09-17-2014 11:04 PM - edited 03-04-2019 11:46 PM
Dear All ,
My organisation has a requirement that if any user changes the IP of his system, he should not be able to access anything from his machine.
I have read that the IP Source Guard feature on Cisco can be used to achieve the same.
Can somebody explain the process? Also, if I have an unmanaged switch (24 port) connected to the Cisco L2 switch, can I enable IP Source Guard for multiple source IPs on a single port?
Kindly revert urgently.
Rgds,
Tushar
09-19-2014 06:59 AM
Hello Tushar,
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
Below is the CCO document for your reference.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html
Regards,
Mohit
09-19-2014 10:01 PM
Hey, thanks a lot Mohit,
Actually, I have read the document but am not getting a clear idea on how to configure this for an environment in which static IP addressing is used. Can you please share a sample configuration?
i.e. suppose I have a Cisco 24 port switch and on all the 24 ports I have a static IP assigned to the systems. Now I want that no user should change his IP address, hence I want to bind each IP address to the port it is connected to, so that if a user tries to change the IP address, he would not get network access.
Awaiting your reverts.
Also in the DHCP scope, if we reserved some IP address statically to assign to a particular scope and if that reserved IP machine is off, then can another user give the reserved IP address to his system?
Please revert.
thanks
09-20-2014 08:13 AM
Hi Tushar,
IP Source Guard uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
"Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client"
This means a user can access the network if his MAC address-IP address entry exists in the DHCP snooping table or static IP binding.
So answering your second question "Also in DHCP scope, if we reserved some IP address statically to assign to a particular scope and if that reserved IP machine is off, then can another user give the reserved IP address to his system."
Answer: If the reserved IP machine is off, another user cannot access the network until he gets the IP address from the DHCP server and his MAC address-IP address entry appears in the DHCP snooping table.
I don't have any config to show you but the link below may help you to configure this.
http://packetpushers.net/ccnp-studies-configuring-ip-source-guard/
Please let me know if it is helpful for you.
Regards,
Mohit
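As an added illustration of the static-binding case Tushar asks about (not a configuration from the thread or from Cisco's documentation), the Catalyst IOS snippet below binds two statically addressed hosts to their ports and enables IP Source Guard on the access ports. It assumes a single access VLAN 10, an uplink on GigabitEthernet1/0/24 toward the DHCP server, and the placeholder MAC/IP addresses shown; those values are constructed for the example. Two hosts are bound on GigabitEthernet1/0/2 to show the "unmanaged switch on one port" case, where one static binding is entered per host behind that port.

```cisco
! --- Added example, not from the original post. Addresses are placeholders. ---
!
! IP Source Guard relies on the DHCP snooping binding table, so DHCP snooping
! is enabled for the VLAN even when hosts use static IPs (assumption: platform
! behaves like a Catalyst 2960/3560/3750).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The uplink toward the DHCP server is trusted; every other port stays untrusted.
interface GigabitEthernet1/0/24
 description UPLINK
 switchport mode trunk
 ip dhcp snooping trust
!
! Static bindings: one line per host. Only a host sending from this MAC/IP pair
! on this port is allowed; any other source IP on the port is dropped.
ip source binding 0011.2233.4455 vlan 10 192.0.2.11 interface GigabitEthernet1/0/1
!
! Two hosts behind an unmanaged switch on port 2: enter one binding per host.
ip source binding 0011.2233.4466 vlan 10 192.0.2.12 interface GigabitEthernet1/0/2
ip source binding 0011.2233.4477 vlan 10 192.0.2.13 interface GigabitEthernet1/0/2
!
! Access port with a single host: check source IP and source MAC.
! "port-security" makes IPSG verify the MAC as well, so a host cannot simply
! reuse a permitted IP from a different machine; it requires port security.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security
!
! Port with several hosts behind an unmanaged switch: raise the port-security
! maximum to the number of bound hosts.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip verify source port-security
!
! Verification: bindings present, filter active per port, and (if DHCP is also
! in use) the dynamic entries learned by snooping.
! show ip source binding
! show ip verify source
! show ip dhcp snooping binding
```

Two points worth checking after applying something like this: `show ip verify source` should list each protected port with the filter mode and the permitted IP (and MAC, in port-security mode) rather than "deny-all", and a host that changes its IP to one not in the binding table should lose IP connectivity on that port while DHCP traffic is still allowed through. Plain `ip verify source` without `port-security` filters on source IP only, which answers the "user changed his IP" requirement but does not stop a different machine from using a permitted IP on the same port; the port-security form closes that gap.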
11-06-2014 06:22 AM
Hello Tushar,
Did my previous reply help you?
Regards,
Mohit
12-16-2014 03:42 AM
Hey Mohit ,
Thanks a lot for your resolution .
Rgds,
Tushar
12-16-2014 07:54 PM
Hi Tushar,
Thanks for your feedback.
** Please rate the post if you find it helpful
Regards,
Mohit