Connexite

Configuring IP Source Guard

Summary: Networking › Switching › Edge › Synapse

Overview of IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet match one of two sources of IP and MAC address bindings:

  • Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
  • Static IP source entries that you configure

Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access.

Note

  • Port security is supported only on L2 ports, such as physical ports and L2 AP ports.
  • Port security cannot be configured on AP member ports.

Configuring

  • Enabling IP Source Guard
SWITCH(config-if)#ip verify source
SWITCH(config-if)#no ip verify source

Enables IP Source Guard on the interface. The no form disables it.

SWITCH(config)#ip source binding XXXX.XXXX.XXXX vlan VALUE A.B.C.D interface IFNAME
SWITCH(config)#no ip source binding XXXX.XXXX.XXXX vlan VALUE A.B.C.D interface IFNAME

Creates a static IP source binding entry for the interface given by IFNAME. The no form removes the entry.

Example:

SWITCH(config)#ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0/1

A single port can be configured with a maximum of 128 entries.

Examples

Example 1: This is a typical application of IP Source Guard. IP Source Guard is enabled on interface gigabitEthernet0/1, and three static binding entries are entered for that interface. When gigabitEthernet0/1 receives a packet, if the IP address and the MAC address of the packet do not match any of the static entries, the packet is dropped.

SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#ip verify source
SWITCH(config-if)#exit
SWITCH(config)#ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0/1
SWITCH(config)#ip source binding 0001.0001.0002 vlan 1 1.1.1.11 interface gigabitEthernet0/1
SWITCH(config)#ip source binding 0001.0001.0003 vlan 1 1.1.1.12 interface gigabitEthernet0/1
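
The permit/deny decision described in Example 1 can be checked offline before a configuration is pushed. The Python sketch below is an added example, not vendor code: it parses the command syntax shown on this page, enforces the 128-entry per-port limit, and evaluates a packet's source IP and MAC against the static bindings. The names load_config and verdict are hypothetical; DHCP snooping bindings and the no forms are not modelled, the VLAN is parsed but not checked, and a port without ip verify source is assumed to pass traffic unfiltered.

```python
import ipaddress
import re

MAX_BINDINGS_PER_PORT = 128  # per-port limit stated on this page
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)
BINDING_RE = re.compile(
    r"ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)$", re.I)

def load_config(lines):
    """Parse CLI lines into (enabled interfaces, {ifname: {(ip, mac)}})."""
    enabled, bindings, current_if = set(), {}, None
    for raw in lines:
        cmd = raw.split("#", 1)[-1].strip()  # drop the "SWITCH(...)#" prompt
        low = cmd.lower()
        if low.startswith("interface "):
            current_if = cmd.split(None, 1)[1]
        elif low == "exit":
            current_if = None
        elif low == "ip verify source" and current_if:
            enabled.add(current_if)
        elif (m := BINDING_RE.match(cmd)):
            mac, _vlan, ip, ifname = m.groups()
            if not MAC_RE.match(mac):
                raise ValueError(f"bad MAC format: {mac}")
            ip = str(ipaddress.IPv4Address(ip))  # ValueError if malformed
            table = bindings.setdefault(ifname, set())
            table.add((ip, mac.lower()))
            if len(table) > MAX_BINDINGS_PER_PORT:
                raise ValueError(f"{ifname}: over {MAX_BINDINGS_PER_PORT} bindings")
    return enabled, bindings

def verdict(enabled, bindings, ifname, src_ip, src_mac):
    """Model of the filter: the page says IP and MAC must both match."""
    if ifname not in enabled:
        return "permit"  # assumption: no filtering without ip verify source
    key = (str(ipaddress.IPv4Address(src_ip)), src_mac.lower())
    return "permit" if key in bindings.get(ifname, set()) else "deny"

# Constructed sample input, based on Example 1 above.
EXAMPLE_1 = [
    "SWITCH(config)#interface gigabitEthernet0/1",
    "SWITCH(config-if)#ip verify source",
    "SWITCH(config-if)#exit",
    "SWITCH(config)#ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0/1",
    "SWITCH(config)#ip source binding 0001.0001.0002 vlan 1 1.1.1.11 interface gigabitEthernet0/1",
    "SWITCH(config)#ip source binding 0001.0001.0003 vlan 1 1.1.1.12 interface gigabitEthernet0/1",
]

if __name__ == "__main__":
    en, tbl = load_config(EXAMPLE_1)
    print(verdict(en, tbl, "gigabitEthernet0/1", "1.1.1.10", "0001.0001.0002"))
```

A bound IP address paired with a different host's MAC address is denied, which is the spoofing case the overview describes.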

Display Information

  • Display IP Verify Source Binding Rules
SWITCH#show ip verify source

interface  Filter-type  Filter  IP-address  Mac-address     vlan
----------------------------------------------------------------
GiE0/1     Ip           Permit  1.1.1.1     0001.0001.0001  1
GiE0/1     Ip           Deny    All         All             All
GiE0/2     Ip           Deny    All         All             All

SWITCH#show ip verify source interface gigabitEthernet0/1

interface  Filter-type  Filter  IP-address  Mac-address     vlan
----------------------------------------------------------------
GiE0/1     Ip           Permit  1.1.1.1     0001.0001.0001  1
GiE0/1     Ip           Deny    All         All             All

SWITCH#show ip source binding

interface  vlan  IP-address  Mac-address     Lease     Type
-----------------------------------------------------------
GiE0/1     1     1.1.1.1     0001.0001.0001  infinite  static
GiE0/2     1     1.1.2.1     0001.0002.0001  infinite  static

SWITCH#show ip source binding interface gigabitEthernet0/1

interface  vlan  IP-address  Mac-address     Lease     Type
-----------------------------------------------------------
GiE0/1     1     1.1.1.1     0001.0001.0001  infinite  static
