Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Configuring IP Source Guard (CLI Procedure)

You can use the IP source guard access port security feature on EX Series switches to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, it ensures that the switch does not forward the packet—that is, the packet is discarded.

You enable the IP source guard feature on VLANs. You can enable it on a specific VLAN, on all VLANs, or on a VLAN range.

Note: IP source guard applies only to access interfaces and only to untrusted interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or an interface set to dhcp-trusted, the CLI shows an error when you try to commit the configuration.

Note: You can use IP source guard together with 802.1X user authentication in single supplicant, single-secure supplicant or multiple supplicant mode.

If you are implementing 801.X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines:

  • If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.
  • If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.

Before you configure IP source guard, be sure that you have:

Explicitly enabled DHCP snooping on the specific VLAN or specific VLANs on which you will configure IP source guard. See Enabling DHCP Snooping (CLI Procedure). If you configure IP source guard on specific VLANs rather than on all VLANs, you must also enable DHCP snooping explcitly on those VLANs. Otherwise, the default value of no DHCP snooping applies to that VLAN.

To enable IP source guard on a VLAN, all VLANs, or a VLAN range (a series of tagged VLANs) by using the CLI:

Note: Replace values displayed in italics with values for your configuration.

  • On a specific VLAN:
    [edit ethernet-switching-options secure-access port]
    user@switch#set vlan default ip-source-guard
  • On all VLANs:
    [edit ethernet-switching-options secure-access port]
    user@switch# set vlan all ip-source-guard

  • On a VLAN range:
    1. Set the VLAN range (the VLAN name is employee):
      [edit vlans]
      user@switch# set employeevlan-range 100-101

    2. Associate an interface with a VLAN-range number (100 in the following example) and set the port mode to access:
      [edit interfaces]
      user@switch# set ge-0/0/6 unit 0 family ethernet-switching port-mode access vlan members100

    3. Enable IP source guard on the VLAN employee:
      [edit ethernet-switching-options secure-access port]
      user@switch# set vlan employee ip-source-guard

Note: You can use the no-ip-source-guard statement to disable IP source guard for a specific VLAN after you have enabled the feature for all VLANs.

To view results of the configuration steps before committing the configuration, type the show command at the user prompt.

To commit these changes to the active configuration, type the commit command at the user prompt.

 

Related Documentation

 

Published: 2014-04-23

Previous Page Next Page