
IP spoofing attacks and IP Source Guard (IPSG)

An IP address spoofing attack is a type of attack in which an attacker forges the source Internet Protocol (IP) address of IP datagrams so that the packets appear to come from another valid IP address. In IP address spoofing, IP packets are generated with fake source IP addresses in order to impersonate other systems or to hide the identity of the sender.

When enabled, the IP Source Guard (IPSG) feature can mitigate IP spoofing attacks. IPSG helps ensure that network devices use only their assigned IP addresses.

The IP Source Guard (IPSG) feature uses the information in the DHCP Snooping binding database to dynamically create port ACLs. IPSG can also use static IP binding entries. IPSG permits only Internet Protocol (IP) traffic whose source IP address matches an entry in the DHCP Snooping binding database. IPSG thus prevents a network device from transmitting an IP datagram with a source IP address other than the one it was assigned via Dynamic Host Configuration Protocol (DHCP).

Make sure that the DHCP snooping feature is configured properly before following these configuration steps.

 

How to enable IP Source Guard (IPSG) feature with IP source check

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip verify source
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to verify IP Source Guard (IPSG) with the IP source check

 

OmniSecuSW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip           active       172.16.10.175                       1

 

How to enable IP Source Guard (IPSG) feature with IP and MAC source check

 

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport port-security
OmniSecuSW1(config-if)#ip verify source port-security
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

 

How to verify IP Source Guard (IPSG) with the IP and MAC source check

 

OmniSecuSW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip-mac       active       172.16.10.175    00:00:AB:5E:C9:00  1

 

How to view the IP source bindings

 

OmniSecuSW1#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:99:88:00   172.16.10.178    689555      dhcp-snooping   1     Ethernet0/3
00:00:AB:9D:BC:00   172.16.10.176    689549      dhcp-snooping   1     Ethernet0/1
00:00:AB:5E:C9:00   172.16.10.175    689539      dhcp-snooping   1     Ethernet0/0
00:00:AB:D4:02:00   172.16.10.177    689555      dhcp-snooping   1     Ethernet0/2
Total number of bindings: 4
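
The following Python sketch is an added example, not part of the original tutorial or of any Cisco tooling. It parses the "show ip source binding" output shown above and models the per-port permit/deny decision described earlier, for both the IP-only check and the IP and MAC check. The function names and test packets are constructed for illustration, and the model is simplified (it ignores, for example, the DHCP traffic a port must be allowed to send before it has a binding).

```python
import re

# Output of "show ip source binding" as shown on this page.
SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:99:88:00   172.16.10.178    689555      dhcp-snooping   1     Ethernet0/3
00:00:AB:9D:BC:00   172.16.10.176    689549      dhcp-snooping   1     Ethernet0/1
00:00:AB:5E:C9:00   172.16.10.175    689539      dhcp-snooping   1     Ethernet0/0
00:00:AB:D4:02:00   172.16.10.177    689555      dhcp-snooping   1     Ethernet0/2
Total number of bindings: 4
"""

ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<lease>\S+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<interface>\S+)\s*$"
)

def parse_bindings(text):
    """Return {interface: [(ip, mac, vlan), ...]} from the table rows."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            bindings.setdefault(m["interface"], []).append(
                (m["ip"], m["mac"].lower(), int(m["vlan"])))
    return bindings

def ipsg_permits(bindings, interface, src_ip, src_mac, vlan=1, check_mac=False):
    """Simplified model of the per-port filter: permit only a source that matches
    a binding on the ingress port. check_mac=False models "ip verify source";
    check_mac=True models "ip verify source port-security"."""
    for ip, mac, bound_vlan in bindings.get(interface, []):
        if ip == src_ip and bound_vlan == vlan:
            if not check_mac or mac == src_mac.lower():
                return True
    return False  # no matching binding on this port: packet is dropped

if __name__ == "__main__":
    table = parse_bindings(SHOW_IP_SOURCE_BINDING)
    frames = [  # constructed test packets: (port, source IP, source MAC)
        ("Ethernet0/0", "172.16.10.175", "00:00:AB:5E:C9:00"),  # matches binding
        ("Ethernet0/0", "172.16.10.176", "00:00:AB:5E:C9:00"),  # IP bound elsewhere
        ("Ethernet0/0", "172.16.10.175", "00:00:AB:00:00:99"),  # MAC not in binding
    ]
    for port, ip, mac in frames:
        print(port, ip, mac,
              "ip:", ipsg_permits(table, port, ip, mac),
              "ip-mac:", ipsg_permits(table, port, ip, mac, check_mac=True))
```

The third packet shows the difference between the two modes: the IP-only filter permits it, while the IP and MAC filter drops it.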