Question: IP Source Guard functionality

tschafferx
Level 1

Hi Cisco community,

I have a question regarding the security of IPSG. Am I correct in the assumption that IPSG, enabled with the interface command (ip verify source) and the DHCP snooping database, would not prevent ARP-spoofing attacks, for the reason that these are Layer 2 and IPSG only checks IPv4 addresses entering that port (Layer 3 packet)? Is that correct?

I know DAI could solve the problem, but I want to know how much security IPSG provides.


Thank you in advance!

3 Replies

Seb Rupik
VIP Alumni

Hi there,

IPSG and DAI are both access-layer security features which require the DHCP snooping database to function. As you point out they operate at different layers and should be considered complementary to one another.

The security that IPSG provides comes from inspecting the DHCP snooping database and creating a PVACL on the configured switchport. This prevents a user from configuring an IP address which has not been offered/accepted via DHCP or allowed by a static IP source binding configuration on the switch.


cheers,

Seb.

Thank you for the answer. That basically confirms that IPSG does not prevent ARP-Spoofing by itself.

Yes that's right. That is why you can still get a DHCP address while IPSG is enabled.


In regards to IPSG, the PVACL blocks IP traffic the same way a normal ACL would.
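To make the distinction in this thread concrete, here is an added Python model (not Cisco code and not from either poster) of how an IPSG port ACL derived from the DHCP snooping bindings treats IPv4 packets versus ARP frames, with DAI's sender-binding check alongside it. The binding table, interface names and frames are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample binding table, as DHCP snooping would learn it:
# (interface, vlan) -> list of (mac, ip) pairs
BINDINGS = {
    ("Gi1/0/1", 10): [("aa:aa:aa:aa:aa:01", "10.0.10.11")],
    ("Gi1/0/2", 10): [("aa:aa:aa:aa:aa:02", "10.0.10.12")],
}

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806


@dataclass
class Frame:
    ethertype: int
    src_mac: str
    src_ip: Optional[str] = None          # IPv4 header source address
    arp_sender_mac: Optional[str] = None  # ARP sender hardware address
    arp_sender_ip: Optional[str] = None   # ARP sender protocol address


def ipsg_permits(frame: Frame, interface: str, vlan: int) -> bool:
    """'ip verify source' (IP-only mode): the PVACL filters IPv4 packets
    by source IP against the port's bindings; non-IPv4 frames such as ARP
    are not inspected at all."""
    if frame.ethertype != ETH_IPV4:
        return True
    allowed = {ip for _, ip in BINDINGS.get((interface, vlan), [])}
    return frame.src_ip in allowed


def dai_permits(frame: Frame, interface: str, vlan: int) -> bool:
    """Dynamic ARP Inspection: the ARP sender MAC/IP pair must match a
    binding learned on the ingress port; other frame types pass through."""
    if frame.ethertype != ETH_ARP:
        return True
    pair = (frame.arp_sender_mac, frame.arp_sender_ip)
    return pair in BINDINGS.get((interface, vlan), [])


def evaluate(frame: Frame, interface: str, vlan: int, dai: bool) -> str:
    """Verdict for one ingress frame on an access port with IPSG (and optionally DAI)."""
    ok = ipsg_permits(frame, interface, vlan) and (not dai or dai_permits(frame, interface, vlan))
    return "permit" if ok else "drop"


# Constructed frames from the host on Gi1/0/1 (bound MAC aa:...:01, IP 10.0.10.11)
LEGIT_IP = Frame(ETH_IPV4, "aa:aa:aa:aa:aa:01", src_ip="10.0.10.11")
UNLEASED_IP = Frame(ETH_IPV4, "aa:aa:aa:aa:aa:01", src_ip="10.0.10.99")  # statically set, never leased
UNBOUND_ARP = Frame(ETH_ARP, "aa:aa:aa:aa:aa:01", arp_sender_mac="aa:aa:aa:aa:aa:01",
                    arp_sender_ip="10.0.10.1")  # sender IP has no binding on this port
```

Running `evaluate` on the three frames with `dai=False` permits `LEGIT_IP` and `UNBOUND_ARP` but drops `UNLEASED_IP`; only with `dai=True` is `UNBOUND_ARP` dropped, which is the gap the thread describes.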
