[Enterprise Switch] How to configure static IP (IPv4) Source Guard
IPv4 Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled.
This article describes how to configure static IPv4 Source Guard.
For how DHCPv4 snooping and IP Source Guard work together, refer to:
[Enterprise Switch] DHCP snooping and IP source-guard application
Support models
ECS4620 series, ECS4510 series, ECS4130 series, ECS4120 series, ECS4100 series, ECS5520 series, ECS4530 series, ECS2100 series, ECS2110 series, ECS3510 series.
Simple Topology
Command instructions
1. show ip source-guard
2. show ip source-guard binding
3. ip source-guard
4. ip source-guard binding
5. ip source-guard max-binding
6. ip source-guard mode
7. clear ip source-guard binding blocked
Simple Example for binding entries at MAC Table
Simple Example for binding entries at ACL Table
1. show ip source-guard
Command :
Console#show ip source-guard
This command will show whether the source guard is enabled or disabled on each interface.
Console#show ip source-guard
ACL Table MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1 DISABLED ACL 5 16
Eth 1/2 DISABLED ACL 5 16
Eth 1/3 DISABLED ACL 5 16
Eth 1/4 DISABLED ACL 5 16
Eth 1/5 DISABLED ACL 5 16
Eth 1/6 DISABLED ACL 5 16
Eth 1/7 DISABLED ACL 5 16
Eth 1/8 DISABLED ACL 5 16
Eth 1/9 DISABLED ACL 5 16
Eth 1/10 DISABLED ACL 5 16
Eth 1/11 DISABLED ACL 5 16
Eth 1/12 DISABLED ACL 5 16
Q: What is the difference between binding in the ACL table and in the MAC table?
A: The ACL table records source-guard entries in the switch chip (hardware).
The MAC table records source-guard entries in software.
2. show ip source-guard binding
Command :
Console#show ip source-guard binding ?
blocked Blocked record in MAC mode
dhcp-snooping DHCP Snooping binding entry
static Static binding entry
<cr>
Console#show ip source-guard binding
MAC Address IP Address Type VLAN Interface
----------------- --------------- -------------- --------- ---------
This command will show the source guard binding table.
3. ip source-guard
Command :
Console#configure
Console(config)#interface ethernet 1/3
Console(config-if)#ip source-guard ?
max-binding Limits max binding entries
mode Sets binding table mode
sip Enable IP source guard with source IP address filtering
sip-mac Enable IP source guard with source IP and MAC address filtering
Console(config-if)#ip source-guard sip-mac
Console(config-if)#
This command configures the switch to filter ingress traffic on the interface by source IP address (sip), or by source IP address and the corresponding MAC address (sip-mac).
Console#show ip source-guard
ACL Table MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1 DISABLED ACL 5 16
Eth 1/2 DISABLED ACL 5 16
Eth 1/3 SIP-MAC ACL 5 16
Eth 1/4 DISABLED ACL 5 16
Eth 1/5 DISABLED ACL 5 16
4. ip source-guard binding
Command :
Console#configure
Console(config)#ip source-guard binding mode mac 00-00-00-00-00-01 vlan 1 192.168.2.2 interface ethernet 1/3
Console(config)#
This command can add a static address to the source-guard binding table.
Console#show ip source-guard binding
MAC Address IP Address Type VLAN Interface
----------------- --------------- -------------- --------- ---------
00-00-00-00-00-01 192.168.2.2 static-mac 1 Eth 1/3
5. ip source-guard max-binding
Command :
Console#configure
Console(config)#interface ethernet 1/3
Console(config-if)#ip source-guard max-binding 2
Console(config-if)#ip source-guard mode mac max-binding 3
Console(config-if)#
This command can set the maximum number of entries that can be bound to an interface.
Console#show ip source-guard
ACL Table MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1 DISABLED ACL 5 16
Eth 1/2 DISABLED ACL 5 16
Eth 1/3 SIP-MAC ACL 2 3
Eth 1/4 DISABLED ACL 5 16
Eth 1/5 DISABLED ACL 5 16
6. ip source-guard mode
Command :
Console#configure
Console(config)#interface ethernet 1/3
Console(config-if)#ip source-guard mode ?
acl Filters binding from ACL table
mac Filters binding from MAC table
Console(config-if)#ip source-guard mode mac
Console(config-if)#
This command can set the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table.
Console#show ip source-guard
ACL Table MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1 DISABLED ACL 5 16
Eth 1/2 DISABLED ACL 5 16
Eth 1/3 SIP-MAC MAC 2 3
Eth 1/4 DISABLED ACL 5 16
Eth 1/5 DISABLED ACL 5 16
7. clear ip source-guard binding blocked
Command :
Console#clear ip source-guard binding blocked
This command can remove all blocked records.
*Please note: the ip source-guard blocked record table only records entries when the filter table is in MAC mode.
Simple Example for binding entries at MAC Table
Connect a PC (MAC: 8c-84-01-83-61-db / IP: 192.168.2.2) to switch port 5.
Apply the configuration below:
Console#configure
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip-mac
//Filter-type sip-mac: ingress traffic must match both the source IP and the MAC address
Console(config-if)#ip source-guard mode mac
//Filter-table: bindings are searched in the MAC table
Console(config-if)#exit
Console(config)#ip source-guard binding mode mac 8c-84-01-83-61-db vlan 1 192.168.2.5 interface ethernet 1/5
//Add a static binding entry for the PC's MAC with IP 192.168.2.5
After configuring, ping the switch from the PC (MAC: 8c-84-01-83-61-db / IP: 192.168.2.2).
Check the ip source-guard blocked records with show ip source-guard binding blocked.
*Please note: the ip source-guard blocked record table only records entries when the filter table is in MAC mode.
Result: the filter type requires both the source IP and the MAC address to match, and the PC's IP (192.168.2.2) does not match the bound IP (192.168.2.5), so the PC cannot ping the switch.
Simple Example for binding entries at ACL Table
Connect a PC (MAC: 8c-84-01-83-61-db / IP: 192.168.2.2) to switch port 3.
Apply the configuration below:
Console#configure
Console(config)#interface ethernet 1/3
Console(config-if)#ip source-guard sip-mac
//Filter-type sip-mac: ingress traffic must match both the source IP and the MAC address
Console(config-if)#ip source-guard mode acl
//Filter-table: bindings are searched in the ACL table
Console(config-if)#exit
Console(config)#ip source-guard binding mode acl 8c-84-01-83-61-db vlan 1 192.168.2.4 interface ethernet 1/3
//Add a static binding entry for the PC's MAC with IP 192.168.2.4
After configuring, ping the switch from the PC (MAC: 8c-84-01-83-61-db / IP: 192.168.2.2).
Result: the filter type requires both the source IP and the MAC address to match, and the PC's IP (192.168.2.2) does not match the bound IP (192.168.2.4), so the PC cannot ping the switch.
* ACL mode complements the shortcomings of MAC mode
In the case above, if the MAC address has been learned or registered in the MAC address table in a valid way, the switch will not block the traffic. ACL mode can prevent this kind of case.
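The following Python model is an added example, not code from the article or from the switch firmware. It replays the filtering rules that commands 3 to 6 describe (filter type sip versus sip-mac, the filter table selected by ip source-guard mode, max-binding limits, and the note that blocked records exist only in MAC mode) and then runs both of the examples above through it: the PC sending from 192.168.2.2 while its binding names 192.168.2.5 or 192.168.2.4 is dropped, a packet matching the binding is forwarded, and only the MAC-mode drop leaves a blocked record. The interface names, filter types and modes come from the CLI on this page; the class and function names, the data layout and the extra bindings used to exercise max-binding are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the IPv4 Source Guard behaviour described in this article.
# It is not the switch firmware: interface names, filter types (sip, sip-mac) and
# table modes (acl, mac) follow the CLI shown on the page; everything else is assumed.


@dataclass(frozen=True)
class Binding:
    """One static entry of 'ip source-guard binding mode <acl|mac> ...'."""
    table: str        # "acl" or "mac": the binding table the entry lives in
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class PortConfig:
    """Per-interface settings; defaults taken from the 'show ip source-guard' output."""
    filter_type: str = "disabled"   # "disabled", "sip" or "sip-mac"
    mode: str = "acl"               # filter table searched on ingress: "acl" or "mac"
    max_binding: Dict[str, int] = field(default_factory=lambda: {"acl": 5, "mac": 16})


class SourceGuard:
    def __init__(self) -> None:
        self.ports: Dict[str, PortConfig] = {}
        self.bindings: Dict[str, List[Binding]] = {}        # interface -> entries
        self.blocked: List[Tuple[str, str, int, str]] = []  # blocked records

    def port(self, iface: str) -> PortConfig:
        return self.ports.setdefault(iface, PortConfig())

    def add_binding(self, b: Binding) -> bool:
        """Add a static entry; refused once the interface's max-binding for that table is reached."""
        limit = self.port(b.interface).max_binding[b.table]
        entries = self.bindings.setdefault(b.interface, [])
        if sum(1 for e in entries if e.table == b.table) >= limit:
            return False
        entries.append(b)
        return True

    def ingress(self, iface: str, src_mac: str, src_ip: str, vlan: int) -> str:
        """Decide 'forward' or 'drop' for one ingress packet on iface."""
        cfg = self.port(iface)
        if cfg.filter_type == "disabled":
            return "forward"
        for b in self.bindings.get(iface, []):
            if b.table != cfg.mode or b.vlan != vlan or b.ip != src_ip:
                continue          # only the table selected by 'ip source-guard mode' is searched
            if cfg.filter_type == "sip" or b.mac == src_mac:
                return "forward"  # sip needs the IP only; sip-mac needs IP and MAC
        if cfg.mode == "mac":
            # Per the article's note, blocked records are kept only in MAC mode.
            self.blocked.append((src_mac, src_ip, vlan, iface))
        return "drop"

    def clear_blocked(self) -> None:
        """Equivalent of 'clear ip source-guard binding blocked'."""
        self.blocked.clear()


def run_article_examples() -> dict:
    """Replay both examples from the article plus a max-binding check (assumed extra entries)."""
    sg = SourceGuard()
    pc_mac, pc_ip = "8c-84-01-83-61-db", "192.168.2.2"   # the PC used in both examples

    # Example 1: MAC table on Eth 1/5; the binding says the PC should use 192.168.2.5.
    p5 = sg.port("Eth 1/5")
    p5.filter_type, p5.mode = "sip-mac", "mac"
    sg.add_binding(Binding("mac", pc_mac, "192.168.2.5", 1, "Eth 1/5"))
    mac_drop = sg.ingress("Eth 1/5", pc_mac, pc_ip, 1)          # PC's real IP: dropped
    mac_ok = sg.ingress("Eth 1/5", pc_mac, "192.168.2.5", 1)    # bound IP: forwarded

    # Example 2: ACL table on Eth 1/3; the binding says the PC should use 192.168.2.4.
    p3 = sg.port("Eth 1/3")
    p3.filter_type, p3.mode = "sip-mac", "acl"
    sg.add_binding(Binding("acl", pc_mac, "192.168.2.4", 1, "Eth 1/3"))
    acl_drop = sg.ingress("Eth 1/3", pc_mac, pc_ip, 1)

    # 'ip source-guard max-binding 2' on Eth 1/3: with one ACL entry present,
    # one more is accepted and the next is refused (constructed MAC/IP values).
    p3.max_binding["acl"] = 2
    added = [sg.add_binding(Binding("acl", f"00-00-00-00-00-0{i}", f"192.168.2.1{i}", 1, "Eth 1/3"))
             for i in (1, 2)]

    return {
        "mac_table_drop": mac_drop,
        "mac_table_forward": mac_ok,
        "acl_table_drop": acl_drop,
        "blocked_records": len(sg.blocked),   # only the MAC-mode drop is recorded
        "max_binding_results": added,
    }


if __name__ == "__main__":
    print(run_article_examples())
```

The model deliberately searches only the table named by the port's mode, which is why a binding created with `binding mode mac` does nothing for a port set to `mode acl`; when the ping in the examples fails, that is the first thing to check alongside the bound IP address.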