Configuration Guide User guide

FastIron Configuration Guide 1943
53-1002494-02
IP source guard
When IP Source Guard is first enabled, only DHCP packets are allowed and all other IP traffic is
blocked. When the system learns a valid IP address, IP Source Guard then allows IP traffic, but only
traffic with a valid source IP address is permitted. The system learns valid IP addresses from
DHCP Snooping; each source IP address it learns is then permitted.
When a new IP source entry binding on the port is created or deleted, the ACL will be recalculated
and reapplied in hardware to reflect the change in IP source binding. By default, if IP Source Guard
is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on
the port.
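The behaviour described above (DHCP allowed from the start, every other source denied until DHCP Snooping supplies a binding, and the per-port ACL rebuilt on each binding add or delete) can be modelled in a few dozen lines. The following Python model is an added example, not Brocade code or output from a FastIron device: the port names, the classification of DHCP as UDP to ports 67/68, and the rule ordering inside the rebuilt ACL are assumptions made for the illustration.

```python
"""Model of the per-port ACL that IP Source Guard derives from DHCP Snooping
bindings. Constructed example (not Brocade code): DHCP is always permitted,
any other IP packet is permitted only if its source IP has a binding on the
ingress port, and the ACL is recomputed whenever a binding is added or removed.
"""
from dataclasses import dataclass, field

DHCP_UDP_PORTS = {67, 68}  # assumption: DHCP identified by UDP server/client ports


@dataclass(frozen=True)
class Packet:
    port: str          # ingress switch port, e.g. "1/1/5" (constructed name)
    src_ip: str
    proto: str         # "udp", "tcp", "icmp", ...
    dst_port: int = 0


@dataclass
class SourceGuard:
    enabled: set = field(default_factory=set)     # ports with IP Source Guard on
    bindings: dict = field(default_factory=dict)  # port -> set of learned source IPs
    acls: dict = field(default_factory=dict)      # port -> ordered (action, match) rules

    def enable(self, port):
        """Turn the feature on for a port; with no bindings the ACL denies all IP."""
        self.enabled.add(port)
        self.bindings.setdefault(port, set())
        self._rebuild(port)

    def learn(self, port, ip):
        """DHCP Snooping learned a valid lease for ip on this port."""
        self.bindings.setdefault(port, set()).add(ip)
        self._rebuild(port)

    def expire(self, port, ip):
        """Binding removed (lease released or expired); ACL is recalculated."""
        self.bindings.get(port, set()).discard(ip)
        self._rebuild(port)

    def _rebuild(self, port):
        # Recalculate the hardware ACL for the port from its current bindings.
        if port not in self.enabled:
            return
        rules = [("permit", "dhcp")]
        rules += [("permit", ip) for ip in sorted(self.bindings.get(port, ()))]
        rules.append(("deny", "any"))  # default: deny all other IP traffic
        self.acls[port] = rules

    def evaluate(self, pkt):
        """Return 'permit' or 'deny' for a packet entering pkt.port."""
        if pkt.port not in self.enabled:
            return "permit"  # feature not active on this port
        for action, match in self.acls[pkt.port]:
            if match == "dhcp":
                if pkt.proto == "udp" and pkt.dst_port in DHCP_UDP_PORTS:
                    return action
            elif match == "any" or match == pkt.src_ip:
                return action
        return "deny"


def demo():
    """Walk through enable -> learn -> expire on one port and return the verdicts."""
    g = SourceGuard()
    g.enable("1/1/5")
    dhcp = Packet("1/1/5", "0.0.0.0", "udp", 67)
    web = Packet("1/1/5", "10.0.0.20", "tcp", 80)
    verdicts = {"dhcp_before_binding": g.evaluate(dhcp),
                "web_before_binding": g.evaluate(web)}
    g.learn("1/1/5", "10.0.0.20")
    verdicts["web_after_binding"] = g.evaluate(web)
    verdicts["other_ip_after_binding"] = g.evaluate(Packet("1/1/5", "10.0.0.99", "tcp", 80))
    g.expire("1/1/5", "10.0.0.20")
    verdicts["web_after_expiry"] = g.evaluate(web)
    return verdicts


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `_rebuild` step is the part worth noticing: the port's ACL is regenerated from the whole binding set on every change rather than patched incrementally, which mirrors the guide's statement that the ACL is recalculated and reapplied in hardware whenever a binding is created or deleted.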
Configuration notes and feature limitations for IP source guard
To run IP Source Guard, you must first enable support for ACL filtering based on VLAN
membership or VE port membership. To do so, enter the following commands at the Global
CONFIG Level of the CLI.
Brocade(config)#enable ACL-per-port-per-vlan
Brocade(config)#write memory
Brocade(config)#exit
Brocade#reload
NOTE
You must save the configuration and reload the software to place the change into effect.
Brocade FWS and FCX devices do not support IP Source Guard and dynamic ACLs on the same
port.
Brocade devices support IP Source Guard together with IPv4 ACLs (similar to ACLs for Dot1x),
as long as both features are configured at the port-level or per-port-per-VLAN level. Brocade
devices do not support IP Source Guard and IPv4 ACLs on the same port if one is configured at
the port-level and the other is configured at the per-port-per-VLAN level.
IP Source Guard and IPv6 ACLs are supported together on the same device, as long as they are
not configured on the same port or virtual interface.
The following limitations apply when configuring IP Source Guard on Layer 3 devices:
You cannot enable IP Source Guard on a tagged port on a Layer 3 device. To enable IP
Source Guard on a tagged port, enable it on a per-VE basis.
You cannot enable IP Source Guard on an untagged port with VE on a Layer 3 device. To
enable IP Source Guard in this configuration, enable it on a per-VE basis.
There are no restrictions for Layer 2, either on the port or per-VLAN.
You cannot enable IP Source Guard on a port that has any of the following features enabled:
MAC address filter
Rate limiting
Trunk port
802.1x with ACLs
Multi-device port authentication with ACLs
A port on which IP Source Guard is enabled limits the support of IP addresses, VLANs, and ACL
rules per port. An IP Source Guard port supports a maximum of: