IP Source Guard

Table 1. IP Source Guard product support

Feature

Product

Release introduced

IP Source Guard (IPv4)

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.1

VSP 7400 Series

VOSS 8.0

IP Source Guard (IPv6)

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.1

VSP 7400 Series

VOSS 8.0

IP Source Guard (IPSG) is a Layer 2 port-to-port feature that works closely with DHCP Snooping. It prevents IP spoofing by allowing only IP addresses obtained using DHCP Snooping. When you enable IPSG on an untrusted port with DHCP Snooping enabled, an IP filter is automatically created or deleted for that port based on the information stored in the corresponding DHCP Snooping binding table entry. When a connecting client receives a valid IP address from the DHCP server, the filter installed on the port allows traffic only from that assigned IP address.

You can configure IPSG on a port using the command line interface (CLI), the Enterprise Device Manager (EDM), or SNMP.

Note

Note

The switch supports configuration of IP Source Guard for both IPv4 and IPv6 addresses.

The following table shows how IPSG works with DHCP Snooping.

Table 2. IP Source Guard and DHCP snooping

IP Source Guard configuration state

DHCP snooping configuration state

DHCP snooping Binding Entry action (untrusted ports)

IP Source Guard action

change from disabled to enabled

enabled

creates a binding entry

creates a filter for the IP address using the IP address from the binding table entry

enabled

enabled

creates a binding entry

creates a filter for the IP address using the IP address from the binding table entry

enabled

enabled

deletes a binding entry

deletes the IP filter and installs a default filter to block all IP traffic on the port

enabled

enabled

deletes binding entries when one of the following conditions occur:
  • a DHCP release packet is received

  • the port link is down

  • the lease time has expired

  • the port is removed from the VLAN

  • the VLAN is deleted

  • the port is set as trusted

  • the binding entries are manually deleted

deletes the corresponding IP filter and installs a default filter to block all IP traffic

change from enabled to disabled

enabled

not applicable

deletes the installed IP filter for the port

disabled

enabled

creates a binding entry

disabled

enabled

deletes a binding entry