IP Source Guard is a Layer 3 security feature that prevents IP spoofing. Like DAI, it relies on the DHCP snooping binding table to function.
DAI, however, works at Layer 2 (ARP) and cannot inspect Layer 3 (IP) traffic, which is why IP Source Guard was introduced.
IP Source Guard is applied on a per-interface level:
int gi0/4
ip verify source
If you have statically assigned IPs, you can create a 'static binding' so that IP Source Guard knows which IP to expect on a specific port:
ip source binding 1111.2222.3333 vlan 100 1.2.3.4 interface gi0/20
We can show the interfaces that have been configured with IP Source Guard with:
do show ip verify source
We can also view the IP Source Guard binding table at any time with:
show ip source binding
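The following is an added example, not part of the original post and not switch code: a simplified Python model of the per-port check described above, showing why a statically addressed host is dropped until it has a static binding. The sample config, the DHCP-learned entry and the function names are constructed for illustration, and the model checks only source IP, VLAN and interface.

```python
import re
from typing import NamedTuple

class Binding(NamedTuple):
    mac: str
    vlan: int
    ip: str
    interface: str

# Static binding syntax exactly as shown in the post.
STATIC_RE = re.compile(
    r"^ip source binding (\S+) vlan (\d+) (\d+\.\d+\.\d+\.\d+) interface (\S+)$")

# Constructed sample config using the post's commands.
SAMPLE_CONFIG = """\
int gi0/4
 ip verify source
int gi0/20
 ip verify source
ip source binding 1111.2222.3333 vlan 100 1.2.3.4 interface gi0/20
"""
# Constructed entry standing in for a lease learned by DHCP snooping.
DHCP_LEARNED = [Binding("aaaa.bbbb.cccc", 100, "1.2.3.50", "gi0/4")]

def parse_static_bindings(config):
    """Return a Binding for every 'ip source binding' line."""
    matches = (STATIC_RE.match(l.strip().lower()) for l in config.splitlines())
    return [Binding(m[1], int(m[2]), m[3], m[4]) for m in matches if m]

def guarded_ports(config):
    """Return interfaces that have 'ip verify source' configured under them."""
    ports, current = set(), None
    for line in config.splitlines():
        s = line.strip().lower()
        if s.startswith(("int ", "interface ")):
            current = s.split(None, 1)[1]
        elif s == "ip verify source" and current:
            ports.add(current)
    return ports

def permitted(interface, vlan, src_ip, bindings, guarded):
    """Model the check: on a guarded port the source IP must match a binding."""
    interface = interface.lower()
    if interface not in guarded:
        return True  # port not configured for IP Source Guard: no filtering
    return any(b.interface == interface and b.vlan == vlan and b.ip == src_ip
               for b in bindings)
```

Calling permitted() with only DHCP_LEARNED as the table shows the static host on gi0/20 being dropped; adding the parsed static binding permits it, while the same address sourced from gi0/4 is still rejected.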