Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 27 Configuring IP Source Guard
Information About IP Source Guard
You can enable IPSG when DHCP snooping is enabled on an untrusted interface. After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

Note: The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface.

The IP source binding table bindings are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address with its associated MAC address and VLAN number. The switch uses the IP source binding table only when IPSG is enabled.
You can configure IPSG with source IP address filtering or with source IP and MAC address filtering.
Source IP Address Filtering
When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL by using the IP source binding changes and re-applies the port ACL to the interface.

If you enable IPSG on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IPSG, the switch removes the port ACL from the interface.
Source IP and MAC Address Filtering
IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.

When address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.

The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
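The following is an added example, not code from the Cisco guide: a small Python model of the port-ACL decision described in the two filtering sections above, so the differences between source IP filtering and source IP and MAC filtering can be checked against sample frames. The binding entries and packets are constructed sample values; matching the binding's VLAN against the frame's VLAN is an assumption made to keep the model faithful to the table layout (IP, MAC, VLAN) rather than a statement about the hardware ACL.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    """One IP source binding table entry: IP address, MAC address, VLAN."""
    ip: str
    mac: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    """A frame received on the IPSG-enabled port. src_ip None means non-IP (e.g. ARP)."""
    src_mac: str
    vlan: int
    src_ip: Optional[str] = None
    is_dhcp: bool = False


def port_acl_decision(bindings: Iterable[Binding], pkt: Packet,
                      filter_mac: bool = False) -> str:
    """Return 'forward' or 'drop' following the IPSG rules in the text.

    filter_mac=False models source IP address filtering;
    filter_mac=True models source IP and MAC address filtering.
    """
    if pkt.is_dhcp:
        return "forward"  # DHCP packets allowed by DHCP snooping are never blocked
    if not filter_mac:
        if pkt.src_ip is None:
            return "forward"  # IP-only filtering leaves non-IP traffic alone
        # With no bindings, nothing matches and all IP traffic is denied
        if any(b.ip == pkt.src_ip and b.vlan == pkt.vlan for b in bindings):
            return "forward"
        return "drop"
    # IP+MAC filtering: both IP and non-IP frames are checked against the binding
    for b in bindings:
        if b.vlan != pkt.vlan or b.mac != pkt.src_mac:
            continue
        if pkt.src_ip is None or b.ip == pkt.src_ip:
            return "forward"
    return "drop"


# Constructed sample data: one valid host and one frame from an unknown MAC
SAMPLE_BINDINGS = (Binding("10.0.0.5", "00:11:22:33:44:55", 10),)
SAMPLE_SPOOF = Packet("de:ad:be:ef:00:01", 10, "10.0.0.5")

if __name__ == "__main__":
    for mode in (False, True):
        print(f"filter_mac={mode}: {port_acl_decision(SAMPLE_BINDINGS, SAMPLE_SPOOF, mode)}")
```

The spoofed frame passes under IP-only filtering (the IP is in the table) but is dropped once MAC filtering is enabled, which is the distinction the text draws between the two options.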
IP Source Guard for Static Hosts
IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic received from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings. The previous version of IPSG required a DHCP environment for IPSG to work.

IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send traffic to a given port. This is equivalent to port security at Layer 3.