IP source guard
IP source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IP source guard allows traffic from the following sources:
- Static entries—IP addresses that have been manually associated with MAC addresses.
- Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IP source guard is disabled. You must enable it on each port that you want protected. If you enable IP source guard and then disable it, all static and dynamic entries are removed for that interface.
There is a maximum of 2,048 IP source guard entries. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.
To see which models support this feature, refer to the FortiSwitch feature matrix.
NOTE: IP source guard does not work with VLAN translation.
Configuring IP source guard consists of the following steps:
- Enabling IP source guard
- Configuring IP source-guard static entries
- Checking the IP source-guard entries
- (Optional) Checking the IP source-guard violation log
Enabling IP source guard
You must enable IP source guard before you can configure it.
To enable IP source guard:
config switch interface
    edit <port_name>
        set ip-source-guard enable
end
For example:
config switch interface
    edit port6
        set ip-source-guard enable
end
Configuring IP source-guard static entries
After you enable IP source guard, you can configure static entries by binding IPv4 addresses with MAC addresses. For IP source-guard dynamic entries, you need to configure DHCP snooping. See DHCP snooping.
Using the GUI:
- Go to Switch > IP Source Guard.
- Select Configure for the interface that you want to add IP source guard to.
- In the Description field, add a description of the configuration.
- Select +.
- Required. In the Name field, enter a name for the binding entry.
- Required. In the IP address field, enter the IPv4 address to bind to the MAC address. Masks are not supported.
- Required. In the MAC address field, enter the MAC address to bind to the IPv4 address.
- Select Configure to save your configuration.
Using the CLI:
config switch ip-source-guard
    edit <port_name>
        config binding-entry
            edit <id>
                set ip <xxx.xxx.xxx.xxx>
                set mac <XX:XX:XX:XX:XX:XX>
            next
        end
    next
end
For example:
config switch ip-source-guard
    edit port4
        config binding-entry
            edit 1
                set ip 172.168.20
                set mac 00:21:cc:d2:76:72
            next
        end
    next
end
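Static bindings are often maintained outside the switch (an inventory or IPAM export) and pushed in bulk, so a generator that validates each entry before emitting the CLI above is a practical companion. The following script is an added example, not part of the FortiSwitch documentation: it renders the config switch ip-source-guard block for a set of ports, rejects masked or malformed IPv4 addresses (masks are not supported), normalizes MAC addresses, and enforces the 2,048-entry limit. The port names and addresses in the test data are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

MAX_ENTRIES = 2048  # platform-wide limit for IP source guard entries


def normalize_mac(mac: str) -> str:
    """Accept 00:21:cc:d2:76:72, 00-21-CC-D2-76-72 or 0021.ccd2.7672; emit colon form."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_ip(ip: str) -> str:
    """Return a canonical dotted-quad; reject masks, IPv6 and truncated addresses."""
    if "/" in ip:
        raise ValueError(f"masks are not supported by IP source guard: {ip!r}")
    try:
        return str(ipaddress.IPv4Address(ip.strip()))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a valid IPv4 address: {ip!r}") from exc


def binding_error(ip: str, mac: str) -> Optional[str]:
    """Explain why a binding would be rejected, or return None if it is acceptable."""
    try:
        validate_ip(ip)
        normalize_mac(mac)
    except ValueError as exc:
        return str(exc)
    return None


def render_source_guard(bindings: Dict[str, List[Tuple[str, str]]]) -> str:
    """Render {port: [(ip, mac), ...]} as a FortiSwitch ip-source-guard config block."""
    total = sum(len(entries) for entries in bindings.values())
    if total > MAX_ENTRIES:
        raise ValueError(f"{total} entries exceed the {MAX_ENTRIES}-entry limit")
    lines = ["config switch ip-source-guard"]
    for port, entries in bindings.items():
        lines += [f"    edit {port}", "        config binding-entry"]
        for idx, (ip, mac) in enumerate(entries, start=1):  # ids are 1-based
            lines += [f"            edit {idx}",
                      f"                set ip {validate_ip(ip)}",
                      f"                set mac {normalize_mac(mac)}",
                      "            next"]
        lines += ["        end", "    next"]
    lines.append("end")
    return "\n".join(lines)
```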
Checking the IP source-guard entries
After you configure IP source guard, you can check the database entries. Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.
Using the GUI:
Go to Switch > Monitor > IP Source Guard.
Using the CLI:
diagnose switch ip-source-guard hardware entry list
Checking the IP source-guard violation log
If you want to see events that violate the IP source-guard settings, enable the IP source-guard violation log.
The IP source-guard violation log contains a maximum of 128 entries with a maximum of 5 entries per port, even if more violations have occurred. The maximum values cannot be changed.
To enable the IP source-guard violation log:
config switch global
    set log-source-guard-violations enable
    set source-guard-violation-timer <1-1500 minutes>
end
To display all IP source-guard violations:
get switch ip-source-guard-violations all
To display IP source-guard violations for a specific switch interface:
get switch ip-source-guard-violations interface <interface_name>
To reset all IP source-guard violations:
execute source-guard-violation reset all
To reset IP source-guard violations for a specific switch interface:
execute source-guard-violation reset interface <interface_name>