V-253960

Discussion

IP Source Guard provides source IP address filtering on an untrusted layer 2 interface to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access interfaces. Initially, all IP traffic on the protected interface is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. This requirement is applicable to VLANs with active access interfaces assigned but not to switches that only trunk the VLANs between switches.

Check Content

Review the switch configuration to verify that IP Source Guard is enabled on all user-facing or untrusted VLANs. Configuring IP Source Guard automatically enables DHCP snooping.

Devices like printers, servers, and VoIP phones are under enterprise control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in non-user-facing VLANs.

Verify IP Source Guard on user-facing or untrusted VLANs.
[edit vlans]
<untrusted VLAN name> {
    vlan-id <VLAN ID>;
    forwarding-options {
        dhcp-security {
            ip-source-guard;
        }
    }
}
Note: IP Source Guard depends upon DHCP snooping or static MAC address bindings.

If the switch does not have IP Source Guard enabled on all user-facing or untrusted VLANs, this is a finding.