IP Source Guard (IPSG) is used to prevent IP spoofing, where an attacker impersonates another host by using its IP address.
IPSG provides per-port filtering of the assigned source IP. It dynamically maintains per-port VLAN ACLs based on the IP-to-MAC bindings set out in the DHCP Snooping database.
IPSG is applied on untrusted ports and can filter on a source IP or a combination of source IP and MAC address.
When a violation occurs, the packet can be dropped and/or an alert issued.
Apply IPSG to Access Layer interfaces.
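The filtering decision described above, as an added example that is not part of the original post: a simplified Python model that parses a constructed binding table laid out like "show ip source binding" output and reports which constructed packets an untrusted port would drop in source-IP-only mode versus source-IP-and-MAC mode. DHCP traffic, which the switch still has to let through for snooping, is not modelled; every name and address here is an assumption.

```python
# Added example: simplified model of the IPSG permit/drop decision.
# All table rows and packets below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

# Constructed sample laid out like "show ip source binding" output.
SAMPLE_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------
00:11:22:33:44:55   192.0.2.10       85012       dhcp-snooping  10    FastEthernet0/1
00:AA:BB:CC:DD:EE   192.0.2.20       infinite    static         10    FastEthernet0/2
"""

# Constructed packets: (ingress interface, VLAN, source IP, source MAC)
PACKETS = [
    ("FastEthernet0/1", 10, "192.0.2.10", "00:11:22:33:44:55"),  # legitimate host
    ("FastEthernet0/1", 10, "192.0.2.20", "00:11:22:33:44:55"),  # neighbour's IP
    ("FastEthernet0/1", 10, "192.0.2.10", "00:de:ad:be:ef:00"),  # right IP, wrong MAC
    ("FastEthernet0/3", 10, "192.0.2.30", "00:01:02:03:04:05"),  # port has no binding
]

def parse_bindings(text):
    """Parse binding rows, skipping the header and separator lines."""
    bindings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[4].isdigit():
            bindings.append(Binding(f[0].lower(), f[1], int(f[4]), f[5]))
    return bindings

def ipsg_permits(bindings, interface, vlan, src_ip, src_mac, check_mac=False):
    """True if the packet matches a binding for its ingress port and VLAN."""
    for b in bindings:
        if (b.interface, b.vlan, b.ip) != (interface, vlan, src_ip):
            continue
        # IP-only mode stops here; IP+MAC mode also compares the source MAC.
        if not check_mac or b.mac == src_mac.lower():
            return True
    return False  # no matching binding: violation, drop and/or alert

def audit(bindings, packets, check_mac=False):
    """Return the packets that would be dropped as violations."""
    return [p for p in packets
            if not ipsg_permits(bindings, *p, check_mac=check_mac)]
```

In source-IP-only mode the third packet passes because only the address is compared; with MAC checking enabled it is dropped as well.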
Configure IP Source Guard
First enable DHCP Snooping:
SW1(config)#ip dhcp snooping
Next, apply DHCP Snooping against a specific vlan (or vlans):
SW1(config)#ip dhcp snooping vlan [id]
Enable IPSG on a specific interface:
SW1(config-if)#ip verify source vlan dhcp-snooping
- use this command to verify only source IP addresses
SW1(config-if)#ip verify source vlan dhcp-snooping port-security
- use this command to verify against source IP and MAC address
Optionally, you can also rate-limit an interface:
SW1(config-if)#switchport port-security limit rate invalid-source-mac [rate]
You can also statically bind an IP address (with its MAC address) to a port, from global configuration mode:
SW1(config)#ip source binding [mac] vlan [id] [ip] interface [id]
Verify IP Source Guard
Use the following commands to verify your configuration:
SW1#show ip source binding
- Displays MAC-to-IP binding, type of binding, vlan membership, interface the binding applies to.
SW1#sh ip verify source
- Displays your interface, filter type and mode, IP addr, MAC addr, and VLAN
good one
Yes, hiding IP is necessary many times... It prevents identity theft, prevents spyware/malware/viruses, provides safe browsing from work computer, bypasses country restricted websites, prevents spam, safer online shopping.... I use VPN to hide my IP and check in Ip-details.com for the changed IP.