Hi everybody
I quoted following from above link:
1)The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings
2)When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
does ip source binding table consists of dhcp bindings and manually configured bindings?
Does ip source guard check src ip against that single ip source binding table ? or it also checks against dhcp bindings( what is the point Ip source binding table already entries based on dhcp binding?
=======================================================
If we want to to use ip source guard feature to check both src ip and mac then we have to use :
ip verify source port-security
Please consider the bolded paragraph below:
When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command, there are two caveats: so if have configue port security as:
switchport port-security
switchport port-security mac-address sticky
If this switch receives a dhcp message, it will not learn the mac address. it will learn the client mac address when it receives first non dhcp traffic.
Why do we need to enable port security if want to use ip source guard feature to detect spoof src ip and mac? We could simply use ip
source binding table to see if src ip and src mac match an entry, if not packet will be dropped. We could acheive the same result ( dropping packets containing spoofed src ip and mac ) without using port security.
I will appreciate any input.
thanks.
