What is the function of IP Source Guard?
Posted by GTAC-Sophia (Ruijie Staff, Level 5), 2022-7-14 14:40:17
IP Source Guard maintains a hardware-based IP packet filtering database and uses it to filter packets, so that only users matching the database can access network resources. This hardware-based filtering database is what lets IP Source Guard enforce efficient security control in DHCP deployments. It is built from the DHCP Snooping database: once IP Source Guard is enabled, the DHCP Snooping database is synchronized into the hardware-based filtering database, and IP Source Guard can then strictly filter IP packets from clients on a device with DHCP Snooping enabled.
By default, once IP Source Guard is enabled on a port, every IP packet traversing that port (except DHCP packets) is checked. Only users that obtained their IP addresses through DHCP, plus users covered by configured static bindings, can access the network. IP Source Guard supports IP+MAC filtering and IP-only filtering. In IP+MAC mode it checks both the source MAC and the source IP address of every packet and passes only packets that match the hardware-based filtering database; in IP-only mode it checks just the source IP address.
Requirements
As shown in the topology below, the core switch acts as the DHCP server. The administrator wants to enable IP Source Guard to enhance network security and prevent users who configure unauthorized static IP addresses from accessing the network.
Network Topology


Configuration Tips
1. The core switch acts as the DHCP server.
2. Enable DHCP Snooping and IP Source Guard on the access switch to enhance network security.
Configuration Example
Configuring the core switch:
1. Enable the DHCP service.
Ruijie(config)#service dhcp
2. Assign an IP address to VLAN 1, which is the user gateway.
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 1)#exit
3. Create the DHCP pool.
Ruijie(config)#ip dhcp pool vlan1
Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0
Ruijie(dhcp-config)#dns-server 218.85.157.99
Ruijie(dhcp-config)#default-router 192.168.1.254
Ruijie(dhcp-config)#end
Ruijie#wr
Configuring the access switch:
1. Enable DHCP Snooping.
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping     ------>enable DHCP Snooping
2. Configure the port connected to the DHCP server as a DHCP Snooping trust port.
Ruijie(config)#interface gigabitEthernet 0/49
Ruijie(config-if-GigabitEthernet 0/49)#ip dhcp snooping trust    ------>by default all ports are untrusted; only a trust port may forward DHCP Offer and Ack packets
Ruijie(config-if-GigabitEthernet 0/49)#exit
3. Enable IP Source Guard on the ports connected to users.
Ruijie(config)#interface range fastEthernet 0/1-2                      ------>configure a range of interfaces
Ruijie(config-if-range)#ip verify source port-security                 ------>enable IP Source Guard in "source IP + MAC" mode
Ruijie(config-if-range)#exit
4. Configure a static IP and MAC binding. A station that matches the binding entry also passes IP Source Guard validation. The VLAN, IP address and interface in the entry must match the port and subnet the station actually uses, otherwise the entry never matches.
Ruijie(config)#ip source binding 001a.a2bc.3a4d vlan 10 192.168.10.5 interface fa0/15
Ruijie(config)#interface fastEthernet 0/15
Ruijie(config-if-FastEthernet 0/15)#ip verify source port-security                  ------>enable IP Source Guard in "source IP + MAC" mode
5. Save the configuration.
Ruijie(config-if-FastEthernet 0/15)#end
Ruijie#write
Verification
1. Display the DHCP assignment.
2. Display the NIC status on the station: Start -> Run -> cmd -> ipconfig/all
3. Display the DHCP Snooping binding table.
4. Display the IP Source Guard table.
5. Use ping to test connectivity while the station passes IP Source Guard validation.
6. Display the ARP table on the station.
7. Execute "ipconfig/release" to release the IP address assigned by DHCP, then configure a static IP address.
8. Confirm that the static IP address has been assigned to the station.
9. There is no binding entry for the station when the IP Source Guard table is displayed.
10. Use ping to test connectivity now that the station does not pass IP Source Guard validation.
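As an added illustration (not Ruijie code), the following Python model replays the filtering rules described at the top of this post and the verification scenario above: the filter database is the DHCP Snooping table plus the static binding from step 4, DHCP packets are exempt, and a station that releases its lease and then sets a static address is dropped. The port names, the 0011.2233.4455 MAC and the 192.168.1.10 lease are constructed samples; the two-mode distinction (IP+MAC versus IP-only) is taken from the post's description, not from Ruijie's implementation.

```python
from dataclasses import dataclass, field
# Constructed model (not Ruijie code) of the IP Source Guard decision this page
# describes: filter database = DHCP Snooping bindings + static bindings, checked
# per port in "ip-mac" mode (ip verify source port-security) or "ip" mode.
@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass
class Switch:
    snooping: set = field(default_factory=set)   # synced from the DHCP Snooping table
    static: set = field(default_factory=set)     # "ip source binding ..." entries
    guarded: dict = field(default_factory=dict)  # port -> "ip-mac" or "ip"

    def dhcp_lease(self, b):     # DHCP Ack forwarded by the trust port: entry learned
        self.snooping.add(b)

    def dhcp_release(self, b):   # lease released (ipconfig /release): entry removed
        self.snooping.discard(b)

    def permits(self, port, src_mac, src_ip, vlan, is_dhcp=False):
        mode = self.guarded.get(port)
        if mode is None or is_dhcp:  # unguarded port, or DHCP packets are exempt
            return True
        for b in self.snooping | self.static:
            if (b.port, b.vlan, b.ip) != (port, vlan, src_ip):
                continue
            if mode == "ip" or b.mac == src_mac:
                return True
        return False

def verification_walkthrough():
    # Replays the page's verification steps; MACs and IPs are constructed samples.
    sw = Switch(guarded={"Fa0/1": "ip-mac", "Fa0/15": "ip-mac"})
    sw.static.add(Binding("001a.a2bc.3a4d", "192.168.10.5", 10, "Fa0/15"))
    lease = Binding("0011.2233.4455", "192.168.1.10", 1, "Fa0/1")
    r = {}
    r["dhcp_request_allowed"] = sw.permits("Fa0/1", lease.mac, "0.0.0.0", 1, is_dhcp=True)
    sw.dhcp_lease(lease)
    r["dhcp_client_ping"] = sw.permits("Fa0/1", lease.mac, lease.ip, 1)  # step 5: passes
    sw.dhcp_release(lease)                                               # step 7
    r["static_ip_ping"] = sw.permits("Fa0/1", lease.mac, lease.ip, 1)    # step 10: blocked
    r["static_binding_ping"] = sw.permits("Fa0/15", "001a.a2bc.3a4d", "192.168.10.5", 10)
    r["wrong_mac_ipmac_mode"] = sw.permits("Fa0/15", "0000.0000.0001", "192.168.10.5", 10)
    sw.guarded["Fa0/15"] = "ip"  # IP-only mode checks the source IP alone
    r["wrong_mac_ip_mode"] = sw.permits("Fa0/15", "0000.0000.0001", "192.168.10.5", 10)
    return r
```

The last two results show why the post's "source IP + MAC" mode is the stricter choice: a host reusing a bound IP address from a different MAC is dropped in IP+MAC mode but passes in IP-only mode.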
Product Model: RG-S5300-24GT4XS-E (Switch)