Mental model
You’ve configured Port Security (locks the port to specific MACs), DHCP Snooping (blocks rogue DHCP servers), and DAI (blocks ARP spoofing). One attack vector remains: an attacker can still send packets with a forged source IP.
IP Source Guard (IPSG) plugs that hole. The switch validates the source IP of every IP packet against the DHCP Snooping binding table. If the (source IP, source MAC, port) combination doesn’t match, the packet is dropped.
That’s it. Same source of truth (the DHCP Snooping binding table) shared with DAI. Different validation target (the source IP of IP packets, rather than the sender fields of ARP packets).
What attacks IPSG defeats
- Source IP spoofing for DDoS reflection — attacker forges source IP to be the victim, causes amplification responses to flood victim.
- Bypassing source-IP-based ACLs — attacker on Gi0/5 forges packets with the source IP of a trusted host on Gi0/1.
- Hiding identity in logs — with IPSG in place, every packet is correctly labeled with the attacker’s actual IP.
With IPSG, an attacker can only ever send packets from the IPs/MACs legitimately bound to their port by DHCP Snooping.
How it builds on DHCP Snooping
Same dependency as DAI. IPSG uses the DHCP Snooping binding table:
| Client MAC | IP | Port | VLAN |
|---|---|---|---|
| aa:aa:aa:aa | 10.0.0.5 | Gi0/1 | 10 |
| bb:bb:bb:bb | 10.0.0.7 | Gi0/3 | 10 |
When an IP packet arrives on Gi0/3, IPSG checks the source IP against the binding entry for that port. Source 10.0.0.7? Allowed. Source 10.0.0.5 (the other user’s IP)? Dropped.
Two validation modes
| Mode | What it checks | Strictness |
|---|---|---|
| IP | Source IP must match binding | Standard |
| IP and MAC | Source IP AND source MAC must match | Stricter |
The IP-and-MAC mode prevents an attacker from forging the source IP even if they spoof their MAC to match what’s in the binding table — but it requires port-security to also be in place (which it should anyway).
Commands
```
! Prerequisites — DHCP Snooping must be enabled
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10,20
! Enable IP Source Guard on the port
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# ip verify source
! Stricter — validate IP and MAC together
SW1(config-if)# ip verify source port-security
! (requires port-security configured on the same interface)
```
Static bindings (no DHCP)
If a host uses a static IP and doesn’t use DHCP, you need to bind it manually:
```
SW1(config)# ip source binding aaaa.bbbb.cccc vlan 10 192.168.1.50 interface GigabitEthernet0/5
```
Without this, IPSG drops the static host’s traffic — same as DAI’s behavior. The DHCP Snooping binding table and the IP Source Guard binding table both work from the same data; you populate it via DHCP observation OR static entries.
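An added example (not part of these notes) that models the check described above in Python: one binding table filled by DHCP observation or static entries, IP mode versus IP-and-MAC mode, and a static host that is dropped until its binding exists. The port names and addresses come from the page’s examples; the full-length MACs and the Gi0/5 host’s MAC are constructed.

```python
from collections import namedtuple

# One row of the binding table shared by DHCP Snooping, DAI and IPSG.
Binding = namedtuple("Binding", "mac ip port vlan")

class IpSourceGuard:
    def __init__(self):
        self.bindings = []   # populated by DHCP observation OR static entries
        self.mode = {}       # port -> "ip" or "ip-mac"; port absent = IPSG not enabled

    def bind(self, mac, ip, port, vlan):
        """Row added either by DHCP Snooping observing a lease, or by the static
        command: ip source binding <mac> vlan <vlan> <ip> interface <port>"""
        self.bindings.append(Binding(mac.lower(), ip, port, vlan))

    def enable(self, port, check_mac=False):
        """ip verify source (IP mode) or ip verify source port-security (IP+MAC)."""
        self.mode[port] = "ip-mac" if check_mac else "ip"

    def permit(self, port, src_ip, src_mac):
        """True if the packet is forwarded, False if IPSG drops it."""
        mode = self.mode.get(port)
        if mode is None:
            return True                                   # IPSG off: no check
        for b in self.bindings:
            if b.port == port and b.ip == src_ip:
                if mode == "ip" or b.mac == src_mac.lower():
                    return True
        return False                                      # no matching binding: drop

def walkthrough():
    """Constructed scenario based on the page's table: Gi0/1 and Gi0/3 in VLAN 10."""
    sw = IpSourceGuard()
    sw.enable("Gi0/1")                   # IP mode
    sw.enable("Gi0/3", check_mac=True)   # IP-and-MAC mode
    # Empty table: the "IPSG without DHCP Snooping" mistake drops even legitimate traffic
    r = {"empty_table": sw.permit("Gi0/1", "10.0.0.5", "aa:aa:aa:aa:aa:aa")}
    sw.bind("aa:aa:aa:aa:aa:aa", "10.0.0.5", "Gi0/1", 10)   # learned via DHCP
    sw.bind("bb:bb:bb:bb:bb:bb", "10.0.0.7", "Gi0/3", 10)   # learned via DHCP
    r["own_ip"] = sw.permit("Gi0/3", "10.0.0.7", "bb:bb:bb:bb:bb:bb")
    r["forged_ip"] = sw.permit("Gi0/3", "10.0.0.5", "bb:bb:bb:bb:bb:bb")  # other user's IP
    r["ip_mode_wrong_mac"] = sw.permit("Gi0/1", "10.0.0.5", "cc:cc:cc:cc:cc:cc")
    r["ipmac_mode_wrong_mac"] = sw.permit("Gi0/3", "10.0.0.7", "cc:cc:cc:cc:cc:cc")
    sw.enable("Gi0/5")                   # static host: no DHCP lease, so no binding yet
    r["static_before"] = sw.permit("Gi0/5", "192.168.1.50", "aa:bb:cc:dd:ee:ff")
    sw.bind("aa:bb:cc:dd:ee:ff", "192.168.1.50", "Gi0/5", 10)   # ip source binding ...
    r["static_after"] = sw.permit("Gi0/5", "192.168.1.50", "aa:bb:cc:dd:ee:ff")
    return r
```

The `ip_mode_wrong_mac` result shows why the notes say IP-only mode should be paired with Port Security: IP mode alone never looks at the source MAC.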
Verification
```
SW1# show ip verify source          ! IPSG status per interface
SW1# show ip source binding         ! the binding table IPSG uses
SW1# show ip dhcp snooping binding  ! same table from DHCP Snooping's view
```
The first one is the daily driver — shows you which ports have IPSG enabled and which validation mode they use.
The Layer-2 security set — IPSG completes it
| Feature | Defends against | Source of truth |
|---|---|---|
| Port Security | Unauthorized MAC at access port | Static config / sticky learning |
| DHCP Snooping | Rogue DHCP servers | Tracks legitimate leases |
| DAI | ARP spoofing (e.g. “I am the gateway”) | DHCP Snooping bindings |
| IPSG | IP source spoofing | DHCP Snooping bindings |
Three of the four depend on DHCP Snooping for their binding table. Deploy them as a set — each plugs a different hole.
Common mistakes
- Enabling IPSG without DHCP Snooping. The binding table is empty → IPSG drops everything → all access ports useless. Always enable DHCP Snooping first and confirm the binding table is populated.
- Forgetting static IP hosts. Servers/printers with static IPs don’t appear in the snooping bindings → IPSG drops their traffic. Add manual `ip source binding` entries.
- Enabling on a trunk port. IPSG is for access ports. Trunks carry traffic from many hosts (potentially across many VLANs) — no clean binding to validate against. Don’t enable on trunks.
- `ip verify source port-security` without enabling port-security. The IP-and-MAC mode requires Port Security to also be active. Otherwise the MAC validation has no source.
- Forgetting that the firewall doesn’t help here. IPSG operates at L2 on the switch. A perimeter firewall sees the same forged packets at L3 and might not detect the spoof. Defense-in-depth: filter at every layer where you can.
- Manual bindings forgotten after a server change. New server, new MAC — the old static binding doesn’t match, IPSG drops. Update the binding when hardware changes.
Lab to try tonight
- Set up a switch with DHCP Snooping already working. Verify the binding table is populated.
- Enable IPSG on an access port: `ip verify source`.
- From a client on that port (with a DHCP-assigned IP), confirm normal traffic still works.
- Try to spoof — manually set a different IP on the client. Watch traffic drop.
- Add a host on another port with a static IP. Without a manual binding, watch IPSG drop its traffic.
- Add `ip source binding ...` for the static host. Verify traffic flows again.
- Bonus: enable port-security AND IPSG with the `port-security` flag. Verify both IP and MAC are now checked together.
Cheat strip
| Concept | Plain English |
|---|---|
| IPSG | Drop packets whose source IP doesn’t match the binding table |
| Binding source | DHCP Snooping table — shared with DAI |
| `ip verify source` | Standard mode — IP only |
| `ip verify source port-security` | Stricter — IP and MAC |
| Static hosts | Need `ip source binding ...` to be allowed |
| L2 security set | Port Security + DHCP Snooping + DAI + IPSG = full coverage |
| Trunks | Don’t enable IPSG on them — access ports only |