What is IP Source Guard and how to enable it?

Aruba Employee

Introduction: IP Source Guard (IPSG) permits IP traffic only from known source IP addresses and drops all other IP traffic, which prevents IP spoofing attacks.

IPSG allows only the traffic permitted by the DHCP snooping table for that interface. If the user later configures a different, static IP address on the client, that traffic will be dropped.

Environment: This article applies to Aruba Mobility Switches running version 7.3 and above.

Note:

1. For IP Source Guard to work, DHCP snooping must be enabled on that VLAN.
2. IPSG can only filter IP traffic. Layer-2 traffic (ARP, etc.) will still be allowed through.
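To make the two notes concrete, here is a small behavioural model of what IPSG does with a frame. It is an added illustration, not Aruba code: the binding table holds the one lease shown later in this article, while the port names, the `Frame` class and the sample traffic are constructed for the example. The model assumes IPSG matches the (IP, MAC, VLAN) triple that the `show ip source-guard ... detail` output lists, passes non-IP frames untouched, and does not touch ports without a port-security profile.

```python
"""Behavioural model of IP Source Guard as the article describes it.

Added illustration, not Aruba code. The frame class, port list and sample
traffic are constructed for this example; on a real switch the binding table
is the DHCP snooping table and IPSG consults it in hardware.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# (interface, vlan) -> {(mac, ip)} learnt by DHCP snooping. One binding, taken from the article.
SNOOPING_TABLE: Dict[Tuple[str, int], Set[Tuple[str, str]]] = {
    ("ge0/0/20", 1): {("f0:1f:af:52:44:09", "10.1.1.251")},
}

# Ports whose port-security-profile has ip-src-guard applied (constructed: downstream access ports).
IPSG_PORTS = {"ge0/0/20", "ge0/0/21"}


@dataclass(frozen=True)
class Frame:
    ingress: str                  # port the frame arrived on
    vlan: int
    src_mac: str
    ethertype: str                # "ipv4" or "arp" in this simplified model
    src_ip: Optional[str] = None  # only present for IP frames


def ipsg_decision(frame: Frame,
                  snooping=SNOOPING_TABLE,
                  ipsg_ports=IPSG_PORTS) -> str:
    """Return 'permit' or 'drop' for a frame, applying the rules stated in the article."""
    if frame.ingress not in ipsg_ports:
        return "permit"               # IPSG not configured on this port (uplinks, server ports)
    if frame.ethertype != "ipv4":
        return "permit"               # IPSG filters IP only; ARP and other L2 traffic pass
    allowed = snooping.get((frame.ingress, frame.vlan), set())
    if (frame.src_mac.lower(), frame.src_ip) in allowed:
        return "permit"               # source matches the DHCP lease seen on this port/VLAN
    return "drop"                     # anything else, including a later static IP, is dropped


def evaluate_samples() -> Dict[str, str]:
    """Constructed frames covering each case in the article's notes."""
    samples = {
        # Client using its DHCP lease: allowed.
        "leased_ip": Frame("ge0/0/20", 1, "f0:1f:af:52:44:09", "ipv4", "10.1.1.251"),
        # Same client reconfigures a static address: its IP traffic is dropped.
        "static_ip": Frame("ge0/0/20", 1, "f0:1f:af:52:44:09", "ipv4", "10.1.1.50"),
        # ...but its ARP still passes, because IPSG is L3-only.
        "static_ip_arp": Frame("ge0/0/20", 1, "f0:1f:af:52:44:09", "arp"),
        # Another host on the same port claiming the leased IP: MAC does not match the binding.
        "spoofed_mac": Frame("ge0/0/20", 1, "00:11:22:33:44:55", "ipv4", "10.1.1.251"),
        # IPSG port with no binding yet (no DHCP lease seen): all IP traffic is dropped.
        "no_binding_yet": Frame("ge0/0/21", 1, "00:11:22:33:44:56", "ipv4", "10.1.1.60"),
        # Uplink without IPSG: not filtered at all.
        "uplink_no_ipsg": Frame("ge0/1/0", 1, "00:aa:bb:cc:dd:ee", "ipv4", "10.1.1.1"),
    }
    return {name: ipsg_decision(f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:16} {verdict}")
```

The `no_binding_yet` case is the one that surprises people in practice: a port with IPSG enabled but no DHCP lease behind it drops every IP packet, which is exactly why the Answer section below says not to enable it towards servers and uplinks.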

Configuration Steps: First, enable DHCP snooping on the VLAN:

1. Create a DHCP snooping profile:

(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit

(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

2. Enable it on a VLAN:

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit


3. Create a port-security profile and enable IPSG in it:

(ArubaS2500-24P) (config) #interface-profile port-security-profile try
(ArubaS2500-24P) (Port security profile "try") #ip-src-guard

4. Apply the port-security-profile to the interface:

(ArubaS2500-24P) (Port security profile "try") #exit
(ArubaS2500-24P) (config) #interface gigabitethernet 0/0/20
(ArubaS2500-24P) (gigabitethernet "0/0/20") #port-security-profile try
(ArubaS2500-24P) (gigabitethernet "0/0/20") #exit


Answer:

1. IPSG needs DHCP snooping to work.
2. IPSG can only drop Layer-3 (IP) traffic.
3. It should only be enabled on downstream ports that connect to end devices. It should never be enabled on ports that connect to servers or uplinks, as those devices seldom use DHCP.


Verification:

Always verify that the DHCP snooping table and the IPSG table are populated with the correct entries:

(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 21:26:40 (PST)  1        gigabitethernet0/0/20



(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 0/0/20 detail
IPSG allowed users on the interface
-----------------------------------
IP Address  Mac Address        VLAN
----------  -----------        ----
10.1.1.251  f0:1f:af:52:44:09  1
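Checking the two tables by eye works for one port; for many ports it is easier to script. The following is an added example, not Aruba code: it parses the text of `show dhcp-snooping-database` and `show ip source-guard interface ... detail` as printed in this article (the embedded sample outputs are copied from the listings above) and reports any lease that IPSG is not enforcing, any IPSG entry with no lease behind it, and an empty allow-list, which would mean every IP packet on that port is being dropped. The interface-name normalisation (`gigabitethernet0/0/20` and `GE0/0/20` to one form) is this example's own assumption about the two spellings the outputs use.

```python
"""Cross-check DHCP snooping bindings against the IPSG allow-list for a port.

Added example, not Aruba code. Parses the text of 'show dhcp-snooping-database'
and 'show ip source-guard interface ... detail' as shown in this article.
"""
import re

# Sample outputs, copied from the article's CLI listings.
SNOOP_OUTPUT = """\
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 21:26:40 (PST)  1        gigabitethernet0/0/20
"""

IPSG_OUTPUT = """\
IPSG allowed users on the interface
-----------------------------------
IP Address  Mac Address        VLAN
----------  -----------        ----
10.1.1.251  f0:1f:af:52:44:09  1
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def normalize_interface(name: str) -> str:
    """Map 'gigabitethernet 0/0/20', 'gigabitethernet0/0/20' and 'GE0/0/20' to 'ge0/0/20' (assumed spellings)."""
    return name.lower().replace(" ", "").replace("gigabitethernet", "ge")


def parse_snooping_table(text: str):
    """Return {(mac, ip, vlan, interface)} from show dhcp-snooping-database.

    Data rows are recognised by shape (MAC, then IPv4 address). BINDING-STATE and
    LEASE-TIME contain spaces, so VLAN-ID and INTERFACE are read from the line end.
    """
    bindings = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not MAC_RE.match(tokens[0]) or not IPV4_RE.match(tokens[1]):
            continue
        bindings.add((tokens[0].lower(), tokens[1], tokens[-2], normalize_interface(tokens[-1])))
    return bindings


def parse_ipsg_allowed(text: str):
    """Return {(mac, ip, vlan)} from show ip source-guard interface ... detail."""
    allowed = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 3 or not IPV4_RE.match(tokens[0]) or not MAC_RE.match(tokens[1]):
            continue
        ip, mac, vlan = tokens
        allowed.add((mac.lower(), ip, vlan))
    return allowed


def check_port(snoop_text: str, ipsg_text: str, interface: str) -> dict:
    """Compare both tables for one port: every lease on the port should be in IPSG, and nothing else."""
    port = normalize_interface(interface)
    expected = {(mac, ip, vlan) for mac, ip, vlan, iface in parse_snooping_table(snoop_text)
                if iface == port}
    actual = parse_ipsg_allowed(ipsg_text)
    return {
        "interface": port,
        "not_enforced": sorted(expected - actual),  # lease exists, IPSG is not permitting it
        "stale": sorted(actual - expected),         # IPSG permits a pair with no lease behind it
        # An empty allow-list is a failure too: the port would drop all IP traffic.
        "ok": bool(expected) and expected == actual,
    }


if __name__ == "__main__":
    print(check_port(SNOOP_OUTPUT, IPSG_OUTPUT, "gigabitethernet 0/0/20"))
```

Run it against the real outputs by pasting them into the two strings (or reading them from files); the `interface` argument accepts the spelling used on the command line.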


Troubleshooting:

1. Make sure DHCP snooping is enabled on the VLAN to which the port belongs:

(ArubaS2500-24P) #show vlan
----  -----------  -----
1     VLAN0001     GE0/0/0-23 GE0/1/0-1

(ArubaS2500-24P) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled


2. Make sure that the client machine uses DHCP to obtain its IP lease.

3. Confirm that the DHCP snooping table contains an entry for that port with the correct IP address.

(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 21:26:40 (PST)  1        gigabitethernet0/0/20

4. Verify that IPSG is enabled on that interface:

(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 0/0/20
IPSG interface Info
-------------------
Interface   IPSG
----------  ----
GE0/0/20    Enabled

5. Confirm that the VLAN, MAC address and IP address are correctly visible in the IPSG info for that port:

(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 0/0/20 detail
IPSG allowed users on the interface
-----------------------------------
IP Address  Mac Address        VLAN
----------  -----------        ----
10.1.1.251  f0:1f:af:52:44:09  1

Version history: Revision 1 of 1. Last update: 07-08-2014 04:15 PM