The following provides a list of guidelines to follow if you use IP Source Guard (IPSG):
You can enable IP Source Guard (IPSG) only on a port that is DHCP Snooping and Dynamic ARP Inspection untrusted.
The port must be a member of a VLAN. DHCP Snooping must be enabled globally and on the VLAN. You must also enable Dynamic ARP Inspection on the same VLAN.
You cannot enable IPSG on MLT, SMLT, DMLT or LAG ports.
You cannot enable IPSG on a brouter port.
You cannot enable IPSG on ports that are members of a private VLAN.
You cannot remove a port that is IPSG-enabled from a VLAN. Similarly, you cannot delete a VLAN that has at least one port that is IPSG-enabled.
A maximum of 10 IP addresses are allowed on each IPSG-enabled port. Correspondingly, a maximum of 10 IP filters are automatically created for each of those ports. When this number is reached, no more filters are set up and all traffic is dropped.
For more information about the supported number of IP filters on each platform, see VOSS Release Notes.
On VSP 4900 Series, IPv6 Security Filters and IPv6 Source Guard cannot coexist with Application Telemetry:
If there are IPv6 Security Filters or IPv6 Source Guard configurations on the system, the switch blocks you from enabling Application Telemetry.
If you do enable Application Telemetry, the switch blocks you from configuring IPv6 Security Filters or IPv6 Source Guard.