Administration Guide

IP source guard


IP source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.

IP source guard allows traffic from the following sources:

  • Static entries—IP addresses that have been manually associated with MAC addresses.
  • Dynamic entries—IP addresses that have been learned through DHCP snooping.

By default, IP source guard is disabled. You must enable it on each port that you want protected. If you enable IP source guard and then disable it, all static and dynamic entries are removed for that interface.

There is a maximum of 2,048 IP source guard entries. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.

To see which models support this feature, refer to the FortiSwitch feature matrix.

NOTE: IP source guard does not work with VLAN translation.

Configuring IP source guard consists of the following steps:

  1. Enabling IP source guard
  2. Configuring IP source-guard static entries
  3. Checking the IP source-guard entries
  4. (Optional) Checking the IP source-guard violation log

Enabling IP source guard

You must enable IP source guard before you can configure it.

To enable IP source guard:

config switch interface
    edit <port_name>
        set ip-source-guard enable
    end

For example:

config switch interface
    edit port6
        set ip-source-guard enable
    end

To reset IP source-guard violations for a specific switch interface:

execute source-guard-violation reset interface <interface_name>

Configuring IP source-guard static entries

After you enable IP source guard, you can configure static entries by binding IPv4 addresses with MAC addresses. For IP source-guard dynamic entries, you need to configure DHCP snooping. See DHCP snooping.

Using the GUI:
  1. Go to Switch > IP Source Guard.
  2. Select Configure for the interface that you want to add IP source guard to.
  3. In the Description field, add a description of the configuration.
  4. Select +.
  5. Required. In the Name field, enter a name for the binding entry.
  6. Required. In the IP address field, enter the IPv4 address to bind to the MAC address. Masks are not supported.
  7. Required. In the MAC address field, enter the MAC address to bind to the IPv4 address.
  8. Select Configure to save your configuration.

Using the CLI:

config switch ip-source-guard
    edit <port_name>
        config binding-entry
            edit <id>
                set ip <xxx.xxx.xxx.xxx>
                set mac <XX:XX:XX:XX:XX:XX>
            next
        end
    next
end

For example:

config switch ip-source-guard
    edit port4
        config binding-entry
            edit 1
                set ip 172.168.20
                set mac 00:21:cc:d2:76:72
            next
        end
    next
end

Checking the IP source-guard entries

After you configure IP source guard, you can check the database entries. Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.

Using the GUI:

Go to Switch > Monitor > IP Source Guard.

Using the CLI:

diagnose switch ip-source-guard hardware entry list

Checking the IP source-guard violation log

If you want to see events that violate the IP source-guard settings, enable the IP source-guard violation log.

The IP source-guard violation log contains a maximum of 128 entries with a maximum of 5 entries per port, even if more violations have occurred. The maximum values cannot be changed.

To enable the IP source-guard violation log:

config switch global
    set log-source-guard-violations enable
    set source-guard-violation-timer <1-1500 minutes>
end

To display all IP source-guard violations:

get switch ip-source-guard-violations all

To display IP source-guard violations for a specific switch interface:

get switch ip-source-guard-violations interface <interface_name>

To reset all IP source-guard violations:

execute source-guard-violation reset all

To reset IP source-guard violations for a specific switch interface:

execute source-guard-violation reset interface <interface_name>
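To make the rules on this page concrete, the following is an added Python model (not Fortinet code) of the behaviour described above: per-port enablement, static entries taking precedence over dynamic ones, the 2,048-entry limit, removal of all entries when the guard is disabled on a port, and the 128-entry/5-per-port cap on the violation log. It assumes that a frame must match both the bound IPv4 address and the bound MAC address to be forwarded; port names and addresses used with it are placeholders.

```python
from collections import defaultdict

MAX_ENTRIES = 2048        # page: at most 2,048 IP source guard entries
LOG_MAX_TOTAL = 128       # page: violation log holds at most 128 entries
LOG_MAX_PER_PORT = 5      # page: at most 5 violation entries per port


class IPSourceGuard:
    """Toy model of the per-port binding database and the violation log."""

    def __init__(self):
        self.enabled = set()                # ports with 'set ip-source-guard enable'
        self.bindings = defaultdict(dict)   # port -> {ip: (mac, "static"|"dynamic")}
        self.log_enabled = False            # 'set log-source-guard-violations enable'
        self.violations = []                # (port, ip, mac) entries, oldest first

    def set_enabled(self, port, enable):
        if enable:
            self.enabled.add(port)
        else:
            self.enabled.discard(port)
            self.bindings.pop(port, None)   # disabling drops static and dynamic entries

    def add_binding(self, port, ip, mac, kind):
        """kind: 'static' (config binding-entry) or 'dynamic' (DHCP snooping)."""
        current = self.bindings[port].get(ip)
        if current and current[1] == "static" and kind == "dynamic":
            return False                    # static entries win on conflict
        total = sum(len(table) for table in self.bindings.values())
        if current is None and total >= MAX_ENTRIES:
            return False                    # binding table is full
        self.bindings[port][ip] = (mac, kind)
        return True

    def permit(self, port, ip, mac):
        """True if the frame is forwarded, False if discarded (and logged if enabled)."""
        if port not in self.enabled:
            return True                     # guard is off on this port: nothing filtered
        entry = self.bindings[port].get(ip)
        if entry and entry[0] == mac:       # assumption: both IP and MAC must match
            return True
        if self.log_enabled:                # page: discarded traffic is not logged by default
            on_port = sum(1 for v in self.violations if v[0] == port)
            if len(self.violations) < LOG_MAX_TOTAL and on_port < LOG_MAX_PER_PORT:
                self.violations.append((port, ip, mac))
        return False
```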
