CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers function configuration and configuration examples.
Configuring IPSG

IP Source Guard (IPSG) checks received IP packets against the binding entries and discards packets whose source does not match an entry, preventing network attacks based on source IP address spoofing.

Pre-configuration Tasks

Before configuring IPSG, complete the following task:
  • Configuring an IP address for the interface to ensure that the link protocol is in the Up state.

Configuration Procedure

To configure IPSG, you must configure a binding table and enable IP packet check. All other configuration tasks are optional and are not listed in sequence. You can configure them as required.

Configuring a Binding Table

Context

IPSG checks IP packets against the binding table, which contains dynamic and static entries.

If user IP addresses are dynamically allocated by DHCP, the dynamic binding table is generated automatically after DHCP snooping is enabled. If user IP addresses are configured statically, static binding entries must be configured manually.

Procedure
  • For users dynamically obtaining IP addresses through DHCP:

    1. Run:
      system-view

      The system view is displayed.

    2. Run:

      dhcp enable

      DHCP is enabled globally.

      By default, DHCP is disabled globally.

    3. Run:

      dhcp snooping enable

      DHCP snooping is globally enabled.

      By default, DHCP snooping is disabled globally.

    4. Enter the VLAN or interface view.

      • Run:
        vlan vlan-id

        The VLAN view is displayed.

      • Run:
        interface interface-type interface-number

        The interface view is displayed.

    5. Run:

      dhcp snooping enable

      DHCP snooping is enabled in a VLAN or on an interface.

      By default, DHCP snooping is disabled in a VLAN or on an interface.

    6. Configure the trusted interface.

      • Run:
        dhcp snooping trusted interface interface-type interface-number

        The specified interface is configured as the trusted interface for the VLAN.

      • Run:
        dhcp snooping trusted

        The interface is configured as the trusted interface.

      By default, interfaces are untrusted after DHCP snooping is enabled.

      NOTE:

      The interface that connects directly or indirectly to the DHCP server is generally configured as the trusted interface. After DHCP snooping is enabled and the trusted interface is configured, the user-side interfaces generate dynamic binding entries based on the DHCP ACK messages they see. Trust only interfaces that lead toward the legitimate DHCP server: DHCP server replies arriving on an untrusted interface are discarded, so a rogue DHCP server on a user port cannot populate the binding table, whereas a user port wrongly marked as trusted would allow it to.

    7. Run:
      commit

      The configuration is committed.

  • For users using manually configured IP addresses:

    1. Run:
      system-view

      The system view is displayed.

    2. Run:
      user-bind static { ip-address { start-ip [ to end-ip ] } &<1-10> | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ inner-vlan inner-vlan-id ] ]

      A static binding entry is configured.

      By default, no static binding entries are configured.

    3. Run:
      commit

      The configuration is committed.

Configuring IP Packet Check

Context

IPSG enables the device to check IP packets in the VLAN and on the interface.

Procedure
  • In the VLAN:
    1. Run:
      system-view

      The system view is displayed.

    2. Run:
      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      ip source check user-bind enable

      IP packet check is enabled.

      By default, IP packet check is disabled in the VLAN.

    4. Run:

      ip source check user-bind check-item { ip-address | mac-address | interface }*

      IP packet check items are configured.

      By default, in the VLAN view the device checks the source IP address, source MAC address, and inbound interface of IP packets.

      NOTE:

      This command applies only to dynamic binding entries. Static binding entries are always checked on every item they contain, regardless of the configured check items.

    5. Run:
      commit

      The configuration is committed.

  • On the interface:
    1. Run:
      system-view

      The system view is displayed.

    2. Run:
      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      ip source check user-bind enable

      IP packet check is enabled.

      By default, IP packet check is disabled on the interface.

    4. Run:

      ip source check user-bind check-item { ip-address | mac-address | vlan }*

      IP packet check items are configured.

      By default, in the interface view the device checks the source IP address, source MAC address, and VLAN ID of IP packets.

      NOTE:

      This command applies only to dynamic binding entries. Static binding entries are always checked on every item they contain, regardless of the configured check items.

    5. Run:
      commit

      The configuration is committed.

(Optional) Configuring the Alarm Function of IP Packet Check

Context

You can enable the alarm function of IP packet check on an interface. When the number of IP packets discarded by IPSG on that interface reaches the alarm threshold, an alarm is generated.

Procedure
  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    ip source check user-bind alarm enable

    The alarm function of IP packet check is enabled.

    By default, the alarm function of IP packet check is disabled.

  4. Run:

    ip source check user-bind alarm threshold threshold

    The alarm threshold for the number of discarded IP packets is set.

    By default, the alarm threshold for the number of discarded IP packets is 100.

  5. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  1. Run the display user-bind static { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view static binding entries.
  2. Run the display ip source check user-bind [ vlan vlan-id | interface interface-type interface-number ] command to view IPSG configurations.
  3. Run the display ip source check user-bind status [ dynamic | static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id ] * [ valid | invalid ] [ slot slot-id ] command to view IPSG binding entries and IPSG status.
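The following is an added end-to-end example that ties together the procedures above (binding table, IP packet check, alarm, and verification); it is not taken from the original guide. All identifiers are illustrative assumptions: VLAN 10 is the user VLAN, 10GE 1/0/1 is the uplink toward the DHCP server, 10GE 1/0/2 is a user-facing port with a statically addressed host 10.1.10.50 / 0001-0002-0003, and the alarm threshold of 50 is arbitrary. Prompts follow the two-stage commit convention ([~] committed, [*] uncommitted); lines starting with # are annotations, not commands.

```text
# Added example, not from the original guide. Interface names, VLAN ID, addresses and
# the threshold are assumptions chosen for illustration.

# 1. Dynamic binding entries: DHCP snooping in the user VLAN, only the uplink trusted
<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] dhcp snooping trusted interface 10ge 1/0/1

# 2. IP packet check for the whole VLAN; dynamic entries are matched on source IP
#    and source MAC only, static entries are always matched on every item they contain
[*HUAWEI-vlan10] ip source check user-bind enable
[*HUAWEI-vlan10] ip source check user-bind check-item ip-address mac-address
[*HUAWEI-vlan10] commit
[~HUAWEI-vlan10] quit

# 3. Static binding entry for the fixed-address host, pinned to its port and VLAN
[~HUAWEI] user-bind static ip-address 10.1.10.50 mac-address 0001-0002-0003 interface 10ge 1/0/2 vlan 10

# 4. Per-interface check (default items: IP, MAC, VLAN) and discard alarm on the user port
[*HUAWEI] interface 10ge 1/0/2
[*HUAWEI-10GE1/0/2] ip source check user-bind enable
[*HUAWEI-10GE1/0/2] ip source check user-bind alarm enable
[*HUAWEI-10GE1/0/2] ip source check user-bind alarm threshold 50
[*HUAWEI-10GE1/0/2] commit
[~HUAWEI-10GE1/0/2] quit

# 5. Verify: static entries, IPSG configuration per scope, and binding entry status
[~HUAWEI] display user-bind static all verbose
[~HUAWEI] display ip source check user-bind vlan 10
[~HUAWEI] display ip source check user-bind interface 10ge 1/0/2
[~HUAWEI] display ip source check user-bind status dynamic vlan 10
[~HUAWEI] display ip source check user-bind status static interface 10ge 1/0/2
```

The VLAN-level and interface-level checks are independent scopes; both are shown here only to illustrate the two procedures, and in practice you would enable the scope that matches how hosts attach. After committing, confirm with the status display that the entries you expect are marked valid before relying on the check, because a host whose entry is missing or invalid has all of its IP traffic discarded on the checked scope.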
Updated: 2019-08-09

Document ID: EDOC1000041694