Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch N1500 Series

941

942

943

944

945

946

947

948

949

950

948 Snooping and Inspecting Traffic

What Is IP Source Guard?

IPSG is a security feature that filters IP packets based on source ID. This

feature helps protect the network from attacks that use IP address spoofing to

compromise or overwhelm the network.

The source ID may be either the source IP address or a {source IP address,

source MAC address} pair. The following can be configured:

• Whether enforcement includes the source MAC address

• Static authorized source IDs

The DHCP snooping bindings database and static IPSG entries identify

authorized source IDs. IPSG can be enabled on physical and LAG ports.

If you enable IPSG on a port where DHCP snooping is disabled or where

DHCP snooping is enabled but the port is trusted, all IP traffic received on

that port is dropped depending on the admin-configured IPSG entries.

IPSG and Port Security

IPSG interacts with port security, also known as port MAC locking, (see "Port-

based Security—Port MAC Locking " on page 623) to enforce the source

MAC address. Port security controls source MAC address learning in the

layer-2 forwarding database (MAC address table). When a frame is received

with a previously unlearned source MAC address, port security queries the

IPSG feature to determine whether the MAC address belongs to a valid

binding.

If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If

IPSG is enabled on the ingress port, IPSG checks the bindings database. If

the MAC address is in the bindings database and the binding matches the

VLAN the frame was received on, IPSG replies that the MAC is valid. If the

MAC is not in the bindings database, IPSG informs port security that the

frame is a security violation.

In the case of an IPSG violation, port security takes whatever action it

normally takes upon receipt of an unauthorized frame. Port security limits the

number of MAC addresses to a configured maximum. If the limit

is less

than the number of stations

in the bindings database, port security allows

only

stations to use the port. If

n > m

, port security allows only the stations

in the bindings database. For information about configuring the Port Security

feature, see "Port and System Security " on page 623.