Snooping and Inspecting Traffic 785

What Is IP Source Guard?

IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network.

The source ID may be either the source IP address or a {source IP address, source MAC address} pair. You can configure:

• Whether enforcement includes the source MAC address
• Static authorized source IDs

The DHCP snooping bindings database and static IPSG entries identify authorized source IDs. IPSG can be enabled on physical and LAG ports.

If you enable IPSG on a port where DHCP snooping is disabled or where DHCP snooping is enabled but the port is trusted, all IP traffic received on that port is dropped depending on the admin-configured IPSG entries.

IPSG and Port Security

IPSG interacts with port security, also known as port MAC locking (see "What is Port Security?" on page 513), to enforce the source MAC address. Port security controls source MAC address learning in the layer 2 forwarding database (MAC address table). When a frame is received with a previously unlearned source MAC address, port security queries the IPSG feature to determine whether the MAC address belongs to a valid binding.

If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If IPSG is enabled on the ingress port, IPSG checks the bindings database. If the MAC address is in the bindings database and the binding matches the VLAN the frame was received on, IPSG replies that the MAC is valid. If the MAC is not in the bindings database, IPSG informs port security that the frame is a security violation.

In the case of an IPSG violation, port security takes whatever action it normally takes upon receipt of an unauthorized frame. Port security limits the number of MAC addresses to a configured maximum. If the limit n is less than the number of stations m in the bindings database, port security allows only n stations to use the port. If n > m, port security allows only the stations in the bindings database. For information about configuring the Port Security feature, see "Configuring 802.1X and Port-Based Security" on page 505.
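
The interaction described above can be traced with a small model. This is an added example, not code from the switch or its vendor. The class and function names, the sample bindings and the result labels ('forward', 'violation', 'over-limit') are assumptions made for illustration, and the action port security takes on a violation is not modeled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:              # one DHCP snooping or static IPSG entry
    mac: str
    vlan: int
    ip: str

@dataclass
class Port:
    ipsg_enabled: bool
    max_macs: int                                   # port security limit n
    bindings: list = field(default_factory=list)    # m authorized stations
    learned: set = field(default_factory=set)       # (mac, vlan) pairs already learned

def ipsg_mac_valid(port, mac, vlan):
    """IPSG's reply when port security asks about an unlearned source MAC."""
    if not port.ipsg_enabled:
        return True                                 # IPSG disabled: always valid
    # Assumption: a MAC bound in a different VLAN is treated like an unbound MAC.
    return any(b.mac == mac and b.vlan == vlan for b in port.bindings)

def receive_frame(port, mac, vlan):
    """Return 'forward', 'violation' (IPSG rejected) or 'over-limit' (n reached)."""
    if (mac, vlan) in port.learned:
        return "forward"
    if not ipsg_mac_valid(port, mac, vlan):
        return "violation"
    if len(port.learned) >= port.max_macs:
        return "over-limit"
    port.learned.add((mac, vlan))
    return "forward"

# Constructed sample bindings (documentation MAC and IP ranges), m = 3.
BINDINGS = [Binding("00:00:5e:00:53:01", 10, "192.0.2.11"),
            Binding("00:00:5e:00:53:02", 10, "192.0.2.12"),
            Binding("00:00:5e:00:53:03", 10, "192.0.2.13")]
UNBOUND = "00:00:5e:00:53:ff"                       # not in the bindings database

def run(limit, ipsg_enabled=True):
    """Send each bound station, then the unbound one, through a fresh port."""
    port = Port(ipsg_enabled, limit, list(BINDINGS))
    frames = [(b.mac, b.vlan) for b in BINDINGS] + [(UNBOUND, 10)]
    return [receive_frame(port, mac, vlan) for mac, vlan in frames]

if __name__ == "__main__":
    print("n=2 < m=3:", run(2))
    print("n=5 > m=3:", run(5))
```

With IPSG disabled the unbound station is limited only by n, which is why the limit alone does not stand in for the bindings check.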