IP Source Guard

You can use IP Source Guard together with Dynamic ARP Inspection on untrusted ports.

The Ruckus implementation of the IP Source Guard technology supports configuration on a port, specific VLAN memberships on a port (Layer 2 devices only), and specific ports on a Virtual Ethernet (VE) interface (Layer 3 devices only).

When IP Source Guard is first enabled, only DHCP packets are allowed, while all other IP traffic is blocked. IP Source Guard allows IP traffic once the system learns valid IP addresses, and only traffic with a valid source IP address is permitted. The system learns valid IP addresses from DHCP snooping and permits each source IP address it has learned this way.

When an IP source binding entry is created or deleted on the port, the ACL is recalculated and reapplied in the hardware to reflect the change in IP source bindings. By default, if IP Source Guard is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port.
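
The behavior described above can be followed step by step in a small model. This is an added example, not Ruckus code: the class and method names, the port name, the addresses, and the rule that treats UDP destination port 67 as DHCP are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str = "tcp"
    dst_port: int = 0


@dataclass
class GuardedPort:
    """Simplified model of one untrusted port with IP Source Guard enabled."""
    name: str
    bindings: set = field(default_factory=set)
    acl: list = field(default_factory=list)
    reprogrammed: int = 0  # how many times the ACL was rebuilt and reapplied

    def __post_init__(self):
        self._recalculate()  # enabling with no bindings loads the deny-all ACL

    def _recalculate(self):
        # Rebuild the whole ACL, as happens on every binding change.
        self.acl = [("permit", "dhcp")]
        self.acl += [("permit", str(ip)) for ip in sorted(self.bindings)]
        self.acl.append(("deny", "any"))
        self.reprogrammed += 1

    def add_binding(self, ip):
        """Binding learned from DHCP snooping."""
        self.bindings.add(IPv4Address(ip))
        self._recalculate()

    def delete_binding(self, ip):
        """Binding removed from the table."""
        self.bindings.discard(IPv4Address(ip))
        self._recalculate()

    def permits(self, pkt):
        # First matching rule wins; the last rule is always "deny any".
        is_dhcp = pkt.proto == "udp" and pkt.dst_port == 67  # assumed DHCP match
        for action, match in self.acl:
            if match == "dhcp" and is_dhcp:
                return True
            if match == str(IPv4Address(pkt.src_ip)):
                return True
            if match == "any":
                return action == "permit"
        return False
```

A host that sets its own static address on a guarded port never gets a binding in this model, so its traffic stays blocked until an address is learned for it.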