Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

ip-source-guard

Syntax

Hierarchy Level

  • For platforms with ELS:

  • For platforms without ELS:

Description

Perform IP source guard checking on packets sent from access interfaces. Validate source IP addresses and source MAC addresses on all VLANs or on the specified VLAN or VLAN range. Forward packets with valid addresses and drop those with invalid addresses.

  • ip-source-guard—Enable IP source guard checking.

  • no-ip-source-guard—(Not available in [edit vlans vlan-name forwarding-options dhcp-security]) Disable IP source guard checking.

If you configure IP source guard at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level:

  • IP source guard can be configured only for a specific VLAN, not for a list or a range of VLAN IDs.

  • DHCP snooping is automatically enabled.

See Configuring IP Source Guard (ELS) for more information about this configuration.

If you configure IP source guard at the [edit ethernet-switching-options secure-access-port vlan (all | vlan-name] hierarchy level:

  • You must enable DHCP snooping on all VLANs if you configure IP source guard on all VLANs.

  • You must enable DHCP snooping for the specific VLAN if you configure IP source guard on that specific VLAN. Otherwise, the default behavior of no DHCP snooping applies to that VLAN.

See Enabling DHCP Snooping (non-ELS) for more information about this configuration.

Note:

On EX9200 switches, IP source guard is not supported in an MC-LAG scenario.

Default

Disabled.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 9.2.

Hierarchy level [edit vlans vlan-name forwarding-options dhcp-security] introduced in Junos OS Release 13.2X50-D10. (See Using the Enhanced Layer 2 Software CLI for information about ELS.)