IP Source Guard. Cisco Catalyst 6800ia Switch , Catalyst 6503-E Switch , Catalyst 6807-XL Switch , Catalyst 6504-E Switch , Catalyst 6840-X Switch , Catalyst 6506-E Switch , Catalyst 6880-X Switch , EOL Details, Catalyst 6509-E Switch , Catalyst C6816-X-LE Switch


CHAPTER 81

IP Source Guard

Prerequisites for IP Source Guard, page 81-1

Restrictions for IP Source Guard, page 81-2

Information About IP Source Guard, page 81-2

Default Settings for IP Source Guard, page 81-3

How to Configure IP Source Guard, page 81-3

Displaying IP Source Guard PACL Information, page 81-5

Displaying IP Source Binding Information, page 81-6

Note:

• For complete syntax and usage information for the commands used in this chapter, see these publications: http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html

• Cisco IOS Release 15.4SY supports only Ethernet interfaces. Cisco IOS Release 15.4SY does not support any WAN features or commands.

Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html


Prerequisites for IP Source Guard

None.

Supervisor Engine 2T Software Configuration Guide, Release 15.4SY


Restrictions for IP Source Guard

Because the IP source guard feature is supported only in hardware, IP source guard is not applied if there are insufficient hardware resources available. These hardware resources are shared by various other ACL features that are configured on the system. The following restrictions apply to IP source guard:

• Supported only on ingress Layer 2 ports.

• Supported only in hardware; not applied to any traffic that is processed in software.

• Does not support filtering of traffic based on MAC address.

• Is not supported on private VLANs.

Information About IP Source Guard

Overview of IP Source Guard, page 81-2

IP Source Guard Interaction with VLAN-Based Features, page 81-2

Channel Ports, page 81-3

Layer 2 and Layer 3 Port Conversion, page 81-3

IP Source Guard and Voice VLAN, page 81-3

IP Source Guard and Web-Based Authentication, page 81-3

Overview of IP Source Guard

IP source guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied.

This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address.

IP source guard is a port-based feature that automatically creates an implicit port access control list (PACL).

IP Source Guard Interaction with VLAN-Based Features

Use the access-group mode command to specify how IP source guard interacts with VLAN-based features (such as VACLs, Cisco IOS ACLs, and RACLs).

In prefer port mode, if IP source guard is configured on an interface, IP source guard overrides other VLAN-based features. If IP source guard is not configured on the interface, other VLAN-based features are merged in the ingress direction and applied on the interface.

In merge mode, IP source guard and VLAN-based features are merged in the ingress direction and applied on the interface. This is the default access-group mode.


Channel Ports

IP source guard is supported on Layer 2 port-channel interfaces but not on the individual member ports. When IP source guard is applied to a Layer 2 port-channel interface, it is applied to all the member ports in the EtherChannel.

Layer 2 and Layer 3 Port Conversion

When an IP source guard policy is configured on a Layer 2 port, if the port is reconfigured as a Layer 3 port, the IP source guard policy no longer functions but is still present in the configuration. If the port is reconfigured as a Layer 2 port, the IP source guard policy becomes effective again.

IP Source Guard and Voice VLAN

IP source guard is supported on a Layer 2 port that belongs to a voice VLAN. For IP source guard to be active on the voice VLAN, DHCP snooping must be enabled on the voice VLAN. In merge mode, the IP source guard feature is merged with VACL and Cisco IOS ACL configured on the access VLAN.

IP Source Guard and Web-Based Authentication

You can configure IP source guard and web-based authentication (see Chapter 86, “Web-Based Authentication”) on the same interface. Other VLAN-based features are not supported when IP Source Guard and web-based authentication are combined.

Default Settings for IP Source Guard

None.

How to Configure IP Source Guard

To enable IP source guard, perform this task:

Step 1  Command: Router(config)# ip dhcp snooping
        Purpose: Enables DHCP snooping globally.

Step 2  Command: Router(config)# ip dhcp snooping vlan number [ number ]
        Purpose: Enables DHCP snooping on your VLANs.

Step 3  Command: Router(config)# interface interface-name
        Purpose: Selects the interface to be configured.

Step 4  Command: Router(config-if)# no ip dhcp snooping trust
        Purpose: Use the no keyword to configure the interface as untrusted.


Step 5  Command: Router(config-if)# ip verify source vlan dhcp-snooping [ port-security ]
        Purpose: Enables IP source guard, source IP address filtering on the port. The following are the command parameters:
        • vlan applies the feature to only specific VLANs on the interface. The dhcp-snooping option applies the feature to all VLANs on the interface that have DHCP snooping enabled.
        • port-security enables MAC address filtering. This feature is currently not supported.

Step 6  Command: Router(config-if)# exit
        Purpose: Returns to global configuration mode.

Step 7  Command: Router(config)# ip source binding mac_address vlan vlan-id ip-address interface interface_name
        Purpose: (Optional) Configures a static IP binding on the port.

Step 8  Command: Router(config)# end
        Purpose: Exits configuration mode.

Step 9  Command: Router# show ip verify source [ interface interface_name ]
        Purpose: Verifies the configuration.


Note The static IP source binding can only be configured on a Layer 2 port. If you enter the ip source binding vlan interface command on a Layer 3 port, you receive this error message:

Static IP source binding can only be configured on switch port.

The no keyword deletes the corresponding IP source binding entry. This command requires an exact match of all the required parameters in order for the deletion to be successful.

This example shows how to enable per-Layer 2 port IP source guard on VLANs 10 through 20:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip dhcp snooping
Router(config)# ip dhcp snooping vlan 10 20
Router(config)# interface gigabitethernet 6/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 10
Router(config-if)# no ip dhcp snooping trust
Router(config-if)# ip verify source vlan dhcp-snooping
Router(config-if)# end
Router# show ip verify source interface gigabitethernet 6/1
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Gi6/1      ip           active       10.0.0.1                            10
Gi6/1      ip           active       deny-all                            11-20
Router#

The output shows that there is one valid DHCP binding to VLAN 10.

This example shows how to configure an interface to use prefer port mode:

Router# configure terminal
Router(config)# interface gigabitethernet 6/1
Router(config-if)# access-group mode prefer port

This example shows how to configure an interface to use merge mode:

Router# configure terminal
Router(config)# interface gigabitEthernet 6/1
Router(config-if)# access-group mode merge

Displaying IP Source Guard PACL Information

To display IP source guard PACL information for all interfaces on a switch, perform this task:

Command: Router# show ip verify source [ interface interface-name ]
Purpose: Displays IP source guard PACL information for all interfaces on a switch or for a specified interface.

This example shows that DHCP snooping is enabled on VLANs 10 through 20, interface fa6/1 is configured for IP filtering, and there is an existing IP address binding 10.0.0.1 on VLAN 10:

Router# show ip verify source interface fa6/1
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  --------
fa6/1      ip           active       10.0.0.1                         10
fa6/1      ip           active       deny-all                         11-20

Note The second entry shows that a default PACL (deny all IP traffic) is installed on the port for those snooping-enabled VLANs that do not have a valid IP source binding.

This example shows the displayed PACL information for a trusted port:

Interface  Filter-type  Filter-mode                IP-address       Mac-address     Vlan
---------  -----------  -------------------------  ---------------  --------------  --------
fa6/2      ip           inactive-trust-port

This example shows the displayed PACL information for a port in a VLAN not configured for DHCP snooping:

Interface  Filter-type  Filter-mode                IP-address       Mac-address     Vlan
---------  -----------  -------------------------  ---------------  --------------  --------
fa6/3      ip           inactive-no-snooping-vlan

This example shows the displayed PACL information for a port with multiple bindings configured for IP/MAC filtering:

Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  --------
fa6/4      ip           active       10.0.0.2         aaaa.bbbb.cccc  10
fa6/4      ip           active       11.0.0.1         aaaa.bbbb.cccd  11
fa6/4      ip           active       deny-all         deny-all        12-20

This example shows the displayed PACL information for a port configured for IP/MAC filtering but not for port security:

Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  --------
fa6/5      ip           active       10.0.0.3         permit-all      10
fa6/5      ip           active       deny-all         permit-all      11-20

Note The MAC address filter shows permit-all because port security is not enabled, so the MAC filter cannot apply to the port/VLAN and is effectively disabled. Always enable port security first.


This example shows the error message returned when you enter the show ip verify source command on a port that does not have an IP source filter mode configured:

Router# show ip verify source interface fa6/6
IP Source Guard is not configured on the interface fa6/6.

This example shows how to display all interfaces on the switch that have IP source guard enabled:

Router# show ip verify source
Interface  Filter-type  Filter-mode                IP-address       Mac-address     Vlan
---------  -----------  -------------------------  ---------------  --------------  --------
fa6/1      ip           active                     10.0.0.1                         10
fa6/1      ip           active                     deny-all                         11-20
fa6/2      ip           inactive-trust-port
fa6/3      ip           inactive-no-snooping-vlan
fa6/4      ip           active                     10.0.0.2         aaaa.bbbb.cccc  10
fa6/4      ip           active                     11.0.0.1         aaaa.bbbb.cccd  11
fa6/4      ip           active                     deny-all         deny-all        12-20
fa6/5      ip           active                     10.0.0.3         permit-all      10
fa6/5      ip           active                     deny-all         permit-all      11-20
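The filter modes in the output above follow from three inputs: whether the port is DHCP-snooping trusted, whether the VLAN has DHCP snooping enabled, and whether the binding table holds an entry for that port and VLAN, plus the overview's rule that DHCP is always permitted. This added Python model (not Cisco code) reproduces that derivation for a constructed port set and binding table; the Port and Binding classes, the check order, and the audit() helper are assumptions made here for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:                  # one row of 'show ip source binding'
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Port:
    name: str
    vlans: tuple                  # VLANs the Layer 2 port carries
    trusted: bool = False         # 'ip dhcp snooping trust' configured
    verify_source: bool = False   # 'ip verify source vlan dhcp-snooping' configured

# Constructed sample: snooping on VLANs 10-20, one dynamic binding on Gi6/1.
SNOOPING_VLANS = frozenset(range(10, 21))
BINDINGS = (Binding("0002.b33f.3b99", "10.0.0.1", 10, "Gi6/1"),)
PORTS = {
    "Gi6/1": Port("Gi6/1", (10,), verify_source=True),                # untrusted access port
    "Gi6/2": Port("Gi6/2", (10,), trusted=True, verify_source=True),  # trusted uplink
    "Gi6/3": Port("Gi6/3", (30,), verify_source=True),                # VLAN without snooping
}

def filter_mode(port, vlan, snooping_vlans=SNOOPING_VLANS, bindings=BINDINGS):
    """(filter-mode, permitted source IPs) for one port/VLAN, named as 'show ip verify
    source' reports it. 'deny-all' is the default PACL for a snooped VLAN with no binding."""
    if not port.verify_source:
        return ("not-configured", None)
    if port.trusted:
        return ("inactive-trust-port", None)
    if vlan not in snooping_vlans:
        return ("inactive-no-snooping-vlan", None)
    ips = [b.ip for b in bindings if b.interface == port.name and b.vlan == vlan]
    return ("active", ips or "deny-all")

def permits(port, vlan, src_ip, is_dhcp=False, snooping_vlans=SNOOPING_VLANS, bindings=BINDINGS):
    """Would the ingress PACL pass this packet? Inactive modes install no filter, and
    DHCP is always permitted so a client can obtain the lease that creates its binding."""
    mode, ips = filter_mode(port, vlan, snooping_vlans, bindings)
    if mode != "active" or is_dhcp:
        return True
    return ips != "deny-all" and src_ip in ips

def audit(ports=PORTS, snooping_vlans=SNOOPING_VLANS, bindings=BINDINGS):
    """Defender's check: ports with IP source guard configured but filtering no VLAN."""
    return sorted(p.name for p in ports.values() if p.verify_source and
                  all(filter_mode(p, v, snooping_vlans, bindings)[0] != "active" for v in p.vlans))
```

Running audit() over a parsed binding table and interface configuration flags ports where source guard is configured but effectively inactive, the two cases the fa6/2 and fa6/3 rows show.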

Displaying IP Source Binding Information

To display all IP source bindings configured on all interfaces on a switch, perform this task:

Command: Router# show ip source binding [ ip_address ] [ mac_address ] [ dhcp-snooping | static ] [ vlan vlan_id ] [ interface interface_name ]
Purpose: Displays IP source bindings using the optional specified display filters. The dhcp-snooping filter displays all VLANs on the interface that have DHCP snooping enabled.

This example shows how to display all IP source bindings configured on all interfaces on the switch:

Router# show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:02:B3:3F:3B:99   55.5.5.2         6522        dhcp-snooping  10    GigabitEthernet6/10
00:00:00:0A:00:0B   11.0.0.1         infinite    static         10    GigabitEthernet6/10
Router#

Table 81-1 describes the fields in the show ip source binding command output.

Table 81-1  show ip source binding Command Output

Field            Description
MAC Address      Client hardware MAC address
IP Address       Client IP address assigned from the DHCP server
Lease (seconds)  IP address lease time
Type             Binding type; static bindings are configured from the CLI, dynamic bindings are learned from DHCP snooping
VLAN             VLAN number of the client interface
Interface        Interface that connects to the DHCP client host

