Enable IP Source Guard on a Port for IPv4 Addresses

About this task

Enable IP Source Guard (IPSG) to add a higher level of security to a desired port by preventing IP spoofing. When you enable IPSG on the interface, filters are installed for IPv4 addresses that are already learned on that interface.

Before you begin

Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise, the system displays error messages.

  • DHCP Snooping is enabled globally.

  • The port on which you want to enable IPSG is a member of a VLAN that is configured with both DHCP Snooping and Dynamic ARP Inspection.

  • The port is an untrusted port enabled with both DHCP Snooping and Dynamic ARP Inspection.

  • The port has enough resources allocated to support the maximum number of 10 IP addresses allowed for IPSG.

Procedure

  1. In the navigation pane, expand Configuration > IP.
  2. Click Source Guard.
  3. Click the IP Source Guard-port tab.
  4. Double-click the Mode field
  5. Select ip from the list, to enable IPSG.
  6. Repeat the steps above to configure IPSG on additional ports.
  7. Click Apply to save your changes.
  8. Click Refresh to update the IP Source Guard-port tab.

IP Source Guard-port field descriptions

Use the data in the following table to use the IP Source Guard-port tab.

Name

Description

Port

Identifies the port on which to enable IPSG.

Mode

Displays whether IPSG is enabled on the port.

The default is disabled.

Origin

Specifies the origin of Source Guard configuration on the port. The supported values are:

  • config - Set by the user.

  • radius - Set by the Remote Authentication Dial-In User Service (RADIUS) attribute.