IP Source Guard

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks, in which a host tries to spoof and use the IP address of another host. Any IP traffic coming into the interface with a source IP address other than the one assigned (via DHCP or static configuration) is filtered out on the untrusted Layer 2 ports.

The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC address and VLAN number. IP Source Guard is supported on Layer 2 ports only, including access and trunk ports.

Example 4-9 shows how to enable IP Source Guard with dynamic source IP and MAC address filtering.

Example 4-9. IP Source Guard Configuration Example 1

Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip verify source port-security

Example 4-10 shows how to enable IP Source Guard with a static source IP address and MAC address filtering mapped on VLAN 5.

Example 4-10. IP Source Guard Configuration Example 2

Switch(config)# ip source binding 0011.0011.0011 vlan 5 10.1.1.11 interface GigabitEthernet1/0/2

Use the show ip verify source command to display the IP Source Guard configuration and the show ip source binding command to display the IP source bindings on the switch.
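
The filtering decision described above, modeled in Python as an added example (not code from the original page or from Cisco): it parses the static binding syntax of Example 4-10 into a binding table and checks the source fields of ingress frames against it. The second table row, the per-port modes and all helper names are constructed for illustration; "ip" mode stands for ip verify source without the port-security keyword, which filters on source IP only.

```python
import re
from typing import NamedTuple

class Binding(NamedTuple):
    """One binding-table row; also used for the source fields of a frame."""
    mac: str
    vlan: int
    ip: str
    interface: str

# Static binding syntax as written in Example 4-10.
_STATIC = re.compile(
    r"ip source binding (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"vlan (?P<vlan>\d+) (?P<ip>\d+(?:\.\d+){3}) interface (?P<intf>\S+)",
    re.IGNORECASE)

def parse_static_binding(line: str) -> Binding:
    m = _STATIC.search(line)
    if m is None:
        raise ValueError(f"not a static source binding: {line!r}")
    return Binding(m["mac"].lower(), int(m["vlan"]), m["ip"], m["intf"])

def ipsg_permits(table, modes, frame: Binding) -> bool:
    """modes maps interface -> "ip" or "ip-mac"; a port not listed has no IPSG."""
    mode = modes.get(frame.interface)
    if mode is None:
        return True                       # feature not enabled on this port
    for b in table:
        if (b.interface, b.vlan, b.ip) != (frame.interface, frame.vlan, frame.ip):
            continue                      # binding belongs to another port/VLAN/IP
        if mode == "ip" or b.mac == frame.mac.lower():
            return True
    return False                          # no matching binding: frame is filtered

# Constructed sample data: the static binding from Example 4-10 plus one row
# standing in for an entry learned by DHCP snooping.
TABLE = [
    parse_static_binding("Switch(config)# ip source binding 0011.0011.0011 "
                         "vlan 5 10.1.1.11 interface GigabitEthernet1/0/2"),
    Binding("0022.0022.0022", 5, "10.1.1.12", "GigabitEthernet1/0/1"),
]
MODES = {"GigabitEthernet1/0/1": "ip-mac", "GigabitEthernet1/0/2": "ip"}

if __name__ == "__main__":
    spoof = Binding("0022.0022.0022", 5, "10.1.1.11", "GigabitEthernet1/0/1")
    print("spoofed source permitted?", ipsg_permits(TABLE, MODES, spoof))
```

A port with IP Source Guard enabled and no matching row drops every IP frame, which is why the feature depends on DHCP snooping or static bindings being in place first.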