Dell FCX624-E Laptop User Manual


PowerConnect B-Series FCX Configuration Guide 1361
53-1002266-01
IP source guard
39
When a new IP source entry binding on the port is created or deleted, the ACL will be recalculated
and reapplied in hardware to reflect the change in IP source binding. By default, if IP Source Guard
is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on
the port.
Configuration notes and feature limitations
• To run IP Source Guard, you must first enable support for ACL filtering based on VLAN
  membership or VE port membership. To do so, enter the following commands at the Global
  CONFIG Level of the CLI.
PowerConnect(config)#enable ACL-per-port-per-vlan
PowerConnect(config)#write memory
PowerConnect(config)#exit
PowerConnect#reload
NOTE
You must save the configuration and reload the software for the change to take effect.
• PowerConnect B-Series FCX devices do not support IP Source Guard and dynamic ACLs on the
  same port.
• Dell PowerConnect devices support IP Source Guard together with IPv4 ACLs (similar to ACLs
  for Dot1x), as long as both features are configured at the port-level or per-port-per-VLAN level.
  Dell PowerConnect devices do not support IP Source Guard and IPv4 ACLs on the same port if
  one is configured at the port-level and the other is configured at the per-port-per-VLAN level.
• IP Source Guard and IPv6 ACLs are supported together on the same device, as long as they are
  not configured on the same port or virtual interface.
• The following limitations apply when configuring IP Source Guard on Layer 3 devices:
  - You cannot enable IP Source Guard on a tagged port on a Layer 3 device. To enable IP
    Source Guard on a tagged port, enable it on a per-VE basis.
  - You cannot enable IP Source Guard on an untagged port with VE on a Layer 3 device. To
    enable IP Source Guard in this configuration, enable it on a per-VE basis.
  - There are no restrictions for Layer 2, either on the port or per-VLAN.
• You cannot enable IP Source Guard on a port that has any of the following features enabled:
  - MAC address filter
  - Rate limiting
  - Trunk port
  - 802.1x with ACLs
  - Multi-device port authentication with ACLs
• A port on which IP Source Guard is enabled limits the support of IP addresses, VLANs, and ACL
  rules per port. An IP Source Guard port supports a maximum of:
  - 64 IP addresses
  - 64 VLANs
  - 64 rules per ACL
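
The restrictions and limits above can be checked before a change window. The following pre-flight check is an added example, not part of the Dell guide or the device software; the Port record, its field names, the feature labels and the sample ports are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

LIMIT = 64  # per-port maximum from this page: IP addresses, VLANs, rules per ACL
# Feature labels are hypothetical names for the five features listed on this page.
BLOCKING = {"mac-filter", "rate-limit", "trunk", "dot1x-acl", "mdpa-acl"}

@dataclass
class Port:  # hypothetical inventory record, not a device data structure
    name: str
    layer3: bool = False          # port is on a Layer 3 device
    tagged: bool = False
    has_ve: bool = False          # untagged port with a VE
    isg_scope: str = "port"       # where IP Source Guard is enabled: "port", "vlan" or "ve"
    ipv4_acl_scope: str = ""      # "", "port" or "vlan"
    ipv6_acl: bool = False
    dynamic_acl: bool = False
    acl_rules: int = 0
    features: set = field(default_factory=set)
    bindings: list = field(default_factory=list)  # (ip, vlan) tuples

def check_port(p):
    """Return findings that apply to enabling IP Source Guard on port p."""
    out = [f"conflict:{f}" for f in sorted(p.features & BLOCKING)]
    if p.dynamic_acl:
        out.append("conflict:dynamic-acl")
    if p.ipv6_acl:
        out.append("conflict:ipv6-acl")
    if {p.isg_scope, p.ipv4_acl_scope} == {"port", "vlan"}:
        out.append("conflict:ipv4-acl-scope-mismatch")
    if p.layer3 and p.isg_scope == "port" and (p.tagged or p.has_ve):
        out.append("layer3:enable-per-ve")
    counts = {"ip": len({ip for ip, _ in p.bindings}),
              "vlan": len({vl for _, vl in p.bindings}),
              "acl-rule": p.acl_rules}
    out += [f"limit:{k}" for k, n in counts.items() if n > LIMIT]
    if not p.bindings:
        out.append("warn:no-bindings-deny-all")  # default ACL denies all IP traffic
    return out

# Constructed sample ports, not taken from a real device.
PORTS = [
    Port("1/1/1", bindings=[("10.0.0.5", 10)]),
    Port("1/1/2", features={"rate-limit", "trunk"}),
    Port("1/1/3", layer3=True, tagged=True, ipv4_acl_scope="vlan",
         bindings=[(f"10.1.0.{i}", 20) for i in range(1, 66)]),
]

if __name__ == "__main__":
    for port in PORTS:
        print(port.name, check_port(port) or "ok")
```

An empty list means none of the restrictions on this page apply; the warn:no-bindings-deny-all finding flags a port that would drop all IP traffic once IP Source Guard is enabled.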