Source IP address spoofing is a common network attack. For example, an attacker impersonates an authorized user and sends IP packets to the server, or forges the source IP address of users for communication. As a result, authorized users cannot obtain network services, as shown in Figure 1-1.
To defend against IP/MAC spoofing attacks, you can enable DHCP snooping and configure IP source guard.
After DHCP snooping is enabled, the switch creates and maintains a DHCP snooping binding table. The binding table contains the IP address, MAC address, VLAN ID, and interface number. After IP source guard is configured, only the received packets that match entries in the binding table are forwarded. Otherwise, packets are discarded. See Figure 1-2.
Figure 1-2 Defense against IP/MAC spoofing attacks
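
The following is an added example, not vendor code or switch configuration: a simplified Python model of the binding-table check described above, showing which spoofed packets are discarded. The class and function names, addresses, VLAN IDs, and interface names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str

class SourceGuardSwitch:
    """Simplified model: DHCP snooping binding table + IP source guard check."""

    def __init__(self):
        self.bindings = set()

    def snoop_dhcp_ack(self, ip, mac, vlan, interface):
        # DHCP snooping records the lease together with where the client sits.
        self.bindings.add(Binding(ip, mac.lower(), vlan, interface))

    def check(self, src_ip, src_mac, vlan, interface):
        # Forward only when all four fields match one binding entry.
        pkt = Binding(src_ip, src_mac.lower(), vlan, interface)
        return "forward" if pkt in self.bindings else "discard"

def demo():
    sw = SourceGuardSwitch()
    # Constructed leases: two authorized users on separate access ports.
    sw.snoop_dhcp_ack("10.0.0.10", "00:11:22:33:44:55", 10, "GE0/0/1")
    sw.snoop_dhcp_ack("10.0.0.20", "00:11:22:33:44:66", 10, "GE0/0/2")
    # Constructed packets: (label, src_ip, src_mac, vlan, ingress interface).
    packets = [
        ("user A, genuine", "10.0.0.10", "00:11:22:33:44:55", 10, "GE0/0/1"),
        ("user B, genuine", "10.0.0.20", "00:11:22:33:44:66", 10, "GE0/0/2"),
        ("A's IP, B's MAC", "10.0.0.10", "00:11:22:33:44:66", 10, "GE0/0/2"),
        ("A's IP and MAC on B's port", "10.0.0.10", "00:11:22:33:44:55", 10, "GE0/0/2"),
        ("A's IP and MAC in another VLAN", "10.0.0.10", "00:11:22:33:44:55", 20, "GE0/0/1"),
        ("host with no binding entry", "10.0.0.99", "00:11:22:33:44:77", 10, "GE0/0/3"),
    ]
    return {label: sw.check(*fields) for label, *fields in packets}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:8} {label}")
```

Because the interface and VLAN ID are part of each entry, a packet that copies both the IP and MAC address of an authorized user is still discarded when it arrives on a different port or VLAN.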