Sunday, December 31, 2017

Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.b IP Source Guard

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.


      -    Restricts IP traffic on non-routed (Layer 2) ports
      -    Filters Layer 2 traffic by leveraging the DHCP snooping binding database and manually configured IP source bindings
      -    Can be used to prevent IP spoofing attacks, where a host tries to use a neighbour's IP address
      -    IP Source Guard can be enabled when DHCP snooping is enabled on an untrusted interface
      -    Once enabled, IPSG blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping
      -    Leverages a port ACL that is applied to the interface
      -    The port ACL allows only IP traffic whose source IP is in the IP source binding table and denies all other traffic
      -    Entries in the IP source binding table are learned by DHCP snooping or manually configured (static IP source bindings)
      -    Works on Layer 2 ports only, including trunk and access ports
      -    Can use either source IP address filtering or source IP and MAC address filtering

              - Source IP Address filtering
                  -    Filtering is done based on the source IP address only
                  -    IP traffic is forwarded when the source IP matches an entry in the DHCP snooping binding database or a binding in the IP source binding table

              - Source IP and MAC Address Filtering
                  -    Traffic is filtered based on both the source IP and the source MAC address
                  -    The switch forwards traffic only if the source IP and MAC address match an entry in the IP source binding table
                  -    The switch uses port security to filter source MAC addresses
                  -    The interface can shut down when a port-security violation occurs
      -    IP Source Guard is not supported on EtherChannels
      -    Can be enabled together with 802.1x port-based authentication
      -    In a switch stack, IP Source Guard is configured on the stack member interface
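The configuration these notes describe, written out as an added example (it is not from the original post or from the Cisco guides): the interface names, VLAN 10, the MAC address and the IP addresses are assumptions for illustration. It enables DHCP snooping, trusts the uplink toward the DHCP server, applies source IP filtering on one access port, source IP and MAC filtering on a second, and a static binding for a host with a fixed address on a third.

```cisco
! Added example, not from the original post. VLAN 10, the interface
! names, the MAC address and the IP addresses are assumed values.

! 1. IPSG depends on DHCP snooping: enable it globally and for the VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is required by the Catalyst 3750-X guide when
! source IP and MAC filtering is used (the DHCP server must support it).
ip dhcp snooping information option

! 2. The uplink toward the DHCP server is trusted; every other port stays
!    untrusted, which is where IPSG can be applied.
interface GigabitEthernet1/0/24
 description Uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust

! 3. Source IP address filtering: traffic is forwarded only if the source
!    IP matches a DHCP snooping or static binding for this port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source

! 4. Source IP and MAC address filtering: port security supplies the MAC
!    check, so it has to be enabled on the interface as well.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security

! 5. Static IP source binding for a host with a fixed address (no DHCP
!    lease, so DHCP snooping would never learn it).
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 ip verify source

! 6. Verification (privileged EXEC)
show ip dhcp snooping
show ip dhcp snooping binding
show ip source binding
show ip verify source
show ip verify source interface GigabitEthernet1/0/2
```

Two checks worth doing before enabling this on a production port: `show ip verify source` should list the port with an active filter mode (a port on a VLAN without DHCP snooping, or a trusted port, will show as inactive and filter nothing), and any host on that port with a statically assigned address must have a matching `ip source binding`, otherwise the port ACL drops all of its non-DHCP traffic. With `ip verify source port-security`, the host's MAC is only added to the binding once it has been granted a DHCP lease, so a host that never completes DHCP stays blocked.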


References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html   
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
