NetProtocol Xpert, profile picture
Uploaded byNetProtocol Xpert
957 views

IP Source Guard

IP Source Guard (IPSG) helps prevent IP spoofing attacks by dropping any traffic that does not match the bindings in the DHCP Snooping database or configured static IP bindings. IPSG creates ACLs dynamically on each port to block unauthorized traffic. It must be enabled on all access ports along with DHCP Snooping to be effective. Static IP/MAC bindings can also be configured for devices not using DHCP.

Embed presentation

IP SOURCE GUARD Security
•IPSG helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. •By pretending to be that device, the attacker could potentially direct sensitive data towards a port he’s connected to. •Today, we’ll see how IPSG can mitigate this hijacking attack.
•Firstly we need to configure DHCP Snooping as a prerequisite. So just to recap, here’s the config: SW1(config)#ip dhcp snooping SW1(config)#ip dhcp snooping vlan 1 SW1(config)#int fa0/11 SW1(config-if)#ip dhcp snooping trust SW1(config)#int fa0/24 SW1(config-if)#ip dhcp snooping limit rate 20 IPSG Enabled
•IPSG is configured at the access layer and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis (these can’t be viewed in the running-configuration). •Any traffic which doesn’t match the binding entries is dropped in hardware. However, the port won’t go into the errdisable state – it won’t even display a violation message at the console. •IPSG is supported on layer two ports and cannot be used on layer 3 ports or SVIs.
•Configuration commands vary slightly between Catalyst 6500/4500 and lower-end switches. We used a 3550 for this example. When enabling IPSG, there are two checks which can be put in place. 1. The first is to verify that the source IP address in the incoming packet matches the IP binding in the DHCP Snooping database (or static binding), and 2. the second check uses port security to verify the source MAC address is what the switch expects it to be. Let’s go ahead and enable IPSG with the IP source check first: SW1(config)#int fa0/24 SW1(config-if)#ip verify source
Now that that’s enabled, we verify: SW1#sh ip verify source Interface Filter-type Filter-mode IP-address Mac-address Vlan ——— ———– ———– ————— —————– ———- Fa0/24 ip active 172.16.1.11 1 We can see that the “Filter-type” is “ip”, so our IP source check is functioning. Now, in order to use the MAC address check we must first enable port security on access interface fa0/24: SW1(config)#int fa0/24 SW1(config-if)#switchport port-security SW1(config-if)#ip verify source port-security
The last line of configuration has the port-security parameter attached to it which adds the MAC check. Let’s verify again: SW1#sh ip verify source Interface Filter-type Filter-mode IP-address Mac-address Vlan ——— ———– ———– ————— —————– ———- Fa0/24 ip-mac active 172.16.1.11 00:1B:78:4C:05:28 1 We can see that the “Filter-type” is now “ip-mac”, and our client’s MAC address is listed in the Mac-address column. But what if we have some hosts on our network with static IPs, or we’re not running DHCP? We can create static bindings instead of using the DHCP Snooping database. Let’s create one for interface fa0/14:
When using static bindings, we still need to enable DHCP Snooping for the VLAN the hosts reside in. SW1#sh mac address-table int fa0/14 Vlan Mac Address Type Ports —- ———– ——– —– 1 5c26.0a70.c59a DYNAMIC Fa0/14
We find the MAC address of our new client, add an ip source binding, and enable IPSG on the interface: SW1(config)#ip source binding ? H.H.H binding MAC address SW1(config)#ip source binding 5c26.0a70.c59a vlan 1 172.16.1.55 int fa0/14 SW1(config)#int fa0/14 SW1(config-if)#switchport port-security SW1(config-if)#ip verify source port-security
Let’s verify our bindings and the IPSG table: We can see both our DHCP Snooping database entry and our static IP source binding appear in the tables.
•For IPSG to be effective, it needs to be enabled on all access ports at the network edge, not just those hosting devices we want to protect. •When IPSG is enabled, there must either be a static IP/MAC binding or an entry in the DHCP Snooping binding table for every interface or traffic will be dropped. •If IPSG was not enabled on port fa0/21 for example, an attacker could connect to that port and assume the IP address of a machine on the network. Sure, this could be mitigated with a tight port-security configuration, but there would still be a hole in the IPSG implementation. •The best solution uses IPSG, DHCP Snooping, Port-Security and Dynamic ARP configuration hand-in-hand.
FOLLOW US @ 12  www.facebook.com/NetProtocolXpert  www.instagram.com/netprotocol_xper t  plus.google.com/collection/k8HMDB  twitter.com/NPX_cisco  www.linkedin.com/company/netproto col-xpert  netprotocolxpert.blogspot.in  remote.com/netprotocolxpert  www.netprotocolxpert.in

