DELL N3000 User Manual
Snooping and Inspecting Traffic
883
What Is IP Source Guard?
IPSG is a security feature that filters IP packets based on source ID. This
feature helps protect the network from attacks that use IP address spoofing to
compromise or overwhelm the network.
The source ID may be either the source IP address or a {source IP address,
The source ID may be either the source IP address or a {source IP address,
source MAC address} pair. You can configure:
• Whether enforcement includes the source MAC address
• Static authorized source IDs
• Static authorized source IDs
The DHCP snooping bindings database and static IPSG entries identify
authorized source IDs. IPSG can be enabled on physical and LAG ports.
If you enable IPSG on a port where DHCP snooping is disabled or where
If you enable IPSG on a port where DHCP snooping is disabled or where
DHCP snooping is enabled but the port is trusted, all IP traffic received on
that port is dropped depending on the admin-configured IPSG entries.
IPSG and Port Security
IPSG interacts with port security, also known as port MAC locking, (see "Port
Security (Port-MAC Locking)" on page 539) to enforce the source MAC
address. Port security controls source MAC address learning in the layer 2
forwarding database (MAC address table). When a frame is received with a
previously unlearned source MAC address, port security queries the IPSG
feature to determine whether the MAC address belongs to a valid binding.
If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If
If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If
IPSG is enabled on the ingress port, IPSG checks the bindings database. If
the MAC address is in the bindings database and the binding matches the
VLAN the frame was received on, IPSG replies that the MAC is valid. If the
MAC is not in the bindings database, IPSG informs port security that the
frame is a security violation.
In the case of an IPSG violation, port security takes whatever action it
In the case of an IPSG violation, port security takes whatever action it
normally takes upon receipt of an unauthorized frame. Port security limits the
number of MAC addresses to a configured maximum. If the limit
n is less
than the number of stations
m in the bindings database, port security allows
only
n stations to use the port. If n > m, port security allows only the stations
in the bindings database. For information about configuring the Port Security