IP source guard (IPSG) implements source IP address filtering based on Layer 2 interfaces. IPSG is used to prevent network access from malicious hosts using stolen IP addresses. In addition, IPSG prevents unauthorized hosts from accessing or attacking networks with forged IP addresses.
As networks continue to increase in scale, many attackers forge source IP addresses to initiate network attacks (IP address spoofing attacks). Some attackers steal the IP addresses of authorized users to obtain network access rights. As a result, authorized users are unable to access networks, or unauthorized users may intercept sensitive information. IPSG provides a mechanism to effectively defend against IP address spoofing attacks.
Figure 1 illustrates how IPSG defends against attacks. A malicious host steals an authorized host's IP address to obtain network access rights. IPSG is configured on the Switch's user-side interface or VLAN. With this configuration, the Switch checks the IP packets received by the interface and discards the packets from malicious hosts to prevent IP address spoofing attacks.
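The check described above can be modelled in a few lines. This is an added example, not vendor code: it assumes the usual IPSG model in which the Switch compares each packet's source IP address, source MAC address, VLAN and ingress interface against a binding table, and the class names, interface names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:            # one binding-table entry (assumed model, not from the page)
    ip: str
    mac: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Packet:             # fields the source check looks at on ingress
    src_ip: str
    src_mac: str
    vlan: int
    interface: str

class Switch:
    def __init__(self, bindings, ipsg_interfaces=(), ipsg_vlans=()):
        self.bindings = set(bindings)
        self.ipsg_interfaces = set(ipsg_interfaces)   # user-side interfaces with IPSG
        self.ipsg_vlans = set(ipsg_vlans)             # VLANs with IPSG
        self.dropped = []                             # discarded packets, kept for review

    def receive(self, pkt):
        """Return True if the packet is forwarded, False if IPSG discards it."""
        checked = pkt.interface in self.ipsg_interfaces or pkt.vlan in self.ipsg_vlans
        if not checked:
            return True   # IPSG not configured here (e.g. an uplink): no source check
        if Binding(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.interface) in self.bindings:
            return True
        self.dropped.append(pkt)
        return False

def run_demo():
    # Constructed sample data: documentation addresses, made-up MACs and ports.
    host = Binding("192.0.2.10", "00:00:5e:00:53:0a", 10, "GE0/0/1")
    sw = Switch([host], ipsg_interfaces={"GE0/0/1", "GE0/0/2"})
    packets = {
        "authorized host": Packet("192.0.2.10", "00:00:5e:00:53:0a", 10, "GE0/0/1"),
        "stolen IP, own MAC": Packet("192.0.2.10", "00:00:5e:00:53:0b", 10, "GE0/0/2"),
        "copied IP and MAC, wrong port": Packet("192.0.2.10", "00:00:5e:00:53:0a", 10, "GE0/0/2"),
        "uplink, unchecked": Packet("198.51.100.7", "00:00:5e:00:53:ff", 10, "GE0/0/24"),
    }
    return {name: sw.receive(p) for name, p in packets.items()}, sw.dropped

if __name__ == "__main__":
    verdicts, dropped = run_demo()
    for name, ok in verdicts.items():
        print(f"{name:30} {'forward' if ok else 'discard'}")
```

The last case shows why the configuration point matters: packets arriving on an interface or VLAN without IPSG are not checked at all, so coverage has to include every user-side interface.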