Configuring IP Source Guard (ELS)
This task uses Junos OS with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switching device runs software that does not support ELS, see Configuring IP Source Guard (non-ELS). For ELS details, see Using the Enhanced Layer 2 Software CLI.
On EX9200 switches, IP source guard is not supported in an MC-LAG scenario.
You can use the IP source guard access port security feature to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, then IP source guard ensures that the switch does not forward the packet—that is, the packet is discarded.
You configure the IP source guard feature on a specific VLAN. When you configure IP source guard on a VLAN, the switch automatically enables DHCP snooping on that VLAN.
IPv6 source guard is supported on switches with support for DHCPv6 snooping. On these switches, configuring IP source guard or IPv6 source guard on a VLAN automatically enables DHCP snooping and DHCPv6 snooping on that VLAN.
Before you can configure IP source guard or IPv6 source guard on a VLAN, you must configure the VLAN. See the documentation that describes setting up basic bridging and a VLAN for your switch.
IP source guard and IPv6 source guard can be applied only to untrusted interfaces. Access interfaces are untrusted by default.
IP source guard and IPv6 source guard can be used together with 802.1X user authentication in single supplicant, single-secure supplicant, or multiple supplicant mode.
To configure IP source guard on a specific VLAN by using the CLI:
[edit vlans vlan-name forwarding-options dhcp-security] user@switch# set ip-source-guard
To configure IPv6 source guard on a specific VLAN by using the CLI:
[edit vlans vlan-name forwarding-options dhcp-security] user@switch# set ipv6-source-guard