Ip source guard, Limits and restrictions, Enabling ip source guard – Brocade BigIron RX Series Configuration Guide User Manual

Page 1171: Ip source guard 3, Displaying learned ip addresses

Advertising
background image

BigIron RX Series Configuration Guide

1093

53-1002484-04

IP source guard

36

IP source guard

You can use IP Source Guard together with Dynamic ARP Inspection on untrusted ports. Refer to

“DHCP snooping”

on page 1088 and

“Dynamic ARP inspection”

on page 1083.

IP source guard is used on client ports to prevent IP source address spoofing. Generally, IP source
guard is used together with DHCP snooping and Dynamic ARP Inspection on untrusted ports.

When IP source guard is first enabled, the client port allows only DHCP packets, and blocks all
other IP traffic. When the system learns a valid IP address on the port, the client port then allows IP
traffic. Client ports permit only the traffic with valid source IP addresses.

The system learns of a valid IP address from ARP. (For information on how the ARP table is
populated, refer to

“ARP entries”

on page 1085) When it learns a valid IP address, the system loads

a per-port IP ACL entry permitting the learned source IP address on the port.

When a new IP source entry binding on the port is created or deleted, the per-port IP ACL will be
recalculated and reapplied in hardware to reflect the change in IP source binding.

By default, if the IP source guard is enabled without any IP source binding on the port, an ACL that
denies all IP traffic is loaded on the port. Similarly, when the IP source guard is disabled, any IP
source per-port IP ACL will be removed from the interface.

Limits and restrictions

Current implementation with this feature has the following limitations:

Works only on routing and virtual interface ports, and does not support Layer 2 switching-only
ports in VLANs without an assigned IP address on the router.

Does not support auto-saving of the learnt ARP entries when DAI is enabled. You must
manually save the ARP entries before a reboot.

Does not provide CLI to disable check for source MAC and source IP in DAI.

Enabling IP source guard

DHCP Snooping should be configured before you enable the IP source guard feature.

The default setting is disabled. To enable IP source guard on an untrusted port, enter the following
commands.

BigIron RX(config)# interface ethernet 1/4

BigIron RX(config-if-e10000-1/4)# source guard enable

The commands change the CLI to the interface configuration level for port 1/4 and enable IP
source guard on the port.

Syntax: [no] source guard enable

Displaying learned IP addresses

To display all IP source bindings configured on all interfaces on a switch, enter a command such as
the following.

Advertising
Popular Brands
Popular manuals