IP source guard

sivam siva
Level 3

Hi,

The Cisco Press CCNP book says the lines below about IP Source Guard, which I have a doubt about:

"The source MAC address must be identical to the MAC address learned on the
switch port and by DHCP snooping. Port security is used to filter traffic."

When a packet comes to the switch, it checks the source MAC of the packet by comparing it with the learned MAC, which is through DHCP snooping, IP device tracking, or a static entry.

Please, can anyone tell me what the use of port security is here? How does it filter the traffic in coordination with source guard?

Thanks in advance

4 Replies 4

mkazam001
Level 3

IPSG is configured at the access layer and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis (these can’t be viewed in the running-configuration). Any traffic which doesn’t match the binding entries is dropped in hardware. However, the port won’t go into the errdisable state – it won’t even display a violation message at the console.

With port security you can configure the number of device MACs allowed on a port as well as an action, e.g. shut down the port.

regards, mk

Hello

I'd just like to add that IPSG can be used from a Layer 2 or Layer 3 perspective; you can configure it to validate on IP address, or on IP address and MAC address.

Having IPSG check just on the IP address will validate the interface IP address of the host, and any change to this host's MAC address will not be verified against the DHCP binding table or any static bindings.

int x/x
 ip verify source

Having IPSG check on the IP and MAC address will validate the interface IP address of the host and the MAC address in the DHCP binding table (or static bindings), thus any change to either IP or MAC will cause an IPSG violation.

int x/x
 ip verify source port-security
 switchport port-security

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
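
The two modes described in the reply above, as an added example that is not part of the original thread: a toy Python model of the IPSG permit/drop decision against a binding table. The addresses, interface names and the `ipsg_permits` helper are constructed for illustration, and the model ignores DHCP traffic itself and how the switch implements the MAC check in hardware.

```python
# Added illustration: a toy model of the IPSG permit/drop decision, not switch code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one row of the DHCP snooping / static binding table
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Frame:            # the fields of an incoming frame that IPSG looks at
    src_mac: str
    src_ip: str
    vlan: int
    interface: str

def norm_mac(mac):
    """Reduce aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def ipsg_permits(frame, bindings, check_mac):
    """check_mac=False models 'ip verify source' (IP only);
    check_mac=True models 'ip verify source port-security' (IP and MAC)."""
    for b in bindings:
        if (b.interface, b.vlan, b.ip) != (frame.interface, frame.vlan, frame.src_ip):
            continue
        if not check_mac or norm_mac(b.mac) == norm_mac(frame.src_mac):
            return True
    return False  # no matching binding: dropped, and the port stays up

# Constructed sample data (hypothetical addresses and interface names)
BINDINGS = [Binding("0011.2233.4455", "192.0.2.10", 10, "Gi1/0/1")]
FRAMES = {
    "legit":       Frame("00:11:22:33:44:55", "192.0.2.10", 10, "Gi1/0/1"),
    "spoofed_ip":  Frame("00:11:22:33:44:55", "192.0.2.99", 10, "Gi1/0/1"),
    "spoofed_mac": Frame("de:ad:be:ef:00:01", "192.0.2.10", 10, "Gi1/0/1"),
    "wrong_port":  Frame("00:11:22:33:44:55", "192.0.2.10", 10, "Gi1/0/2"),
}

def verdicts(check_mac):
    """Map each sample frame name to True (permitted) or False (dropped)."""
    return {name: ipsg_permits(f, BINDINGS, check_mac) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("ip+mac " if mode else "ip only", verdicts(mode))
```

The only verdict that differs between the two modes is `spoofed_mac`: a frame carrying the bound IP address with a different source MAC passes the IP-only check and is dropped once the MAC is checked as well.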

sivam siva
Level 3

Hello @paul driver @mkazam001

Thanks for your reply

My question is: what is the use of configuring port security with IPSG?

IPSG can check the source MAC address against the DHCP snooping binding table, like checking the source IP, right?
What is the idea behind it? How does it play a filtering role with IPSG?

Hello

IPSG by default helps spoofing of a host's IP address, but you can also enable it, as stated, to check the validity of the learned MAC address via DHCP snooping or static filtering.

My understanding is that the port-security of IPSG enables this MAC address filtering.



Kind Regards
Paul