# IPSG Configuration

Configuration Guide, Security Configuration section.
## Introduction

IP Source Guard (IPSG) is a defense mechanism against IP address spoofing attacks. It checks whether a user on a specific VLAN interface is a legitimate user based on the source IP address and source MAC address in the IP packet. IPSG prevents malicious hosts from forging the IP addresses of legitimate hosts, ensuring that unauthorized hosts cannot access or attack the network by assigning their own IP addresses.

## Explanation of Principles

The user legitimacy check compares the source IP address and source MAC address in the IP packet with the static binding entries, DHCP snooping entries and ND snooping security entries on the device. If the packet matches any of these entries, it is considered legitimate and forwarded; otherwise it is considered illegitimate and discarded. On IP trusted interfaces no user legitimacy check is performed. On non-trusted interfaces the user legitimacy check is required to prevent spoofed-user attacks.

## IPSG Configuration

| Configuration task | Instructions |
|---|---|
| Enable IPSG | Required |
| Configure IPSG trusted ports | Optional |

### Enabling IPSG

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | - |
| Enter the VLAN view | `vlan <id>` | - |
| Enable the IPSG function | `ipv4 source check enable` / `ipv6 source check enable` | - |

### Configuring IPSG Trusted Ports

For an interface configured as an IP Source Guard (IPSG) trusted interface, if IPSG is enabled for a specific VLAN on that interface, all IP packets received on that interface with the corresponding VLAN ID are allowed to pass without any further inspection.

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | - |
| Enter the interface view | `interface ethernet <interface id>` | - |
| Configure IPSG trusted ports | `ipv4 source check trusted interface vlan <vlan id>` / `ipv6 source check trusted interface vlan <vlan id>` | - |

## Configuration Example

### Network Requirements

Users access the network through the switch. All users are known to be in the same VLAN, VLAN 100, and all of them use IPv4/IPv6 dual stack. The administrator wants to enable the security function on the switch to prevent illegal users from accessing the network with private IP addresses. PC 4 is a silent terminal and needs to access the network with a manually configured IP address; PC 2 is an illegal user with a forged private IP address.

### Procedure

The creation of the VLAN and the VLANIF interface is omitted.

1. Enable the DHCP relay function.

```
sonic(config)# dhcp relay test v4
sonic(config dhcp relay test v4)# down link interface vlan 100
sonic(config dhcp relay test v4)# up link interface 49
sonic(config dhcp relay test v4)# server ip 10.10.1.1
sonic(config dhcp relay test v4)# loopback interface loopback 0
sonic(config dhcp relay test v4)# exit
sonic(config)# dhcp relay test1 v6
sonic(config dhcp relay test v6)# down link interface vlan 100
sonic(config dhcp relay test v6)# up link interface 49
sonic(config dhcp relay test v6)# server ip 4005::1
sonic(config dhcp relay test v6)# loopback interface loopback 0
sonic(config dhcp relay test v6)# exit
```

2. Enable DHCP snooping.

```
sonic(config)# dhcp snooping enable
sonic(config)# interface vlan 100
sonic(config vlanif 100)# dhcp snooping enable
```

3. Configure the interface connected to the DHCP server as a trusted port.

```
sonic(config)# interface ethernet 49
sonic(config if 49)# dhcp snooping enable
sonic(config if 49)# dhcp snooping trusted
```

4. Enable the IPSG function and configure port ethernet4 as a trusted port.

```
sonic(config)# vlan 100
sonic(config vlan 100)# ipv4 source check enable
sonic(config vlan 100)# ipv6 source check enable
sonic(config vlan 100)# ipv4 source check trusted interface ethernet4
sonic(config vlan 100)# ipv6 source check trusted interface ethernet4
```

### Verify Configuration

View the device configuration.

```
# view ipsg feature configuration
sonic# ipv4 source check config
+--------------+--------------+----------------------+
| interfaces   | check mode   | trusted interfaces   |
+==============+==============+======================+
| vlan100      | true         | ['ethernet1']        |
+--------------+--------------+----------------------+
# view ipsgv6 feature configuration
sonic# ipv6 source check config
+--------------+--------------+----------------------+
| interfaces   | check mode   | trusted interfaces   |
+==============+==============+======================+
| vlan100      | true         | ['ethernet1']        |
+--------------+--------------+----------------------+
```

PC 1, PC 3 and PC 4 can access the network normally; PC 2 cannot access the network, and its packets are counted in the packet loss statistics of the security function.
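The legitimacy check from the principles section and the trusted-port exception used in the example above, modelled as an added Python example (this is not the switch's own code). The hosts, addresses, MAC values and port names are constructed to mirror the VLAN 100 scenario, with PC 2 reusing PC 1's IP address.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:          # one static, DHCP snooping or ND snooping entry
    vlan: int
    ip: str
    mac: str

@dataclass
class IpsgVlan:         # IPSG state of one VLAN: per-family switch, trusted ports
    ipv4_check: bool = False
    ipv6_check: bool = False
    trusted: set = field(default_factory=set)

@dataclass(frozen=True)
class Packet:           # the fields IPSG looks at on ingress
    in_port: str
    vlan: int
    src_ip: str
    src_mac: str

def ipsg_decide(pkt, vlans, bindings, drops):
    """Return 'forward' or 'discard' for pkt and count discards per VLAN in drops."""
    state = vlans.get(pkt.vlan)
    enabled = state and (state.ipv6_check if ":" in pkt.src_ip else state.ipv4_check)
    if not enabled or pkt.in_port in state.trusted:   # no check: IPSG off or trusted port
        return "forward"
    for b in bindings:                                  # any matching entry legitimises the packet
        if (b.vlan, b.ip, b.mac.lower()) == (pkt.vlan, pkt.src_ip, pkt.src_mac.lower()):
            return "forward"
    drops[pkt.vlan] = drops.get(pkt.vlan, 0) + 1       # the "packet loss statistics" of the page
    return "discard"

def run_scenario():
    """Constructed counterpart of the page's example: VLAN 100, ethernet4 trusted, PC 2 spoofing."""
    vlans = {100: IpsgVlan(ipv4_check=True, ipv6_check=True, trusted={"ethernet4"})}
    bindings = [Binding(100, "192.0.2.11", "00:00:5e:00:53:11"),    # PC 1, learned by DHCP snooping
                Binding(100, "2001:db8::13", "00:00:5e:00:53:13")]  # PC 3, learned by ND snooping
    packets = {
        "pc1": Packet("ethernet1", 100, "192.0.2.11", "00:00:5e:00:53:11"),
        "pc2": Packet("ethernet2", 100, "192.0.2.11", "00:00:5e:00:53:22"),  # borrows PC 1's address
        "pc3": Packet("ethernet3", 100, "2001:db8::13", "00:00:5e:00:53:13"),
        "pc4": Packet("ethernet4", 100, "192.0.2.14", "00:00:5e:00:53:14"),  # silent host, trusted port
    }
    drops = {}
    return {n: ipsg_decide(p, vlans, bindings, drops) for n, p in packets.items()}, drops
```

PC 4 has no binding entry at all and is forwarded only because ethernet4 is trusted, which is why a trusted port should carry nothing but hosts the administrator accounts for by hand.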
