IP Source Guard Notes

IP Source Guard ensures that traffic entering an L2 port originates from a legitimate host, i.e. from the IP address (and optionally the MAC address) that was actually assigned to that port. The feature uses the DHCP snooping binding table and static IP source bindings to match source addresses on untrusted L2 ports; it does nothing on trusted ports.
Initially all IP traffic on the port is dropped except DHCP packets. Once a client obtains an address via DHCP, or a static binding is configured for the port, only traffic whose source matches that binding is forwarded; everything else is still dropped. Note that DHCP snooping must already be enabled on the port's VLAN, otherwise there is no binding table to filter against.

Syntax:

Router(config)# ip dhcp snooping
Router(config)# ip dhcp snooping vlan number [number]
Router(config)# interface interface-name
Router(config-if)# no ip dhcp snooping trust
Router(config-if)# ip verify source vlan dhcp-snooping
Router(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-name

Example:

Configure interface fa6/1 as an access port in VLAN 10 and enable IP Source Guard:
Router(config)# ip dhcp snooping
Router(config)# ip dhcp snooping vlan 10 20
Router(config)# interface fa6/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 10
Router(config-if)# no ip dhcp snooping trust
Router(config-if)# ip verify source vlan dhcp-snooping

Router# show ip verify source

Interface  Filter-type  Filter-mode                IP-address       Mac-address     Vlan
---------  -----------  -------------------------  ---------------  --------------  ----------
fa6/1      ip           active                     10.0.0.1                         10
fa6/1      ip           active                     deny-all                         11-20
fa6/2      ip           inactive-trust-port
fa6/3      ip           inactive-no-snooping-vlan
fa6/4      ip           active                     10.0.0.2         aaaa.bbbb.cccc  10
fa6/4      ip           active                     11.0.0.1         aaaa.bbbb.cccd  11

Reading the Filter-mode and IP-address columns: "active" with an IP address means a binding exists for that VLAN and only traffic from that source is forwarded; "deny-all" means IP Source Guard is enforced on that VLAN but no binding exists yet, so all IP traffic except DHCP is dropped; "inactive-trust-port" means the port is a trusted DHCP snooping port, so no filtering is applied there; "inactive-no-snooping-vlan" means DHCP snooping is not enabled on the port's VLAN, so there is no binding table to filter against. Rows that also carry a Mac-address (fa6/4) indicate that the source MAC is being verified in addition to the source IP. The two "inactive" states are the ones to look for when auditing, since on those ports the feature is configured but not actually protecting anything.
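The example above only covers a host that obtains its address via DHCP. The following is an added example, not part of the original notes, showing the complete setup a practitioner would want: the uplink toward the DHCP server marked trusted (without it the switch drops the server's DHCPOFFER/DHCPACK and no binding is ever learned, so every access port stays in deny-all), a DHCP-addressed access port, and a static binding for a host with a fixed address. The interface names gi1/1 and fa6/5, the MAC 0011.2233.4455 and the address 10.0.0.50 are assumptions chosen for illustration; the command forms are the Catalyst 6500 ones used in these notes.

```cisco
! Added example, not from the original notes. gi1/1, fa6/5,
! 0011.2233.4455 and 10.0.0.50 are assumed values for illustration.
!
! Global: enable DHCP snooping and limit it to the VLANs in use.
ip dhcp snooping
ip dhcp snooping vlan 10 20
!
! Uplink toward the DHCP server: must be trusted so that DHCP server
! replies are accepted and bindings can be learned. IP Source Guard is
! not applied here (it would show as inactive-trust-port anyway).
interface gi1/1
 description uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Access port for a host that gets its address via DHCP. The port is
! deny-all (DHCP only) until the host completes the DHCP exchange, then
! only the leased IP is forwarded.
interface fa6/1
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip verify source vlan dhcp-snooping
!
! Access port for a host with a statically configured address. No DHCP
! exchange ever happens on this port, so without a static binding it
! would remain deny-all forever.
interface fa6/5
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip verify source vlan dhcp-snooping
!
! Static binding: ties the assumed MAC and IP to VLAN 10 on fa6/5.
! Any other source address arriving on fa6/5 is dropped.
ip source binding 0011.2233.4455 vlan 10 10.0.0.50 interface fa6/5
```

To verify, use `show ip verify source` (fa6/5 should show Filter-mode active with 10.0.0.50, gi1/1 should show inactive-trust-port), `show ip source binding` for the static entry, and `show ip dhcp snooping binding` for the entries learned on fa6/1. On other Catalyst platforms (e.g. 3560/3750) the per-interface command is `ip verify source` instead of `ip verify source vlan dhcp-snooping`; the global commands and the verification commands are the same.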
