You can enable IP Source Guard (IPSG) only on a port that is DHCP Snooping and Dynamic ARP Inspection untrusted.
The port must be a member of a VLAN. DHCP Snooping must be enabled globally and on the VLAN. You must also enable Dynamic ARP Inspection on the same VLAN.
You cannot enable IPSG on MLT, SMLT, DMLT or LAG ports.
You cannot enable IPSG on a brouter port.
You cannot enable IPSG on ports that are members of a private VLAN.
You cannot remove a port that is IPSG enabled from a VLAN. Similarly, you cannot delete a VLAN that has at least one port that is IPSG enabled.
A maximum of 10 IP addresses are allowed on each IPSG enabled port. Correspondingly, a maximum of 10 IP filters are automatically created for each of those ports. When this number is reached, no more filters are set up and all traffic is dropped.
On the switch, the total number of IP filters must not exceed 256. This limit includes both IP filters that are automatically created on IPSG ports and the manually created ACLs.
IPv6 Security Filters and IPv6 Source Guard cannot coexist with Application Telemetry:
If there are IPv6 Security Filters or IPv6 Source Guard configurations on the system, the switch blocks you from enabling Application Telemetry.
If you do enable Application Telemetry, the switch blocks you from configuring IPv6 Security Filters or IPv6 Source Guard.
Note
This restriction applies to the VSP 4450 Series, VSP 7200 Series, and VSP 8000 Series platforms only.