CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Example for Configuring IPSG Based on the DHCP Snooping Dynamic Binding Table to Prevent a Host from Using the IP Address of Another Host Without Permission

Networking Requirements

As shown in Figure 13-13, hosts access the enterprise internet through Router_1, and Router_2 functions as a DHCP server to allocate IP addresses to the hosts. The gateway is the egress device of the enterprise internet. The administrator requires that hosts use only dynamically allocated IP addresses: a host that changes its address to a statically configured IP address must not be able to access the internet.

Figure 13-13  Configuring IPSG based on the DHCP snooping dynamic binding table to prevent a host from using the IP address of another host without permission

Configuration Roadmap

The requirement of the administrator can be met by configuring IPSG. The configuration roadmap is as follows:

  1. Configure the DHCP server (IP address pool 10.1.1.0/24) on Router_2 to allocate IP addresses to hosts.
  2. Configure DHCP snooping on Router_1. The hosts then obtain IP addresses from the valid DHCP server, and Router_1 generates DHCP snooping dynamic binding entries, which record the bindings of IP addresses, MAC addresses, VLANs, and interfaces of the hosts.
  3. Enable IPSG in the VLAN to which the hosts belong so that hosts cannot access the internet with changed IP addresses.

Procedure

  1. Configure the DHCP server on Router_2.

    <Huawei> system-view
    [Huawei] sysname Router_2
    [Router_2] vlan batch 10
    [Router_2] interface ethernet 0/0/1 
    [Router_2-Ethernet0/0/1] port link-type trunk
    [Router_2-Ethernet0/0/1] port trunk allow-pass vlan 10
    [Router_2-Ethernet0/0/1] quit
    [Router_2] dhcp enable
    [Router_2] ip pool 10
    [Router_2-ip-pool-10] network 10.1.1.0 mask 24
    [Router_2-ip-pool-10] gateway-list 10.1.1.1
    [Router_2-ip-pool-10] quit
    [Router_2] interface vlanif 10
    [Router_2-Vlanif10] ip address 10.1.1.1 255.255.255.0
    [Router_2-Vlanif10] dhcp select global
    [Router_2-Vlanif10] quit
    

  2. Configure DHCP snooping on Router_1.

    # Specify the VLAN to which the interfaces belong.

    <Huawei> system-view
    [Huawei] sysname Router_1
    [Router_1] vlan batch 10
    [Router_1] interface ethernet 0/0/1 
    [Router_1-Ethernet0/0/1] port link-type access
    [Router_1-Ethernet0/0/1] port default vlan 10
    [Router_1-Ethernet0/0/1] quit
    [Router_1] interface ethernet 0/0/2 
    [Router_1-Ethernet0/0/2] port link-type access
    [Router_1-Ethernet0/0/2] port default vlan 10
    [Router_1-Ethernet0/0/2] quit
    [Router_1] interface ethernet 0/0/3 
    [Router_1-Ethernet0/0/3] port link-type trunk
    [Router_1-Ethernet0/0/3] port trunk allow-pass vlan 10
    [Router_1-Ethernet0/0/3] quit
    

    # Enable DHCP snooping and configure Eth0/0/3 connected to the DHCP server as a trusted interface.

    [Router_1] dhcp enable
    [Router_1] dhcp snooping enable
    [Router_1] vlan 10
    [Router_1-vlan10] dhcp snooping enable
    [Router_1-vlan10] dhcp snooping trusted interface ethernet 0/0/3
    

  3. Enable IPSG in VLAN 10 on Router_1.

    [Router_1-vlan10] ip source check user-bind enable
    [Router_1-vlan10] quit
    

  4. Verify the configuration.

    # After the hosts go online, run the display dhcp snooping user-bind all command on Router_1 to view dynamic binding entries of the hosts.

    [Router_1] display dhcp snooping user-bind all
    DHCP Dynamic Bind-table:
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease           
    --------------------------------------------------------------------------------
    10.1.1.254       0001-0001-0001  --  /10  /--    Eth0/0/1        2014.08.17-07:31
    10.1.1.253       0002-0002-0002  --  /10  /--    Eth0/0/2        2014.08.17-07:34
    --------------------------------------------------------------------------------
    print count:      2     total count:      2
    

    # The hosts can access the internet using the IP addresses dynamically allocated by the DHCP server. After the dynamic IP addresses of the hosts are changed to statically configured IP addresses that are different from the dynamic ones, the hosts cannot access the internet.
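The following is an added example, not part of the Huawei document: it parses the display dhcp snooping user-bind all output shown above and models the IPSG check that ip source check user-bind enable applies in VLAN 10, so that the verification step (leased address forwarded, changed or borrowed address dropped) can be replayed offline. The four-field match and the DHCP exemption are modelling assumptions, not quotes from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'display dhcp snooping user-bind all' output from this page.
BIND_TABLE_OUTPUT = """\
DHCP Dynamic Bind-table:
IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease
--------------------------------------------------------------------------------
10.1.1.254       0001-0001-0001  --  /10  /--    Eth0/0/1        2014.08.17-07:31
10.1.1.253       0002-0002-0002  --  /10  /--    Eth0/0/2        2014.08.17-07:34
--------------------------------------------------------------------------------
print count:      2     total count:      2
"""

# One table row: IP, MAC, the VSI / VLAN / inner-VLAN column, interface, lease expiry.
ENTRY_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"\S+\s*/(?P<vlan>\d+)\s*/\S+\s+(?P<intf>\S+)\s+\S+$")

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str

def parse_bind_table(text: str) -> list[Binding]:
    # Header, separator and count lines do not match ENTRY_RE and are skipped.
    rows = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Binding(m["ip"], m["mac"], int(m["vlan"]), m["intf"]) for m in rows if m]

def ipsg_permits(bindings: list[Binding], ip: str, mac: str, vlan: int,
                 interface: str, is_dhcp: bool = False) -> bool:
    """Model of IPSG in a VLAN: an IP packet is forwarded only if source IP, MAC,
    VLAN and inbound interface all match one entry (assumption: all four checked).
    DHCP packets are assumed exempt so an unbound host can still request a lease."""
    if is_dhcp:
        return True
    return Binding(ip, mac, vlan, interface) in set(bindings)

def demo() -> dict[str, bool]:
    b = parse_bind_table(BIND_TABLE_OUTPUT)
    return {
        # Host 1 keeps its leased 10.1.1.254: forwarded.
        "leased_ip": ipsg_permits(b, "10.1.1.254", "0001-0001-0001", 10, "Eth0/0/1"),
        # Host 1 sets a static 10.1.1.100: no binding entry, dropped.
        "static_ip": ipsg_permits(b, "10.1.1.100", "0001-0001-0001", 10, "Eth0/0/1"),
        # Host 1 reuses host 2's 10.1.1.253: bound to another MAC/interface, dropped.
        "borrowed_ip": ipsg_permits(b, "10.1.1.253", "0001-0001-0001", 10, "Eth0/0/1"),
        # A new host's DHCP Discover is still let through to reach the server.
        "dhcp_request": ipsg_permits(b, "0.0.0.0", "0003-0003-0003", 10, "Eth0/0/1", True),
    }
```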

Configuration Files

  • Configuration file of Router_1

    #
    sysname Router_1
    #
    vlan batch 10
    #
    dhcp enable 
    #
    dhcp snooping enable
    #
    vlan 10
     dhcp snooping enable 
     dhcp snooping trusted interface Ethernet0/0/3
     ip source check user-bind enable
    #
    interface Ethernet0/0/1
     port link-type access  
     port default vlan 10 
    #
    interface Ethernet0/0/2
     port link-type access  
     port default vlan 10 
    #
    interface Ethernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    return
  • Configuration file of Router_2

    #
    sysname Router_2
    #
    vlan batch 10 
    #
    dhcp enable 
    #
    ip pool 10
     gateway-list 10.1.1.1
     network 10.1.1.0 mask 255.255.255.0 
    #
    interface Vlanif10 
     ip address 10.1.1.1 255.255.255.0 
     dhcp select global
    # 
    interface Ethernet0/0/1
     port link-type trunk 
     port trunk allow-pass vlan 10
    # 
    return
Updated: 2019-05-25

Document ID: EDOC1000097287