This feature works by filtering IP traffic with a
source IP address other than that assigned via Dynamic Host Configuration Protocol (DHCP) or static
configuration on the untrusted Layer 2 ports. The IP Source Guard feature works in combination with the DHCP
snooping feature available on Catalyst switches and is enabled on untrusted Layer 2 ports. (DHCP snooping is
discussed in Chapter 4, "Security Features on Switches" with configuration examples.)
As shown in Figure 7-5, when you are using the IP Source Guard feature in a DHCP-enabled environment, all
traffic is blocked on the switch port except for the DHCP packets that are captured by the DHCP snooping
process. The DHCP packets flowing between the DHCP client and the server are monitored, and the monitoring
creates a binding table that lists IP-to-MAC mapping on each switch port. This allows the switch to know which
port is connected with what source MAC address and the assigned IP address. If DHCP is not used, a static IP
source binding map can be configured by the user. With the help of this IP-to-MAC binding table, a per-port
VLAN Access Control List (PACL) is installed (PACL is a security ACL applied on Layer 2 switch ports) that permits
only traffic whose source address matches an entry in the binding table and denies all other (spoofed-source) traffic.
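The following is an added configuration example, not taken from the book, showing how the pieces described above fit together on a Cisco IOS Catalyst switch: DHCP snooping enabled for the access VLAN, the uplink toward the DHCP server marked trusted, IP Source Guard enabled on an untrusted access port, and a static IP source binding for a host that does not use DHCP. The interface names, VLAN number, MAC address and IP address are assumed placeholder values; the command syntax is standard IOS but the exact keywords vary by platform and release, so check your own switch documentation.

```cisco
! --- Added example (not from the original text); all names and addresses are placeholders ---
! Enable DHCP snooping globally and on the VLAN that the untrusted access ports belong to.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The uplink toward the DHCP server is the only port allowed to forward DHCP server replies
! (OFFER/ACK). Every other port stays untrusted by default.
interface GigabitEthernet1/0/24
 description Uplink to DHCP server (trusted)
 ip dhcp snooping trust
!
! Untrusted access port for a DHCP client. "ip verify source" installs the per-port ACL that
! permits only packets whose source IP matches the DHCP snooping binding learned on this port;
! until a binding exists, only DHCP traffic is allowed through.
interface GigabitEthernet1/0/1
 description Untrusted access port (IP Source Guard)
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Untrusted access port for a statically addressed host: same filtering, but the binding is
! supplied manually below instead of being learned from DHCP.
interface GigabitEthernet1/0/2
 description Untrusted access port, static host (IP Source Guard)
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Static IP-to-MAC binding for the host on Gi1/0/2 (assumed placeholder MAC and IP).
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/2
!
! Verification: the binding table and the per-port filters actually installed.
!   show ip dhcp snooping binding
!   show ip source binding
!   show ip verify source
```

When checking the result, `show ip verify source` should list each guarded port with its filter mode and the permitted source IP (or `deny-all` for a port with no binding yet); a host that changes its address to one not in the binding table loses connectivity on that port rather than being able to spoof it.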