BigIron RX Series Configuration Guide 53-1001986-01

IP source guard

By default, if IP source guard is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port. Similarly, when IP source guard is disabled, any IP source per-port IP ACL is removed from the interface.

Limits and restrictions

The current implementation of this feature has the following limitations:

• Works only on routing and virtual interface ports, and does not support Layer 2 switching-only ports in VLANs without an assigned IP address on the router.
• Does not support auto-saving of the learned ARP entries when DAI is enabled. You must manually save the ARP entries before a reboot.
• Does not provide a CLI command to disable the check for source MAC and source IP in DAI.

Enabling IP source guard

DHCP snooping should be configured before you enable the IP source guard feature.

IP source guard is disabled by default. To enable IP source guard on an untrusted port, enter the following commands.

BigIron RX(config)# interface ethernet 1/4
BigIron RX(config-if-e10000-1/4)# source guard enable

The commands change the CLI to the interface configuration level for port 1/4 and enable IP source guard on the port.

Syntax: [no] source guard enable

Displaying learned IP addresses

To display all IP source bindings configured on all interfaces on a switch, enter a command such as the following.

BigIron RX#show ip source guard eth 5/20
IP source guard on ethernet 5/20: Enabled

Syntax: show ip source guard ethernet <port-num>
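The following is an added example, not code from the guide or from the device: a simplified Python model of the per-port filter described under "IP source guard", showing why the feature drops all IP traffic on a port until a binding exists and why DHCP snooping should be in place first. The class, function names, event format and addresses are assumptions made for illustration, as is the assumption that bindings arrive from DHCP snooping.

```python
# Simplified model of the per-port source filter (added example, not device code).
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Port:
    name: str
    source_guard: bool = False
    bindings: set = field(default_factory=set)  # source IPs bound to this port

    def acl(self):
        """Return the per-port ACL as (action, source) rules, or None if none is loaded."""
        if not self.source_guard:
            return None                          # disabled: ACL removed from the interface
        rules = [("permit", ip) for ip in sorted(self.bindings)]
        rules.append(("deny", "any"))            # with no bindings this is the only rule
        return rules

    def forwards(self, src: str) -> bool:
        """A packet passes if no ACL is loaded or a permit rule matches its source."""
        acl = self.acl()
        if acl is None:
            return True
        return ("permit", IPv4Address(src)) in acl  # otherwise the final deny applies


def replay(port, events):
    """Apply constructed events in order and record the verdict for each packet."""
    verdicts = []
    for kind, value in events:
        if kind == "packet":
            verdicts.append((value, "forward" if port.forwards(value) else "drop"))
        elif kind == "bind":                     # assumed to come from DHCP snooping
            port.bindings.add(IPv4Address(value))
        else:                                    # "enable" or "disable"
            port.source_guard = (kind == "enable")
    return verdicts


# Constructed sequence for port 1/4 (documentation-range sample addresses).
EVENTS = [("enable", None), ("packet", "192.0.2.10"),   # no binding yet: dropped
          ("bind", "192.0.2.10"), ("packet", "192.0.2.10"),
          ("packet", "192.0.2.99"),                      # source not bound: dropped
          ("disable", None), ("packet", "192.0.2.99")]

if __name__ == "__main__":
    for src, verdict in replay(Port("ethernet 1/4"), EVENTS):
        print(src, verdict)
```

The first packet in the sequence is dropped even though it comes from a legitimate host, which is the outage an operator sees when source guard is enabled on a port before any binding has been learned.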