More Related Content

PPTX
DHCP Snooping
byNetProtocol Xpert
 
PDF
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
bypoojaswami31
 
PPTX
VTP
byHaidar-Mohammed
 
PPTX
HSRP ccna
byMohamedJafar5
 
PDF
Cisco ospf
bysarasanandam
 
PDF
Cisco IPv6 Tutorial
bykriz5
 
DOCX
Ccna command
bySiddhartha Rajbhatt
 
PDF
Ccnp workbook network bulls
bySwapnil Kapate
 
DHCP Snooping
byNetProtocol Xpert
 
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
bypoojaswami31
 
VTP
byHaidar-Mohammed
 
HSRP ccna
byMohamedJafar5
 
Cisco ospf
bysarasanandam
 
Cisco IPv6 Tutorial
bykriz5
 
Ccna command
bySiddhartha Rajbhatt
 
Ccnp workbook network bulls
bySwapnil Kapate
 

What's hot

PDF
CCNA - Routing & Switching Commands
byEng. Emad Al-Atoum
 
PPTX
MPLS Layer 3 VPN
byNetProtocol Xpert
 
PPTX
Virtual Routing and Forwarding, (VRF-lite)
byNetProtocol Xpert
 
PDF
CCNA Lab Guide
bySalachudin Emir
 
PPTX
Dynamic ARP Inspection (DAI)
byNetProtocol Xpert
 
DOC
Cisco switch commands cheat sheet
by3Anetwork com
 
PDF
CCNA CheatSheet
byEng. Emad Al-Atoum
 
DOC
Basic command to configure mikrotik
byTola LENG
 
PDF
3 palo alto ngfw architecture overview
byMostafa El Lathy
 
PDF
IPv6
byPeter R. Egli
 
PDF
Difference between Routing & Routed Protocol
byNetwax Lab
 
PPTX
OSPF Basics
byMartin Bratina
 
PPTX
CCNP ROUTE V7 CH2
byChaing Ravuth
 
PDF
cours ospf
byEL AMRI El Hassan
 
PPT
DHCP
byKashif Latif
 
PPTX
Spanning tree protocol
byMuhammad Arshad
 
PPTX
Bgp protocol
bySmriti Tikoo
 
PPTX
Les Vpn
bymedalaa
 
PPTX
Dynamic routing protocols (CCNA)
byVarinder Singh Walia
 
PDF
Implementing cisco mpls
byMatiullah Jamil
 
CCNA - Routing & Switching Commands
byEng. Emad Al-Atoum
 
MPLS Layer 3 VPN
byNetProtocol Xpert
 
Virtual Routing and Forwarding, (VRF-lite)
byNetProtocol Xpert
 
CCNA Lab Guide
bySalachudin Emir
 
Dynamic ARP Inspection (DAI)
byNetProtocol Xpert
 
Cisco switch commands cheat sheet
by3Anetwork com
 
CCNA CheatSheet
byEng. Emad Al-Atoum
 
Basic command to configure mikrotik
byTola LENG
 
3 palo alto ngfw architecture overview
byMostafa El Lathy
 
IPv6
byPeter R. Egli
 
Difference between Routing & Routed Protocol
byNetwax Lab
 
OSPF Basics
byMartin Bratina
 
CCNP ROUTE V7 CH2
byChaing Ravuth
 
cours ospf
byEL AMRI El Hassan
 
DHCP
byKashif Latif
 
Spanning tree protocol
byMuhammad Arshad
 
Bgp protocol
bySmriti Tikoo
 
Les Vpn
bymedalaa
 
Dynamic routing protocols (CCNA)
byVarinder Singh Walia
 
Implementing cisco mpls
byMatiullah Jamil
 

Viewers also liked

PPTX
Root Bridge Or Root Switch
byNetProtocol Xpert
 
PPTX
TCLSH and Macro Ping Test on Cisco Routers and Switches
byNetProtocol Xpert
 
PPTX
OTV Configuration
byNetProtocol Xpert
 
PPTX
Reflexive Access List
byNetProtocol Xpert
 
PPS
Ppt
byNabeel Mustafa
 
PPTX
Types of interfaces in a Cisco Router
byNetProtocol Xpert
 
PPS
Root Bridges of India and Japan
byYoungerbrain ourway
 
PPT
Open Source Networking
byArtur Bergman
 
PPTX
Regular expression examples
byNetProtocol Xpert
 
PDF
PPPoE With Mikrotik and Radius
byDashamir Hoxha
 
PPT
Point-to-Point Protocol(PPP) CCN ppt
byNiaz Shaikh
 
PPT
Introduction to PPP
byFrank Fang Kuo Yu
 
PPTX
Point to-point protocol (ppp), PAP & CHAP
byNetProtocol Xpert
 
PPT
Chapter 2 point-to-point protocol (ppp)
byCliff Stephen Pike-Dimagiba
 
PPTX
Converting ipv4 to ipv6 and vice versa
byNetProtocol Xpert
 
PPT
Point to-point-protocol
byamigurumi21
 
PPTX
Password recovery cisco catalyst 3850
byNetProtocol Xpert
 
PPTX
Point To Point Protocol
byPhan Vuong
 
PPT
HDLC, PPP and SLIP
byNaveen Kumar
 
PPT
Mac layer
byShubham Kansal
 
Root Bridge Or Root Switch
byNetProtocol Xpert
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
byNetProtocol Xpert
 
OTV Configuration
byNetProtocol Xpert
 
Reflexive Access List
byNetProtocol Xpert
 
Ppt
byNabeel Mustafa
 
Types of interfaces in a Cisco Router
byNetProtocol Xpert
 
Root Bridges of India and Japan
byYoungerbrain ourway
 
Open Source Networking
byArtur Bergman
 
Regular expression examples
byNetProtocol Xpert
 
PPPoE With Mikrotik and Radius
byDashamir Hoxha
 
Point-to-Point Protocol(PPP) CCN ppt
byNiaz Shaikh
 
Introduction to PPP
byFrank Fang Kuo Yu
 
Point to-point protocol (ppp), PAP & CHAP
byNetProtocol Xpert
 
Chapter 2 point-to-point protocol (ppp)
byCliff Stephen Pike-Dimagiba
 
Converting ipv4 to ipv6 and vice versa
byNetProtocol Xpert
 
Point to-point-protocol
byamigurumi21
 
Password recovery cisco catalyst 3850
byNetProtocol Xpert
 
Point To Point Protocol
byPhan Vuong
 
HDLC, PPP and SLIP
byNaveen Kumar
 
Mac layer
byShubham Kansal
 

Similar to IP Source Guard

PDF
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
byJiunn-Jer Sun
 
PDF
Dhcp Snooping
byPrateek Baharani
 
PDF
1-300-206 (SENSS)=Firewall (642-618)
byMohmed Abou Elenein Attia
 
PDF
Catalyst Smart Operations : Simplify Your Network
byCisco Russia
 
PPT
Mitigating Layer2 Attacks
bydkaya
 
PPT
Cisco Security Training on ASA and FTD.ppt
byAniruddhSharma65
 
PPTX
Layer Two ( 2 ) Security of Cisco switch
byssuserb1479b
 
PPT
Cisco Security Training on ASA and FMC.ppt.ppt
byAniruddhSharma65
 
PDF
Fedv6tf-fhs
byTim Martin
 
PDF
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
bySalem Trabelsi
 
PPT
Cisco L3 security and CCIE training .ppt
byAniruddhSharma65
 
PPTX
Dhcp security #netseckh
byHEM Sothon
 
PPTX
Attack.pptx
byISMT College
 
PPTX
Security Concerns in LANs.pptx
byjoko
 
DOCX
Switchport port security explained with examples
byteameassefa
 
PDF
Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Feat...
byJiunn-Jer Sun
 
DOCX
Cisco ios order of operation
byIT Tech
 
PDF
2.3.8 lab---navigate-the-ios-by-using-tera-term-for-console-connectivity (1)
byJohn Rabidou
 
PDF
How to Prevent DHCP Spoofing
byKHNOG
 
PPTX
Pass4sure 640-554 Cisco IOS Network Security
byHecrocro
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
byJiunn-Jer Sun
 
