
IP Source Guard (IPSG) Commands, Fortinet 548B User Manual

Page 350



7.18.2.12 ip dhcp snooping information option allow-untrusted

The ip dhcp snooping information option allow-untrusted command allows DHCP packets that carry
option 82 data to be accepted when they are received from an untrusted port.

Syntax

ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted

no - This command disallows DHCP packets received from an untrusted port with option 82 data.

Default Setting

Disabled

Command Mode

Global Config

7.19 IP Source Guard (IPSG) Commands

IP Source Guard (IPSG) is a security feature that filters IP packets based on source ID. The source ID
may be either the source IP address or a {source IP address, source MAC address} pair. The DHCP
snooping binding database and static IPSG entries identify authorized source IDs. You can configure:

Whether enforcement includes the source MAC address.

Static authorized source IDs.

Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially,
all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping
process. When a client receives a valid IP address from the DHCP server, or when a static IP source
binding is configured by the user, a per-port and VLAN Access Control List is installed on the port. This
process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic
with a source IP address other than that in the IP source binding is filtered out. This filtering limits a
host’s ability to attack the network by claiming a neighbor host's IP address.

IPSG can be enabled on physical or LAG ports. IPSG is disabled by default. If you enable IPSG on a
port where DHCP snooping is disabled, or where DHCP snooping is enabled but the port is trusted, all IP
traffic received on that port is dropped unless it matches an admin-configured static IPSG entry. IPSG
cannot be enabled on a port-based routing interface.
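The following Python model is an added example, not code from the Fortinet manual or the switch firmware. It illustrates the two decisions described in sections 7.18.2.12 and 7.19: the DHCP snooping check that drops option 82 data arriving on an untrusted port unless allow-untrusted is set, and the IPSG check that blocks non-DHCP IP traffic on an enforced port unless its source IP (or source IP plus MAC) matches a binding learned from a DHCP lease or configured statically. Port names, addresses and the `Switch`, `Binding` and `Packet` classes are constructed for the example and are not the device's own data structures.

```python
"""Constructed model of DHCP snooping option-82 handling and IP Source Guard (IPSG)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One authorized source ID: {port, VLAN, IP, MAC}, from a DHCP lease or a static entry."""
    port: str
    vlan: int
    ip: str
    mac: str


@dataclass
class Packet:
    """The fields of an ingress frame that the two checks look at (constructed)."""
    port: str
    vlan: int
    src_ip: str
    src_mac: str
    is_dhcp: bool = False
    has_option82: bool = False


@dataclass
class Switch:
    trusted_ports: Set[str] = field(default_factory=set)
    # port -> True when IPSG enforces {IP, MAC}; False when it enforces the source IP only
    ipsg_ports: Dict[str, bool] = field(default_factory=dict)
    # models "ip dhcp snooping information option allow-untrusted" (default: disabled)
    allow_untrusted_option82: bool = False
    bindings: Set[Binding] = field(default_factory=set)

    def add_binding(self, binding: Binding) -> None:
        """Learned from DHCP snooping or configured as a static IPSG entry."""
        self.bindings.add(binding)

    def dhcp_check(self, pkt: Packet) -> Tuple[bool, str]:
        """DHCP snooping decision for a DHCP packet."""
        if pkt.port in self.trusted_ports:
            return True, "trusted port: DHCP forwarded"
        if pkt.has_option82 and not self.allow_untrusted_option82:
            return False, "option 82 from untrusted port dropped"
        return True, "DHCP from untrusted port captured by snooping"

    def ipsg_check(self, pkt: Packet) -> Tuple[bool, str]:
        """IPSG decision for a non-DHCP IP packet."""
        if pkt.port not in self.ipsg_ports:
            return True, "IPSG not enabled on port"
        verify_mac = self.ipsg_ports[pkt.port]
        for b in self.bindings:
            if (b.port, b.vlan, b.ip) != (pkt.port, pkt.vlan, pkt.src_ip):
                continue
            if verify_mac and b.mac != pkt.src_mac:
                continue  # IP is bound, but to a different MAC on this port
            return True, "source matches binding"
        return False, "no binding for this source on this port/VLAN"

    def filter(self, pkt: Packet) -> Tuple[bool, str]:
        """Returns (forwarded?, reason) for an ingress packet."""
        return self.dhcp_check(pkt) if pkt.is_dhcp else self.ipsg_check(pkt)


def build_demo_switch() -> Switch:
    """Constructed topology: 0/24 uplink trusted, 0/1 IPSG ip+mac, 0/2 IPSG ip-only."""
    sw = Switch(trusted_ports={"0/24"}, ipsg_ports={"0/1": True, "0/2": False})
    # binding learned when the client on 0/1 obtained a lease
    sw.add_binding(Binding("0/1", 10, "10.0.0.5", "00:11:22:33:44:55"))
    # static entry configured by the administrator for a fixed-address host on 0/2
    sw.add_binding(Binding("0/2", 10, "10.0.0.9", "aa:bb:cc:dd:ee:ff"))
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    for pkt in (
        Packet("0/1", 10, "10.0.0.5", "00:11:22:33:44:55"),            # legitimate client
        Packet("0/1", 10, "10.0.0.7", "00:11:22:33:44:55"),            # claims a neighbor's IP
        Packet("0/1", 10, "0.0.0.0", "00:11:22:33:44:55", True, True),  # DHCP with option 82
    ):
        print(pkt.port, pkt.src_ip, sw.filter(pkt))
```

Note that the model applies bindings regardless of whether the port is trusted, which is why a trusted port with IPSG enabled passes only traffic matching a configured entry, as the text above describes.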