CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring IPSG Based on a Static Binding Table

IPSG based on a static binding table filters IP packets received by untrusted interfaces, to prevent malicious hosts from stealing authorized hosts' IP addresses to access the network without permission.

Context

IPSG based on a static binding table is applicable to a LAN where a small number of hosts reside and the hosts use static IP addresses.

Configuration Process

Figure 13-10  Configuration flowchart of IPSG based on a static binding table

Perform the following operations on the device to which users connect.

Procedure

  1. Create a static binding entry.

    Static binding entries include IPv4 and IPv6 entries. Choose one type of entries according to your network type.

    1. Run the system-view command to enter the system view.
    2. Run the user-bind static { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command to configure a static binding entry.

      By default, no static binding entry exists.

      NOTE:

      IPSG matches packets against all options in the static binding entry. Ensure that the created binding entry is correct and contains all the options to check. The device forwards the packets from hosts only when the packets match all options in the binding entry, and discards the packets not matching the binding entry.

      The device can bind multiple IP addresses or IP address segments to the same interface or MAC address.
      • If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface ethernet 0/0/1 to bind multiple IP addresses to the same interface.
      • If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.

      The AR500 series (except AR502G-L-D-H and AR502GR-L-D-H) does not support the keywords ipv6-address and ce-vlan.

      If a static binding entry is incorrect or the network rights of a bound host have been changed, you can run the undo user-bind static [ interface interface-type interface-number | { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | mac-address mac-address | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the entry.

  2. (Optional) Configure a trusted interface.

    If the hosts on the network use static IP addresses, you do not need to configure trusted interfaces. However, if the upstream interface on the device belongs to an IPSG-enabled VLAN, configure this interface as the trusted interface; otherwise, the return packets are discarded because they do not match the binding entries. As a result, service will be interrupted. For the details about this problem, see Service Is Abnormal Because the Upstream Interface Is Not Configured as a Trusted Interface. After the upstream interface is configured as a trusted interface, the device forwards the packets received by the interface without checking them against the binding entries.

    1. Run the dhcp enable command to enable DHCP globally.

      By default, DHCP is not enabled globally.

    2. Run the dhcp snooping enable command to enable DHCP snooping globally.

      By default, DHCP snooping is disabled globally.

    3. Configure the trusted interface.

      • Run the dhcp snooping trusted interface interface-type interface-number command in the VLAN view to configure the interface as the trusted interface.
      • Run the dhcp snooping trusted command in the interface view to configure the interface as the trusted interface.

      By default, interfaces are untrusted after DHCP snooping is enabled.

      NOTE:

      The AR500 series (except AR502G-L-D-H and AR502GR-L-D-H) does not support trusted interfaces.

  3. Enable IPSG.

    Creating a binding entry alone does not make IPSG take effect. IPSG takes effect only after it is enabled on the specified interface (user-side interface) or VLAN. There are two ways to enable IPSG.
    • Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entry. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. In addition, this method is convenient if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.

    • Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entry. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. In addition, this method is convenient if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.

    NOTE:

    • If IPSG is enabled on an interface, IPSG takes effect on only this interface, and the device does not perform an IPSG check on other interfaces.
    • If IPSG is enabled in a VLAN, IPSG takes effect in only this VLAN, and the device does not perform an IPSG check in other VLANs.

    1. Enter the interface or VLAN view.

      • Run the interface interface-type interface-number command to enter the interface view.
      • Run the vlan vlan-id command to enter the VLAN view.

    2. Run the ip source check user-bind enable command to enable IP packet check on the interface or in the VLAN.

      By default, IP packet check is disabled on interfaces or in VLANs.
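The packet check that the three steps above configure, as a constructed reference model added here (not Huawei code and not the device's implementation): it expands discrete and ranged ip-address options, rejects overlapping segments as the CLI does, applies the rule that every option in an entry must match, and skips the check on trusted interfaces and outside the IPSG-enabled interfaces or VLANs. The interface names, MAC addresses and VLAN IDs in the sample data are assumed.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

@dataclass
class Binding:
    """One user-bind static entry; an option left at None is not checked."""
    ips: set = field(default_factory=set)   # expanded addresses; empty = no IP option
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

def expand_ips(spec):
    """Expand discrete addresses and/or (start, end) segments into a set.
    Overlapping segments are rejected, as the CLI does for the 'to' form."""
    out, segments = set(), []
    for item in spec:
        lo, hi = item if isinstance(item, tuple) else (item, item)
        lo, hi = int(IPv4Address(lo)), int(IPv4Address(hi))
        if isinstance(item, tuple):
            if any(lo <= h and l <= hi for l, h in segments):
                raise ValueError("IP address segments cannot overlap")
            segments.append((lo, hi))
        out.update(IPv4Address(a) for a in range(lo, hi + 1))
    return out

Packet = namedtuple("Packet", "src_ip src_mac interface vlan")

def matches(b, p):
    """Pass only if every option present in the entry matches the packet."""
    return ((not b.ips or IPv4Address(p.src_ip) in b.ips)
            and b.mac in (None, p.src_mac)
            and b.interface in (None, p.interface)
            and b.vlan in (None, p.vlan))

def ipsg_decision(p, bindings, enabled_ifaces=(), enabled_vlans=(), trusted=()):
    """Trusted interfaces skip the check; packets outside the IPSG-enabled
    interfaces/VLANs are not checked; all others need a complete match."""
    if p.interface in trusted:
        return "forward"
    if p.interface not in enabled_ifaces and p.vlan not in enabled_vlans:
        return "forward"
    return "forward" if any(matches(b, p) for b in bindings) else "discard"

BINDINGS = [  # constructed entries mirroring the two CLI examples in the text
    Binding(expand_ips(["192.168.1.2", "192.168.1.5", "192.168.1.12"]), interface="Ethernet0/0/1"),
    Binding(expand_ips([("172.16.1.1", "172.16.1.4")]), mac="0001-0001-0001"),
]
```

The upstream-interface failure described in step 2 shows up directly: a return packet arriving on an interface in an IPSG-enabled VLAN is discarded until that interface is passed in as trusted.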

Checking the Configuration

  • Run the display ip source check user-bind { vlan vlan-id | interface interface-type interface-number } command to view IPSG configurations.

  • Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv4 static binding entries.

Updated: 2019-05-25

Document ID: EDOC1000097287
