Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 350
NOTE
You must save the configuration and reload the software to place the change into effect.
• Brocade FCX devices do not support IP Source Guard and dynamic ACLs on the same port.
• Brocade devices support IP Source Guard together with IPv4 ACLs (similar to ACLs for Dot1x), as long as both features are configured at the port level or both at the per-port-per-VLAN level. Brocade devices do not support IP Source Guard and IPv4 ACLs on the same port if one is configured at the port level and the other at the per-port-per-VLAN level.
• IP Source Guard and IPv6 ACLs are supported together on the same device, as long as they are not configured on the same port or virtual interface (VE).
• The following limitations apply when configuring IP Source Guard on Layer 3 devices:
‐ You cannot enable IP Source Guard on a tagged port on a Layer 3 device. To enable IP Source Guard on a tagged port, enable it on a per-VE basis.
‐ You cannot enable IP Source Guard on an untagged port with a VE on a Layer 3 device. To enable IP Source Guard in this configuration, enable it on a per-VE basis.
‐ There are no restrictions for Layer 2, either on the port or per VLAN.
• You cannot enable IP Source Guard on a port that has any of the following features enabled:
‐ MAC address filter
‐ Rate limiting
‐ Trunk port
‐ 802.1x with ACLs
‐ Multi-device port authentication
• Enabling IP Source Guard on a port caps the number of IP addresses, VLANs, and ACL rules that port supports. An IP Source Guard port supports a maximum of:
‐ 64 IP addresses. When IP Source Guard is enabled on a port, DHCP entries are limited to 64 IP addresses per port.
‐ 64 VLANs
‐ 64 rules per ACL
• The number of configured ACL rules affects the rate at which hardware resources are consumed when IP Source Guard is enabled. Use the show access-list hw-usage on command to enable hardware-usage reporting for ACLs, then use show access-list <access-list-id> to see the hardware usage of a specific ACL and of each of its rules:
device#show access-list hw-usage on
device#show access-list 100
Extended IP access list 100 (hw usage : 2)
deny ip any any (hw usage : 1)
To leave more hardware resources for IP Source Guard addresses, modify the ACL rules so that they use fewer hardware resources.
• If you enable IP Source Guard in a network topology that has DHCP clients, you must also enable DHCP snooping. Otherwise, all IP traffic, including DHCP packets, will be blocked.
• When you enable IP Source Guard in a network topology that does not have DHCP clients, you must create an IP source binding for each client that will be allowed access to the network. Otherwise, data packets will be blocked. Refer to Defining static IP source bindings on page 351.
• Source Guard Protection can run concurrently with multi-device port authentication.
• IP Source Guard is supported on a VE with or without an assigned IP address.
• IP Source Guard supports Multi-VRF (Virtual Routing and Forwarding) instances. For information, refer to the "Configuring Multi-VRF" chapter in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide.
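The hardware-usage display described above is the only tooling the guide offers for sizing ACLs on an IP Source Guard port. The following Python script is an added example, not from the guide or from Brocade: it parses show access-list output in the two-line format shown on this page (ACL header with its hw usage, then one rule per line with its hw usage) and flags any ACL whose rule count exceeds the 64-rule limit an IP Source Guard port supports. Handling several ACLs in one capture, the "Standard" header variant, and the rule wording in the sample are assumptions; the sample output is constructed, with ACL 101 made up to sit one rule over the limit.

```python
"""Audit FastIron 'show access-list' hardware-usage output against the
IP Source Guard per-port ACL rule limit.

Added example, not from the Brocade guide. The two-line output format is
taken from the page; everything beyond that (several ACLs in one capture,
standard ACLs, rule wording) is an assumption, and SAMPLE is constructed.
"""
import re
from dataclasses import dataclass, field

# Per-port limit stated in the guide: an IP Source Guard port supports
# at most 64 rules per ACL.
ISG_MAX_RULES_PER_ACL = 64

# Header line as printed on the page: "Extended IP access list 100 (hw usage : 2)"
# ("Standard" is an assumed variant.)
ACL_HEADER = re.compile(
    r"^(Standard|Extended) IP access list (\S+) \(hw usage : (\d+)\)$")
# Rule line as printed on the page: "deny ip any any (hw usage : 1)"
RULE_LINE = re.compile(r"^(.+?) \(hw usage : (\d+)\)$")


@dataclass
class AclUsage:
    name: str
    kind: str
    header_hw: int                               # usage printed on the ACL header
    rules: list = field(default_factory=list)    # (rule text, hw usage) pairs

    @property
    def rule_count(self) -> int:
        return len(self.rules)

    @property
    def rule_hw(self) -> int:
        return sum(hw for _, hw in self.rules)

    @property
    def exceeds_isg_limit(self) -> bool:
        return self.rule_count > ISG_MAX_RULES_PER_ACL


def parse_show_access_list(text: str) -> list:
    """Parse one or more ACL listings. Lines that match neither pattern
    (such as the echoed 'device#' prompt) are ignored."""
    acls = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            current = AclUsage(kind=m.group(1), name=m.group(2),
                               header_hw=int(m.group(3)))
            acls.append(current)
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            current.rules.append((m.group(1), int(m.group(2))))
    return acls


def heaviest_rules(acl: AclUsage, n: int = 3) -> list:
    """The rules to look at first when trimming an ACL's hardware footprint."""
    return sorted(acl.rules, key=lambda r: r[1], reverse=True)[:n]


def audit(acls: list) -> list:
    """One finding per ACL that an IP Source Guard port cannot carry."""
    findings = []
    for acl in acls:
        if acl.exceeds_isg_limit:
            findings.append(
                f"ACL {acl.name}: {acl.rule_count} rules exceed the "
                f"{ISG_MAX_RULES_PER_ACL}-rule limit on an IP Source Guard port "
                f"(hw usage {acl.rule_hw})")
    return findings


# Constructed sample: ACL 100 is the listing shown in the guide; ACL 101 is
# a made-up 65-rule ACL that sits one rule over the limit.
SAMPLE = (
    "device#show access-list 100\n"
    "Extended IP access list 100 (hw usage : 2)\n"
    "deny ip any any (hw usage : 1)\n"
    "device#show access-list 101\n"
    "Extended IP access list 101 (hw usage : 65)\n"
    + "\n".join(f"permit ip host 10.1.0.{i} any (hw usage : 1)"
                for i in range(1, 66))
    + "\n"
)

if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    for acl in parsed:
        print(f"{acl.kind} ACL {acl.name}: {acl.rule_count} rules, "
              f"rule hw usage {acl.rule_hw}, header hw usage {acl.header_hw}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Feed it the captured output of show access-list for each ACL bound to a port where you intend to enable IP Source Guard. Note that the header's hw usage (2 for ACL 100) is not the sum of its rule lines (1), so the script reports both figures rather than assuming they agree; the 64-rule check is on the rule count, which is the limit the guide states.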
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03