the source IP and the source MAC address match an entry in the IP source binding table.
      • Filters both IP and non-IP traffic.
      • Port security is used to filter source MAC addresses.
      • Is not supported on private VLANs (PVLANs).


Configuration


DHCP snooping must be configured correctly for IP source guard to work properly.


Source IP and MAC address filtering

interface FastEthernet0/10
 ip verify source port-security

Source IP address filtering

interface FastEthernet0/10
 ip verify source 

Statically assigned IP and MAC address entry

ip source binding 0003.47C9.A1D8 vlan 3 10.1.1.11 interface Fa0/1

Verification

HQSW1#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:C9:A1:D8   10.1.1.11        infinite    static         3     FastEthernet0/1
00:1B:2A:79:5F:53   10.1.2.52        185         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        233         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        228         dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 4
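The following Python script is an added example (not part of the original page and not Cisco code) that parses the "show ip source binding" output above and models the per-port ACL that IP source guard installs in both modes, "ip verify source" and "ip verify source port-security". It assumes, as a simplification, that a binding only permits traffic on the interface and VLAN it was learned on.

```python
import re

# Constructed sample: the "show ip source binding" output shown on this page.
SHOW_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:C9:A1:D8   10.1.1.11        infinite    static         3     FastEthernet0/1
00:1B:2A:79:5F:53   10.1.2.52        185         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        233         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        228         dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 4
"""

# One binding row: MAC, IP, lease, type, VLAN, interface (header and dashes do not match).
ROW = re.compile(r"^([0-9A-F:]{17})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$", re.I)


def parse_bindings(text):
    """Return the binding table as a list of (mac, ip, vlan, interface) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, ip, _lease, _type, vlan, intf = m.groups()
            rows.append((mac.lower(), ip, int(vlan), intf))
    return rows


def permitted(bindings, intf, vlan, src_ip, src_mac, port_security=False):
    """Decide whether a frame arriving on intf/vlan passes the IP source guard ACL.

    "ip verify source": the source IP must be bound to this port and VLAN.
    "ip verify source port-security": the source MAC must belong to that same
    binding, so a host keeping its own MAC but borrowing a neighbour's IP is dropped.
    """
    for mac, ip, bound_vlan, bound_intf in bindings:
        if bound_intf != intf or bound_vlan != vlan or ip != src_ip:
            continue
        if not port_security or mac == src_mac.lower():
            return True
    return False  # no matching binding: the implicit deny of the port ACL


if __name__ == "__main__":
    table = parse_bindings(SHOW_OUTPUT)
    # Host on Fa0/2 (really 10.1.1.10) sending as its neighbour 10.1.1.11: dropped.
    print(permitted(table, "FastEthernet0/2", 3, "10.1.1.11", "00:03:47:c9:9f:ac"))
```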

External Links

C3560 Configuration guide: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdhcp82.html#wp1256657