How Can We Help?
Objective
IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighboring host. When IP Source Guard is enabled, the switch only transmits client IP traffic to IP addresses contained in the DHCP Snooping Binding database. If the packet that a host sends matches an entry in the database, the switch forwards the packet. If the packet does not match an entry in the database it is dropped.
In a real time scenario, one way in which IP Source Guard is used is to help prevent man-in-the-middle attacks where an untrusted third party attempts to masquerade as a genuine user. Based on the addresses which are configured in the IP source guard binding database, only the traffic from the client with that IP address is allowed and the rest of the packets are dropped.
Note: DHCP Snooping should be enabled for IP Source Guard to function. In order to get more details on how to enable DHCP Snooping please refer to the article DHCP Snooping Configuration on SX500 Series Stackable Switches. It is also necessary to configure the binding database to specify which IP addresses are allowed. More details on this can be found in the article Configuration of DHCP Snooping Binding Database on SX500 Series Stackable Switches.
This article explains how to configure IP Source Guard on the Sx500 Series Stackable Switches.
Applicable Devices
• Sx500 Series Stackable Switches
Software Version
• v1.2.7.76
Configure IP Source Guard Settings
Globally Enable IP Source Guard Settings
Step 1. Log in to the web configuration utility and choose Security > IP Source Guard > Properties. The IP Source Guard Properties page opens:
Step 2. Check the Enable check box to enable IP Source Guard globally.
Step 3. Click Apply to apply the settings.
Edit Interface Settings for IP Source Guard
If the IP Source Guard is enabled on an untrusted port or LAG, the DHCP packets which are transmitted are allowed by the DHCP Snooping Database. If the IP address is enabled with a filter then packet transmission is allowed as follows:
• IPv4 Traffic — The IPv4 traffic which is associated with the source IP address of the particular port is allowed.
• Non IPv4 Traffic — All non-IPv4 traffic is allowed.
Step 1. Log in to the web configuration utility and choose Security > IP Source Guard > Interface Settings. The Interface Settings page opens:
Step 2. Choose an interface type from the Interface Type drop-down list and click Go in the Filter field.
The Interface Settings Table consists of the following parameters.
• Interface — Shows the Interface to which the IP Source Guard is applied.
• IP Source Guard — Shows whether IP Source Guard is enabled or not.
• DHCP Snooping Trusted Interface — Shows whether it is a DHCP trusted interface or not. Trusted interfaces can receive traffic only from within the network. IP Source Guard is usually configured on DHCP interfaces which are not trusted. An untrusted interface is an interface that is configured such that it can receive messages from outside the network.
Step 3. Click the radio button which corresponds to the interface to be edited and click Edit at the bottom of the page. The Edit Interface Settings window appears.
Step 4. Check Enable in the IP Source Guard field to enable IP Source Guard on the current interface.
Step 5. Click Apply. The changes are displayed.
Copy Interface Settings for IP Source Guard
Step 1. Log in to the web configuration utility and choose Security > IP Source Guard > Interface Settings. The Interface Settings page opens:
Step 2. Click the radio button for the desired interface and click Copy Settings. The Copy Settings window appears.
Step 3. Enter the interface(s) or range(s) of interfaces to which the chosen entry needs to be copied and click Apply. The settings are applied.