Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configuring IP Source Guard (non-ELS)

You can use the IP source guard access port security feature on EX Series switches to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, it ensures that the switch does not forward the packet—that is, the packet is discarded.

You enable the IP source guard feature on VLANs. You can enable it on a specific VLAN, on all VLANs, or on a VLAN range.

Note:

IP source guard applies only to access interfaces and only to untrusted interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or an interface set to dhcp-trusted, the CLI shows an error when you try to commit the configuration.

Note:

You can use IP source guard together with 802.1X user authentication in single supplicant, single-secure supplicant, or multiple supplicant mode.

While implementing 801.X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines:

  • If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.

  • If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.

Configuring IP Source Guard

Before you configure IP source guard, be sure that you have:

Explicitly enabled DHCP snooping on the specific VLAN or specific VLANs on which you will configure IP source guard. See Enabling DHCP Snooping (non-ELS). If you configure IP source guard on specific VLANs rather than on all VLANs, you must also enable DHCP snooping explicitly on those VLANs. Otherwise, the default value of no DHCP snooping applies to that VLAN.

To configure IP source guard:

  • On a specific VLAN:

  • On all VLANs:

  • On a VLAN range:

    1. Set the VLAN range:

    2. Associate an interface with the VLAN-range and set the port mode to access:

    3. Enable IP source guard on the VLAN:

To commit these changes to the active configuration, type the commit command at the user prompt.

Configuring IPv6 Source Guard

Before you configure IPv6 source guard, be sure that you have:

  • Explicitly enabled DHCPv6 snooping on the specific VLAN or specific VLANs on which you will configure IPv6 source guard. See Enabling DHCP Snooping (non-ELS). If you configure IPv6 source guard on specific VLANs rather than on all VLANs, you must also enable DHCPv6 snooping explcitly on those VLANs. Otherwise, the default value of no DHCPv6 snooping applies to that VLAN.

  • Set the maximum number of IPv6 source guard sessions:

    Note:

    After setting or changing the maximum number of IPv6 source guard sessions and committing the configuration, you must reboot the switch for the configuration to take effect.

To configure IPv6 source guard:

  • On a specific VLAN:

  • On all VLANs:

  • On a VLAN range:

    1. Set the VLAN range):

    2. Associate an interface with a VLAN-range and set the port mode to access:

    3. Enable IPv6 source guard on the VLAN:

To commit these changes to the active configuration, type the commit command at the user prompt.

Disabling IP Source Guard

You can disable IP source guard for a specific VLAN after you have enabled the feature for all VLANs, or for all VLANs.

  • To disable IP source guard on a specific VLAN:

  • To disable IP source guard on all VLANs:

Note:

Replace no-ip-source-guard with no-ipv6-source-guard to disable IPv6 source guard.

Related Documentation