Dhcp Snooping
byPrateek Baharani
 
1-300-206 (SENSS)=Firewall (642-618)
byMohmed Abou Elenein Attia
 
Catalyst Smart Operations : Simplify Your Network
byCisco Russia
 
Mitigating Layer2 Attacks
bydkaya
 
Cisco Security Training on ASA and FTD.ppt
byAniruddhSharma65
 
Layer Two ( 2 ) Security of Cisco switch
byssuserb1479b
 
Cisco Security Training on ASA and FMC.ppt.ppt
byAniruddhSharma65
 
Fedv6tf-fhs
byTim Martin
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
bySalem Trabelsi
 
Cisco L3 security and CCIE training .ppt
byAniruddhSharma65
 
Dhcp security #netseckh
byHEM Sothon
 
Attack.pptx
byISMT College
 
Security Concerns in LANs.pptx
byjoko
 
Switchport port security explained with examples
byteameassefa
 
Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Feat...
byJiunn-Jer Sun
 
Cisco ios order of operation
byIT Tech
 
2.3.8 lab---navigate-the-ios-by-using-tera-term-for-console-connectivity (1)
byJohn Rabidou
 
How to Prevent DHCP Spoofing
byKHNOG
 
Pass4sure 640-554 Cisco IOS Network Security
byHecrocro
 

More from NetProtocol Xpert

PPTX
Basic Cisco ASA 5506-x Configuration (Firepower)
byNetProtocol Xpert
 
PPTX
Common Layer 2 Threats, Attacks & Mitigation
byNetProtocol Xpert
 
PPTX
Storm-Control
byNetProtocol Xpert
 
PPTX
Password Recovery
byNetProtocol Xpert
 
PPTX
Application & Data Center
byNetProtocol Xpert
 
PPTX
Cisco ISR 4351 Router
byNetProtocol Xpert
 
PPTX
Cisco ASR 1001-X Router
byNetProtocol Xpert
 
PPTX
Securing management, control & data plane
byNetProtocol Xpert
 
PPTX
Avoid DNS lookup when mistyping a command
byNetProtocol Xpert
 
PPTX
Private VLANs
byNetProtocol Xpert
 
PPTX
MTU (maximum transmission unit) & MRU (maximum receive unit)
byNetProtocol Xpert
 
PPTX
Cisco OTV 
byNetProtocol Xpert
 
PPTX
OTV(Overlay Transport Virtualization)
byNetProtocol Xpert
 
PPTX
Eigrp is restricted to stub connections
byNetProtocol Xpert
 
PPTX
Cisco 2960x switch password recovery
byNetProtocol Xpert
 
PPTX
VMware ESXi 6.0 Installation Process
byNetProtocol Xpert
 
PPTX
EtherChannel Configuration
byNetProtocol Xpert
 
PPTX
EIGRP (Enhanced Interior Gateway Routing Protocol)
byNetProtocol Xpert
 
PPTX
OSPF External Route Summarization
byNetProtocol Xpert
 
PPTX
OSPF Internal Route Summarization
byNetProtocol Xpert
 
Basic Cisco ASA 5506-x Configuration (Firepower)
byNetProtocol Xpert
 
Common Layer 2 Threats, Attacks & Mitigation
byNetProtocol Xpert
 
Storm-Control
byNetProtocol Xpert
 
Password Recovery
byNetProtocol Xpert
 
Application & Data Center
byNetProtocol Xpert
 
Cisco ISR 4351 Router
byNetProtocol Xpert
 
Cisco ASR 1001-X Router
byNetProtocol Xpert
 
Securing management, control & data plane
byNetProtocol Xpert
 
Avoid DNS lookup when mistyping a command
byNetProtocol Xpert
 
Private VLANs
byNetProtocol Xpert
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
byNetProtocol Xpert
 
Cisco OTV 
byNetProtocol Xpert
 
OTV(Overlay Transport Virtualization)
byNetProtocol Xpert
 
Eigrp is restricted to stub connections
byNetProtocol Xpert
 
Cisco 2960x switch password recovery
byNetProtocol Xpert
 
VMware ESXi 6.0 Installation Process
byNetProtocol Xpert
 
EtherChannel Configuration
byNetProtocol Xpert
 
EIGRP (Enhanced Interior Gateway Routing Protocol)
byNetProtocol Xpert
 
OSPF External Route Summarization
byNetProtocol Xpert
 
OSPF Internal Route Summarization
byNetProtocol Xpert
 

Recently uploaded

PPTX
We-Optimized-Everything-Except-Decision-Quality-Maintenance-MaintWiz.pptx
byMaintWiz Technologies Private Limited
 
