Brocade Multi-Service IronWare Switching Configuration Guide (Supporting R05.6.00)
53-1003036-02
IP source guard
When IP Source Guard is first enabled, only DHCP packets are allowed and all other IP traffic is blocked. IP Source Guard uses the IP or MAC bindings inside the ARP Inspection table to detect a valid IP address. When the system learns a valid IP address on the port, the client port then allows IP traffic to enter. If the source IP address of a packet does not match any of the IP addresses inside the ARP Inspection table, the packet is dropped. Only traffic with valid source IP addresses is permitted.
The system learns of a valid IP address from ARP. For information on how the ARP table is populated, refer to
Enabling IP source guard
The source-guard command sets a port as an IP Source Guarded port. DHCP Snooping should be configured before you enable the IP Source Guard feature.
The default setting is disabled. To enable a port as an IP Source Guarded port, enter the following commands.
Brocade(config)# interface ethernet 2/2
Brocade(config-if-e10000-2/2)# source-guard
The commands change the CLI to the interface configuration level for port 2/2 and enable IP
source guard on the port.
Syntax: [no] source-guard
NOTE
When IP Source Guard is enabled on a port, that port must have the same configuration as the primary port; otherwise it will not be implemented as IP Source Guarded.
Enabling IP source inspection on a VLAN
IP Source Guard configuration is enabled on ports per VLAN. When IP Source Guard is enabled on a VLAN, by default all ports inside the VLAN are set as “unguarded”. You can selectively choose which ports inside the VLAN are set as “guarded”. Initially, when a VLAN port is IP Source Guarded, only DHCP packets are allowed to get through. However, once an IP or MAC binding is learned from DHCP snooping, or is manually configured, only packets with a valid source IP address are allowed through.
There are two modes for IP Source Guard: strict mode and loose mode. You can configure either strict or loose mode during IP Source Guard VLAN configuration. In strict mode, the IP source address is bound to a particular port and VLAN. Only packets with an IP address coming from that particular VLAN port are considered valid. If the same source IP address arrives from a different port, it is considered an attack and is dropped. Strict mode provides more security, but it does not allow for a Layer 2 occurrence in a VLAN. In loose mode, the IP source address is bound to a VLAN. Only packets with IP source addresses that come from ports within the VLAN are considered valid.
To enable IP Source Inspection for a VLAN or a range of VLANs, enter the following command.
Brocade(config)# ip source-inspection vlan 2
Syntax: [no] ip source-inspection vlan vlan_number [ to vlan_number ] [strict]
The source IP addresses for VLAN IP packets are inspected for any port when IP Source Guard is
enabled.
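The following is an added example, not code from the Brocade guide or from IronWare: a small Python model of the filtering decisions described above (DHCP passes before any binding exists, strict mode binds a source IP to a port and VLAN, loose mode binds it only to the VLAN). Port names, VLAN numbers and addresses are constructed for the illustration, and the model keys bindings on source IP only, which is the check the text describes.

```python
"""Constructed model of IP Source Guard strict/loose filtering.

This is an illustration of the behaviour the guide describes, not Brocade's
implementation. Bindings stand in for entries learned by DHCP snooping or
configured statically; packets are constructed sample traffic.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DHCP_UDP_PORTS = {67, 68}  # DHCP server/client ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    vlan: int
    in_port: str          # ingress port, e.g. "2/2" (constructed)
    proto: str = "tcp"    # "udp" for DHCP
    dst_port: int = 0

    @property
    def is_dhcp(self) -> bool:
        return self.proto == "udp" and self.dst_port in DHCP_UDP_PORTS


@dataclass
class SourceGuard:
    strict: bool
    guarded_ports: set = field(default_factory=set)
    # strict mode keys a binding as (ip, vlan, port); loose mode as (ip, vlan)
    bindings: set = field(default_factory=set)

    def learn(self, ip: str, vlan: int, port: str) -> None:
        """Record a binding as DHCP snooping (or manual configuration) would."""
        self.bindings.add((ip, vlan, port) if self.strict else (ip, vlan))

    def permit(self, pkt: Packet) -> tuple[bool, str]:
        """Return (allowed, reason) for one ingress packet."""
        if pkt.in_port not in self.guarded_ports:
            return True, "port is unguarded"
        if pkt.is_dhcp:
            return True, "DHCP is always allowed so a binding can be learned"
        if self.strict:
            key = (pkt.src_ip, pkt.vlan, pkt.in_port)
        else:
            key = (pkt.src_ip, pkt.vlan)
        if key in self.bindings:
            return True, "source matches a binding"
        return False, "no binding for this source; dropped as spoofed"


def run_scenario(strict: bool) -> list[bool]:
    """Guard ports 2/2 and 2/3 in VLAN 2, learn one client, then filter traffic."""
    isg = SourceGuard(strict=strict, guarded_ports={"2/2", "2/3"})
    isg.learn("10.0.2.10", 2, "2/2")  # constructed: client leased on port 2/2

    traffic = [
        Packet("0.0.0.0", 2, "2/2", "udp", 67),   # DHCP discover before lease
        Packet("10.0.2.10", 2, "2/2"),            # legitimate client traffic
        Packet("10.0.2.10", 2, "2/3"),            # same IP from another port
        Packet("10.0.2.99", 2, "2/2"),            # address never bound
        Packet("10.0.2.10", 3, "2/2"),            # bound IP but wrong VLAN
    ]
    return [isg.permit(p)[0] for p in traffic]


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose", run_scenario(mode))
```

The only decision that differs between the two modes is the third packet: the leased address sent from a different guarded port in the same VLAN is dropped in strict mode and accepted in loose mode, which is the trade-off between the two modes that the text describes.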