Switching


how to disable ip-source-guard in some interfaces

  • 1.  how to disable ip-source-guard in some interfaces

    Posted 07-07-2021 06:40
    We only want to enable "ip-source-guard" in one specific interface in a VLAN. Could we do it? In old non-ELS switches, only interfaces configured with this knob apply the security check, but when migrating to new ELS switches we found the behaviour has changed.

    ELS switches configuration:
    lab# show vlans
    vlan100 {
        vlan-id 100;
        l3-interface irb.100;
        forwarding-options {
            dhcp-security {
                ip-source-guard;
                group test {
                    interface ge-0/0/6.0 {
                        static-ip 192.168.100.100 mac 84:b5:9c:ce:b9:4d;
                    }
                }
            }
        }
    }

    In the above configuration we found that other interfaces discard all traffic because the traffic does not hit an entry in the white list; we think this is because they are all in the untrusted role, since "ip-source-guard" is configured in this VLAN. How could we put other interfaces in the trusted role or disable "ip-source-guard" in other interfaces? Thanks for your support.


  • 2.  RE: how to disable ip-source-guard in some interfaces

    Posted 07-07-2021 06:55
    You could make a group under dhcp-security and put that interface under it. Then use some override knobs to do this. Or make a static source binding there and under the VLAN config.


  • 3.  RE: how to disable ip-source-guard in some interfaces

    Posted 07-07-2021 09:21
    I see you did this already. Is that host getting its IP via DHCP, or is it hard-coded?