Example for Configuring IPSG Based on a Static Binding Table to Prevent Hosts from Changing Their Own IP Addresses
Networking Requirements
In Figure 1, hosts access the Internet through a switch. The gateway is the egress device of the enterprise network and all hosts on the network use static IP addresses. The administrator requires that the hosts can only use fixed IP addresses to access the Internet. The hosts cannot change their own IP addresses to access the Internet.
Configuration Roadmap
The requirements can be met by configuring IPSG on the Switch. The configuration roadmap is as follows:
- Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses and MAC addresses of the hosts.
- Enable IPSG on the interfaces connected to user hosts so that the hosts can only use the fixed IP addresses to go online. Enable the IP packet check alarm function on the interfaces. When the number of discarded packets reaches the threshold, the switch reports an alarm.
Procedure
- Create static binding entries for Host_1 and Host_2.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 [Switch] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
- Enable IPSG and IP packet check alarm.
# Enable IPSG and IP packet check alarm on GE0/0/1 connected to Host_1 and set the alarm threshold to 200.
[Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] ip source check user-bind enable [Switch-GigabitEthernet0/0/1] ip source check user-bind alarm enable [Switch-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200 [Switch-GigabitEthernet0/0/1] quit
# Enable IPSG and IP packet check alarm on GE0/0/2 connected to Host_2 and set the alarm threshold to 200.
[Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] ip source check user-bind enable [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm enable [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200 [Switch-GigabitEthernet0/0/2] quit
- Verify the configuration.
Run the display dhcp static user-bind all command on the Switch to view static binding entries.
[Switch] display dhcp static user-bind all DHCP static Bind-table: Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping IP Address MAC Address VSI/VLAN(O/I/P) Interface -------------------------------------------------------------------------------- 10.0.0.1 0001-0001-0001 -- /-- /-- -- 10.0.0.11 0002-0002-0002 -- /-- /-- -- -------------------------------------------------------------------------------- Print count: 2 Total count: 2Host_1 and Host_2 can access the Internet using the statically configured IP addresses, and are prevented from accessing the Internet after changing their IP addresses.
Configuration Files
Switch configuration file
# sysname Switch # user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 # interface GigabitEthernet0/0/1 ipv4 source check user-bind enable ipv6 source check user-bind enable ip source check user-bind alarm enable ip source check user-bind alarm threshold 200 # interface GigabitEthernet0/0/2 ipv4 source check user-bind enable ipv6 source check user-bind enable ip source check user-bind alarm enable ip source check user-bind alarm threshold 200 # return