Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

ip source binding table and ip source guard.

Hi everybody

I quoted following from above link:

1)The IP source binding table has bindings that are  learned by DHCP snooping or are manually configured (static IP source  bindings

2)When IPSG is enabled with this option, IP traffic  is filtered based on the source IP address. The switch forwards IP  traffic when the source IP address matches an entry in the DHCP snooping  binding database or a binding in the IP source binding table.

does ip source binding table consists of dhcp bindings and manually configured bindings?

Does ip source guard check src ip against that single  ip source binding table ? or it also checks against dhcp bindings( what is the point  Ip source binding table already entries based on dhcp binding?


If we want to to use ip source guard feature to check both src ip and mac then we have to use :

ip verify source port-security

Please consider the bolded paragraph below:

Step 3 

ip verify source


ip verify source port-security

Enable IP source guard with source IP address filtering.

Enable IP source guard with source IP and MAC address filtering.

Note When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command, there are two caveats:

The DHCP server must support option 82, or the client is not assigned an IP address.

The  MAC address in the DHCP packet is not learned as a secure address. The  MAC address of the DHCP client is learned as a secure address only when  the switch receives non-DHCP data traffic.

so if have configue port security as:

switchport port-security

switchport port-security mac-address sticky

If this switch receives a dhcp message, it will not learn the mac address. it will learn the client mac address when it receives first non dhcp traffic.

Why do we need to enable port security if want to use ip source guard feature to detect spoof src ip and mac?  We could simply use ip

source binding table to see if src ip and src mac match an entry, if not packet will be dropped.   We could acheive the same result ( dropping packets containing spoofed src ip and mac ) without using port security.

I will appreciate any input.


CreatePlease to create content