Wired Intelligent Edge (Campus Switching and Routing)


What is IP Source Guard and how to enable it? 

Jul 08, 2014 07:15 PM

Introduction : IP Source Guard (IPSG) permits IP traffic only from source addresses that the switch has learnt through DHCP snooping on that interface and drops all other IP traffic, which prevents hosts from spoofing IP addresses.

IPSG allows only the traffic that matches an entry in the DHCP snooping table for that interface (IP address, MAC address and VLAN). If the user later assigns a different static IP address to the host, traffic from that address no longer matches a binding and is dropped.


Environment : This article applies to Aruba Mobility Access Switches running software version 7.3 and above.

Note:

1. For IP Source Guard to work, DHCP snooping must be enabled on the VLAN to which the port belongs; the IPSG allow list is built from the DHCP snooping bindings.
2. IPSG filters IP traffic only. Layer-2 traffic (ARP etc.) is still allowed through, so IPSG on its own does not stop ARP spoofing.


Configuration Steps : First enable DHCP snooping on the VLAN:

1. Create a dhcp-snooping profile:

(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit

(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

2. Enable it on a VLAN:

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit


3. Create a port security profile and enable IPSG in it:

(ArubaS2500-24P) (config) #interface-profile port-security-profile try
(ArubaS2500-24P) (Port security profile "try") #ip-src-guard

4. Apply the port-security-profile to the interface:

(ArubaS2500-24P) (Port security profile "try") #exit
(ArubaS2500-24P) (config) #interface gigabitethernet 0/0/20
(ArubaS2500-24P) (gigabitethernet "0/0/20") #port-security-profile try
(ArubaS2500-24P) (gigabitethernet "0/0/20") #exit


Answer :

1. IPSG needs DHCP snooping to work.
2. IPSG drops only L-3 (IP) traffic.
3. It should be enabled only on downstream ports that connect to end devices. It should never be enabled on ports that connect to servers or on uplinks: these devices seldom use DHCP, so they have no entry in the DHCP snooping table and IPSG would drop all of their IP traffic.


Verification :

Always verify that the DHCP snooping table and the IPSG table are populated with the correct entries:

(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 21:26:40 (PST)  1        gigabitethernet0/0/20



(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 0/0/20 detail
IPSG allowed users on the interface
-----------------------------------
IP Address  Mac Address        VLAN
----------  -----------        ----
10.1.1.251  f0:1f:af:52:44:09  1

Troubleshooting :

1. Make sure DHCP snooping is enabled on the VLAN to which the port belongs:

(ArubaS2500-24P) #show vlan
VLAN  Description  Ports
----  -----------  -----
1     VLAN0001     GE0/0/0-23 GE0/1/0-1

(ArubaS2500-24P) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled


2. Make sure that the client machine is using DHCP to obtain its IP lease.

3. Confirm that the DHCP snooping table contains the entry for that port with the correct IP address.

(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 21:26:40 (PST)  1        gigabitethernet0/0/20

4. Verify that IPSG is enabled on that interface:

(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 0/0/20
IPSG interface Info
-------------------
Interface   IPSG
----------  ----
GE0/0/20    Enabled

5. Confirm that the VLAN, MAC address and IP address are correctly visible in the IPSG info for that port:

(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 0/0/20 detail
IPSG allowed users on the interface
-----------------------------------
IP Address  Mac Address        VLAN
----------  -----------        ----
10.1.1.251  f0:1f:af:52:44:09  1
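The following is an added example, not code from the article or from HPE Aruba. It models offline what the Introduction and Note describe (IP traffic is forwarded only when it matches a DHCP snooping binding on the ingress port; ARP and other Layer-2 traffic pass untouched) and automates troubleshooting steps 3 to 5 by parsing the text of `show dhcp-snooping-database` and the `show ip source-guard interface` summary. The sample outputs are copied from this article and extended with two constructed rows (GE0/0/21 with IPSG enabled but no binding, GE0/0/22 with IPSG disabled) so the audit has something to flag; the frame fields and the assumption that the filter matches IP, MAC and VLAN together (as listed in the `detail` output) are this example's own.

```python
"""Offline model of IP Source Guard (IPSG) on an Aruba Mobility Access Switch.

Added example for this article; it is not code from the article or from
HPE Aruba. It parses `show dhcp-snooping-database` and the
`show ip source-guard interface` summary as printed in the article, builds
the per-port binding table, audits ports where IPSG is enabled without any
binding, and applies the forwarding rule the article describes. The extra
rows for GE0/0/21 and GE0/0/22, the frame fields and the IP+MAC+VLAN match
are this example's own assumptions.
"""
from dataclasses import dataclass
import re

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed input: the article's `show dhcp-snooping-database` output.
SNOOP_DB = """\
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 21:26:40 (PST)  1        gigabitethernet0/0/20
"""

# Constructed input: IPSG interface summary, with two ports added that are
# not in the article, to exercise the audit.
IPSG_STATUS = """\
IPSG interface Info
-------------------
Interface   IPSG
----------  ----
GE0/0/20    Enabled
GE0/0/21    Enabled
GE0/0/22    Disabled
"""


def norm_iface(name: str) -> str:
    """Map 'gigabitethernet0/0/20', 'gigabitethernet 0/0/20' and 'GE0/0/20' to 'GE0/0/20'."""
    name = name.replace(" ", "").lower()
    if name.startswith("gigabitethernet"):
        name = "ge" + name[len("gigabitethernet"):]
    return name.upper()


def parse_snoop_db(text: str) -> dict:
    """Return {port: {(ip, mac, vlan), ...}} from the DHCP snooping table text."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows start with a MAC; the last two columns are VLAN-ID and INTERFACE.
        if len(f) < 6 or not MAC_RE.match(f[0]):
            continue
        mac, ip, vlan, port = f[0], f[1], int(f[-2]), norm_iface(f[-1])
        table.setdefault(port, set()).add((ip, mac, vlan))
    return table


def parse_ipsg_status(text: str) -> dict:
    """Return {port: True/False} from the IPSG interface summary."""
    status = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 2 and f[1] in ("Enabled", "Disabled"):
            status[norm_iface(f[0])] = f[1] == "Enabled"
    return status


def audit(table: dict, status: dict) -> list:
    """Ports with IPSG on but no binding: every IP packet from them is dropped."""
    return sorted(p for p, on in status.items() if on and not table.get(p))


@dataclass
class Frame:
    port: str
    vlan: int
    ethertype: int
    src_mac: str
    src_ip: str = ""


def ipsg_verdict(table: dict, status: dict, fr: Frame) -> str:
    """Decide FORWARD or DROP for an ingress frame under the article's rule."""
    port = norm_iface(fr.port)
    if not status.get(port, False):
        return "FORWARD"               # IPSG not applied on this port
    if fr.ethertype != ETHERTYPE_IPV4:
        return "FORWARD"               # L2 traffic such as ARP is not filtered
    if (fr.src_ip, fr.src_mac.lower(), fr.vlan) in table.get(port, set()):
        return "FORWARD"               # matches the DHCP-learnt binding
    return "DROP"                      # static or spoofed source address


if __name__ == "__main__":
    t, s = parse_snoop_db(SNOOP_DB), parse_ipsg_status(IPSG_STATUS)
    print("IPSG on, no binding:", audit(t, s))
    for fr in (Frame("gigabitethernet 0/0/20", 1, ETHERTYPE_IPV4, "f0:1f:af:52:44:09", "10.1.1.251"),
               Frame("gigabitethernet 0/0/20", 1, ETHERTYPE_IPV4, "f0:1f:af:52:44:09", "10.1.1.50"),
               Frame("gigabitethernet 0/0/20", 1, ETHERTYPE_ARP, "f0:1f:af:52:44:09")):
        print(fr.src_ip or "arp", ipsg_verdict(t, s, fr))
```

A port that `audit` reports (IPSG enabled, no binding) is exactly the case in item 3 of the Answer section: a host that never asked for a DHCP lease, such as a server or an uplink device, loses all IP connectivity while its ARP still works, which is why the symptom is often "pingable by MAC learning but no IP traffic". Paste real `show` output into the two strings to run the same check against a production switch.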
