Cisco Nexus 5000 Series Configuration Manual

Configuring IP Source Guard
This chapter describes how to configure IP Source Guard on the Cisco Nexus 5000 Series switch.
This chapter includes the following sections:
Information About IP Source Guard, page 1
Licensing Requirements for IP Source Guard, page 2
Prerequisites for IP Source Guard, page 2
Guidelines and Limitations for IP Source Guard, page 2
Default Settings for IP Source Guard, page 2
Configuring IP Source Guard, page 3
Displaying IP Source Guard Bindings, page 5
Configuration Example for IP Source Guard, page 5
Additional References for IP Source Guard, page 5
Information About IP Source Guard
IP Source Guard is a per-interface traffic filter that permits inbound IP traffic only when the source IP address and
source MAC address of each packet match an entry from one of two sources of IP and MAC address bindings:
Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.
Static IP source entries that you configure.
Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses
the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker
would have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source
Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially
enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results
of inspecting the packet.
Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.0(3)N1(1)
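The NX-OS configuration that the description above implies, as an added example that is not part of this page: DHCP snooping is enabled as the binding source, the port facing the DHCP server is trusted, IP Source Guard is turned on for an untrusted access port, and a static binding is added for a host that never obtains a DHCP lease. VLAN 10, Ethernet 1/1 and 1/2, the host address 10.10.10.25 and the MAC 0011.2233.4455 are hypothetical values chosen for the example.

```cisco
! Added example, not from the guide. VLAN 10, Ethernet 1/1 (uplink toward the
! DHCP server), Ethernet 1/2 (host access port) and the host 10.10.10.25 with
! MAC 0011.2233.4455 are hypothetical values.
switch# configure terminal
! IP Source Guard filters against the DHCP snooping binding table, so the
! DHCP feature and snooping on the VLAN must be enabled first.
switch(config)# feature dhcp
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 10
! The port toward the DHCP server must be trusted. If it stays untrusted,
! snooping drops the server's offers, the binding table never fills, and
! every host behind an IP Source Guard port remains blocked.
switch(config)# interface ethernet 1/1
switch(config-if)# switchport mode trunk
switch(config-if)# ip dhcp snooping trust
switch(config-if)# exit
! Untrusted access port: enable IP Source Guard. Until a DHCP lease (or a
! static entry) creates a binding for this port, only DHCP passes inbound.
switch(config)# interface ethernet 1/2
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10
switch(config-if)# ip verify source dhcp-snooping-vlan
switch(config-if)# exit
! Static binding for a host with a fixed address (no lease to snoop). A packet
! carrying 10.10.10.25 with any other source MAC, or this IP/MAC pair arriving
! on a different port, is still dropped.
switch(config)# ip source binding 10.10.10.25 0011.2233.4455 vlan 10 interface ethernet 1/2
switch(config)# end
! Verify which ports filter and which dynamic and static bindings exist.
switch# show ip verify source interface ethernet 1/2
switch# show ip dhcp snooping binding
switch# show running-config dhcp
```

The order matters in practice: enable snooping and trust the server-facing port before applying `ip verify source` to host ports, otherwise hosts that already hold a lease obtained before snooping was active have no binding and lose connectivity until they renew. The static `ip source binding` entry is the escape hatch for printers, servers and other fixed-address devices on an IP Source Guard port; it must name the exact interface and VLAN the device is attached to, because the binding is checked per interface.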