Configuring IPv4 source guard
IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IPv4 source guard allows traffic from the following sources:
- Static entries—IP addresses that have been manually associated with MAC addresses.
- Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.
If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard.
Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support this feature. |
Configuring IPv4 source guard consists of the following steps:
Enabling IPv4 source guard
You must enable IPv4 source guard in the FortiOS CLI before you can configure it.
To enable IPv4 source guard:
config switch-controller managed-switch
edit <FortiSwitch_serial_number
config ports
edit <port_name>
set ip-source-guard enable
next
end
end
For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ports
edit port20
set ip-source-guard enable
next
end
end
Creating static entries
After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports.
To create static entries:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ip-source-guard
edit <port_name>
config binding-entry
edit <id>
set ip <xxx.xxx.xxx.xxx>
set mac <XX:XX:XX:XX:XX:XX>
next
end
next
end
next
end
For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
next
end
Checking the IPv4 source-guard entries
After you configure IPv4 source guard , you can check the entries.
Static entries are manually added by the config switch ip-source-guard
command. Dynamic entries are added by DHCP snooping.
Use this command in the FortiOS CLI to display all IP source-guard entries:
diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>