Feature |
Product |
Release introduced |
---|---|---|
IP Source Guard (IPv4) |
5320 Series |
Fabric Engine 8.6 |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
5720 Series |
Fabric Engine 8.7 |
|
7520 Series |
Fabric Engine 8.10 |
|
7720 Series |
Fabric Engine 8.10 |
|
VSP 4900 Series |
VOSS 8.1 |
|
VSP 7400 Series |
VOSS 8.0 |
|
IP Source Guard (IPv6) |
5320 Series |
Fabric Engine 8.6 |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
5720 Series |
Fabric Engine 8.7 |
|
7520 Series |
Fabric Engine 8.10 |
|
7720 Series |
Fabric Engine 8.10 |
|
VSP 4900 Series |
VOSS 8.1 |
|
VSP 7400 Series |
VOSS 8.0 |
IP Source Guard (IPSG) is a Layer 2 port-to-port feature that works closely with DHCP Snooping. It prevents IP spoofing by allowing only IP addresses obtained using DHCP Snooping. When you enable IPSG on an untrusted port with DHCP Snooping enabled, an IP filter is automatically created or deleted for that port based on the information stored in the corresponding DHCP Snooping binding table entry. When a connecting client receives a valid IP address from the DHCP server, the filter installed on the port allows traffic only from that assigned IP address.
You can configure IPSG on a port using the command line interface (CLI), the Enterprise Device Manager (EDM), or SNMP.
Note
The switch supports configuration of IP Source Guard for both IPv4 and IPv6 addresses.
The following table shows how IPSG works with DHCP Snooping.
IP Source Guard configuration state |
DHCP snooping configuration state |
DHCP snooping Binding Entry action (untrusted ports) |
IP Source Guard action |
---|---|---|---|
change from disabled to enabled |
enabled |
creates a binding entry |
creates a filter for the IP address using the IP address from the binding table entry |
enabled |
enabled |
creates a binding entry |
creates a filter for the IP address using the IP address from the binding table entry |
enabled |
enabled |
deletes a binding entry |
deletes the IP filter and installs a default filter to block all IP traffic on the port |
enabled |
enabled |
deletes binding entries when one of the following conditions
occur:
|
deletes the corresponding IP filter and installs a default filter to block all IP traffic |
change from enabled to disabled |
enabled |
not applicable |
deletes the installed IP filter for the port |
disabled |
enabled |
creates a binding entry |
|
disabled |
enabled |
deletes a binding entry |