Linksys SGE2000 Cisco Small Business SFE/SGE2xxx Series Managed Switches Admin - Page 144

Configuring Device Security Defining DHCP Snooping 4 Defining IP Source Guard IP Source Guard is a security feature that restricts the client IP traffic to those source IP addresses configured in the DHCP Snooping Binding Database and in manually configured IP source bindings. For example, IP Source Guard can help prevent traffic attacks caused when a host tries to use the IP address of its neighbor. • DHCP snooping must be enabled on the device's untrusted interfaces and on the relevant VLAN, in order to activate the IP source guard feature. • IP Source Guard must be enabled globally in the IP Source Guard Properties Page before it can be enabled on the device interfaces. • IP Source Guard uses Ternary Content Addressable Memory (TCAM) resources, requiring use of 1 TCAM rule per 1 IP Source Guard address entry. If the number of IP Source Guard entries exceeds the number of available TCAM rules, new IP source guard addresses remain inactive. • IP Source Guard cannot be configured on routed ports. • If IP Source Guard and MAC address filtering is enabled on a port, Port Security cannot be activated on the same port. • If a port is trusted, filtering of static IP addresses can be configured, although IP Source Guard is not active in that condition. • If a port's status changes from untrusted to trusted, the static IP address filtering entries remain but become inactive. The IP Source Guard section contains the following topics: • Configuring IP Source Guard Properties • Defining IP Source Guard Interface Settings • Querying the IP Source Binding Database Configuring IP Source Guard Properties The IP Source Guard Properties Page allows network managers to enable the use of IP Source Guard on the device. IP Source Guard must be enabled for the device before it can be enabled on individual ports or LAGs. To enable IP Source Guard: Cisco Small Business SFE/SGE Managed Switches Administration Guide 135