DHCP Snooping IP Source Guard

Overview

IP Source Guard (IPSG) is a security feature that restricts IP traffic on non-routed, Layer 2 interfaces by filtering it against the DHCP (Dynamic Host Configuration Protocol) snooping binding database. Use IPSG to stop spoofing attacks in which a host sends traffic using the IP address of a neighbor. Enable IPSG on an untrusted interface on which DHCP snooping is already enabled. After IPSG is enabled on an interface, the switch blocks all IP traffic received on that interface except the DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface; it permits only IP traffic whose source IP address appears in the DHCP snooping binding table and denies all other traffic. A host that did not obtain its address through DHCP is therefore dropped on that interface unless a matching entry exists in the binding table.

Topology

Figure 82. IP Source Guard Topology


Enable/Disable the Ingress DHCP-snoop TCAM Group

#configure terminal

Enter Configure mode.

(config)#hardware-profile filter dhcp-snoop enable

Enable the ingress DHCP-snoop TCAM group

(config)#commit

Commit Candidate config to running-config

(config)#hardware-profile filter dhcp-snoop disable

Disable the ingress DHCP-snoop TCAM group

(config)#commit

Commit Candidate config to running-config

Enable/Disable the Ingress DHCP-snoop-IPv6 TCAM Group

#configure terminal

Enter Configure mode.

(config)#hardware-profile filter dhcp-snoop-ipv6 enable

Enable the ingress DHCP-snoop-IPv6 TCAM group

(config)#commit

Commit Candidate config to running-config

(config)#hardware-profile filter dhcp-snoop-ipv6 disable

Disable the ingress DHCP-snoop-IPv6 TCAM group

(config)#commit

Commit Candidate config to running-config

Enable/Disable the Ingress IPSG TCAM group

#configure terminal

Enter Configure mode.

(config)#hardware-profile filter ipsg enable

Enable the ingress IPSG TCAM group

(config)#commit

Commit Candidate config to running-config

(config)#hardware-profile filter ipsg disable

Disable the ingress IPSG TCAM group

(config)#commit

Commit Candidate config to running-config

Enable/Disable the Ingress IPSG-IPV6 TCAM group

#configure terminal

Enter Configure mode.

(config)#hardware-profile filter ipsg-ipv6 enable

Enable the ingress IPSG-IPv6 TCAM group

(config)#commit

Commit Candidate config to running-config

(config)#hardware-profile filter ipsg-ipv6 disable

Disable the ingress IPSG-IPv6 TCAM group

(config)#commit

Commit Candidate config to running-config

Validation

OcNOS#show hardware-profile filters
 
Note: Shared count is the calculated number from available resources.
      Dedicated count provides allocated resource to the group.
      If group shares the dedicated resource with other groups, then dedicated
      count of group will reduce with every resource usage by other groups.
 
+--------------------+---------+---------------+----------------------------+
|                    | Free    |     Used      |       Total Entries        |
| Unit - TCAMS       | Entries |---------------|----------------------------|
|                    |         |  %  | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
0 DHCP-SNOOP           5620      0     6         5626    1018        4608
0 DHCP-SNOOP-IPV6      5620      0     6         5626    1018        4608
0 IPSG                 3327      0     1         3328    1024        2304
0 IPSG-IPV6            3327      0     1         3328    1024        2304
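The validation step is easier to automate than to eyeball when many switches are involved. The following Python script is an added example, not OcNOS code or part of the original page: it parses the `show hardware-profile filters` output above (embedded here as a constructed sample, trimmed to the four DHCP-snoop and IPSG groups) and reports any required TCAM group that is not allocated or is close to exhaustion. The group names, the column order and the assumption that a disabled group either is absent from the table or shows zero total entries are taken from the sample output; the `high_water_pct` threshold is an arbitrary choice for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class TcamGroup(NamedTuple):
    unit: int
    free: int
    used_pct: int
    used: int
    total: int
    dedicated: int
    shared: int


# Constructed sample: the "show hardware-profile filters" output from the
# Validation section, limited to the DHCP-snoop and IPSG groups.
SAMPLE_OUTPUT = """\
OcNOS#show hardware-profile filters

Note: Shared count is the calculated number from available resources.
      Dedicated count provides allocated resource to the group.

+--------------------+---------+---------------+----------------------------+
|                    | Free    |     Used      |       Total Entries        |
| Unit - TCAMS       | Entries |---------------|----------------------------|
|                    |         |  %  | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
0 DHCP-SNOOP           5620      0     6         5626    1018        4608
0 DHCP-SNOOP-IPV6      5620      0     6         5626    1018        4608
0 IPSG                 3327      0     1         3328    1024        2304
0 IPSG-IPV6            3327      0     1         3328    1024        2304
"""

# One data row: unit, group name, then six integer columns in table order
# (Free, Used %, Used Entries, Total, Dedicated, Shared). Header and border
# lines contain '|' or '+' and never match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([A-Z0-9-]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

# IPv4 pair by default; add the -IPV6 pair on dual-stack access switches.
REQUIRED_GROUPS: Tuple[str, ...] = ("DHCP-SNOOP", "IPSG")


def parse_filters(output: str) -> Dict[str, TcamGroup]:
    """Map TCAM group name -> parsed row from 'show hardware-profile filters'."""
    groups: Dict[str, TcamGroup] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        unit, name, *nums = m.groups()
        groups[name] = TcamGroup(int(unit), *map(int, nums))
    return groups


def check_groups(groups: Dict[str, TcamGroup],
                 required: Tuple[str, ...] = REQUIRED_GROUPS,
                 high_water_pct: int = 80) -> List[str]:
    """Return a list of problems; an empty list means the profile is ready for IPSG."""
    problems: List[str] = []
    for name in required:
        g = groups.get(name)
        # Assumption: a group that was never enabled is missing or has 0 total entries.
        if g is None or g.total == 0:
            problems.append(
                f"{name}: TCAM group not allocated; run "
                f"'hardware-profile filter <group> enable' and commit")
            continue
        # Free and used entries should account for the whole group.
        if g.free + g.used != g.total:
            problems.append(
                f"{name}: free+used ({g.free + g.used}) != total ({g.total}); "
                f"output may be truncated or from a different software build")
        pct = 100 * g.used // g.total
        if pct >= high_water_pct:
            problems.append(
                f"{name}: {pct}% of {g.total} entries in use; once the group is "
                f"full, new bindings cannot be programmed into hardware")
    return problems


if __name__ == "__main__":
    parsed = parse_filters(SAMPLE_OUTPUT)
    for name, g in parsed.items():
        print(f"{name:18} total={g.total:5} used={g.used:5} free={g.free:5}")
    for p in check_groups(parsed, required=REQUIRED_GROUPS + ("DHCP-SNOOP-IPV6", "IPSG-IPV6")):
        print("PROBLEM:", p)
```

Feed the script real output captured over SSH in place of `SAMPLE_OUTPUT`; a non-empty problem list before you enable IPSG on untrusted interfaces usually means the `hardware-profile filter` commit was never made, and a near-full IPSG group on a working switch means hosts will start losing connectivity as new DHCP bindings fail to install.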