Understanding and Configuring IP Source Guard on Nebula Switches
Feature Introduction
IP Source Guard (IPSG) is an Ethernet solution that prevents IP conflicts or IP spoofing within networks. This feature is particularly crucial in environments where network security and reliability are paramount. Its primary functions are to enable DHCP Snooping and ARP Inspection, ensuring that each cloud-managed switch maintains its own IPSG client table. This capability is vital for office networks to prevent IP spoofing and incorrect IP configurations that could disrupt services or compromise network security.
Note: The IP Source Guard feature is supported in 💎Nebula Pro organizations.
How does it work?
IP Source Guard in Nebula cloud-managed switches involves:
- DHCP Snooping:
- ARP Inspection:
- Static IP bindings
Use this to create static bindings in the binding table.
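A simplified model of the check that DHCP Snooping, ARP Inspection and static bindings perform together, added here as an illustration (it is not Zyxel's code). It assumes bindings are keyed by VLAN and IPv4 address and compared with the ARP sender MAC, which is how these features work in general; the page does not state Nebula's exact matching rules, and all addresses below are constructed.

```python
import ipaddress

def norm_mac(mac):
    """Normalize aa-bb-.., aa:bb:.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class BindingTable:
    """Assumed model of a per-switch table: (VLAN, IPv4) -> (MAC, entry source)."""
    def __init__(self):
        self.entries = {}

    def add(self, ip, mac, vlan, source):
        key = (int(vlan), ipaddress.IPv4Address(ip))
        new, old = norm_mac(mac), self.entries.get(key)
        if old and old[0] != new:
            # Same IP and VLAN claimed by a second MAC: refuse instead of overwriting.
            raise ValueError(f"{ip} in VLAN {vlan} already bound to {old[0]} ({old[1]})")
        self.entries[key] = (new, source)

    def check_arp(self, vlan, sender_ip, sender_mac, port_protected=True):
        """Return (verdict, reason) for an ARP packet seen on a port."""
        if not port_protected:
            return ("permit", "port not IPSG protected")
        bound = self.entries.get((int(vlan), ipaddress.IPv4Address(sender_ip)))
        if bound is None:
            return ("block", "no binding for sender IP")
        if bound[0] != norm_mac(sender_mac):
            return ("block", f"IP bound to {bound[0]}")
        return ("permit", f"matches {bound[1]} binding")

def demo_table():
    """Constructed sample: one static client and one DHCP-learned client in VLAN 10."""
    t = BindingTable()
    t.add("192.168.10.50", "00:11:22:33:44:55", 10, "static")
    t.add("192.168.10.101", "66-77-88-99-AA-BB", 10, "dhcp-snooping")
    return t

if __name__ == "__main__":
    table = demo_table()
    print(table.check_arp(10, "192.168.10.50", "00-11-22-33-44-55"))
    print(table.check_arp(10, "192.168.10.50", "de:ad:be:ef:00:01"))
    print(table.check_arp(10, "192.168.10.200", "de:ad:be:ef:00:01"))
```

The third case is why a device with a manually set IP needs an allowed client entry: it has no DHCP-snooping binding, so its ARP packets are blocked on a protected port.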
How to configure the IP Source Guard?
Follow these steps:
- Navigate to Site-wide > Configure > Switch > Switch settings and enable IP source guard.
- Select the 📝 edit button on Protected ports. You are redirected to Site-wide > Configure > Switch > Switch ports, which is automatically filtered to display the selected ports.
  Note: Do NOT configure IPSG on an uplink port, as this may cause disconnection between the client device and Nebula.
- Enable IPSG protected on the desired ports.
  (Note: Avoid enabling IPSG protected if multiple devices are connected behind that port, such as a switch, AP, firewall, or a trusted DHCP server.)
- For trusted devices (e.g., printers, NAS) with static IPs, add them to the Allowed client list (Whitelist). There are two methods for inputting whitelist clients:
  - Method 1: Manual Input Client
    Click + Add client to define the IPv4 address, MAC address, and VLAN of the static client.
  - Method 2: Adding Existing Blocked/DHCP client
    Click the Run button on the switch Client table; a pop-up window shows the current client table. Select the DHCP-snooping or Block entries and click Transfer to add them to the allowed client list.
How to track the IPSG block record?
Navigate to Site-wide > Monitor > Switch > Event log, and search for the keyword “ARP Inspection” to track the events.
Notes:
- Correct Configuration Importance: Incorrect setup can affect network connectivity, so ensure that IP Source Guard is only enabled on ports connected to end devices.
- Network Security Enhancement: By using IP Source Guard, administrators can significantly improve network security, managing both DHCP and ARP packet authorization efficiently.
Kay