Fortinet 548B Switch User Manual


 
Syntax
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted
no - This command disallows DHCP packets received from untrusted ports with option 82 data.
Default Setting
Disabled
Command Mode
Global Config
7.19 IP Source Guard (IPSG) Commands
IP Source Guard (IPSG) is a security feature that filters IP packets based on source ID. The source ID
may be either the source IP address or a {source IP address, source MAC address} pair. The DHCP
snooping binding database and static IPSG entries identify authorized source IDs. You can configure:
- Whether enforcement includes the source MAC address.
- Static authorized source IDs.
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all
IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping
process. When a client receives a valid IP address from the DHCP server, or when a static IP source
binding is configured by the user, a per-port and VLAN Access Control List is installed on the port. This
process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic
with a source IP address other than that in the IP source binding is filtered out. This filtering limits a host’s
ability to attack the network by claiming a neighbor host's IP address.
IPSG can be enabled on physical or LAG ports. IPSG is disabled by default. If you enable IPSG on a port
where DHCP snooping is disabled or where DHCP snooping is enabled but the port is trusted, all IP traffic
received on that port is dropped depending on the admin-configured IPSG entries. IPSG cannot be
enabled on a port-based routing interface.
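The filtering decision described above can be sketched as a small model. This is an added example, not code or configuration from the manual or the switch firmware. The class and function names, port labels, VLAN and addresses are assumptions constructed for illustration, and DHCP validation itself is left to DHCP snooping and not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    ip: str
    mac: str

class IpsgModel:
    """Simplified model of the per-port/VLAN source filter (not switch code)."""

    def __init__(self):
        self.bindings = set()   # DHCP snooping bindings plus static IPSG entries
        self.ports = {}         # port -> True if the source MAC is also enforced

    def enable(self, port, verify_mac=False):
        self.ports[port] = verify_mac

    def add_binding(self, port, vlan, ip, mac):
        self.bindings.add(Binding(port, vlan, ip, mac.lower()))

    def permits(self, port, vlan, src_ip, src_mac, is_dhcp=False):
        if port not in self.ports:
            return True          # IPSG is disabled by default
        if is_dhcp:
            return True          # DHCP is left to the DHCP snooping process
        for b in self.bindings:
            if (b.port, b.vlan, b.ip) != (port, vlan, src_ip):
                continue
            if not self.ports[port] or b.mac == src_mac.lower():
                return True
        return False             # no matching binding: filtered out

def demo():
    # Constructed sample data: port names, VLAN and addresses are made up.
    sw = IpsgModel()
    sw.enable("0/1")                    # source IP enforcement only
    sw.enable("0/2", verify_mac=True)   # {source IP, source MAC} pair enforcement
    results = {"before_lease": sw.permits("0/1", 10, "192.0.2.10", "00:11:22:33:44:55")}
    sw.add_binding("0/1", 10, "192.0.2.10", "00:11:22:33:44:55")
    sw.add_binding("0/2", 10, "192.0.2.20", "00:11:22:33:44:66")
    results["own_ip"] = sw.permits("0/1", 10, "192.0.2.10", "00:11:22:33:44:55")
    results["neighbor_ip"] = sw.permits("0/1", 10, "192.0.2.20", "00:11:22:33:44:55")
    results["ip_only_other_mac"] = sw.permits("0/1", 10, "192.0.2.10", "00:aa:bb:cc:dd:ee")
    results["pair_other_mac"] = sw.permits("0/2", 10, "192.0.2.20", "00:aa:bb:cc:dd:ee")
    results["dhcp"] = sw.permits("0/2", 10, "0.0.0.0", "00:aa:bb:cc:dd:ee", is_dhcp=True)
    return results
```

The "ip_only_other_mac" case shows why the MAC option matters: with IP-only enforcement, a frame carrying a bound IP address is accepted regardless of its source MAC.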
7.19.1 Show Commands
7.19.1.1 show ip verify
This command displays the IPSG interface configurations on all ports.
Syntax