Cisco Support Community

ip source guard

Hi all, I have heard of IP Source Guard, can anyone tell me what it is?

bjw Silver

Re: ip source guard

Simply put, it provides Layer 2 port protection to ensure that a specific host IP is the only device allowed to work on a Layer 2 switch port. This is combined with IP DHCP Snooping, and IP ARP Inspection can also be used to ensure that only devices with valid MAC/IP combinations are allowed to communicate on a switch.

See this snippet:

Overview of IP Source Guard

Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
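As an added illustration (not part of the original reply or of Cisco's documentation), the following Catalyst IOS configuration fragment shows how the pieces described above fit together: DHCP snooping builds the binding table from the trusted uplink, `ip verify source` turns on the per-port source IP filter on the untrusted client ports, and a static `ip source binding` covers a host that never uses DHCP. The interface names, VLAN, MAC address and IP address are constructed for this example.

```cisco
! Constructed example: access switch, clients in VLAN 10 on Gi1/0/1-2,
! DHCP server reached through uplink Gi1/0/24.
!
! 1. DHCP snooping builds the binding table (MAC, IP, VLAN, port) that
!    IP Source Guard filters against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Only the uplink toward the DHCP server is trusted; every other port
!    stays untrusted, which is where IP Source Guard can be enabled.
interface GigabitEthernet1/0/24
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! 3. Client port with a DHCP-assigned address: all IP traffic is dropped
!    except DHCP until a lease creates a binding, then only that source
!    IP is allowed out of the port.
interface GigabitEthernet1/0/1
 description Client port, DHCP-assigned address
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 4. Client port for a host with a fixed address (e.g. a printer): the
!    filter is enabled the same way, but the binding is entered by hand.
interface GigabitEthernet1/0/2
 description Client port, static address
 switchport mode access
 switchport access vlan 10
 ip verify source
!
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/2
!
! Checks: confirm the bindings exist and that the filter is active
! (a port with no binding shows every source IP as denied).
! show ip dhcp snooping binding
! show ip source binding
! show ip verify source
```

`show ip verify source` is the quickest way to spot a port where the feature is on but no binding has been learned yet, which is the usual cause of a "host has no connectivity after enabling IP Source Guard" complaint.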

