set antispoof ip-inspection

Use this command to enable or disable anti-spoofing IP source guard on a port or range of ports.

Syntax

set antispoof ip-inspection {enable | disable | inspection-only} port-string

Parameters

enable Enables anti-spoofing IP source guard on the specified port or ports.
disable Disables anti-spoofing IP source guard on the specified port or ports.
inspection-only Specifies that packets will be snooped, but anti-spoofing IP source guard will not be used to populate the source MAC address to source IP address binding table.
port-string The port to configure for anti-spoofing IP source guard.

Defaults

Anti-spoofing IP address inspection is disabled on all ports by default.

Mode

All command modes.

Usage

A malicious user can spoof another user's IP address, allowing the malicious user to bypass network security features that are based on a user's subnet or address, such as authentication based upon IP address. The malicious user would then have access to network resources that would otherwise be denied. Such a user could also flood a victim with traffic from many different spoofed source IP addresses for the purpose of denying other users access to network resources.

When IP source guard is enabled, all IP packets are inspected. The source MAC address and source IP address are compared against the contents of the binding table, and a check is performed to ensure that the user's MAC address has been authenticated and exists in the multiauth session table.

If the address combination is not currently in the binding table and the user's MAC address has been authenticated and exists in the multiauth session table, a new entry for this address combination is added to the binding table. Otherwise, if the address combination is not currently in the binding table, the violation counter is incremented. If the configured threshold is met, any configured actions are taken against the user. Actions can include sending a Syslog message, sending a notification, or quarantining the user based upon a quarantine policy. Thresholds and actions are configured in an anti-spoofing class using set antispoof class threshold-index.

When IP source guard is enabled, packets are both inspected and used to populate the source MAC address to IP address binding table. If IP source guard is set to inspection only, packets are only inspected and a new binding is not entered into the binding table. Reception of IP packets on the switch is limited to the bound addresses in the binding table.

Enabling IP source guard allows anti-spoofing protection when a switch resides outside of the DHCP or ARP server paths.
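The following Python model walks through the inspection flow described in this Usage section (binding-table lookup, multiauth check, learning versus inspection-only, violation counter and threshold action) over a few constructed packets. It is an added illustration, not the switch firmware or any vendor code. The threshold value, the action name, the packet representation and the direct add_binding() method (standing in for bindings learned by another mechanism) are assumptions made for the example; how the switch handles an unbound but authenticated address on an inspection-only port is read here as a violation, which is the model's choice rather than a statement from the page.

```python
"""Model of anti-spoofing IP source guard inspection (added example, not vendor code)."""
from dataclasses import dataclass, field


@dataclass
class PortState:
    mode: str = "disable"             # "enable" | "disable" | "inspection-only"
    violations: int = 0               # per-port violation counter
    actions_taken: list = field(default_factory=list)


class IpSourceGuard:
    def __init__(self, threshold, action):
        # Hypothetical anti-spoofing class settings; real values come from
        # 'set antispoof class threshold-index', whose syntax is not shown here.
        self.threshold = threshold
        self.action = action
        self.ports = {}
        self.bindings = set()         # (src_mac, src_ip) binding table
        self.multiauth = set()        # MACs present in the multiauth session table

    def set_ip_inspection(self, mode, port):
        """Equivalent of 'set antispoof ip-inspection {mode} {port}'."""
        if mode not in ("enable", "disable", "inspection-only"):
            raise ValueError(f"unknown mode {mode!r}")
        self.ports.setdefault(port, PortState()).mode = mode

    def authenticate(self, mac):
        """Mark a MAC as authenticated (entry in the multiauth session table)."""
        self.multiauth.add(mac)

    def add_binding(self, mac, ip):
        """Assumed: a binding supplied by another source, used for inspection-only ports."""
        self.bindings.add((mac, ip))

    def receive(self, port, src_mac, src_ip):
        """Inspect one IP packet; return 'forward' or 'violation'."""
        state = self.ports.setdefault(port, PortState())
        if state.mode == "disable":
            return "forward"              # no inspection on this port
        key = (src_mac, src_ip)
        if key in self.bindings:
            return "forward"              # known MAC/IP pair
        if state.mode == "enable" and src_mac in self.multiauth:
            self.bindings.add(key)        # learn a new binding for an authenticated MAC
            return "forward"
        # Unbound pair and either an unauthenticated MAC or an inspection-only port.
        state.violations += 1
        if state.violations >= self.threshold:
            state.actions_taken.append(self.action)
        return "violation"


def demo():
    """Run a constructed scenario and return the per-port results."""
    guard = IpSourceGuard(threshold=2, action="syslog")   # assumed class settings
    guard.set_ip_inspection("enable", "ge.1.2")
    guard.set_ip_inspection("inspection-only", "ge.1.3")
    guard.authenticate("00:11:22:33:44:aa")                 # constructed MAC
    results = [
        guard.receive("ge.1.2", "00:11:22:33:44:aa", "10.0.0.5"),   # learned
        guard.receive("ge.1.2", "00:11:22:33:44:bb", "10.0.0.5"),   # spoofed IP, unauthenticated
        guard.receive("ge.1.2", "00:11:22:33:44:bb", "10.0.0.6"),   # second violation, threshold met
        guard.receive("ge.1.3", "00:11:22:33:44:aa", "10.0.0.7"),   # inspection-only: no learning
        guard.receive("ge.1.9", "00:11:22:33:44:cc", "10.0.0.8"),   # unconfigured port: no inspection
    ]
    return {
        "results": results,
        "bindings": sorted(guard.bindings),
        "violations_ge_1_2": guard.ports["ge.1.2"].violations,
        "actions_ge_1_2": guard.ports["ge.1.2"].actions_taken,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the difference between the two modes: the enabled port learns the first authenticated pair and then counts two violations for the spoofed MAC, triggering the configured action, while the inspection-only port never adds a binding and the unconfigured port forwards everything.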

Examples

This example shows how to enable anti-spoofing IP address inspection on ports ge.1.2 through ge.1.5:

System(rw)->set antispoof ip-inspection enable ge.1.2-5

This example shows how to configure anti-spoofing IP address inspection on ports ge.1.2 through ge.1.5 for packet inspection only:

System(rw)->set antispoof ip-inspection inspection-only ge.1.2-5