PPTX
Lubrication Neglect Causes More Downtime Than AI Ever Will Why Maintenance Fu...
byMaintWiz Technologies Private Limited
 
PDF
A Newbie’s Journey: Hidden MySQL Pain Points That Vitess Quietly Solves
byIgor Donchovski
 
PPTX
Explore how AI-powered maintenance checklists transform asset reliability and...
byMaintWiz Technologies Private Limited
 
PDF
comprehensive analysis of cross-chain bridges in the DeFi - Garima Singh
byGarima Singh
 
PDF
Formality - Logic Equivalence Checking - Part 2
byAmr Adel
 
PDF
EDIH TRAINING AI FOR COMPANIES: MODULE 4
byHristian Daskalov
 
PPTX
15288-incose_system engineering_MBSE.pptx
byCarlosMota581011
 
PPTX
The Half-Life of Preventive Maintenance: Why PM Compliance Fails & How to Res...
byMaintWiz Technologies Private Limited
 
PDF
CME397 SURFACE ENGINEERING UNIT 1 FULL NOTES
bykarthi keyan
 
PDF
FPGA Fabric and Synthesis All Parts Combined
byAmr Adel
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 2.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PDF
TechRush Hackathon 2026: A Platform for Innovation, Learning, and Real-World ...
byreshmi7103
 
PDF
Reality Check Deploying Computer Vision and LLMs at the Edge
byICS
 
PPTX
Applications of cloud computing in education
byhatimunwala5
 
PPT
psoc_unit_one_for_all_thoery_potion_are_coverd_in_the_this_unit_for_everything
bysabinesh200517
 
PDF
JVM in the Age of AI: 2026 Edition - Deep Dive
byArtur Skowroński
 
PDF
PROPOSED 5 BEDROOM DUPLEX DEVELOPMENT DRAWINGS..pdf
byjamessylvester167
 
PPTX
Fake News Detection System | Plagiarism detection
bysurajkanojiya13
 
PDF
(en/zhTW)All_Roads_Lead_to_IPC_DannyJiang
byDanny Jiang
 
We-Optimized-Everything-Except-Decision-Quality-Maintenance-MaintWiz.pptx
byMaintWiz Technologies Private Limited
 
Lubrication Neglect Causes More Downtime Than AI Ever Will Why Maintenance Fu...
byMaintWiz Technologies Private Limited
 
A Newbie’s Journey: Hidden MySQL Pain Points That Vitess Quietly Solves
byIgor Donchovski
 
Explore how AI-powered maintenance checklists transform asset reliability and...
byMaintWiz Technologies Private Limited
 
comprehensive analysis of cross-chain bridges in the DeFi - Garima Singh
byGarima Singh
 
Formality - Logic Equivalence Checking - Part 2
byAmr Adel
 
EDIH TRAINING AI FOR COMPANIES: MODULE 4
byHristian Daskalov
 
15288-incose_system engineering_MBSE.pptx
byCarlosMota581011
 
The Half-Life of Preventive Maintenance: Why PM Compliance Fails & How to Res...
byMaintWiz Technologies Private Limited
 
CME397 SURFACE ENGINEERING UNIT 1 FULL NOTES
bykarthi keyan
 
FPGA Fabric and Synthesis All Parts Combined
byAmr Adel
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 2.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
TechRush Hackathon 2026: A Platform for Innovation, Learning, and Real-World ...
byreshmi7103
 
Reality Check Deploying Computer Vision and LLMs at the Edge
byICS
 
Applications of cloud computing in education
byhatimunwala5
 
psoc_unit_one_for_all_thoery_potion_are_coverd_in_the_this_unit_for_everything
bysabinesh200517
 
