Brocade Communications Systems, Brocade ICX 6650 User Manual, page 315

Brocade ICX 6650 Security Configuration Guide
295
53-1002601-01
IP source guard
When IP Source Guard is first enabled, only DHCP packets are allowed and all other IP traffic is blocked. When the system learns a valid IP address, IP Source Guard then allows IP traffic, and only traffic with valid source IP addresses is permitted. The system learns valid IP addresses from DHCP Snooping; once it learns a valid IP address, the system permits traffic from that learned source IP address.
When a new IP source entry binding on the port is created or deleted, the ACL is recalculated and reapplied in hardware to reflect the change in IP source binding. By default, if IP Source Guard is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port.
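The learn-and-permit behaviour described above, as an added model written for this page (it is not Brocade code): a port starts with a deny-all ACL that only lets DHCP through, each binding learned from DHCP snooping adds a permit for that source address and triggers an ACL recalculation, removing a binding recalculates again, and the port refuses more than the 64 addresses that the limitations list on this page allows. The rule strings, packet fields and class name are assumptions.

```python
"""Illustrative model of IP Source Guard per-port filtering (not Brocade code)."""
from dataclasses import dataclass, field

MAX_BINDINGS_PER_PORT = 64  # per-port IP address limit stated in the guide


@dataclass
class IpSourceGuardPort:
    name: str
    bindings: set[str] = field(default_factory=set)  # source IPs learned from DHCP snooping
    acl: list[str] = field(default_factory=list)      # rule text is an assumption

    def __post_init__(self) -> None:
        self.recalculate_acl()  # no bindings yet: deny all IP traffic except DHCP

    def recalculate_acl(self) -> list[str]:
        """Rebuild the per-port ACL from the current bindings (mirrors the hardware reapply)."""
        rules = ["permit dhcp"]
        rules += [f"permit ip host {ip} any" for ip in sorted(self.bindings)]
        rules.append("deny ip any any")
        self.acl = rules
        return rules

    def learn_binding(self, ip: str) -> bool:
        """Add a binding learned from DHCP snooping; False once the 64-address cap is reached."""
        if ip not in self.bindings and len(self.bindings) >= MAX_BINDINGS_PER_PORT:
            return False
        self.bindings.add(ip)
        self.recalculate_acl()
        return True

    def remove_binding(self, ip: str) -> None:
        """Delete a binding (e.g. lease expired) and recalculate the ACL."""
        self.bindings.discard(ip)
        self.recalculate_acl()

    def permits(self, src_ip: str, is_dhcp: bool = False) -> bool:
        """Forwarding decision for an ingress packet, evaluated against the ACL in order."""
        for rule in self.acl:
            if rule == "permit dhcp" and is_dhcp:
                return True  # DHCP must pass so a client can obtain a lease and create a binding
            if rule == f"permit ip host {src_ip} any":
                return True
            if rule == "deny ip any any":
                return False
        return False
```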
Configuration notes and feature limitations for IP source guard
• To run IP Source Guard, you must first enable support for ACL filtering based on VLAN membership or VE port membership. To do so, enter the following commands at the Global CONFIG level of the CLI.
  Brocade(config)# enable ACL-per-port-per-vlan
  Brocade(config)# write memory
  Brocade(config)# exit
  Brocade# reload
  NOTE
  You must save the configuration and reload the software to place the change into effect.
• Brocade devices support IP Source Guard together with IPv4 ACLs (similar to ACLs for Dot1x), as long as both features are configured at the port level or at the per-port-per-VLAN level. Brocade devices do not support IP Source Guard and IPv4 ACLs on the same port if one is configured at the port level and the other is configured at the per-port-per-VLAN level.
• IP Source Guard and IPv6 ACLs are supported together on the same device, as long as they are not configured on the same port or virtual interface.
• The following limitations apply when configuring IP Source Guard on Layer 3 devices:
  - You cannot enable IP Source Guard on a tagged port on a Layer 3 device. To enable IP Source Guard on a tagged port, enable it on a per-VE basis.
  - You cannot enable IP Source Guard on an untagged port with VE on a Layer 3 device. To enable IP Source Guard in this configuration, enable it on a per-VE basis.
  - There are no restrictions for Layer 2, either on the port or per-VLAN.
• You cannot enable IP Source Guard on a port that has any of the following features enabled:
  - MAC address filter
  - Rate limiting
  - Trunk port
  - 802.1x with ACLs
  - Multi-device port authentication with ACLs
• A port on which IP Source Guard is enabled supports only a limited number of IP addresses, VLANs, and ACL rules. An IP Source Guard port supports a maximum of:
  • 64 IP addresses
  • 64 VLANs
