Restrictions for IP Source Guard
- IP Source Guard (IPSG) is supported only at the interface level, on Layer 2 bridge-domain interfaces (EFPs that are members of a bridge domain).
- IPSG works only when DHCP snooping is enabled, because the IPSG entries are derived from the DHCP snooping binding table.
- Only IP (source address) filtering is supported. IP-MAC filtering mode is not supported.
- IPSG is not supported on port-channels, trunk EFPs, or BDI interfaces.
- IPSG is not supported on routed interfaces, Layer 2 or Layer 3 VPNs, or VRFs.
- IPSG is supported only with the video template.
- IPSG entries are programmed in the IPv4 Tunnel TCAM region of the ASIC. Because this region is shared, any feature that adds entries to it reduces the capacity available to the other features that use it.
- IPv6 is not supported. This restriction also covers any packet whose first header is IPv6, whether the payload is IPv4 or IPv6.
- Because of the size of the IPv4 Tunnel TCAM region, only 1000 TCAM entries are available, so at most 1000 IPSG entries (permit and deny entries combined) are supported. This limit affects only IP packets; Layer 2 packet flows are not affected.
- If PBR and IPSG are both enabled on a node, the 1000 entries are shared between them on a first-come, first-served basis. If PBR is not enabled on the node, IPSG can scale to the full 1000 entries.
- Because IPSG and PBR share the same TCAM region, the two features are mutually exclusive on any given interface.
- PBR is not supported on a BDI that is associated with an IPSG-enabled interface.
- An ACL on an EFP and IPSG perform the same function: permitting or denying traffic on the EFP. When both are enabled on the same EFP, both lookups run in parallel and a deny from either one drops the packet. If the ACL permits and IPSG denies (or vice versa), the packet is dropped; traffic is forwarded only when both features permit it. There is no restriction on configuring both features on the same EVC, but they should be treated as mutually exclusive.
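The restrictions above are easiest to enforce before a change window rather than after a TCAM exhaustion or a silently dropped flow. The following Python script is an added example, not code from the original page or from Cisco; it parses an IOS XE style configuration and flags the combinations this list rules out (IPSG on a port-channel, trunk EFP or BDI, IPSG without DHCP snooping, an EFP ACL on an IPSG-enabled EFP, and PBR on a BDI whose bridge domain carries an IPSG-enabled EFP). It assumes IPSG is enabled on an EFP with `ip verify source` (verify that command name against your platform's command reference) and that DHCP snooping, trunk EFPs, PBR and EFP ACLs use their usual `ip dhcp snooping`, `service instance trunk`, `ip policy route-map` and `ip access-group` keywords. The configuration it checks is constructed for the example.

```python
"""Pre-check a configuration against the IPSG restrictions (added example)."""
import re

# Constructed sample configuration, not taken from any real device.
# "ip verify source" under the service instance is an assumed IPSG command.
SAMPLE_CONFIG = """\
ip dhcp snooping
interface GigabitEthernet0/0/1
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 10
  ip verify source
 service instance trunk 20 ethernet
  encapsulation dot1q 20-30
  bridge-domain from-encapsulation
  ip verify source
 service instance 40 ethernet
  encapsulation dot1q 40
  bridge-domain 40
  ip access-group EDGE-ACL in
  ip verify source
interface Port-channel1
 service instance 50 ethernet
  encapsulation dot1q 50
  bridge-domain 50
  ip verify source
interface BDI10
 ip address 10.0.10.1 255.255.255.0
 ip policy route-map PBR-MAP
"""

IPSG_CMD = "ip verify source"  # assumed EFP-level IPSG command


def parse_config(text):
    """Split a config into global commands and per-interface blocks.

    Interface blocks are indented by one space, EFP (service instance)
    sub-blocks by two, which is how IOS XE prints a running config."""
    globals_, interfaces = [], {}
    cur_if = cur_efp = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            cur_if = cur_efp = None
            m = re.match(r"interface (\S+)", cmd)
            if m:
                cur_if = interfaces.setdefault(m.group(1), {"lines": [], "efps": {}})
            else:
                globals_.append(cmd)
        elif indent == 1 and cur_if is not None:
            cur_efp = None
            m = re.match(r"service instance (trunk )?(\d+) ethernet", cmd)
            if m:
                cur_efp = cur_if["efps"].setdefault(
                    m.group(2), {"trunk": bool(m.group(1)), "lines": []})
            else:
                cur_if["lines"].append(cmd)
        elif indent >= 2 and cur_efp is not None:
            cur_efp["lines"].append(cmd)
    return globals_, interfaces


def check_ipsg(text):
    """Return a list of human-readable findings; empty means no restriction hit."""
    globals_, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append("global: IPSG needs DHCP snooping enabled so the "
                        "binding table is populated")
    ipsg_bds = {}  # bridge-domain id -> EFPs in it that run IPSG
    for name, intf in interfaces.items():
        is_pc = name.lower().startswith("port-channel")
        if IPSG_CMD in intf["lines"]:
            findings.append(f"{name}: interface-level IPSG is only supported on "
                            "L2 bridge-domain EFPs (not port-channels or BDIs)")
        for efp_id, efp in intf["efps"].items():
            where = f"{name} service instance {efp_id}"
            if IPSG_CMD not in efp["lines"]:
                continue
            if is_pc:
                findings.append(f"{where}: IPSG is not supported on port-channels")
            if efp["trunk"]:
                findings.append(f"{where}: IPSG is not supported on trunk EFPs")
            bd = next((l.split()[1] for l in efp["lines"]
                       if l.startswith("bridge-domain ")), None)
            if bd is None:
                findings.append(f"{where}: IPSG requires a bridge-domain (L2) EFP")
            elif bd.isdigit():
                ipsg_bds.setdefault(bd, []).append(where)
            if any(l.startswith("ip access-group ") for l in efp["lines"]):
                findings.append(f"{where}: ACL and IPSG on the same EFP run in "
                                "parallel; a deny from either drops the packet")
    # PBR on a BDI whose bridge domain contains an IPSG-enabled EFP.
    for name, intf in interfaces.items():
        m = re.match(r"BDI(\d+)$", name, re.I)
        if m and m.group(1) in ipsg_bds and any(
                l.startswith("ip policy route-map") for l in intf["lines"]):
            findings.append(f"{name}: PBR is not supported on a BDI associated "
                            f"with IPSG-enabled {', '.join(ipsg_bds[m.group(1)])}")
    return findings


if __name__ == "__main__":
    for finding in check_ipsg(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file; the 1000-entry TCAM budget shared with PBR is not modelled here because the number of IPSG entries depends on the live DHCP snooping binding count, which a static config does not show.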