IP spoofing attacks and IP Source Guard (IPSG)
An IP address spoofing attack is one in which an attacker forges the source Internet Protocol (IP) address of IP datagrams so that the packets appear to come from another valid IP address. In IP address spoofing, IP packets are generated with fake source IP addresses in order to impersonate other systems or to hide the identity of the sender.
When enabled, the IP Source Guard (IPSG) feature can mitigate IP spoofing attacks. IPSG helps ensure that network devices use only their assigned IP addresses.
IPSG uses the information in the DHCP Snooping binding database to dynamically create port ACLs. IPSG can also use static IP binding entries. IPSG permits only IP traffic whose source IP address matches an entry in the DHCP Snooping binding database. Thus IPSG prevents a network device from transmitting an IP datagram with a source IP address other than the one it was assigned via Dynamic Host Configuration Protocol (DHCP).
Make sure that you have configured the DHCP snooping feature properly before following these configuration steps.
How to enable IP Source Guard (IPSG) feature with IP source check
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip verify source
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
How to verify IP Source Guard (IPSG) with the IP source check
OmniSecuSW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip           active       172.16.10.175                       1
How to enable IP Source Guard (IPSG) feature with IP and MAC source check
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport port-security
OmniSecuSW1(config-if)#ip verify source port-security
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
How to verify IP Source Guard (IPSG) with the IP and MAC source check
OmniSecuSW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip-mac       active       172.16.10.175    00:00:AB:5E:C9:00  1
How to view the IP source bindings
OmniSecuSW1#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:99:88:00   172.16.10.178    689555      dhcp-snooping  1     Ethernet0/3
00:00:AB:9D:BC:00   172.16.10.176    689549      dhcp-snooping  1     Ethernet0/1
00:00:AB:5E:C9:00   172.16.10.175    689539      dhcp-snooping  1     Ethernet0/0
00:00:AB:D4:02:00   172.16.10.177    689555      dhcp-snooping  1     Ethernet0/2
Total number of bindings: 4