IP Source Guard and DHCP Snooping
IP Source Guard uses dynamic DHCP snooping and static IP source binding to match IP addresses
to hosts on untrusted Layer 2 access ports. Initially, all IP traffic on the protected
port is blocked except for DHCP packets. After a client receives an IP address from the
DHCP server, or after a static IP source binding is configured, all traffic with that IP
source address is permitted from that client. Traffic from other hosts is denied. This
filtering limits a host's ability to attack the network by claiming a neighbor host's IP
address.
IP Source Guard uses the DHCP snooping binding database to permit or deny incoming IP
traffic. Each binding database entry provides a valid source IP address, MAC address, and
VLAN for an interface, which IP Source Guard uses to install a TCAM rule in the
device.
- You can enable IP Source Guard only on untrusted Layer 2 access ports.
- You can configure IP Source Guard on physical and port channel interfaces.
- IP Source Guard uses hardware TCAM entries that are shared among other Access Control List features.
- The installation of IP Source Guard entries depends on the availability of hardware resources.
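The following configuration is an added example, not part of the original page, that shows how the two binding sources described above (dynamic DHCP snooping and a static IP source binding) are wired together. It assumes a Cisco NX-OS switch; the VLAN number, interface names, IP address and MAC address are constructed placeholders.

```cisco
! Enable the DHCP feature and DHCP snooping for the access VLAN.
! DHCP snooping builds the binding database that IP Source Guard consults.
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 10

! The uplink toward the DHCP server is the only port trusted to send
! server-side DHCP messages (OFFER/ACK); every other port stays untrusted.
interface ethernet 1/48
  description uplink-to-dhcp-server
  switchport mode trunk
  ip dhcp snooping trust

! Untrusted access port protected by IP Source Guard. Until a DHCP lease
! is learned for this port, only DHCP traffic is forwarded; afterwards only
! packets whose source IP matches the learned binding are permitted.
interface ethernet 1/5
  description user-access
  switchport mode access
  switchport access vlan 10
  ip verify source dhcp-snooping-vlan

! Static binding for a host on the same VLAN that does not use DHCP
! (constructed address/MAC for illustration). This installs a TCAM rule
! on ethernet 1/6 without waiting for a DHCP exchange.
interface ethernet 1/6
  description printer-static-ip
  switchport mode access
  switchport access vlan 10
  ip verify source dhcp-snooping-vlan
ip source binding 10.1.10.25 0000.1111.2222 vlan 10 interface ethernet 1/6

! Verification: confirm which ports have IP Source Guard active and which
! dynamic and static bindings are currently installed.
show ip verify source
show ip dhcp snooping binding
```

Because the per-port rules consume shared TCAM entries, check the output of `show ip verify source` after enabling the feature on many ports: a port whose entry could not be installed for lack of hardware resources will not be filtering, even though the interface configuration looks correct.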