How to Block Unknown Devices to Access the Switch by Using IP Source Guard

Introduction:

IP Source Guard is to filter the IP packets based on the IP-MAC Binding entries. Only the packets matched to the IP-MAC Binding rules can be processed, which can enhance the bandwidth utility and the network security. In some situation, customers may want to limit the unknown devices to join the existing network. We can use the IP Source Guard and IP-MAC Binding to achieve this requirement.

Application Scenario:

As shown in the picture above, we assume that the host A is a legal PC that can access the switch. And when an unknown device want to join the network, it will be blocked. This article will instruct how to achieve this requirement by using IP Source Guard and IP-MAC Binding, and here we take T3700G-28TQ as example.

Configuration Steps:

1. Designate static IP for your devices or get IP automatically from the DHCP server.

2. IP-MAC Binding

3. Enable IP Source Guard

Here are the detailed configuration steps:

Step1: you can designate static IP address for your devices or let them get IP address automatically from the front DHCP server. But in this situation, we recommend you to designate static IP address for your devices manually.

Step2: IP-MAC Binding

To enable IP Source Guard, we should create IP-MAC Binding entries first. The IP-MAC Binding function allows you to bind the IP address, MAC address, VLAN ID and the connected Port of the host together. There are three methods to create IP-MAC Binding entries: Manual Binding, ARP scanning and DHCP Snooping.

Note:

1. In this application scenario, we cannot use DHCP Snooping, because the DHCP Snooping has higher priority than IP Source Guard. That is to say, when we apply DHCP Snooping and IP Source Guard at the same time, all the devices even the untrusted ones can still get IP address from the front DHCP server and then forward packets normally.

2. If you still want to use DHCP Snooping and IP Source Guard at the same time, you need to limit the IP allocation in the front DHCP server to make sure only the legal devices can get the IP address.

We can use the Manual Binding and ARP scanning individually or simultaneously. Here we instruct the two methods respectively.

1. Manual Binding

Go to Network Security-->IP-MAC Binding -->Manual Binding

As is shown in the picture, we enter the Host Name, IP Address, MAC Address, VLAN ID and choose the Protect Type as IP Source Guard and select the port the host A connects to and then click Bind to save.

2）ARP Scanning

Connect all your devices to the switch and then go to Network Security-->IP-MAC Binding --> ARP Scanning

Designate the range of the IP address and VLAN to scan, here we take 192.168.1.1~192.168.1.254 and VLAN 1 as example, you should fill the blank according to your real scenario.

After the scanning, all the devices in the range will be showed in the table, choose the entries you want to bind and select the Protect Type as IP Source Guard and then click Apply to save.

Step3: Enable IP Source Guard

Go to Network Security--> IP Source Guard

Select the ports you want to apply IP Source Guard and choose the Security Type as SIP or SIP+MAC.

Note:

1. IP Source Guard cannot be enabled for LAG members.

2. If you choose SIP, only the packets with its source IP address and port number matched to the IP-MAC binding rules can be processed; If you choose SIP+MAC, only the packets with its source IP address, port number and source MAC address matched to the IP-MAC binding rules can be processed.

Test: we can use Ping command to test the connection in the unknown devices as shown in the picture below.

Before we enable IP Source Guard:

After we enable IP Source Guard: