Cisco Nexus 5000 Series Configuration Manual

Configuring IP Source Guard
This chapter describes how to configure IP Source Guard on the Cisco Nexus 5000 Series switch.
This chapter includes the following sections:

Information About IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC
address of each packet match one of two sources of IP and MAC address bindings:
• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.
• Static IP source entries that you configure.
Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses
the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker
would have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source
Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially
enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results
of inspecting the packet.
Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.0(3)N1(1)
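
The filtering decision described above can be modelled in a few lines. This is an added example, not code from the Cisco guide or from NX-OS: the names GuardedPort, norm_mac and verdict are hypothetical, all addresses are constructed, and the model simplifies a binding to an IP and MAC pair on one interface.

```python
import ipaddress

def norm_mac(mac):
    """Reduce 0011.2233.4455 or 00:11:22:33:44:55 to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class GuardedPort:
    """Simplified model of one Layer 2 interface with IP Source Guard enabled."""

    def __init__(self, name):
        self.name = name
        self.bindings = {}  # (ip, mac) -> "dhcp-snooping" or "static"

    def add_binding(self, ip, mac, origin):
        self.bindings[(ipaddress.ip_address(ip), norm_mac(mac))] = origin

    def verdict(self, src_ip, src_mac, is_dhcp=False):
        # DHCP is exempt from the filter: DHCP snooping inspects it instead.
        if is_dhcp:
            return "to-dhcp-snooping"
        key = (ipaddress.ip_address(src_ip), norm_mac(src_mac))
        # The IP and the MAC must both match the same binding.
        return "permit" if key in self.bindings else "drop"

def demo():
    port = GuardedPort("ethernet 2/3")
    # Constructed sample traffic: (label, source IP, source MAC, is_dhcp)
    frames = [
        ("bound host", "10.0.0.10", "0011.2233.4455", False),
        ("static host", "10.0.0.20", "00:aa:bb:cc:dd:ee", False),
        ("bound IP, unknown MAC", "10.0.0.10", "0000.dead.beef", False),
        ("bound MAC, unknown IP", "10.0.0.99", "0011.2233.4455", False),
        ("DHCP packet", "0.0.0.0", "0000.dead.beef", True),
    ]
    # Freshly enabled, no bindings yet: only DHCP gets past the filter.
    before = [port.verdict(ip, mac, d) for _, ip, mac, d in frames]
    port.add_binding("10.0.0.10", "0011.2233.4455", "dhcp-snooping")
    port.add_binding("10.0.0.20", "00aa.bbcc.ddee", "static")
    after = [port.verdict(ip, mac, d) for _, ip, mac, d in frames]
    return before, after

if __name__ == "__main__":
    for row in zip(*demo()):
        print(row)
```
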

Summary of Contents for Cisco Nexus 5000 Series

  • Page 1: Table Of Contents

    Configuring IP Source Guard This chapter describes how to configure IP Source Guard on the Cisco Nexus 5000 Series switch. This chapter includes the following sections: • Information About IP Source Guard, page 1 • Licensing Requirements for IP Source Guard, page 2 •...
  • Page 2: Licensing Requirements For Ip Source Guard

    Licensing Requirements for IP Source Guard • IP traffic from static IP source entries that you have configured in the Cisco NX-OS device. The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.
  • Page 3: Configuring Ip Source Guard

    Step 3 [no] ip verify source dhcp-snooping-vlan Enables IP Source Guard on the interface. The no option disables IP Source Guard on the interface. Example: switch(config-if)# ip verify source dhcp-snooping-vlan
  • Page 4 Displays IP-MAC address bindings for the interface specified, including static IP source entries. Static entries appear with the term in the Type column. Example: switch(config)# show ip dhcp snooping binding interface ethernet 2/3
  • Page 5: Displaying Ip Source Guard Bindings

    Additional References for IP Source Guard. Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title: —
