Understanding and Configuring IP Source Guard on Nebula Switches

Zyxel_Kay (Zyxel Employee)

Feature Introduction

IP Source Guard (IPSG) is an Ethernet solution that prevents IP conflicts or IP spoofing within networks. This feature is particularly crucial in environments where network security and reliability are paramount. Its primary functions are to enable DHCP Snooping and ARP Inspection, ensuring that each cloud-managed switch maintains its own IPSG client table. This capability is vital for office networks to prevent IP spoofing and incorrect IP configurations that could disrupt services or compromise network security.

Note: The IP Source Guard feature is supported in 💎Nebula Pro organizations.

How does it work?

IP Source Guard in Nebula cloud-managed switches involves:

  1. DHCP Snooping: It processes DHCP packets between clients and servers, adding clients to the IPSG client table upon receiving DHCP Request and Acknowledgement on protected ports. It also helps in guarding against rogue DHCP servers by dropping DHCP offers received on protected ports.
  2. ARP Inspection: ARP Inspection allows the switch to manage ARP request packets, cross-referencing them with the IPSG client table to enforce network policies. Traffic from clients matching the table is permitted, while that from non-matching clients is blocked for 300 seconds.
  3. Static IP bindings: Use this to create static bindings in the binding table.

How to configure the IP Source Guard?

Follow these steps:

  1. Navigate to Site-wide > Configure > Switch > Switch settings and enable IP source guard.
  2. Select the 📝edit button on Protected ports. You will be redirected to Site-wide > Configure > Switch > Switch ports, and the port list will be automatically filtered to display the selected ports.
    (Note: Do NOT configure IPSG on an uplink port, as this may cause disconnection between the client device and Nebula.)
  3. Enable IPSG protected on the desired ports.
    (Note: Avoid enabling IPSG protected if multiple devices are connected behind that port, such as a switch, AP, firewall, or a trusted DHCP server.)
  4. For trusted devices (e.g., printers, NAS) with static IPs, add them to the Allowed client list (Whitelist). There are two methods for inputting whitelist clients:
    • Method 1: Manual Input Client
      Click + Add client to define the IPv4 address, MAC address, and VLAN of the static client.
    • Method 2: Adding Existing Blocked/DHCP client
      Click the Run button on the switch Client table. A pop-up window will display the current client table. Select the DHCP-snooping or Block entries and click Transfer to add them to the allowed client list.

How to track the IPSG block record?

Navigate to Site-wide > Monitor > Switch > Event log, and search for the keyword “ARP Inspection” to track the events.

Notes:

  • Correct Configuration Importance: Incorrect setup can affect network connectivity, so ensure that IP Source Guard is only enabled on ports connected to end devices.
  • Network Security Enhancement: By using IP Source Guard, administrators can significantly improve network security, managing both DHCP and ARP packet authorization efficiently.

Kay
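
The behaviour described under "How does it work?" can be followed step by step in a small model. This is an added example, not part of the original post and not Zyxel's implementation: the class and method names are hypothetical, the addresses are constructed, and two details the post does not specify are assumptions (the block is keyed on VLAN + MAC, and a snooped lease never overwrites a static binding).

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 300  # block duration stated in the post

@dataclass
class IpsgSwitch:
    """Toy model of one switch's IPSG client table (assumed structure)."""
    protected: set                                 # IPSG-protected port numbers
    table: dict = field(default_factory=dict)      # (vlan, ip) -> (mac, source)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> requested ip
    blocked: dict = field(default_factory=dict)    # (vlan, mac) -> block expiry

    def add_static(self, ip, mac, vlan):
        """Allowed client list entry: a static IP/MAC/VLAN binding."""
        self.table[(vlan, ip)] = (mac.lower(), "static")

    def dhcp(self, port, msg, client_mac, vlan, ip=None):
        """Snoop one DHCP message; return 'forward' or 'drop'."""
        key = (vlan, client_mac.lower())
        if msg == "OFFER" and port in self.protected:
            return "drop"                          # rogue DHCP server on a client port
        if msg == "REQUEST" and port in self.protected:
            self.pending[key] = ip                 # remember what the client asked for
        elif msg == "ACK" and ip and self.pending.get(key) == ip:
            del self.pending[key]
            # Assumption: a snooped lease never overwrites a static binding.
            if self.table.get((vlan, ip), ("", ""))[1] != "static":
                self.table[(vlan, ip)] = (key[1], "dhcp-snooping")
        return "forward"

    def arp(self, port, sender_ip, sender_mac, vlan, now):
        """Inspect one ARP request seen at time `now` (seconds)."""
        key = (vlan, sender_mac.lower())
        if port not in self.protected:
            return "forward"                       # uplink/trusted ports are not checked
        if self.blocked.get(key, 0) > now:
            return "drop"                          # still inside the 300 s block
        entry = self.table.get((vlan, sender_ip))
        if entry and entry[0] == key[1]:
            return "forward"                       # matches the client table
        self.blocked[key] = now + BLOCK_SECONDS    # assumption: block keyed on VLAN+MAC
        return "drop"

if __name__ == "__main__":                         # constructed sample traffic
    sw = IpsgSwitch(protected={1, 2})
    sw.dhcp(1, "REQUEST", "02:00:00:00:00:01", 10, "192.0.2.10")
    sw.dhcp(24, "ACK", "02:00:00:00:00:01", 10, "192.0.2.10")
    print(sw.arp(1, "192.0.2.10", "02:00:00:00:00:01", 10, now=0))   # forward
    print(sw.arp(2, "192.0.2.10", "02:00:00:00:00:02", 10, now=5))   # drop
```

In this model a client that was blocked before being added to the allowed client list stays blocked until the 300 seconds expire.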