
Cisco: IP source-guard

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [iv] IP source-guard
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.2 Network security
          • 4.2.a [iv] IP source-guard

IP source-guard Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

IP source-guard Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
!
ip dhcp snooping information option
!
ip source binding 0024.c431.126e vlan 128 10.0.128.102 interface FastEthernet 1/0/2
!
interface range FastEthernet 1/0/1 - 3
 ip verify source
 !
 !ip verify source port-security
exit
interface FastEthernet 1/0/24
 ip dhcp snooping trust
exit
!
end
  • R3(Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

A ping sent from the duplicated address causes packet loss…

SW1 Console Log

R1(Victim) Console Log

R2(Victim) Console Log

DHCP server log

R3(Attacker) log

  1. IP source-guard drops IP traffic for which no binding is found
  2. but when the attacker R3 duplicates R1's or R2's address and issues a ping, R1 or R2 loses pings…

I can't understand the advantage of this feature…
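The filter decision SW1 makes on its access ports, modelled as an added example (not Cisco code and not part of the original page): the binding table holds the static R2 entry from the configuration above plus a constructed DHCP-snooping entry for R1, and the frames from R3 on Fa1/0/3 are constructed too (R1's and R3's MAC addresses and R1's leased address are assumptions). It shows why observation 2 happens: IPSG only examines IP packets, so a duplicate address carried in ARP is never checked by it (that is what Dynamic ARP Inspection is for), and it shows what the port-security variant adds.

```python
# Model of the IP Source Guard (IPSG) lookup on SW1's access ports (added example, not Cisco code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str

# SW1's binding table: the static entry from the page, plus a constructed DHCP-snooping
# entry for R1 (its MAC and leased address are assumptions, not from the page).
BINDINGS = [
    Binding("0024.c431.126e", 128, "10.0.128.102", "FastEthernet1/0/2"),  # R2, static (page)
    Binding("0024.c431.aaaa", 128, "10.0.128.11", "FastEthernet1/0/1"),   # R1, DHCP (constructed)
]

def ipsg_permits(frame: dict, port: str, port_security: bool = False) -> bool:
    """True if IPSG on `port` forwards the frame.

    'ip verify source' checks the IP source address against the bindings of that port;
    'ip verify source port-security' checks the source MAC as well.  Non-IP frames such
    as ARP are not examined by IPSG at all, so a duplicate address announced via ARP
    still poisons the victims' ARP caches; Dynamic ARP Inspection closes that gap.
    """
    if frame["ethertype"] != "ip":
        return True  # ARP is outside IPSG's scope
    for b in BINDINGS:
        if b.interface == port and b.vlan == frame["vlan"] and b.ip == frame["src_ip"]:
            if not port_security or b.mac == frame["src_mac"]:
                return True
    return False  # no binding on this port: dropped

R3_MAC = "0024.c431.bbbb"  # constructed MAC for the attacker R3
FRAMES = {  # name: (constructed frame, ingress port)
    "r3_own_ip":  (dict(ethertype="ip", vlan=128, src_mac=R3_MAC, src_ip="10.0.128.10"), "FastEthernet1/0/3"),
    "r3_dup_ip":  (dict(ethertype="ip", vlan=128, src_mac=R3_MAC, src_ip="10.0.128.102"), "FastEthernet1/0/3"),
    "r3_dup_arp": (dict(ethertype="arp", vlan=128, src_mac=R3_MAC, src_ip="10.0.128.102"), "FastEthernet1/0/3"),
    "r2_legit":   (dict(ethertype="ip", vlan=128, src_mac="0024.c431.126e", src_ip="10.0.128.102"), "FastEthernet1/0/2"),
    "r2_port_other_mac": (dict(ethertype="ip", vlan=128, src_mac=R3_MAC, src_ip="10.0.128.102"), "FastEthernet1/0/2"),
}

def verdicts(port_security: bool = False) -> dict:
    """Forwarding decision for every constructed frame in the given IPSG mode."""
    return {name: ipsg_permits(f, port, port_security) for name, (f, port) in FRAMES.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("port-security" if mode else "ip only", verdicts(mode))
```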

References

tech/network/cisco/ip-source-guard/ip-source-guard.txt · Last modified: 2019/09/16 10:57 by wnoguchi