Configuration notes and feature limitations for IP Source Guard

The following configuration notes and feature limitations apply to IP Source Guard:

  • IP Source Guard is supported on LAGs and functions across reload.
  • Brocade ICX devices do not support IP Source Guard and dynamic ACLs on the same port.
  • Ruckus devices support IP Source Guard with IPv4 ACLs (similar to ACLs for dot1x), as long as both features are configured at the port level or per-port-per-VLAN level. Ruckus devices do not support IP Source Guard and IPv4 ACLs on the same port if one is configured at the port level and the other is configured at the per-port-per-VLAN level.
  • IP Source Guard and IPv6 ACLs are supported together on the same device, as long as they are not configured on the same port or virtual interface.
  • The following limitations apply when configuring IP Source Guard on Layer 3 devices:
    • You cannot enable IP Source Guard on a tagged port with a VE on a Layer 3 device. To enable IP Source Guard on a tagged port, enable it on a per-VE basis.
    • You cannot enable IP Source Guard on an untagged port with a VE on a Layer 3 device. To enable IP Source Guard in this configuration, enable it on a per-VE basis.
    • No such restrictions exist for Layer 2 at the port or per-VLAN level.
  • You cannot enable IP Source Guard on a port that has any of the following features enabled:
    • MAC address filter
    • Rate limiting
    • 802.1x with ACLs
    • MAC authentication
  • A port on which IP Source Guard is enabled limits the support of IP addresses, VLANs, and ACL rules per port. An IP Source Guard port supports the following maximums:
    • 64 IP addresses (When IP Source Guard is enabled on a port, DHCP entries are limited to 64 IP addresses per port.)
    • 64 VLANs
    • 64 rules per ACL
  • You can enable IP Source Guard on a range of ports within a given slot only. Enabling IP Source Guard across multiple slots is not supported.
  • The number of configured ACL rules affects the rate at which hardware resources are consumed when IP Source Guard is enabled. Use the show access-list hw-usage on command to enable the display of hardware usage for ACLs, followed by the show access-list access-list-id command to determine the hardware usage of a specific ACL. Modifying the ACL rules so that they consume fewer hardware entries makes more hardware resources available for IP Source Guard addresses. For example:

    device# show access-list hw-usage on
    device# show access-list 100
    Extended IP access list 100 (hw usage : 2)
    deny ip any any (hw usage : 1)
  • If you enable IP Source Guard in a network topology that has DHCP clients, you must also enable DHCP snooping. If you do not enable DHCP snooping, all IP traffic, including DHCP packets, is blocked.
  • When you enable IP Source Guard in a network topology that does not have DHCP clients, you must create an IP source binding for each client that is allowed access to the network. Data packets are blocked if you do not create an IP source binding for each client.
  • IP Source Guard protection enables concurrent support with MAC authentication.
  • IP Source Guard is supported on a VE with or without an assigned IP address.
  • IP Source Guard supports multi-VRF instances.
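The hardware-usage note above is easiest to act on with a small pre-flight check over the captured show access-list output. The following script is an added example, not part of this documentation or the device software; it assumes the output keeps the shape shown in the example above (the "Standard" header variant and the sample ACL lines are constructed assumptions) and checks each ACL against the 64-rules-per-ACL limit that applies on an IP Source Guard port.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of "show access-list" output captured after
# "show access-list hw-usage on". Assumption: real output follows the
# same line shape as the example in the notes above.
SAMPLE_OUTPUT = """\
Extended IP access list 100 (hw usage : 2)
deny ip any any (hw usage : 1)
Extended IP access list 101 (hw usage : 4)
permit tcp any host 10.1.1.1 eq 22 (hw usage : 1)
permit udp any any eq 53 (hw usage : 1)
deny ip any any (hw usage : 1)
"""

MAX_RULES_PER_ACL = 64  # limit stated for an IP Source Guard port

# "Standard" is an assumed alternative header wording; the page shows "Extended".
HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+) \(hw usage : (\d+)\)")
RULE_RE = re.compile(r"^(permit|deny)\b.*\(hw usage : (\d+)\)")


@dataclass
class AclUsage:
    acl_id: str
    total_hw: int                                   # value on the ACL header line
    rules: List[int] = field(default_factory=list)  # per-rule hw usage values


def parse_hw_usage(text: str) -> Dict[str, AclUsage]:
    """Collect ACL ids, header hw usage and per-rule hw usage from show output."""
    acls: Dict[str, AclUsage] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            current = AclUsage(m.group(1), int(m.group(2)))
            acls[current.acl_id] = current
        elif (m := RULE_RE.match(line)) and current is not None:
            current.rules.append(int(m.group(2)))
    return acls


def acls_exceeding_rule_limit(acls: Dict[str, AclUsage], limit: int = MAX_RULES_PER_ACL) -> List[str]:
    """ACL ids with more rules than an IP Source Guard port supports."""
    return [a.acl_id for a in acls.values() if len(a.rules) > limit]


def total_hw_usage(acls: Dict[str, AclUsage]) -> int:
    """Sum of header-line hw usage across all ACLs, i.e. entries not left for IP Source Guard."""
    return sum(a.total_hw for a in acls.values())
```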