**Cisco IP Source Guard (IPSG)**
**Purpose:**
IP Source Guard is a Layer 2 security feature on Cisco switches that
prevents IP address spoofing by end hosts. It restricts IP traffic on
untrusted access ports by permitting only packets whose source IP address
(and, with the `port-security` option, source MAC address) matches an entry
in the DHCP snooping binding database or a manually configured IP-to-MAC
binding.
**How It Works:**
1. **DHCP Snooping Dependency:** IPSG builds its filter from the DHCP
snooping binding table, which records each valid IP-MAC-VLAN-interface
binding learned from DHCP exchanges, plus any static `ip source binding`
entries the administrator adds.
2. **Traffic Filtering:** When enabled on an untrusted access port, the
switch drops any IP packet whose source IP address (and, with `ip verify
source port-security`, source MAC address) does not match a binding for that
port and VLAN.
3. **Dynamic Enforcement:** Until a binding exists for the port, only DHCP
packets are allowed; the port is in deny-all. After a client obtains a lease,
its traffic is permitted only while the source address matches the assigned
one. A host with a statically configured address and no static binding stays
blocked.
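The rules above, modelled as a small simulator. This is an added example, not Cisco's code: the bindings mirror the three static entries configured later in this walkthrough, the packets (including PC2 trying to use PC1's address and PC4 with no binding at all) are constructed for illustration, and the function names are this example's own.

```python
"""Model of IP Source Guard enforcement on an access port.

Added example, not Cisco's code: a simulator of the rules the text
describes. Bindings, MACs and packets are constructed for illustration
(they mirror the walkthrough's PCs); function names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping / static binding table."""
    mac: str        # canonical aabb.ccdd.eeff form
    ip: str
    vlan: int
    interface: str


def norm_mac(mac: str) -> str:
    """Accept 00:50:79:66:68:00, 0050.7966.6800 or 00-50-79-66-68-00; return dotted form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def ipsg_verdict(bindings, interface, vlan, src_mac, src_ip,
                 is_dhcp=False, filter_type="ip-mac"):
    """Decide one ingress packet: returns ("permit" | "drop", reason).

    Rules modelled from the text:
      * DHCP client packets are always let through so a host can lease an address.
      * A port/VLAN with no binding at all is in deny-all: everything else is dropped.
      * filter_type "ip" (plain `ip verify source`) checks only the source IP;
        "ip-mac" (`ip verify source port-security`) also checks the source MAC.
      * Bindings are tied to the ingress interface, so a correct IP/MAC pair
        arriving on the wrong port is still dropped.
    """
    if is_dhcp:
        return "permit", "DHCP is always permitted"
    on_port = [b for b in bindings if b.interface == interface and b.vlan == vlan]
    if not on_port:
        return "drop", "deny-all: no binding for this port/VLAN"
    for b in on_port:
        if b.ip == src_ip and (filter_type == "ip" or b.mac == norm_mac(src_mac)):
            return "permit", f"matches binding {b.ip} / {b.mac}"
    return "drop", "source IP/MAC does not match the binding on this port"


BINDINGS = [  # the three static bindings configured in the walkthrough
    Binding("0050.7966.6800", "192.168.1.51", 50, "Et0/0"),
    Binding("0050.7966.6801", "192.168.1.52", 50, "Et0/1"),
    Binding("0050.7966.6802", "192.168.1.53", 50, "Et0/2"),
]

# Constructed packets: name -> (ingress interface, source MAC, source IP, is_dhcp)
PACKETS = {
    "pc1_legit":                 ("Et0/0", "00:50:79:66:68:00", "192.168.1.51", False),
    "pc1_ip_spoofed_mac":        ("Et0/0", "00:50:79:66:68:02", "192.168.1.51", False),
    "pc2_spoofs_pc1_ip":         ("Et0/1", "00:50:79:66:68:01", "192.168.1.51", False),
    "pc2_spoofs_pc1_ip_and_mac": ("Et0/1", "00:50:79:66:68:00", "192.168.1.51", False),
    "pc4_no_binding":            ("Et0/3", "00:50:79:66:68:03", "192.168.1.54", False),
    "pc4_dhcp_discover":         ("Et0/3", "00:50:79:66:68:03", "0.0.0.0", True),
}


def run_all(filter_type="ip-mac"):
    """Verdict for every constructed packet on VLAN 50 under the given filter type."""
    return {name: ipsg_verdict(BINDINGS, iface, 50, mac, ip, dhcp, filter_type)[0]
            for name, (iface, mac, ip, dhcp) in PACKETS.items()}


if __name__ == "__main__":
    for ftype in ("ip-mac", "ip"):
        print(f"--- filter-type {ftype}")
        for name, (iface, mac, ip, dhcp) in PACKETS.items():
            verdict, why = ipsg_verdict(BINDINGS, iface, 50, mac, ip, dhcp, ftype)
            print(f"{name:27s} {iface} {ip:14s} -> {verdict:6s} ({why})")
```

Running it shows the difference the `port-security` keyword makes: with the plain IP filter, `pc1_ip_spoofed_mac` (PC1's address sent from a different MAC on PC1's own port) is permitted, while under `ip-mac` it is dropped. Every spoof attempt from another port is dropped in both modes because bindings are tied to the ingress interface, and PC4 gets nothing but DHCP through until a binding exists.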
**Benefits:**
- Prevents attackers from spoofing another host’s IP
address.
- Limits malicious traffic from unauthorized IP
addresses.
- Works in conjunction with DHCP snooping and Dynamic ARP
Inspection (DAI) for layered security.
**Typical Use:**
Deployed on access switch ports in enterprise networks to
ensure endpoint integrity and mitigate man-in-the-middle or spoofing-based
attacks.
**Configuration Note:**
IPSG is configured at the interface level. Plain `ip verify source` filters
on the source IP address only; `ip verify source port-security` also checks
the source MAC address and requires `switchport port-security` on the same
interface. DHCP snooping must be enabled globally and on the VLAN for dynamic
bindings to be learned; without it, only static `ip source binding` entries
are honoured, and any port that has no binding at all drops everything except
DHCP.
Let's see the configuration:-
Topology:-
Goal:- Configure the topology as per the diagram
- Configure the IP addresses on PCs 192.168.1.51/24 - 192.168.1.54/24 (gateway 192.168.1.50)
- Configure VLAN 50 and assign ports Ethernet 0/0 - 0/3
- Configure the IP address on VLAN 50
- Configure portfast and port security on the range Ethernet 0/0 - 0/3
- Configure DHCP snooping on VLAN 50
- Configure static IP-to-MAC bindings for PC1 - PC3
- Verify with the show commands
PC1> show ip
NAME : PC1[1]
IP/MASK : 192.168.1.51/24
GATEWAY : 192.168.1.50
DNS :
MAC : 00:50:79:66:68:00
LPORT : 10004
RHOST:PORT : 127.0.0.1:10005
MTU: : 1500
PC2> show ip
NAME : PC2[1]
IP/MASK : 192.168.1.52/24
GATEWAY : 192.168.1.50
DNS :
MAC : 00:50:79:66:68:01
LPORT : 10006
RHOST:PORT : 127.0.0.1:10007
MTU: : 1500
PC3> show ip
NAME : PC3[1]
IP/MASK : 192.168.1.53/24
GATEWAY : 192.168.1.50
DNS :
MAC : 00:50:79:66:68:02
LPORT : 10008
RHOST:PORT : 127.0.0.1:10009
MTU: : 1500
PC4> show ip
NAME : PC4[1]
IP/MASK : 192.168.1.54/24
GATEWAY : 192.168.1.50
DNS :
MAC : 00:50:79:66:68:03
LPORT : 10010
RHOST:PORT : 127.0.0.1:10011
MTU: : 1500
switch(config)#vlan 50
switch(config-vlan)#name internetworks
switch(config-vlan)#interface range ethernet 0/0 - 3
switch(config-if-range)#switchport
switch(config-if-range)#switchport mode access
switch(config-if-range)#switchport access vlan 50
switch(config-if-range)#end
switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/0, Et1/1, Et1/2, Et1/3
                                                Et2/0, Et2/1, Et2/2, Et2/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
10   VLAN0010                         active
50   internetworks                    active    Et0/0, Et0/1, Et0/2, Et0/3
switch(config)#interface vlan 50
switch(config-if)#ip address 192.168.1.50 255.255.255.0
switch(config-if)#no shutdown
switch(config-if)#end
switch#show arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.50             -  aabb.cc80.0100  ARPA  Vlan50
Internet  192.168.1.51             0  0050.7966.6800  ARPA  Vlan50
Internet  192.168.1.52             0  0050.7966.6801  ARPA  Vlan50
Internet  192.168.1.53             0  0050.7966.6802  ARPA  Vlan50
switch(config)#interface range ethernet 0/0 - 3
switch(config-if-range)#switchport port-security
switch(config-if-range)#ip verify source port-security
switch(config-if-range)#exit
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan 50
switch(config)#ip source binding 0050.7966.6800 vlan 50 192.168.1.51 interface ethernet 0/0
switch(config)#ip source binding 0050.7966.6801 vlan 50 192.168.1.52 interface ethernet 0/1
switch(config)#ip source binding 0050.7966.6802 vlan 50 192.168.1.53 interface ethernet 0/2
switch(config)#end
switch#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------
00:50:79:66:68:00   192.168.1.51     infinite    static         50    Ethernet0/0
00:50:79:66:68:01   192.168.1.52     infinite    static         50    Ethernet0/1
00:50:79:66:68:02   192.168.1.53     infinite    static         50    Ethernet0/2
Total number of bindings: 3
switch#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip-mac       active       192.168.1.51     00:50:79:66:68:00  50
Et0/1      ip-mac       active       192.168.1.52     00:50:79:66:68:01  50
Et0/2      ip-mac       active       192.168.1.53     00:50:79:66:68:02  50
Et0/3      ip-mac       active       deny-all         deny-all           50
Filter-type `ip-mac` confirms that the `port-security` keyword took effect, so both the source IP and source MAC are checked. Et0/3 shows `deny-all` because PC4 (192.168.1.54) has no static binding and, with statically addressed PCs and no DHCP server in this topology, never obtains a lease that would populate the snooping table; every non-DHCP packet from PC4 is dropped until a binding is added.
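A post-deployment check that reads `show ip verify source` output and flags exactly the situation shown above: a port stuck in deny-all, a binding that disagrees with the inventory, or a port with no IPSG at all. This is an added example, not Cisco's code; the sample output is the walkthrough's own, the expected-host inventory is constructed from the PC table earlier on the page, and the function names are this example's.

```python
"""Audit `show ip verify source` output against an inventory of expected hosts.

Added example. The sample output is the walkthrough's own table; EXPECTED_HOSTS
is constructed from the PC `show ip` output. Function names are this example's,
not part of IOS.
"""
import re

SHOW_IP_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip-mac       active       192.168.1.51     00:50:79:66:68:00  50
Et0/1      ip-mac       active       192.168.1.52     00:50:79:66:68:01  50
Et0/2      ip-mac       active       192.168.1.53     00:50:79:66:68:02  50
Et0/3      ip-mac       active       deny-all         deny-all           50
"""

# Constructed inventory: which host we expect behind each access port.
EXPECTED_HOSTS = {
    "Et0/0": ("192.168.1.51", "00:50:79:66:68:00"),
    "Et0/1": ("192.168.1.52", "00:50:79:66:68:01"),
    "Et0/2": ("192.168.1.53", "00:50:79:66:68:02"),
    "Et0/3": ("192.168.1.54", "00:50:79:66:68:03"),   # PC4: no binding was created
}

# One data row: interface, filter type, filter mode, IP, MAC, VLAN.
ROW = re.compile(r"^(\S+)\s+(ip-mac|ip)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def mac_key(mac: str) -> str:
    """Compare MACs regardless of ':' / '.' / '-' notation."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def parse_verify_source(text: str) -> dict:
    """Return {interface: row-dict} for every data row; header and ruler lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iface, ftype, fmode, ip, mac, vlan = m.groups()
            rows[iface] = {"filter_type": ftype, "filter_mode": fmode,
                           "ip": ip, "mac": mac, "vlan": int(vlan)}
    return rows


def audit(rows: dict, expected: dict) -> list:
    """Return sorted (interface, finding) pairs that need an engineer's attention."""
    findings = []
    for iface, (exp_ip, exp_mac) in expected.items():
        row = rows.get(iface)
        if row is None:
            findings.append((iface, "IPSG not enabled on this port"))
        elif row["ip"] == "deny-all":
            findings.append((iface, f"deny-all: no binding, {exp_ip} is black-holed "
                                    "(only DHCP gets through); add a static binding "
                                    "or confirm the host leases via DHCP"))
        elif row["ip"] != exp_ip or mac_key(row["mac"]) != mac_key(exp_mac):
            findings.append((iface, f"binding {row['ip']}/{row['mac']} does not match "
                                    f"inventory {exp_ip}/{exp_mac}"))
        elif row["filter_type"] != "ip-mac":
            findings.append((iface, "ip-only filter: a spoofed source MAC using the "
                                    "bound IP would still pass"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(parse_verify_source(SHOW_IP_VERIFY_SOURCE), EXPECTED_HOSTS):
        print(f"{iface}: {finding}")
```

On the walkthrough's output the only finding is Et0/3, which is the port whose host would report "no connectivity" after IPSG goes live. Feeding the same function output collected from many switches (for example via `show ip verify source` over SSH) turns that into a fleet-wide check.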