
IP Source Guard with multiple MAC/IP bindings per access port

patander (Level 1)

I have two end hosts connected to an access port (via a third-party, unmanaged switch). Both end hosts have static IPs. I have configured port security and IP source guard on that port in order to filter for both source IP and MAC, and configured static bindings. The relevant configuration is below:

!----------
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 ! port security: at most two secured MACs on the port; frames from any other
 ! source MAC are dropped (violation restrict) and counted
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky MAC-A
 switchport port-security mac-address sticky MAC-B
 switchport port-security
 ! IP source guard with source IP and MAC filtering, tied to port security
 ip verify source port-security
!
! static IPSG bindings: one MAC/IP pair per end host on VLAN 10, Gi1/0/1
ip source binding MAC-A vlan 10 IP-A interface Gi1/0/1
ip source binding MAC-B vlan 10 IP-B interface Gi1/0/1
!----------

I noticed that, while IPSG blocks an end host on port Gi1/0/1, for whose IP no binding is configured, the MAC address of that end host does not have to match the IP in the binding statement, as long as it is learned on the port.

That is:

- With both binding statements configured, MAC-A can send traffic from source IP-B, and vice-versa
- With just the binding for IP-A/MAC-A configured, MAC-B can send traffic from source IP-A

I would have expected IPSG to check whether the IP in the packet header and MAC address in the frame exactly match the binding statement. But it seems like it "just" checks that:
a) a static binding exists for the source IP and
b) the source MAC is learned on the port

Is my understanding of IPSG source IP and MAC address filtering wrong, or is this some kind of bug?
This was observed on a WS-C2960X-48LPS-L running IOS version 15.2(2)E7.

Thank you all!

Patrick
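As an added example (not code from the original post, nor anything from Cisco), here is a small Python model of the two IPSG semantics the post contrasts: the behaviour actually observed on the 2960X (source IP must have a static binding on the port/VLAN, source MAC only has to be one that port security has secured on the port) and the strict behaviour the poster expected (source IP and source MAC must belong to the same binding entry). The MAC and IP values, the port name and the secured-MAC set are constructed placeholders standing in for MAC-A/MAC-B and IP-A/IP-B; the model is an assumption about the logic, not a reading of the switch's code.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA:BB:CC:DD:EE:FF', 'aabb.ccdd.eeff' and
    'aa-bb-cc-dd-ee-ff' compare equal (IOS dotted-quad style is used)."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class Binding:
    """One 'ip source binding <mac> vlan <vlan> <ip> interface <if>' entry."""
    mac: str
    vlan: int
    ip: str
    interface: str


@dataclass(frozen=True)
class Packet:
    """The fields of an ingress frame that the filter looks at."""
    src_mac: str
    src_ip: str
    vlan: int
    interface: str


class IpsgPort:
    """IPSG filter for one access port (assumed model, see lead-in).

    mode='port-security': source IP looked up in the binding table, source MAC
    checked only against the MACs port security has secured on the port.
    mode='strict': source IP and source MAC must match the same binding entry.
    """

    def __init__(self, interface: str, vlan: int, bindings: Iterable[Binding],
                 secured_macs: Iterable[str], mode: str = "port-security"):
        if mode not in ("port-security", "strict"):
            raise ValueError(f"unknown mode {mode!r}")
        self.interface, self.vlan, self.mode = interface, vlan, mode
        # Only bindings for this port and VLAN are relevant; index them by IP.
        self.by_ip: Dict[str, Binding] = {
            b.ip: Binding(normalize_mac(b.mac), b.vlan, b.ip, b.interface)
            for b in bindings
            if b.interface == interface and b.vlan == vlan
        }
        # Port security (maximum 2, sticky) drops any other source MAC before
        # IPSG sees it; the model folds that into this set.
        self.secured_macs: Set[str] = {normalize_mac(m) for m in secured_macs}

    def check(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (allowed, reason) for one ingress frame."""
        if pkt.interface != self.interface or pkt.vlan != self.vlan:
            return False, "frame not on this port/VLAN"
        mac = normalize_mac(pkt.src_mac)
        if mac not in self.secured_macs:
            return False, f"source MAC {mac} not secured by port security"
        binding = self.by_ip.get(pkt.src_ip)
        if binding is None:
            return False, f"no static binding for source IP {pkt.src_ip}"
        if self.mode == "strict" and binding.mac != mac:
            return False, (f"source MAC {mac} does not match the binding "
                           f"for {pkt.src_ip} ({binding.mac})")
        return True, "permitted"


# Constructed placeholder values for the post's MAC-A/MAC-B, IP-A/IP-B.
MAC_A, MAC_B, MAC_C = "0011.2233.4455", "0011.2233.4466", "0011.2233.4477"
IP_A, IP_B, IP_C = "10.0.10.11", "10.0.10.12", "10.0.10.13"
PORT, VLAN = "Gi1/0/1", 10


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Return {scenario: (allowed in port-security mode, allowed in strict mode)}."""
    both = [Binding(MAC_A, VLAN, IP_A, PORT), Binding(MAC_B, VLAN, IP_B, PORT)]
    only_a = both[:1]
    secured = {MAC_A, MAC_B}  # the two sticky MACs port security learned
    cases = {
        "both bindings: MAC-A sends from IP-A": (both, MAC_A, IP_A),
        "both bindings: MAC-A sends from IP-B": (both, MAC_A, IP_B),
        "binding A only: MAC-B sends from IP-A": (only_a, MAC_B, IP_A),
        "both bindings: unsecured MAC-C sends from IP-A": (both, MAC_C, IP_A),
        "both bindings: MAC-A sends from unbound IP-C": (both, MAC_A, IP_C),
    }
    results = {}
    for name, (bindings, mac, ip) in cases.items():
        pkt = Packet(mac, ip, VLAN, PORT)
        ps = IpsgPort(PORT, VLAN, bindings, secured, "port-security").check(pkt)[0]
        st = IpsgPort(PORT, VLAN, bindings, secured, "strict").check(pkt)[0]
        results[name] = (ps, st)
    return results


if __name__ == "__main__":
    for name, (ps, st) in run_scenarios().items():
        print(f"{name:48s} port-security={'ALLOW' if ps else 'DROP ':5s} "
              f"strict={'ALLOW' if st else 'DROP'}")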

1 Reply

Hello
IPSG for static hosts (no DHCP) requires IP device tracking enabled globally and at interface level:

ip device tracking
interface xx
 ip device tracking max 2
 ip verify source mac-check


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul