IPSG Configuration

IP Source Guard (IPSG) is a defense mechanism against IP address spoofing attacks. It checks whether a user on a specific VLAN interface is a legitimate user based on the source IP address and source MAC address in the IP packet. IPSG prevents malicious hosts from forging the IP addresses of legitimate hosts, ensuring that unauthorized hosts cannot access or attack the network by specifying their own IP addresses.

The legitimacy check compares the source IP address and source MAC address of each IP packet with the static binding entries, DHCP Snooping entries and ND Snooping security entries held on the device. If the packet matches any of these entries it is considered legitimate and forwarded; otherwise it is considered illegitimate and discarded.

No legitimacy check is performed on IP trusted interfaces. On untrusted interfaces the check is required in order to block spoofed-user attacks.

| Configuration task | Instructions |
|---|---|
| Enable IPSG | Required |
| Configure IPSG trusted ports | Optional |

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | |
| Enter the VLAN view | `vlan ID` | |
| Enable the IPSG function | `ipv4-source-check enable` / `ipv6-source-check enable` | |

For interfaces configured as IP Source Guard (IPSG) trusted interfaces, if IPSG is enabled for a specific VLAN on that interface, then all IP packets received on that interface with the corresponding VLAN ID are allowed to pass through without any further inspection.
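The forwarding decision described in the preceding paragraphs, written out as a small model so the three outcomes can be traced: no check when IPSG is off for the VLAN, pass-through on a trusted interface, and otherwise forward only on a binding match. This is an added illustration, not SONiC's own implementation; the binding entries, MAC addresses, client IPs and the Ethernet1 to Ethernet4 port names are constructed to mirror the example topology, and only the VLAN number comes from the page.

```python
"""Model of the IPSG forwarding decision (added example, not SONiC code).

Binding entries, MACs, client IPs and port names below are constructed
to mirror the page's example topology; only VLAN 100 comes from the page.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One binding entry (static, DHCP Snooping or ND Snooping)."""
    vlan: int
    ip: str
    mac: str
    source: str  # "static", "dhcp-snooping" or "nd-snooping"


@dataclass
class VlanIpsg:
    """Per-VLAN IPSG state: ipv4/ipv6-source-check enable plus trusted ports."""
    v4_enabled: bool = False
    v6_enabled: bool = False
    trusted_interfaces: set[str] = field(default_factory=set)


@dataclass
class Ipsg:
    vlans: dict[int, VlanIpsg] = field(default_factory=dict)
    bindings: list[Binding] = field(default_factory=list)
    drops: dict[str, int] = field(default_factory=dict)  # drop counter per ingress port

    def check(self, vlan: int, interface: str, src_ip: str, src_mac: str) -> bool:
        """Return True if the packet is forwarded, False if IPSG discards it."""
        try:
            src = ipaddress.ip_address(src_ip)
        except ValueError:
            self._drop(interface)  # unparsable source address: treat as illegitimate
            return False
        state = self.vlans.get(vlan)
        enabled = state is not None and (
            state.v6_enabled if src.version == 6 else state.v4_enabled)
        if not enabled:
            return True  # IPSG is not enabled for this VLAN: nothing to check
        if interface in state.trusted_interfaces:
            return True  # trusted interface: forwarded without inspection
        for b in self.bindings:
            if (b.vlan == vlan
                    and ipaddress.ip_address(b.ip) == src
                    and b.mac.lower() == src_mac.lower()):
                return True  # source IP and MAC match a binding entry
        self._drop(interface)
        return False

    def _drop(self, interface: str) -> None:
        self.drops[interface] = self.drops.get(interface, 0) + 1


def build_example() -> Ipsg:
    """Constructed state: IPSG on VLAN 100, Ethernet4 trusted, two snooping entries."""
    ipsg = Ipsg()
    ipsg.vlans[100] = VlanIpsg(v4_enabled=True, v6_enabled=True,
                               trusted_interfaces={"Ethernet4"})
    ipsg.bindings += [
        Binding(100, "10.10.1.11", "00:11:22:33:44:01", "dhcp-snooping"),  # PC 1
        Binding(100, "4005::13", "00:11:22:33:44:03", "nd-snooping"),      # PC 3
    ]
    return ipsg


def run_example() -> dict[str, bool]:
    """Forwarding decision for each PC in the example topology."""
    ipsg = build_example()
    return {
        # PC 1: address and MAC learned by DHCP Snooping
        "PC1": ipsg.check(100, "Ethernet1", "10.10.1.11", "00:11:22:33:44:01"),
        # PC 2: uses PC 1's address from its own MAC, so no entry matches
        "PC2": ipsg.check(100, "Ethernet2", "10.10.1.11", "00:11:22:33:44:02"),
        # PC 3: same IPv6 address as the entry, written in a different textual form
        "PC3": ipsg.check(100, "Ethernet3", "4005:0:0::13", "00:11:22:33:44:03"),
        # PC 4: manually configured address on the trusted port Ethernet4
        "PC4": ipsg.check(100, "Ethernet4", "10.10.1.200", "00:11:22:33:44:04"),
    }
```

Addresses are compared as parsed `ipaddress` objects rather than strings, so an IPv6 binding still matches when the packet's address is written in a different but equivalent form; the per-port drop counter is what the verification step later refers to as packet-loss statistics.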

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | |
| Enter the interface view | `interface ethernet interface-id` | |
| Configure IPSG trusted ports | `ipv4-source-check trusted-interface vlan vlan-id` / `ipv6-source-check trusted-interface vlan vlan-id` | |

Network requirements

Users access the network through the switch. All of them are known to be in the same VLAN (VLAN 100) and all run IPv4/IPv6 dual stack. The administrator wants to enable a security function on the switch that prevents illegal users from accessing the network with privately configured IP addresses, where:

  - PC 4 is a silent terminal and needs to access the network with a manually configured IP address.
  - PC 2 is an illegal user with a forged, privately configured IP address.

Procedure

  1. Create VLAN 100 and its VLAN interface (this configuration is omitted here).
  2. Enable the DHCP relay function:

```
sonic(config)# dhcp-relay test v4
sonic(config-dhcp-relay-test__v4)# down_link interface vlan 100
sonic(config-dhcp-relay-test__v4)# up_link interface 49
sonic(config-dhcp-relay-test__v4)# server_ip 10.10.1.1
sonic(config-dhcp-relay-test__v4)# loopback_interface loopback 0
sonic(config-dhcp-relay-test__v4)# exit
sonic(config)# dhcp-relay test1 v6
sonic(config-dhcp-relay-test__v6)# down_link interface vlan 100
sonic(config-dhcp-relay-test__v6)# up_link interface 49
sonic(config-dhcp-relay-test__v6)# server_ip 4005::1
sonic(config-dhcp-relay-test__v6)# loopback_interface loopback 0
sonic(config-dhcp-relay-test__v6)# exit
```

  3. Enable DHCP Snooping:

```
sonic(config)# dhcp snooping enable
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# dhcp-snooping enable
```

  4. Configure the interface connected to the DHCP server as a trusted port:

```
sonic(config)# interface ethernet 49
sonic(config-if-49)# dhcp-snooping enable
sonic(config-if-49)# dhcp-snooping trusted
```

  5. Enable the IPSG function and configure port Ethernet4 as a trusted port:

```
sonic(config)# vlan 100
sonic(config-vlan-100)# ipv4-source-check enable
sonic(config-vlan-100)# ipv6-source-check enable
sonic(config-vlan-100)# ipv4-source-check trusted-interface Ethernet4
sonic(config-vlan-100)# ipv6-source-check trusted-interface Ethernet4
```

Verify configuration

  1. View the device configuration.

```
# View IPSG feature configuration
sonic# ipv4-source-check config
+--------------+--------------+----------------------+
| Interfaces | Check mode | Trusted interfaces |
+==============+==============+======================+
| Vlan100 | true | ['Ethernet1'] |
+--------------+--------------+----------------------+
```

```
# View IPSGv6 feature configuration
sonic# ipv6-source-check config
+--------------+--------------+----------------------+
| Interfaces | Check mode | Trusted interfaces |
+==============+==============+======================+
| Vlan100 | true | ['Ethernet1'] |
+--------------+--------------+----------------------+
```

  2. PC 1, PC 3 and PC 4 can access the network normally; PC 2 cannot access the network, and its discarded packets are counted in the security function's packet-loss statistics.
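Reading the `ipv4-source-check config` table by eye is fine for one VLAN; for a fleet the useful check is to parse it and compare against the intended state. The following is an added example, not SONiC code: the sample output is the table from the verification step above, and the expected state is what the procedure configured (IPSG enabled on VLAN 100 with Ethernet4 trusted). Run against the page's own output it reports that the running trusted port is Ethernet1 rather than Ethernet4, which is exactly the kind of drift between configured and verified state such a check exists to surface.

```python
"""Parse `ipv4-source-check config` output and audit it against intent.

Added example, not SONiC code. SAMPLE_OUTPUT is the table from the page's
verification step; EXPECTED is the state the procedure configured.
"""
from __future__ import annotations

import ast

SAMPLE_OUTPUT = """\
+--------------+--------------+----------------------+
| Interfaces | Check mode | Trusted interfaces |
+==============+==============+======================+
| Vlan100 | true | ['Ethernet1'] |
+--------------+--------------+----------------------+
"""

# Intent recorded from the procedure: IPSG on VLAN 100, Ethernet4 trusted.
EXPECTED = {"Vlan100": {"check_mode": True, "trusted": ["Ethernet4"]}}


def parse_source_check_table(text: str) -> dict[str, dict]:
    """Return {vlan_name: {"check_mode": bool, "trusted": [port, ...]}}."""
    rows: dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border lines (+---+ / +===+) carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Interfaces":
            continue  # skip the header row and anything malformed
        vlan, mode, trusted = cells
        # The CLI prints the trusted list as a Python-style literal, e.g. ['Ethernet1'].
        trusted_ports = list(ast.literal_eval(trusted)) if trusted else []
        rows[vlan] = {"check_mode": mode.lower() == "true", "trusted": trusted_ports}
    return rows


def audit(actual: dict[str, dict], expected: dict[str, dict]) -> list[str]:
    """Compare running IPSG state with intent; return human-readable findings."""
    findings: list[str] = []
    for vlan, want in expected.items():
        got = actual.get(vlan)
        if got is None:
            findings.append(f"{vlan}: IPSG not configured")
            continue
        if got["check_mode"] != want["check_mode"]:
            findings.append(
                f"{vlan}: check mode is {got['check_mode']}, expected {want['check_mode']}")
        for port in sorted(set(got["trusted"]) - set(want["trusted"])):
            findings.append(f"{vlan}: unexpected trusted interface {port}")
        for port in sorted(set(want["trusted"]) - set(got["trusted"])):
            findings.append(f"{vlan}: missing trusted interface {port}")
    for vlan in sorted(set(actual) - set(expected)):
        findings.append(f"{vlan}: present on device but not in intent")
    return findings


def audit_sample() -> list[str]:
    """Audit the page's sample output against the procedure's intent."""
    return audit(parse_source_check_table(SAMPLE_OUTPUT), EXPECTED)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

An unexpected trusted interface is the finding to treat as high priority: every packet entering on that port in the IPSG-enabled VLAN bypasses the source check, so a trusted port on the wrong interface silently reopens the spoofing path the feature was enabled to close.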