IP Source Guard (IPSG) protect against

IP Source Guard (IPSG) is a security feature that restricts IP traffic on non-routed, Layer 2 interfaces by filtering traffic based on the source IP address and source MAC address of a packet. It is designed to prevent IP spoofing attacks where an attacker tries to use the IP address of a legitimate host to gain unauthorized access to the network.

Here's how IPSG protects against such attacks:

1. IP Address Verification: When a device is connected to a network, it sends an IP packet to the network. IPSG checks the source IP address and the source MAC address in the packet against a list of valid IP and MAC address bindings. This list is maintained in an IP source binding table.

2. Blocking Unauthorized Traffic: If the IP and MAC address are not in the IP source binding table, the packet is considered unauthorized and is blocked by IPSG. This prevents an attacker from sending packets with a spoofed IP address.

3. Dynamic Learning of IP and MAC Address Bindings: IPSG can dynamically learn the IP and MAC address bindings in two ways: through DHCP snooping if the host uses DHCP to obtain its IP address, or through manual configuration by the network administrator.

4. Integration with Other Security Features: IPSG works best when it is used in conjunction with other security features like DHCP snooping and Dynamic ARP Inspection (DAI). DHCP snooping builds the IP source binding table that IPSG uses, while DAI ensures that ARP packets are not spoofed.

In summary, IP Source Guard protects against IP spoofing attacks by verifying the source IP and MAC address of each packet and blocking unauthorized traffic.