< Home

Configuring IPSG Based on a Static Binding Table

Context

IPSG based on a static binding table filters IP packets received by untrusted interfaces. This prevents malicious hosts from stealing the IP addresses of authorized hosts to access the network without permission. This function is applicable to a LAN where only a small number of hosts reside and the hosts use static IP addresses.

Configuration Procedure

Figure 1 Configuration flowchart of IPSG based on a static binding table

Perform the following operations on the switch to which users connect.

Procedure

  1. Create a static binding entry.

    Static binding entries include IPv4 and IPv6 entries. Choose one type of entries according to your network type.

    1. Run the system-view command to enter the system view.
    2. Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command to configure a static binding entry.

      By default, no static binding entry is available on a switch.

      IPSG matches packets against all items in the static binding entry. Ensure that the created binding entry is correct and contains all the items to check. The switch forwards the packets from hosts only when the packets match all items in the binding entry, and discards the packets not matching the binding entry.

      The switch can bind multiple IP addresses or IP address segments to the same interface or MAC address.
      • To bind non-contiguous IP addresses, enter 1 to 10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface gigabitethernet 0/0/1 to bind multiple IP addresses to the same interface.
      • To bind contiguous IP addresses, enter 1 to 10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.

      If a static binding entry is incorrect or the network rights of a bound host have been changed, you can run the undo user-bind static [ { ip-address { start-ip [ to end-ip ] } &<1-10> | ipv6-address [ start-ip [ to end-ip ] ] &<1-10> | ipv6-prefix [ prefix/prefix-length ] } | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the entry.

  2. (Optional) Configure a trusted interface.

    If the hosts on the network use static IP addresses, you do not need to configure trusted interfaces. However, if the upstream interface on the switch belongs to an IPSG-enabled VLAN, configure this interface as a trusted interface; otherwise, the return packets are discarded because they do not match the binding entries and service interruptions will occur. For details about how to troubleshoot this issue, see Services Are Abnormal Because the Upstream Interface Is Not Configured as a Trusted Interface. After the upstream interface is configured as a trusted interface, the switch forwards the packets received by the interface without checking them against the binding entries.

    1. Run the dhcp enable command to enable DHCP globally.

      By default, DHCP is disabled globally.

    2. Run the dhcp snooping enable command to enable DHCP snooping globally.

      By default, DHCP snooping is disabled globally.

    3. Run the dhcp snooping trusted command in the interface view or the dhcp snooping trusted interface interface-type interface-number command in the VLAN view to configure the interface as a trusted interface.

      By default, an interface is untrusted.

  3. Enable IPSG.

    IPSG does not take effect immediately after a binding entry is created. IPSG takes effect only after it is enabled on the specified interface (user-side interface) or VLAN. There are two ways to enable IPSG.

    • Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entry. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. This method is ideal if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.

    • Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entry. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. This method is ideal if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.

    • If IPSG is enabled on an interface, IPSG takes effect only on this interface, and the switch does not perform an IPSG check on other interfaces.
    • If IPSG is enabled in a VLAN, IPSG takes effect only in this VLAN, and the switch does not perform an IPSG check in other VLANs.
    • If the device has insufficient ACL resources, the binding entry may fail to be created. However, you can still view IPSG configurations on the device using the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } verbose command. In the command output, check the IPSG Status field to determine whether IPSG is effective.
    1. Enter the interface or VLAN view.
      • Run the interface interface-type interface-number command to enter the interface view.
      • Run the vlan vlan-id command to enter the VLAN view.
    2. Run the ip source check user-bind enable, ipv4 source check user-bind enable, or ipv6 source check user-bind enable command to enable IP packet check on the interface or in the VLAN.

      By default, IP packet check is disabled on interfaces or in VLANs.

  4. (Optional) Configure IP packet check alarm.

    This step is valid only when IPSG is enabled on an interface in Step 3. After this alarm function is configured, the switch generates an alarm if the number of discarded IP packets exceeds the threshold.

    1. Run the system-view command to enter the system view.

    2. Run the interface interface-type interface-number command to enter the interface view.

    3. Run the ip source check user-bind alarm enable command to enable the IP packet check alarm.

      By default, IP packet check alarm is disabled.

    4. Run the ip source check user-bind alarm threshold threshold command to set the IP packet check alarm threshold.

      By default, the IP packet check alarm threshold is 100.

Verifying the Configuration

  • View the IPSG configuration on an interface.

    Run the display ip source check user-bind interface interface-type interface-number command to check the IPSG configuration on the interface.

  • View the static binding entries and status.

    Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv4 static binding entries.

    Run the display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv6 static binding entries.

    You can view the IPSG status by specifying the verbose parameter.
    • If the value of IPSG Status is IPv4 effective or IPv6 effective, IPSG of this entry takes effect.
    • If the value of IPSG Status is ineffective, IPSG of this entry does not take effect. This may be because hardware ACL resources are insufficient.
Parent Topic: Configuring IPSG
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >