Hi everybody
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swdhcp82.html
I quoted following from above link:
1) The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings).
2) When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
Does the IP source binding table consist of DHCP bindings and manually configured bindings?
Does IP source guard check the src IP against that single IP source binding table? Or does it also check against the DHCP bindings (what is the point, if the IP source binding table already has entries based on the DHCP bindings)?
=======================================================
If we want to use the IP source guard feature to check both src IP and MAC, then we have to use:
ip verify source port-security
Please consider the bolded paragraph below:
Step 3: ip verify source
        or: ip verify source port-security
Enable IP source guard with source IP address filtering.
Enable IP source guard with source IP and MAC address filtering.
Note: When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command, there are two caveats:
• The DHCP server must support option 82, or the client is not assigned an IP address.
• The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.
So if I have configured port security as:
switchport port-security
switchport port-security mac-address sticky
If this switch receives a DHCP message, it will not learn the MAC address. It will learn the client MAC address when it receives the first non-DHCP traffic.
Why do we need to enable port security if we want to use the IP source guard feature to detect spoofed src IP and MAC? We could simply use the IP source binding table to see if the src IP and src MAC match an entry; if not, the packet will be dropped. We could achieve the same result (dropping packets containing spoofed src IP and MAC) without using port security.
I will appreciate any input.
thanks.
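As an added example (not from the post above or the Cisco guide), here is how the pieces discussed fit together on one access switch: DHCP snooping fills the binding database, a static ip source binding covers a host that does not use DHCP, and ip verify source port-security together with switchport port-security gives IP plus MAC filtering. The interface names, VLAN 10, the 10.0.10.0/24 addresses and the MAC address are constructed placeholders.

```cisco
! --- Added example, not part of the original post or the Cisco guide ---
! Assumes: access ports Gi1/0/1-2, uplink Gi1/0/24, VLAN 10 = 10.0.10.0/24.
! All addresses, MACs and interface names below are constructed placeholders.

! 1. DHCP snooping builds the binding database (MAC, IP, VLAN, interface, lease)
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 is inserted by default; the guide notes the DHCP server must
! support it when port security is combined with IP source guard.

! 2. Only the uplink toward the real DHCP server / relay is trusted
interface GigabitEthernet1/0/24
 description Uplink to distribution (DHCP relay)
 switchport mode trunk
 ip dhcp snooping trust

! 3. DHCP client port: IP + MAC filtering, MAC pinned by port security.
!    Per the guide, the client MAC becomes a secure address only once the
!    switch sees non-DHCP data traffic from it.
interface GigabitEthernet1/0/1
 description DHCP client
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip verify source port-security

! 4. Static host (no DHCP): a manual entry in the IP source binding table
!    so IPSG permits it (MAC and IP are constructed placeholders)
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/2
 description Printer with static IP
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ip verify source port-security

! 5. Verification
! show ip dhcp snooping binding   -> dynamic (DHCP-learned) entries only
! show ip source binding          -> dynamic + static entries (Type column)
! show ip verify source           -> per-port filter type (ip / ip-mac) and active entries
```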