This feature helps prevent IP spoofing attacks, in which a host tries to use the IP address of another host.
Any IP traffic coming into the interface with a source IP address other than the one assigned (via DHCP or
static configuration) is filtered out on the untrusted Layer 2 ports.
The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2
interfaces. It builds and maintains an IP source binding table whose entries are either learned by DHCP
snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains
the IP address and the associated MAC address and VLAN number. The IP Source Guard is supported on Layer 2
ports only, including access and trunk ports.
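A simplified model of the binding-table check described above, added here as an illustration (it is not code from the book or from Cisco IOS). The per-entry port field, the class and function names, and the sample addresses are assumptions; the interface name and VLAN 5 are the ones used in the examples on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One IP source binding entry: IP, MAC and VLAN, plus the port it is tied to (assumed)."""
    ip: str
    mac: str
    vlan: int
    port: str
    source: str  # "dhcp-snooping" (learned) or "static" (manually configured)

class SourceGuardModel:
    """Toy model of the per-port source check; not the switch's real implementation."""

    def __init__(self, guarded_ports, check_mac):
        self.guarded = set(guarded_ports)  # untrusted Layer 2 ports with the feature enabled
        self.check_mac = check_mac         # True models IP and MAC filtering (port-security)
        self.table = {}                    # (port, vlan, ip) -> Binding

    def add(self, binding):
        self.table[(binding.port, binding.vlan, binding.ip)] = binding

    def permits(self, port, vlan, src_ip, src_mac):
        if port not in self.guarded:
            return True                    # filtering applies only where the feature is enabled
        entry = self.table.get((port, vlan, src_ip))
        if entry is None:
            return False                   # source IP has no binding on this port and VLAN
        if self.check_mac and entry.mac.lower() != src_mac.lower():
            return False                   # IP is bound, but to a different MAC address
        return True

ACCESS = "GigabitEthernet1/0/1"            # interface from Example 4-9
HOST_MAC = "0000.5e00.5301"                # constructed sample MAC (documentation range)

def build_example(check_mac):
    """Build a model holding one constructed DHCP-learned binding on VLAN 5."""
    guard = SourceGuardModel(guarded_ports=[ACCESS], check_mac=check_mac)
    guard.add(Binding("192.0.2.10", HOST_MAC, 5, ACCESS, "dhcp-snooping"))
    return guard

if __name__ == "__main__":
    guard = build_example(check_mac=True)
    frames = [(ACCESS, 5, "192.0.2.10", HOST_MAC),           # assigned address
              (ACCESS, 5, "192.0.2.20", HOST_MAC),           # another host's IP address
              (ACCESS, 5, "192.0.2.10", "0000.5e00.53ff")]   # right IP, wrong MAC
    for frame in frames:
        print(frame, "permit" if guard.permits(*frame) else "drop")
```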
Example 4-9 shows how to enable the IP Source Guard with dynamic source IP and MAC address filtering.
Example 4-9. IP Source Guard Configuration Example 1
Switch(config)#interface GigabitEthernet1/0/1
Switch(config-if)#ip verify source port-security
Example 4-10 shows how to enable the IP Source Guard with a static source IP address and MAC address
filtering mapped on VLAN 5.
Example 4-10. IP Source Guard Configuration Example 2
Switch(config)# ip source binding 0011.