Switching


how to disable ip-source-guard in some interfaces

  • 1.  how to disable ip-source-guard in some interfaces

    Posted 17 days ago
    We only want to enable "ip-source-guard" on one specific interface in a VLAN. Could we do it? On old non-ELS switches, only interfaces configured with this knob apply the security check, but when migrating to new ELS switches we found the behaviour has changed.

    ELS switches configuration:
    lab# show vlans
    vlan100 {
        vlan-id 100;
        l3-interface irb.100;
        forwarding-options {
            dhcp-security {
                ip-source-guard;
                group test {
                    interface ge-0/0/6.0 {
                        static-ip 192.168.100.100 mac 84:b5:9c:ce:b9:4d;
                    }
                }
            }
        }
    }

    In the above configuration we found that other interfaces discard all traffic because the traffic does not hit an entry in the white list. We think this is because they are all in the untrusted role, since "ip-source-guard" is configured in this VLAN. How could we put other interfaces in the trusted role or disable "ip-source-guard" on other interfaces? Thanks for your support.


  • 2.  RE: how to disable ip-source-guard in some interfaces

    Posted 17 days ago
    You could make a group under dhcp-security and put that interface under it. Then use some override knobs to do this. Or make a static source binding there and under the vlan config.


  • 3.  RE: how to disable ip-source-guard in some interfaces

    Posted 17 days ago
    I see you did this already. Is that host getting its ip via dhcp or hard-coded?
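
An added example, not part of any post in this thread: a pre-change audit that reads a configuration in `display set` form and reports, for each VLAN with ip-source-guard enabled, which member ports have a static binding, which sit in a trusted group, and which will pass traffic only if a DHCP-learned binding exists. The ports ge-0/0/7 and ge-0/0/8, the `uplinks` group, and the premise that `overrides trusted` exempts a port from the check are assumptions; `interface-range` and `members all` are not handled.

```python
import re

# Constructed sample in "display set" form, modelled on the VLAN in the question.
# ge-0/0/7, ge-0/0/8 and the "uplinks" group with "overrides trusted" are assumptions.
SAMPLE = """\
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan100
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan100
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan100
set vlans vlan100 forwarding-options dhcp-security ip-source-guard
set vlans vlan100 forwarding-options dhcp-security group test interface ge-0/0/6.0 static-ip 192.168.100.100 mac 84:b5:9c:ce:b9:4d
set vlans vlan100 forwarding-options dhcp-security group uplinks overrides trusted
set vlans vlan100 forwarding-options dhcp-security group uplinks interface ge-0/0/8.0
"""

MEMBER = re.compile(r"set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)")
DHCPSEC = re.compile(r"set vlans (\S+) forwarding-options dhcp-security (.+)")
GROUP = re.compile(r"group (\S+) (.+)")

def audit(config):
    """Return {vlan: {port: status}} for every VLAN with ip-source-guard enabled."""
    members, guarded, trusted_groups, group_ports, static = {}, set(), set(), {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := MEMBER.fullmatch(line):
            members.setdefault(m[3], []).append(f"{m[1]}.{m[2]}")
        elif m := DHCPSEC.fullmatch(line):
            vlan, rest = m[1], m[2]
            if rest == "ip-source-guard":
                guarded.add(vlan)
            elif g := GROUP.fullmatch(rest):
                key, stmt = (vlan, g[1]), g[2].split()
                if stmt == ["overrides", "trusted"]:
                    trusted_groups.add(key)
                elif stmt[0] == "interface" and len(stmt) > 1:
                    group_ports.setdefault(key, set()).add(stmt[1])
                    if "static-ip" in stmt:
                        static.add((vlan, stmt[1]))
    report = {}
    for vlan in sorted(guarded):
        trusted = {p for k in trusted_groups if k[0] == vlan for p in group_ports.get(k, ())}
        report[vlan] = {
            p: "trusted" if p in trusted
            else "static-binding" if (vlan, p) in static
            else "needs-dhcp-binding"
            for p in members.get(vlan, [])
        }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Ports reported as `needs-dhcp-binding` are the ones that drop traffic from hard-coded hosts once the VLAN-level knob is committed. Marking an access port trusted also removes DHCP snooping protection on it, so that status deserves review rather than blanket use.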