Wednesday, 15 March 2017

Configuring IP Source Guard on a 2960X

IP Source Guard is a layer 3 security feature that prevents IP spoofing. It like DAI relies on the DHCP snooping binding table to function.

DAI however works on Layer 2 / ARP and is not able to inspect layer 3 / IP traffic - hence IP Source Guard was introduced.

IP Source Guard is applied on a per-interface level:

int gi0/4
ip verify source

If you have statically assigned IP's you can create a 'static binding' so that IP Source Guard can confirm which IP it is expecting on the specific port.

ip source binding 1111.2222.3333 vlan 100 1.2.3.4 interface gi0/20

We can show interface that have been configured with IP Source Guard with:

do show ip verify source

We can also view the IP Source Guard binding table at any time with:

show ip source binding


0 comments:

Post a comment