Example for Configuring IPSG to Prevent Hosts with Dynamic IP Addresses from Changing Their Own IP Addresses
IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It filters IP packets based on the binding table on a switch. An entry in the binding table contains the IP address, MAC address, VLAN ID, and interface. Binding entries include static entries and dynamic entries. A static binding table is manually created, a dynamic binding table is the DHCP snooping binding table. When hosts obtain dynamic IP addresses, the switch automatically generates the dynamic binding entries according to the DHCP Reply packets. After a binding table is built, the switch matches the packets received by IPSG-enabled interfaces against binding entries. If the packets match binding entries, they are forwarded; otherwise, they are discarded. The packet matching options can be a combination of IP address, MAC address, VLAN ID, and interface. For example, the switch matches only IP addresses, both IP addresses and MAC addresses, or a combination of IP addresses, MAC addresses, VLAN IDs, and interfaces of the packets.
- Prevents malicious hosts from stealing authorized hosts' IP addresses to pose as the authorized hosts.
- Prevents unauthorized hosts from changing their own IP addresses to static IP addresses to access or attack the network.
For example, on a network where the hosts obtain IP addresses from a DHCP server, the hosts can access the network by using only the dynamic IP addresses, and cannot use static IP addresses to access the network, unless the administrator creates static binding entries for them.
Configuration Notes
- S2700-SI of V100R006C05 does not support IPSG.
- After hardware-based Layer 3 forwarding for
IPv4 packets is enabled in the following versions, the switches do
not support IPSG:
- V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
- V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
Networking Requirements
As shown in Figure 1, hosts access the intranet through ACC, and the Core functions as a DHCP server to allocate IP addresses to the hosts. The printer uses a static IP address. The gateway is the egress device of the intranet. The administrator does not want the hosts to access the intranet by using the IP addresses statically configured by themselves.
Data Plan
To perform the configuration, you need to the following data.
Item |
Data |
Description |
|---|---|---|
VLAN |
|
None |
Address pool |
10.1.1.0/24 |
None |
Gateway IP address of hosts |
VLANIF10: 10.1.1.1/24 |
None |
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the DHCP server on the Core to allocate IP addresses to hosts.
- Configure DHCP snooping on the ACC to ensure that the hosts can obtain IP addresses from the valid DHCP server and the DHCP server can generate DHCP snooping dynamic binding entries, which record the bindings of IP addresses, MAC addresses, VLANs, and interfaces of hosts.
- Create a static binding entry for the printer on the ACC to ensure secure access of the printer.
- Enable IPSG in the VLAN to which the hosts belong to on the ACC to prevent the hosts from accessing the intranet with changed IP addresses.
Procedure
- Configure the DHCP server on the Core.
<HUAWEI> system-view [HUAWEI] sysname Core [Core] vlan batch 10 [Core] interface gigabitethernet 0/0/1 [Core-GigabitEthernet0/0/1] port link-type trunk [Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 [Core-GigabitEthernet0/0/1] quit [Core] dhcp enable [Core] ip pool 10 [Core-ip-pool-10] network 10.1.1.0 mask 24 [Core-ip-pool-10] gateway-list 10.1.1.1 [Core-ip-pool-10] quit [Core] interface vlanif 10 [Core-Vlanif10] ip address 10.1.1.1 255.255.255.0 [Core-Vlanif10] dhcp select global [Core-Vlanif10] quit
- Configure DHCP snooping on the ACC.
# Specify the VLAN to which the interfaces belong.
<HUAWEI> system-view [HUAWEI] sysname ACC [ACC] vlan batch 10 [ACC] interface gigabitethernet 0/0/1 [ACC-GigabitEthernet0/0/1] port link-type access [ACC-GigabitEthernet0/0/1] port default vlan 10 [ACC-GigabitEthernet0/0/1] quit [ACC] interface gigabitethernet 0/0/2 [ACC-GigabitEthernet0/0/2] port link-type access [ACC-GigabitEthernet0/0/2] port default vlan 10 [ACC-GigabitEthernet0/0/2] quit [ACC] interface gigabitethernet 0/0/3 [ACC-GigabitEthernet0/0/3] port link-type access [ACC-GigabitEthernet0/0/3] port default vlan 10 [ACC-GigabitEthernet0/0/3] quit [ACC] interface gigabitethernet 0/0/4 [ACC-GigabitEthernet0/0/4] port link-type trunk [ACC-GigabitEthernet0/0/4] port trunk allow-pass vlan 10 [ACC-GigabitEthernet0/0/4] quit
# Enable DHCP snooping and configure GE0/0/4 connected to the DHCP server as a trusted interface.
[ACC] dhcp enable //Enable DHCP [ACC] dhcp snooping enable //Enable DHCP Snooping globally [ACC] vlan 10 [ACC-vlan10] dhcp snooping enable //Enable DHCP Snooping in VLAN 10 [ACC-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/4 //Configure a trusted interface [ACC-vlan10] quit
- Create a static binding entry for the printer.
[ACC] user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface gigabitethernet 0/0/3 vlan 10 - Enable IPSG in VLAN 10 on the ACC.
[ACC] vlan 10 [ACC-vlan10] ip source check user-bind enable //Enable IPSG [ACC-vlan10] quit - Verify the configuration.
After the hosts go online, run the display dhcp snooping user-bind all command on the ACC to view dynamic binding entries of the hosts.
[ACC] display dhcp snooping user-bind all DHCP Dynamic Bind-table: Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping IP Address MAC Address VSI/VLAN(O/I/P) Interface Lease -------------------------------------------------------------------------------- 10.1.1.254 0001-0001-0001 10 /-- /-- GE0/0/1 2014.08.17-07:31 10.1.1.253 0002-0002-0002 10 /-- /-- GE0/0/2 2014.08.17-07:34 -------------------------------------------------------------------------------- Print count: 2 Total count: 2
Run the display dhcp static user-bind all command on the ACC to view the static binding entry of the printer.
[ACC] display dhcp static user-bind all DHCP static Bind-table: Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping IP Address MAC Address VSI/VLAN(O/I/P) Interface -------------------------------------------------------------------------------- 10.1.1.2 0003-0003-0003 10 /-- /-- GE0/0/3 -------------------------------------------------------------------------------- Print count: 1 Total count: 1The hosts can access the intranet using the IP addresses dynamically allocated by the DHCP server. After the dynamic IP addresses of the hosts are changed to statically configured IP addresses that are different from the dynamic ones, the hosts cannot access the intranet.
Configuration Files
Configuration file of the Core
# sysname Core # vlan batch 10 # dhcp enable # ip pool 10 gateway-list 10.1.1.1 network 10.1.1.0 mask 255.255.255.0 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 dhcp select global # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 # returnConfiguration file of the ACC
# sysname ACC # vlan batch 10 # dhcp enable # dhcp snooping enable user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface GigabitEthernet0/0/3 vlan 10 # vlan 10 dhcp snooping enable dhcp snooping trusted interface GigabitEthernet0/0/4 ip source check user-bind enable # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 # interface GigabitEthernet0/0/2 port link-type access port default vlan 10 # interface GigabitEthernet0/0/3 port link-type access port default vlan 10 # interface GigabitEthernet0/0/4 port link-type trunk port trunk allow-pass vlan 10 # return