Difference between revisions of "Netband Project - IP Source Guard"
From Teknologisk videncenter
Line 2: | Line 2: | ||
This page is part of the [[Netband_Project|Netband Project]] | This page is part of the [[Netband_Project|Netband Project]] | ||
− | *IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.<br> | + | *IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the [[Netband Project - DHCP Snooping | DHCP snooping]] binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.<br> |
*IP source guard is supported only on Layer 2 ports, including access and trunk ports | *IP source guard is supported only on Layer 2 ports, including access and trunk ports | ||
* An ACL is applied to the interface, which allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic. | * An ACL is applied to the interface, which allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic. |
Revision as of 13:06, 14 April 2009
<accesscontrol>NetBand</accesscontrol> This page is part of the Netband Project
- IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
- IP source guard is supported only on Layer 2 ports, including access and trunk ports
- An ACL is applied to the interface, which allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
- Filtering options
- Source IP address
- The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
- Source IP and MAC Address
- The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.
- Filters both ip and non-ip traffic
- Port security is used to filter source MAC addresses
- Is not supported on pvlan
- Source IP address
Configuration
interface FastEthernet0/10 ip verify source port-security