ip-source-guard
Syntax
ip-source-guard;
Hierarchy Level
For platforms with ELS:
[edit vlans vlan-name forwarding-options dhcp-security]
For platforms without ELS:
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Description
Perform IP source guard checking on packets sent from access interfaces. Validate source IP addresses and source MAC addresses on all VLANs or on the specified VLAN or VLAN range. Forward packets with valid addresses and drop those with invalid addresses.
ip-source-guard—Enable IP source guard checking.no-ip-source-guard—(Not available in[edit vlans vlan-name forwarding-options dhcp-security]) Disable IP source guard checking.
If you configure IP source guard at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level:
IP source guard can be configured only for a specific VLAN, not for a list or a range of VLAN IDs.
DHCP snooping is automatically enabled.
See Configuring IP Source Guard (ELS) for more information about this configuration.
If you configure IP source guard at the [edit ethernet-switching-options secure-access-port
vlan (all | vlan-name] hierarchy level:
You must enable DHCP snooping on all VLANs if you configure IP source guard on all VLANs.
You must enable DHCP snooping for the specific VLAN if you configure IP source guard on that specific VLAN. Otherwise, the default behavior of no DHCP snooping applies to that VLAN.
See Enabling DHCP Snooping (non-ELS) for more information about this configuration.
On EX9200 switches, IP source guard is not supported in an MC-LAG scenario.
Default
Disabled.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.2.
Hierarchy level [edit vlans vlan-name forwarding-options dhcp-security] introduced in Junos OS Release 13.2X50-D10. (See Using the Enhanced Layer
2 Software CLI for information about ELS.)