beautypg.com

37 configuring ip source guard – CANOGA PERKINS CanogaOS Configuration Guide User Manual

Page 307

background image

CanogaOS Configuration Guide

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 307 of 350

37 Configuring IP Source Guard

IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through
DHCP snooping on a particular port. Initially, all IP traffic on the port is blocked except for the
DHCP packets that are captured by DHCP snooping. When a client receives a valid IP address
from the DHCP server, an access control list (ACL) is installed on the port that permits the
traffic from the IP address. This process restricts the client IP traffic to those source IP addresses
that are obtained from the DHCP server; any IP traffic with a source IP address other than that in
the ACL’s permit list is filtered out. This filtering limits the ability of a host to attack the
network by claiming a neighbor host’s IP address.
IP source guard uses source IP address filtering, which filters the IP traffic that is based on its
source IP address. Only the IP traffic with a source IP address that matches the IP source binding
entry is permitted. A port’s IP source address filter is changed when a new DHCP-snooping
binding entry for a port is created or deleted. The port ACL is modified and reapplied in the
hardware to reflect the IP source binding change. By default, if you enable IP source guard
without any DHCP-snooping bindings on the port, a default ACL that denies all IP traffic is
installed on the port. When you disable IP source guard, any IP source filter ACL is removed
from the port.
Also IP source guard can use source IP and MAC address Filtering. When IP source guard is
enabled with this option, IP traffic is filtered based on the source IP and Mac addresses. The
switch forwards traffic only when the source IP and MAC addresses match an entry in the IP
source binding table. If not, the switch drops all other types of packets except DHCP packet.
The switch also supports to have IP, MAC and VLAN Filtering. When IP source guard is
enabled with this option, IP traffic is filtered cased on the source IP and MAC addresses. The
switch forwards traffic only when the source IP, MAC addresses and VLAN match an entry in
the IP source binding table.

37.1.1 Terminology
Following is a brief description of terms and concepts used to describe the DHCP-Relay:

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically
provides an Internet Protocol (IP) host with its IP address and other related configuration
information such as the subnet mask and default gateway.

DHCP Snooping

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted
DHCP servers. This feature builds and maintains the DHCP snooping binding database, which
contains information about untrusted hosts with leased IP addresses.

ACL