In Figure 1, hosts access the Internet through a switch. The gateway is the egress device of the enterprise network, and all hosts on the network use static IP addresses. The administrator has configured interface rate limiting on the switch and requires that each host use a fixed IP address and access the intranet only through a fixed interface. To ensure network security, the administrator does not allow external hosts to access the intranet without permission.
The requirements can be met by configuring IPSG on the Switch. The configuration roadmap is as follows: add the interfaces to a VLAN, create a static binding entry (IP address, MAC address and interface) for each permitted host, and enable IPSG in that VLAN so that the Switch checks the source of every packet in the VLAN against the binding table and discards packets that match no entry.

Create VLAN 10, add the three access interfaces to it, and configure GE0/0/4 as the trunk uplink toward the gateway.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/4] quit

Configure a static binding entry for Host_1 and Host_2, each binding the host's IP address and MAC address to the interface it is allowed to use.

[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1
[Switch] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/2

Enable DHCP snooping globally and configure the uplink GE0/0/4 as a DHCP snooping trusted interface.

[Switch] dhcp enable
[Switch] dhcp snooping enable
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] dhcp snooping trusted
[Switch-GigabitEthernet0/0/4] quit

Enable IPSG in VLAN 10 so that packets received in the VLAN are checked against the binding table.

[Switch] vlan 10
[Switch-vlan10] ip source check user-bind enable
[Switch-vlan10] quit
Run the display dhcp static user-bind all command on the Switch to view the binding entries of Host_1 and Host_2.

[Switch] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  --  /--  /--     GE0/0/1
10.0.0.2         0002-0002-0002  --  /--  /--     GE0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
Host_1 and Host_2 can access the intranet. If the IP address of either host is changed, or the host is connected to another interface, it can no longer access the intranet, because its packets no longer match a binding entry.
When Host_3 with IP address 10.0.0.3 connects to GE0/0/3, it cannot access the intranet, which confirms that external hosts cannot access the intranet without permission. If Host_3 needs to access the intranet, add an entry for Host_3 to the static binding table.
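The verification results above follow from one rule: in an IPSG-enabled VLAN, a packet is forwarded only if its source IP address, source MAC address and ingress interface together match a binding entry. The following added example (not Huawei code) models that rule in Python: it parses the constructed copy of the display dhcp static user-bind all output shown above into binding entries and evaluates sample frames for Host_1, a host with a changed IP address, a host moved to another interface, and the unbound Host_3. The MAC address 0003-0003-0003 used for Host_3 is a constructed value, and the trunk uplink GE0/0/4 is deliberately not modelled.

```python
"""Added example, not Huawei's code: a small model of the IPSG check the
Switch applies to VLAN 10 once 'ip source check user-bind enable' is set.
It parses the binding table printed by 'display dhcp static user-bind all'
and evaluates constructed sample frames against it."""
from dataclasses import dataclass
import re

# Constructed sample: the binding-table output shown earlier on the page.
DISPLAY_OUTPUT = """\
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  --  /--  /--     GE0/0/1
10.0.0.2         0002-0002-0002  --  /--  /--     GE0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str        # Huawei dotted format, e.g. 0001-0001-0001
    interface: str  # e.g. GE0/0/1


@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str
    interface: str  # ingress interface
    vlan: int


def parse_bindings(text: str) -> list[Binding]:
    """Extract (IP, MAC, interface) rows from the display output. Header,
    separator and count lines are skipped because their first two fields
    are not a valid IP address and MAC address."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not IP_RE.match(fields[0]) or not MAC_RE.match(fields[1]):
            continue
        entries.append(Binding(fields[0], fields[1].lower(), fields[-1]))
    return entries


def ipsg_check(bindings, ipsg_vlans, frame):
    """Return (allowed, reason). In an IPSG-enabled VLAN a frame passes only
    if source IP, source MAC and ingress interface all match one binding
    entry; otherwise it is dropped. Frames in other VLANs are not checked."""
    if frame.vlan not in ipsg_vlans:
        return True, "IPSG not enabled in this VLAN"
    wanted = Binding(frame.src_ip, frame.src_mac.lower(), frame.interface)
    if wanted in bindings:
        return True, "matches static binding"
    return False, "no binding for (ip, mac, interface): dropped"


def demo():
    """Reproduce the verification cases from the text; returns name -> allowed."""
    bindings = parse_bindings(DISPLAY_OUTPUT)
    vlans = {10}
    results = {
        "host1_ok": ipsg_check(bindings, vlans, Frame("10.0.0.1", "0001-0001-0001", "GE0/0/1", 10))[0],
        "host1_changed_ip": ipsg_check(bindings, vlans, Frame("10.0.0.9", "0001-0001-0001", "GE0/0/1", 10))[0],
        "host1_moved_port": ipsg_check(bindings, vlans, Frame("10.0.0.1", "0001-0001-0001", "GE0/0/3", 10))[0],
        # Host_3 has no entry; its MAC address is a constructed value.
        "host3_unbound": ipsg_check(bindings, vlans, Frame("10.0.0.3", "0003-0003-0003", "GE0/0/3", 10))[0],
    }
    # Adding a static entry for Host_3 (as the text suggests) admits it.
    bindings.append(Binding("10.0.0.3", "0003-0003-0003", "GE0/0/3"))
    results["host3_after_binding"] = ipsg_check(
        bindings, vlans, Frame("10.0.0.3", "0003-0003-0003", "GE0/0/3", 10))[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'permit' if allowed else 'drop'}")
```

The model matches the page's behaviour: only the two bound hosts on their bound interfaces are permitted, a changed address or a moved cable fails the three-way match, and Host_3 is admitted only after its own entry is added. Because the parser keys on the shape of the display output rather than on column positions, it can be pointed at the output of a real switch to audit which (IP, MAC, interface) triples are actually authorised.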
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/2
#
vlan 10
 ipv4 source check user-bind enable
 ipv6 source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return