This section describes how to configure IP Source Guard to add a higher level of security to a port or ports by preventing IP spoofing.
Avaya recommends that you do not enable IP Source Guard on trunk ports.
Avaya recommends that you carefully manage the number of applications running on the Ethernet Routing Switch 8300 that use filters. For example, if you configure NSNA on ports and attempt to configure IP Source Guard on those same ports, the IP Source Guard configuration can fail due to the limited number of filters available.
Hardware resources can run out if IP Source Guard is enabled on trunk ports that carry a large number of VLANs with DHCP snooping enabled. If this happens, traffic can be interrupted for some clients. Avaya recommends that you do not enable IP Source Guard on trunk ports.
Before you can configure IP Source Guard, you must ensure the following:
Dynamic Host Configuration Protocol (DHCP) snooping is globally enabled.
For more information, see Configuring DHCP snooping globally using EDM.
The port is a member of a Virtual LAN (VLAN) configured with DHCP snooping and dynamic Address Resolution Protocol (ARP) Inspection.
The port is an untrusted DHCP snooping and dynamic ARP Inspection port.
A minimum of 10 rules are available on the port.
The bsSourceGuardConfigMode MIB object exists.
This MIB object is used to control the IP Source Guard mode on an interface.
The following applications are not enabled:
IP Fix
Extensible Authentication Protocol over LAN (EAPoL)
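
The prerequisites above can be checked against a port inventory before a change window. The following is an added example, not Avaya code: the field names and the sample ports are hypothetical, and the values would have to be collected from the switch by whatever means you already use.

```python
# Added example: field names are hypothetical, not Avaya MIB or CLI names.
from dataclasses import dataclass

MIN_FREE_RULES = 10  # "A minimum of 10 rules are available on the port."

@dataclass
class Vlan:
    dhcp_snooping: bool
    arp_inspection: bool

@dataclass
class Port:
    name: str
    vlans: list                    # Vlan objects the port is a member of
    dhcp_snooping_trusted: bool
    arp_inspection_trusted: bool
    free_rules: int
    is_trunk: bool = False
    config_mode_mib_present: bool = True   # bsSourceGuardConfigMode exists
    ip_fix: bool = False
    eapol: bool = False

def preflight(port, dhcp_snooping_global):
    """Return (blockers, warnings) for enabling IP Source Guard on a port."""
    blockers, warnings = [], []
    if not dhcp_snooping_global:
        blockers.append("DHCP snooping is not globally enabled")
    if not any(v.dhcp_snooping and v.arp_inspection for v in port.vlans):
        blockers.append("no member VLAN has DHCP snooping and dynamic ARP Inspection")
    if port.dhcp_snooping_trusted:
        blockers.append("port is a trusted DHCP snooping port")
    if port.arp_inspection_trusted:
        blockers.append("port is a trusted dynamic ARP Inspection port")
    if port.free_rules < MIN_FREE_RULES:
        blockers.append(f"only {port.free_rules} rules free, {MIN_FREE_RULES} required")
    if not port.config_mode_mib_present:
        blockers.append("bsSourceGuardConfigMode MIB object is missing")
    for app, enabled in (("IP Fix", port.ip_fix), ("EAPoL", port.eapol)):
        if enabled:
            blockers.append(f"{app} is enabled")
    if port.is_trunk:  # a recommendation on this page, not a hard prerequisite
        warnings.append("trunk port: enabling IP Source Guard is not recommended")
    return blockers, warnings

# Constructed sample inventory: one compliant access port, one uplink that is not.
ACCESS = Port("1/5", [Vlan(True, True)], False, False, 24)
UPLINK = Port("1/48", [Vlan(True, True), Vlan(True, False)], True, True, 6,
              is_trunk=True, eapol=True)
if __name__ == "__main__":
    for p in (ACCESS, UPLINK):
        print(p.name, preflight(p, dhcp_snooping_global=True))
```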