JVM in the Age of AI: 2026 Edition - Deep Dive
byArtur Skowroński
 
PROPOSED 5 BEDROOM DUPLEX DEVELOPMENT DRAWINGS..pdf
byjamessylvester167
 
Fake News Detection System | Plagiarism detection
bysurajkanojiya13
 
(en/zhTW)All_Roads_Lead_to_IPC_DannyJiang
byDanny Jiang
 

IP Source Guard

  • 1.
  • 2.
    •IPSG helps toprevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. •By pretending to be that device, the attacker could potentially direct sensitive data towards a port he’s connected to. •Today, we’ll see how IPSG can mitigate this hijacking attack.
  • 3.
    •Firstly we needto configure DHCP Snooping as a prerequisite. So just to recap, here’s the config: SW1(config)#ip dhcp snooping SW1(config)#ip dhcp snooping vlan 1 SW1(config)#int fa0/11 SW1(config-if)#ip dhcp snooping trust SW1(config)#int fa0/24 SW1(config-if)#ip dhcp snooping limit rate 20 IPSG Enabled
  • 4.
    •IPSG is configuredat the access layer and uses the DHCP Snooping database, or static IP binding entries, to dynamically create ACLs on a per-port basis (these can’t be viewed in the running-configuration). •Any traffic which doesn’t match the binding entries is dropped in hardware. However, the port won’t go into the errdisable state – it won’t even display a violation message at the console. •IPSG is supported on layer two ports and cannot be used on layer 3 ports or SVIs.
  • 5.
    •Configuration commands varyslightly between Catalyst 6500/4500 and lower-end switches. We used a 3550 for this example. When enabling IPSG, there are two checks which can be put in place. 1. The first is to verify that the source IP address in the incoming packet matches the IP binding in the DHCP Snooping database (or static binding), and 2. the second check uses port security to verify the source MAC address is what the switch expects it to be. Let’s go ahead and enable IPSG with the IP source check first: SW1(config)#int fa0/24 SW1(config-if)#ip verify source
  • 6.
    Now that that’senabled, we verify: SW1#sh ip verify source Interface Filter-type Filter-mode IP-address Mac-address Vlan ——— ———– ———– ————— —————– ———- Fa0/24 ip active 172.16.1.11 1 We can see that the “Filter-type” is “ip”, so our IP source check is functioning. Now, in order to use the MAC address check we must first enable port security on access interface fa0/24: SW1(config)#int fa0/24 SW1(config-if)#switchport port-security SW1(config-if)#ip verify source port-security
  • 7.
    The last lineof configuration has the port-security parameter attached to it which adds the MAC check. Let’s verify again: SW1#sh ip verify source Interface Filter-type Filter-mode IP-address Mac-address Vlan ——— ———– ———– ————— —————– ———- Fa0/24 ip-mac active 172.16.1.11 00:1B:78:4C:05:28 1 We can see that the “Filter-type” is now “ip-mac”, and our client’s MAC address is listed in the Mac-address column. But what if we have some hosts on our network with static IPs, or we’re not running DHCP? We can create static bindings instead of using the DHCP Snooping database. Let’s create one for interface fa0/14:
  • 8.
    When using staticbindings, we still need to enable DHCP Snooping for the VLAN the hosts reside in. SW1#sh mac address-table int fa0/14 Vlan Mac Address Type Ports —- ———– ——– —– 1 5c26.0a70.c59a DYNAMIC Fa0/14
  • 9.
    We find theMAC address of our new client, add an ip source binding, and enable IPSG on the interface: SW1(config)#ip source binding ? H.H.H binding MAC address SW1(config)#ip source binding 5c26.0a70.c59a vlan 1 172.16.1.55 int fa0/14 SW1(config)#int fa0/14 SW1(config-if)#switchport port-security SW1(config-if)#ip verify source port-security
  • 10.
    Let’s verify ourbindings and the IPSG table: We can see both our DHCP Snooping database entry and our static IP source binding appear in the tables.
  • 11.
    •For IPSG tobe effective, it needs to be enabled on all access ports at the network edge, not just those hosting devices we want to protect. •When IPSG is enabled, there must either be a static IP/MAC binding or an entry in the DHCP Snooping binding table for every interface or traffic will be dropped. •If IPSG was not enabled on port fa0/21 for example, an attacker could connect to that port and assume the IP address of a machine on the network. Sure, this could be mitigated with a tight port-security configuration, but there would still be a hole in the IPSG implementation. •The best solution uses IPSG, DHCP Snooping, Port-Security and Dynamic ARP configuration hand-in-hand.
  • 12.
    FOLLOW US @ 12 www.facebook.com/NetProtocolXpert  www.instagram.com/netprotocol_xper t  plus.google.com/collection/k8HMDB  twitter.com/NPX_cisco  www.linkedin.com/company/netproto col-xpert  netprotocolxpert.blogspot.in  remote.com/netprotocolxpert  www.netprotocolxpert.in