This command configures the switch to filter inbound traffic based source IP address, or source IP
address and corresponding MAC address. Use the no form to disable this function.

Syntax

ip source-guard {sip | sip-mac}

no ip source-guard

sip - Filters traffic based on IP addresses stored in the binding table.

sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in
the binding table.

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet)

Command Usage

•

Source guard is used to filter traffic on an insecure port which receives messages from outside
the network or fire wall, and therefore may be subject to traffic attacks caused by a host trying
to use the IP address of a neighbor.

•

Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port.
Use the “sip” option to check the VLAN ID, source IP address, and port number against all
entries in the binding table. Use the “sip-mac” option to check these same parameters, plus
the source MAC address. Use the no ip source guard command to disable this function on the
selected port.

•

When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or
static addresses configured in the source guard binding table.

•

Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding,
Dynamic-DHCP-Binding, VLAN identifier, and port identifier.

•

Static addresses entered in the source guard binding table with the

ip source-guard binding

command (see

“ip source-guard binding”

on page 221) are automatically configured with an

infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP
server itself.