Brocade ICX 6650 Security Configuration Guide

53-1002601-01

IP source guard

When IP Source Guard is first enabled, only DHCP packets are allowed and all other IP traffic is
blocked. The system learns valid IP addresses from DHCP Snooping. Once a valid IP address has
been learned, IP Source Guard permits IP traffic from that learned source IP address; traffic
from any other source IP address remains blocked.

When a new IP source entry binding on the port is created or deleted, the ACL will be recalculated
and reapplied in hardware to reflect the change in IP source binding. By default, if IP Source Guard
is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on
the port.
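The following model, added here as an illustration and not taken from the guide or from Brocade code, shows the behaviour described above: a freshly enabled port carries an ACL that permits only DHCP and denies all other IP traffic, every DHCP Snooping binding that is created or deleted triggers a recalculation of that ACL, and the per-port limit of 64 learned IP addresses stated later in this section is enforced. Port names, addresses and the rule representation are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DHCP_PORTS = {67, 68}   # UDP ports used by DHCP clients and servers
MAX_BINDINGS = 64       # per-port limit on learned IP addresses (from the guide)


@dataclass
class Packet:
    src_ip: str
    protocol: str = "tcp"   # "tcp" or "udp"
    dst_port: int = 0


@dataclass
class SourceGuardPort:
    """One IP Source Guard-enabled port. Bindings are supplied by DHCP Snooping."""
    name: str
    bindings: set = field(default_factory=set)   # learned valid source IPs
    acl: list = field(default_factory=list)      # rebuilt on every binding change

    def __post_init__(self):
        self._recalculate()

    def _recalculate(self):
        # DHCP is always permitted so that a client can obtain a lease at all.
        rules = [("permit", "dhcp", None)]
        # One permit per learned source IP, followed by the deny-all rule that
        # is the only IP rule present when no binding exists on the port.
        rules += [("permit", "ip", ip) for ip in sorted(self.bindings, key=IPv4Address)]
        rules.append(("deny", "ip", None))
        self.acl = rules

    def learn(self, ip):
        """DHCP Snooping created a binding on this port."""
        ip = str(IPv4Address(ip))
        if ip not in self.bindings and len(self.bindings) >= MAX_BINDINGS:
            raise ValueError(f"{self.name}: IP Source Guard limit of {MAX_BINDINGS} addresses reached")
        self.bindings.add(ip)
        self._recalculate()

    def forget(self, ip):
        """DHCP Snooping deleted a binding (lease expired or released)."""
        self.bindings.discard(str(IPv4Address(ip)))
        self._recalculate()

    def permits(self, pkt):
        """Evaluate the port ACL top-down; first matching rule decides."""
        for action, kind, ip in self.acl:
            if kind == "dhcp" and pkt.protocol == "udp" and pkt.dst_port in DHCP_PORTS:
                return action == "permit"
            if kind == "ip" and (ip is None or ip == pkt.src_ip):
                return action == "permit"
        return False
```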

Configuration notes and feature limitations for IP source guard

To run IP Source Guard, you must first enable support for ACL filtering based on VLAN
membership or VE port membership. To do so, enter the following commands at the Global
CONFIG Level of the CLI.

Brocade(config)# enable ACL-per-port-per-vlan
Brocade(config)# write memory
Brocade(config)# exit
Brocade# reload

NOTE

You must save the configuration and reload the software to place the change into effect.

Brocade devices support IP Source Guard together with IPv4 ACLs (similar to ACLs for Dot1x),
as long as both features are configured at the port-level or per-port-per-VLAN level. Brocade
devices do not support IP Source Guard and IPv4 ACLs on the same port if one is configured at
the port-level and the other is configured at the per-port-per-VLAN level.

IP Source Guard and IPv6 ACLs are supported together on the same device, as long as they are
not configured on the same port or virtual interface.

The following limitations apply when configuring IP Source Guard on Layer 3 devices:

- You cannot enable IP Source Guard on a tagged port on a Layer 3 device. To enable IP
  Source Guard on a tagged port, enable it on a per-VE basis.
- You cannot enable IP Source Guard on an untagged port with VE on a Layer 3 device. To
  enable IP Source Guard in this configuration, enable it on a per-VE basis.
- There are no restrictions for Layer 2, either on the port or per-VLAN.

You cannot enable IP Source Guard on a port that has any of the following features enabled:

- MAC address filter
- Rate limiting
- Trunk port
- 802.1x with ACLs
- Multi-device port authentication with ACLs

A port on which IP Source Guard is enabled limits the number of IP addresses, VLANs, and ACL
rules supported per port. An IP Source Guard port supports a maximum of:

- 64 IP addresses
- 64 VLANs
