Source Ip And Mac Address Filtering; Ip Source Guard For Static Hosts - Cisco Catalyst 3750-E Software Configuration Manual
Hide thumbs
Also See for Catalyst 3750-E:
- Getting started manual (27 pages) ,
- Product support bulletin (6 pages) ,
- Configuration handbook (359 pages)
Table of Contents
Chapter 22
Configuring DHCP Features and IP Source Guard
Source IP and MAC Address Filtering
IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when
the source IP and MAC addresses match an entry in the IP source binding table.
When address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of
an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch
drops all other types of packets except DHCP packets.
The switch uses port security to filter source MAC addresses. The interface can shut down when a
port-security violation occurs.
IP Source Guard for Static Hosts
Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports.
Note
IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous
IPSG used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic
received from a host without a valid DHCP binding entry is dropped. This security feature restricts IP
traffic on nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database
and on manually configured IP source bindings. The previous version of IPSG required a DHCP
environment for IPSG to work.
IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device
tracking-table entries to install port ACLs. The switch creates static entries based on ARP requests or
other IP packets to maintain the list of valid hosts for a given port. You can also specify the number of
hosts allowed to send traffic to a given port. This is equivalent to port security at Layer 3.
IPSG for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP
address that is available in the IP DHCP snooping table, the same entry is learned by the IP device
tracking table. In a stacked environment, when the master failover occurs, the IP source guard entries for
static hosts attached to member ports are retained. When you enter the show ip device tracking all
EXEC command, the IP device tracking table displays the entries as ACTIVE.
Note
IPSG for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping
mechanism. IP or MAC bindings are learned from static hosts by ARP and IP packets. They are stored
in the device tracking database. When the number of IP addresses that have been dynamically learned or
statically configured on a given port reaches a maximum, the hardware drops any packet with a new IP
address. To resolve hosts that have moved or gone away for any reason, IPSG for static hosts leverages
IP device tracking to age out dynamically learned IP address bindings. This feature can be used with
DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static
hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP
snooping binding database.
OL-9775-08
Some IP hosts with multiple network interfaces can inject some invalid packets into a network
interface. The invalid packets contain the IP or MAC address for another network interface of
the host as the source address. The invalid packets can cause IPSG for static hosts to connect to
the host, to learn the invalid IP or MAC address bindings, and to reject the valid bindings.
Consult the vender of the corresponding operating system and the network interface to prevent
the host from injecting invalid packets.
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
Understanding IP Source Guard
22-17
Hide quick links:
Table of Contents
Troubleshooting
