
CanogaOS Configuration Guide
38-1
38 Configuring IP Source Guard
38.1 Overview
IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port. Initially, all IP traffic on the port is blocked except for the DHCP packets that are captured by DHCP snooping. When a client receives a valid IP address from the DHCP server, an access control list (ACL) is installed on the port that permits the traffic from the IP address. This process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server; any IP traffic with a source IP address other than that in the ACL's permit list is filtered out. This filtering limits the ability of a host to attack the network by claiming a neighbor host's IP address.

IP source guard uses source IP address filtering, which filters the IP traffic based on its source IP address. Only the IP traffic with a source IP address that matches the IP source binding entry is permitted. A port's IP source address filter is changed when a new DHCP-snooping binding entry for a port is created or deleted. The port ACL is modified and reapplied in the hardware to reflect the IP source binding change. By default, if you enable IP source guard without any DHCP-snooping bindings on the port, a default ACL that denies all IP traffic is installed on the port. When you disable IP source guard, any IP source filter ACL is removed from the port.
IP source guard can also use source IP and MAC address filtering. When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table. If they do not, the switch drops all other types of packets except DHCP packets.

The switch also supports IP, MAC and VLAN filtering. When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses and the VLAN. The switch forwards traffic only when the source IP, MAC address and VLAN match an entry in the IP source binding table.
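The filter decision described above, as an added model written for this page (not code from the Canoga Perkins manual or CanogaOS): a constructed binding table stands in for the DHCP snooping database, the three filter options map to a mode value, a port with no bindings gets the default deny-all behaviour, DHCP packets always pass, and disabling the guard removes the filter. Field and function names are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Filter options from the overview: IP only, IP+MAC, IP+MAC+VLAN (names assumed).
IP_ONLY, IP_MAC, IP_MAC_VLAN = "ip", "ip-mac", "ip-mac-vlan"
DHCP_UDP_PORTS = {67, 68}  # DHCP traffic is never blocked by the source filter


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping binding entry (constructed, fields assumed)."""
    port: str
    ip: str
    mac: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    """Minimal view of an ingress packet (constructed)."""
    port: str
    src_ip: str
    src_mac: str
    vlan: int
    udp_dst: int = 0  # 0 = not a DHCP packet in this model


def permitted(pkt: Packet, bindings: List[Binding], mode: str,
              enabled: bool = True) -> bool:
    """Return True if the port's IP source filter would forward the packet."""
    if not enabled or pkt.udp_dst in DHCP_UDP_PORTS:
        return True  # guard disabled, or DHCP handled by DHCP snooping
    # Only this port's bindings count; with none, the default ACL denies all IP.
    for b in (b for b in bindings if b.port == pkt.port):
        if b.ip != pkt.src_ip:
            continue
        if mode in (IP_MAC, IP_MAC_VLAN) and b.mac != pkt.src_mac:
            continue
        if mode == IP_MAC_VLAN and b.vlan != pkt.vlan:
            continue
        return True  # matches the binding-derived permit entry
    return False


# Constructed sample: one lease learned on port ge1, nothing learned on ge2.
BINDINGS = [Binding("ge1", "10.0.0.5", "00:11:22:33:44:55", 10)]
```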
38.2 Terminology
Following is a brief description of terms and concepts used to describe IP source guard:

Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.

DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. This feature builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

ACL
Access control list.
