BigIron RX Series Configuration Guide 1011 53-1002253-01
IP source guard 35

IP source guard is used on client ports to prevent IP source address spoofing. Generally, IP source guard is used together with DHCP snooping and Dynamic ARP Inspection on untrusted ports.

When IP source guard is first enabled, the client port allows only DHCP packets and blocks all other IP traffic. When the system learns a valid IP address on the port, the client port then allows IP traffic. Client ports permit only the traffic with valid source IP addresses.

The system learns of a valid IP address from ARP. (For information on how the ARP table is populated, refer to “ARP entries” on page 1002.) When it learns a valid IP address, the system loads a per-port IP ACL entry permitting the learned source IP address on the port.

When a new IP source entry binding on the port is created or deleted, the per-port IP ACL will be recalculated and reapplied in hardware to reflect the change in IP source binding.

By default, if IP source guard is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port. Similarly, when IP source guard is disabled, any IP source per-port IP ACL will be removed from the interface.

Limits and restrictions

The current implementation of this feature has the following limitations:

• Works only on routing and virtual interface ports, and does not support Layer 2 switching-only ports in VLANs without an assigned IP address on the router.
• Does not support auto-saving of the learned ARP entries when DAI is enabled. You must manually save the ARP entries before a reboot.
• Does not provide a CLI to disable the check for source MAC and source IP in DAI.

Enabling IP source guard

DHCP snooping should be configured before you enable the IP source guard feature. The default setting is disabled.
To enable IP source guard on an untrusted port, enter the following commands.

BigIron RX(config)# interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)# source guard enable

The commands change the CLI to the interface configuration level for port 1/4 and enable IP source guard on the port.

Syntax: [no] source guard enable

Displaying learned IP addresses

To display all IP source bindings configured on all interfaces on a switch, enter a command such as the following.

Syntax: show ip source guard ethernet <port-num>

BigIron RX#show ip source guard eth 5/20
IP source guard on ethernet 5/20: Enabled
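The per-port ACL lifecycle described above (deny all IP except DHCP when enabled with no bindings, permit each learned source address, recalculate on every binding change, remove the ACL when disabled) can be modelled in a few lines. This is an added example, not Brocade code: the Packet and GuardedPort classes and the DHCP port check are assumptions that stand in for the switch hardware.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

DHCP_UDP_PORTS = {67, 68}   # DHCP server/client ports, always permitted


@dataclass
class Packet:               # constructed packet summary, not a real parser
    src_ip: str
    proto: str              # "udp", "tcp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class GuardedPort:
    name: str
    enabled: bool = False
    bindings: Set[str] = field(default_factory=set)  # learned source IPs
    acl: list = field(default_factory=list)          # derived per-port ACL

    def recalc_acl(self):
        """Rebuild the ACL from the current bindings: permit DHCP, permit
        each learned source IP, deny all other IP; disabled means no ACL."""
        if not self.enabled:
            self.acl = []
            return
        self.acl = [("permit", "dhcp", None)]
        self.acl += [("permit", "src", ip) for ip in sorted(self.bindings)]
        self.acl.append(("deny", "any", None))

    def set_enabled(self, on):   # 'source guard enable' / 'no source guard enable'
        self.enabled = on
        self.recalc_acl()

    def learn(self, ip):         # valid address learned from ARP
        self.bindings.add(ip)
        self.recalc_acl()

    def forget(self, ip):        # binding deleted: ACL recalculated
        self.bindings.discard(ip)
        self.recalc_acl()

    def permits(self, pkt):
        """First matching ACL entry decides; no ACL means no filtering."""
        for action, kind, arg in self.acl:
            dhcp = pkt.proto == "udp" and pkt.dst_port in DHCP_UDP_PORTS
            if ((kind == "dhcp" and dhcp) or kind == "any"
                    or (kind == "src" and pkt.src_ip == arg)):
                return action == "permit"
        return True
```

Running the model through enable, learn, forget and disable reproduces the states the text describes, including a spoofed source address being dropped while a learned one is forwarded.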