IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings: Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table; Static IP source entries that you configure. Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access.<\/p>\n
SWITCH(config-if)#ip verify source<\/code><\/pre>\nSWITCH(config-if)#no ip verify source<\/code><\/pre>\nEnables IP Source Guard on the interface.<\/p>\n
SWITCH(config)# ip source binding XXXX.XXXX.XXXX vlan VALUE A.B.C.D interface IFNAME<\/code><\/pre>\nSWITCH(config)#no ip source binding XXXX.XXXX.XXXX vlan VALUE A.B.C.D interface IFNAME<\/code><\/pre>\nCreates a static IP source binding entry for the current interface.<\/p>\n
Example:<\/h2>\nSWITCH(config)# ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0\/1<\/code><\/pre>\nA single port can be configured with a maximum of 128 entries.<\/p>\n
Examples<\/h2>\n
Example 1\uff1aThis is an example of Ip Source Guard typical application. Ip Source Guard is enabled on the interface gigabitEthernet0\/1, and we enter 3 static binding entrys on the interface. When the interface gigabitEthernet0\/1 receives a packet, If the IP address and the MAC address of the packet differs from the list of static entrys, the packet will be dropped.<\/p>\n
SWITCH(config)#interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config-if)#ip verify source<\/code><\/pre>\nSWITCH(config)#ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config)#ip source binding 0001.0001.0002 vlan 1 1.1.1.11 interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config)#ip source binding 0001.0001.0003 vlan 1 1.1.1.12 interface gigabitEthernet0\/1<\/code><\/pre>\nDisplay Information<\/h2>\n\n- Display Ip Verify Source Binding Rules<\/li>\n<\/ul>\n
SWITCH#show ip verify source<\/code><\/pre>\ninterface Filter-type Filter IP-address Mac-address vlan ——————————————————————— GiE0\/1 Ip Permit 1.1.1.1 0001.0001.0001 1 GiE0\/1 Ip Deny All All All GiE0\/2 Ip Deny All All All<\/p>\n
SWITCH#show ip verify source interface gigabitEthernet0\/1<\/code><\/pre>\ninterface Filter-type Filter IP-address Mac-address vlan ———————————————————————————————– GiE0\/1 Ip Permit 1.1.1.1 0001.0001.0001 1 GiE0\/1 Ip Deny All All All<\/p>\n
SWITCH#show ip source binding<\/code><\/pre>\ninterface vlan IP-address Mac-address Lease Type ———————————————————————————————– GiE0\/1 1 1.1.1.1 0001.0001.0001 infinite static GiE0\/2 1 1.1.2.1 0001.0002.0001 infinite static<\/p>\n
SWITCH#show ip source binding interface gigabitEthernet0\/1<\/code><\/pre>\ninterface vlan IP-address Mac-address Lease Type ———————————————————————————————– GiE0\/1 1 1.1.1.1 0001.0001.0001 infinite static<\/p>\n","protected":false},"excerpt":{"rendered":"
Networking \u203a Switching \u203a Edge \u203a Synapse<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":6349,"menu_order":23,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[115,119,116],"class_list":["post-6372","docs","type-docs","status-publish","hentry","doc_tag-connexite","doc_tag-network","doc_tag-synapse-cli-documentation","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6372"}],"version-history":[{"count":1,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6372\/revisions"}],"predecessor-version":[{"id":6420,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6372\/revisions\/6420"}],"up":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6349"}],"wp:attachment":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6372"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/doc_tag?post=6372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}