Netband Project - IP Source Guard
From Teknologisk videncenter
Latest revision as of 06:52, 13 May 2009

IP Source Guard

This page is part of the Netband Project.

- IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database (see the Netband Project - DHCP Snooping page) and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
- IP source guard is supported only on Layer 2 ports, including access and trunk ports.
- An ACL is applied to the interface, which allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
- Filtering options
  - Source IP address
    - The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
  - Source IP and MAC address
    - The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.
    - Filters both IP and non-IP traffic.
    - Port security is used to filter source MAC addresses.
    - Is not supported on private VLANs (PVLANs).

Configuration

DHCP snooping must be configured correctly for IP source guard to work properly.

Source IP and MAC address filtering:
<pre>
interface FastEthernet0/10
 ip verify source port-security
</pre>

Source IP address filtering:
<pre>
interface FastEthernet0/10
 ip verify source
</pre>

Statically assigned IP and MAC address entry:
<pre>
ip source binding 0003.47C9.A1D8 vlan 3 10.1.1.11 interface Fa0/1
</pre>

Verification
<pre>
HQSW1#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:C9:A1:D8   10.1.1.11        infinite    static         3     FastEthernet0/1
00:1B:2A:79:5F:53   10.1.2.52        185         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        233         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        228         dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 4
</pre>

External Links

C3560 Configuration guide: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdhcp82.html#wp1256657
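To make the two filtering modes and the verification output concrete, here is an added Python model of the decision IP source guard makes per frame. It is an illustration written for this page, not Cisco IOS code and not part of the Netband Project: it parses the `show ip source binding` table shown above into a binding list and then evaluates constructed sample frames under `ip verify source` (IP only) and `ip verify source port-security` (IP and MAC). The binding table text is copied from the page; the frames, the `Frame`/`Binding` classes and the `verify_source` function are assumptions made for the example, as is the rule that DHCP traffic is let through so a host can obtain the lease that creates its binding.

```python
"""Model of the IP Source Guard filtering decision (added example, not IOS code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the 'show ip source binding' output shown on the page.
SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:C9:A1:D8   10.1.1.11        infinite    static         3     FastEthernet0/1
00:1B:2A:79:5F:53   10.1.2.52        185         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        233         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        228         dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 4
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str  # 'static' or 'dhcp-snooping'


@dataclass(frozen=True)
class Frame:
    """A frame as seen on an ingress port (hypothetical shape for this example)."""
    interface: str
    vlan: int
    src_mac: str
    src_ip: Optional[str]  # None means non-IP traffic
    dhcp: bool = False


def parse_bindings(text):
    """Turn the 'show ip source binding' table into Binding objects."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have six columns and a colon-separated MAC; skip header,
        # rule and 'Total number of bindings' lines.
        if len(parts) != 6 or parts[0][2:3] != ":":
            continue
        mac, ip, _lease, kind, vlan, intf = parts
        bindings.append(Binding(mac.lower(), ip, int(vlan), intf, kind))
    return bindings


def verify_source(frame, bindings, port_security=False):
    """Return 'forward' or 'drop' for one frame under the chosen mode."""
    if frame.dhcp:
        # Assumption: DHCP is permitted so the host can obtain the lease that
        # creates its binding in the first place.
        return "forward"
    # Bindings only count on the port and VLAN the frame arrived on.
    on_port = [b for b in bindings
               if b.interface == frame.interface and b.vlan == frame.vlan]
    mac = frame.src_mac.lower()
    if frame.src_ip is None:
        # IP-only mode ignores non-IP traffic; IP+MAC mode hands the source
        # MAC to port security, which only permits bound MAC addresses.
        if not port_security:
            return "forward"
        return "forward" if any(b.mac == mac for b in on_port) else "drop"
    for b in on_port:
        if b.ip == frame.src_ip and (not port_security or b.mac == mac):
            return "forward"
    return "drop"


def demo():
    """Evaluate constructed frames; returns {name: (ip_only, ip_and_mac)}."""
    bindings = parse_bindings(SHOW_IP_SOURCE_BINDING)
    cases = {
        # Host on Fa0/2 using its own snooped lease.
        "legitimate": Frame("FastEthernet0/2", 3, "00:03:47:C9:9F:AC", "10.1.1.10"),
        # Host covered by the static entry on Fa0/1.
        "static binding host": Frame("FastEthernet0/1", 3, "00:03:47:C9:A1:D8", "10.1.1.11"),
        # Host on Fa0/2 claiming the neighbor's address (bound to Fa0/1).
        "neighbor IP on wrong port": Frame("FastEthernet0/2", 3, "00:03:47:C9:9F:AC", "10.1.1.11"),
        # Correct IP but a MAC that is not in the binding table.
        "unbound MAC": Frame("FastEthernet0/2", 3, "de:ad:be:ef:00:01", "10.1.1.10"),
        # Non-IP frame from an unbound MAC.
        "non-IP unbound MAC": Frame("FastEthernet0/2", 3, "de:ad:be:ef:00:01", None),
        # DHCP request from a host that has no binding yet.
        "dhcp request": Frame("FastEthernet0/3", 3, "de:ad:be:ef:00:02", None, dhcp=True),
    }
    return {name: (verify_source(f, bindings), verify_source(f, bindings, True))
            for name, f in cases.items()}


if __name__ == "__main__":
    for name, (ip_only, ip_mac) in demo().items():
        print(f"{name:28s} ip-only={ip_only:8s} ip+mac={ip_mac}")
```

The interesting rows are the last four: a frame that borrows a neighbor's address is dropped in both modes because the binding is tied to another port, while a frame with a valid IP but an unbound MAC, or non-IP traffic from an unbound MAC, is only caught once `port-security` is added to `ip verify source`.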