What is ip source guard – Dell POWEREDGE M1000E User Manual


Snooping and Inspecting Traffic


What Is IP Source Guard?

IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network.
The source ID may be either the source IP address or a {source IP address, source MAC address} pair. You can configure:

• Whether enforcement includes the source MAC address
• Static authorized source IDs

The DHCP snooping bindings database and static IPSG entries identify authorized source IDs. IPSG can be enabled on physical and LAG ports.

If you enable IPSG on a port where DHCP snooping is disabled, or where DHCP snooping is enabled but the port is trusted, no DHCP snooping bindings exist for that port: IP traffic received on the port is dropped unless it matches an admin-configured static IPSG entry.

IPSG and Port Security

IPSG interacts with port security, also known as port MAC locking (see "What is Port Security?" on page 517), to enforce the source MAC address.

Port security controls source MAC address learning in the layer 2 forwarding database (MAC address table). When a frame is received with a previously unlearned source MAC address, port security queries the IPSG feature to determine whether the MAC address belongs to a valid binding.
If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If IPSG is enabled on the ingress port, IPSG checks the bindings database. If the MAC address is in the bindings database and the binding matches the VLAN the frame was received on, IPSG replies that the MAC is valid. If the MAC is not in the bindings database, IPSG informs port security that the frame is a security violation.
In the case of an IPSG violation, port security takes whatever action it normally takes upon receipt of an unauthorized frame. Port security limits the number of MAC addresses to a configured maximum. If the limit n is less than the number of stations m in the bindings database, port security allows only n stations to use the port. If n > m, port security allows only the stations in the bindings database. For information about configuring the Port Security feature, see "Configuring 802.1X and Port-Based Security" on page 509.
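The following is an added example, not code from the Dell manual or the switch firmware: a small Python model of the decisions described in this section (which bindings apply on a port, the per-packet IPSG filter with and without MAC enforcement, and the port security MAC-learning query with limit n). The port name, MAC/IP bindings and configuration values are constructed for illustration.

```python
# Added example (not from the Dell manual): a small model of the IPSG decision
# described above. Port names, bindings and packets below are constructed.
from collections import namedtuple

Binding = namedtuple("Binding", "port vlan mac ip")   # one bindings-table row
PortConfig = namedtuple("PortConfig", "ipsg_enabled enforce_mac dhcp_snooping trusted max_macs",
                        defaults=(False, False, True, False, 2))   # max_macs = limit n

# Constructed bindings: two DHCP snooping entries and one static IPSG entry.
DHCP = [Binding("Gi1/0/1", 10, "00:11:22:33:44:01", "10.0.0.11"),
        Binding("Gi1/0/1", 10, "00:11:22:33:44:02", "10.0.0.12")]
STATIC = [Binding("Gi1/0/1", 10, "00:11:22:33:44:03", "10.0.0.13")]

def effective_bindings(cfg, port, dhcp=DHCP, static=STATIC):
    """Authorized source IDs on a port: static entries always apply; DHCP snooping
    entries only where snooping is enabled and the port is untrusted."""
    ids = [b for b in static if b.port == port]
    if cfg.dhcp_snooping and not cfg.trusted:
        ids += [b for b in dhcp if b.port == port]
    return ids

def ipsg_permits(cfg, bindings, vlan, src_mac, src_ip):
    """IPSG filter for one IP packet received on the port the bindings belong to:
    permit only if VLAN, source IP and (when enforced) source MAC all match."""
    if not cfg.ipsg_enabled:
        return True
    return any(b.vlan == vlan and b.ip == src_ip
               and (not cfg.enforce_mac or b.mac == src_mac) for b in bindings)

def mac_is_valid(cfg, bindings, vlan, src_mac):
    """IPSG's answer to port security's query about an unlearned source MAC."""
    if not cfg.ipsg_enabled:
        return True            # IPSG disabled on the ingress port: always valid
    return any(b.vlan == vlan and b.mac == src_mac for b in bindings)

def port_security_learn(cfg, bindings, learned, vlan, src_mac):
    """Port security MAC learning: admit an unlearned MAC only if IPSG accepts it
    and the configured limit n has not been reached; otherwise it is a violation."""
    if src_mac in learned:
        return True
    if not mac_is_valid(cfg, bindings, vlan, src_mac) or len(learned) >= cfg.max_macs:
        return False
    learned.add(src_mac)
    return True
```

With max_macs set to 2 and three bindings on the port, the model reproduces the n < m case: only two of the three bound stations are admitted.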
