Overview of IPSG
Some network attacks spoof source IP addresses in order to access and use network resources, steal users' information, or block authorized users from accessing the network. IPSG can prevent source address spoofing attacks.
IPSG enables the device to check IP packets against dynamic and static DHCP binding entries. Before the device forwards an IP packet, it compares the source IP address, source Media Access Control (MAC) address, interface, and Virtual Local Area Network (VLAN) information in the packet with the entries in the binding table. If an entry is matched, the device treats the IP packet as valid and forwards it. Otherwise, the device treats the IP packet as an attack packet and discards it.
As shown in Figure 14-1, an attacker sends bogus packets to modify the outbound interface in the MAC address table on the Switch. The server's replies are then sent to the attacker.
To prevent these attacks, you can configure IPSG on the Switch to check incoming IP packets against the binding entries. IP packets that match the binding entries are forwarded, and IP packets that do not match the binding entries are discarded.
IPSG enables the device to check IP packets against the binding entries. The check items are the source IP address, source MAC address, VLAN ID, and interface number. The device can check any of the following combinations of these items:
- Interface and IP address
- Interface and MAC address
- Interface, IP address, and MAC address
- Interface, IP address, and VLAN ID
- Interface, MAC address, and VLAN ID
- Interface, IP address, MAC address, and VLAN ID
The NVE interface view supports only IP address check.
- VLAN ID and IP address
- VLAN ID and MAC address
- VLAN ID, IP address, and MAC address
- VLAN ID, IP address, and interface
- VLAN ID, MAC address, and interface
- VLAN ID, IP address, MAC address, and interface
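The following is an added example (not the vendor's code) that simulates the binding-table check described above: a packet is compared with each binding entry on only the check items selected for the interface or VLAN, and is forwarded on the first match or discarded otherwise. The `Binding` and `Packet` types, the `ipsg_decision` function, and all addresses, MACs, VLAN IDs and interface names are constructed for the example; it also shows why the choice of check items matters, since a combination that omits the interface cannot distinguish a cloned IP/MAC pair arriving on the wrong port.

```python
"""Simulated IPSG binding-table check (added example, not vendor code).

The binding table holds entries learned dynamically (e.g. via DHCP snooping)
or configured statically. Each entry records the source IP address, source
MAC address, VLAN ID and interface. Before forwarding, the device compares
only the check items selected for that interface or VLAN; a packet that
matches an entry on every selected item is forwarded, otherwise it is
discarded. All entries and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# The four check items named in the text.
CHECK_ITEMS = ("interface", "ip", "mac", "vlan")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str  # inbound interface the packet arrived on


def normalize_mac(mac: str) -> str:
    """Canonicalise MAC formats (aaaa-bbbb-cccc, AA:BB:CC:DD:EE:FF, aabb.ccdd.eeff)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return hexdigits


def entry_matches(binding: Binding, pkt: Packet, items: FrozenSet[str]) -> bool:
    """True if the packet agrees with the binding on every selected check item."""
    checks = {
        "interface": binding.interface == pkt.interface,
        "ip": binding.ip == pkt.src_ip,
        "mac": normalize_mac(binding.mac) == normalize_mac(pkt.src_mac),
        "vlan": binding.vlan == pkt.vlan,
    }
    return all(checks[item] for item in items)


def ipsg_decision(bindings: Iterable[Binding], pkt: Packet, items: Iterable[str]) -> str:
    """Return 'forward' if a binding entry matches on the selected items, else 'discard'."""
    selected = frozenset(items)
    unknown = selected - set(CHECK_ITEMS)
    if unknown:
        raise ValueError(f"unknown check item(s): {sorted(unknown)}")
    if not selected:
        raise ValueError("at least one check item must be selected")
    for b in bindings:
        if entry_matches(b, pkt, selected):
            return "forward"
    return "discard"


# Constructed binding table: two hosts in VLAN 10 on different interfaces.
BINDING_TABLE = [
    Binding(ip="192.0.2.10", mac="0011-2233-4455", vlan=10, interface="GE0/0/1"),
    Binding(ip="192.0.2.20", mac="0011-2233-6677", vlan=10, interface="GE0/0/2"),
]


def demo() -> dict:
    """Run the legitimate host and spoofed packets through the check."""
    items = ("interface", "ip", "mac", "vlan")  # strictest combination
    legit = Packet("192.0.2.10", "00:11:22:33:44:55", 10, "GE0/0/1")
    # Host on GE0/0/2 spoofs the first host's IP address but keeps its own MAC.
    spoof_ip = Packet("192.0.2.10", "0011-2233-6677", 10, "GE0/0/2")
    # Host on GE0/0/2 clones both IP and MAC of the first host (wrong interface).
    spoof_ip_mac = Packet("192.0.2.10", "0011-2233-4455", 10, "GE0/0/2")
    return {
        "legit": ipsg_decision(BINDING_TABLE, legit, items),
        "spoof_ip": ipsg_decision(BINDING_TABLE, spoof_ip, items),
        "spoof_ip_mac": ipsg_decision(BINDING_TABLE, spoof_ip_mac, items),
        # With only (interface, ip) selected the clone is still caught...
        "spoof_ip_mac_if_ip": ipsg_decision(BINDING_TABLE, spoof_ip_mac, ("interface", "ip")),
        # ...but a (vlan, ip) check alone cannot tell the two ports apart.
        "spoof_ip_mac_vlan_ip": ipsg_decision(BINDING_TABLE, spoof_ip_mac, ("vlan", "ip")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Running the block prints one verdict per sample packet; the last case illustrates that a VLAN-and-IP check passes a cloned IP/MAC pair from another port in the same VLAN, which is why including the interface in the check items gives tighter enforcement on access ports.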