CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring IPSG Based on a Dynamic Binding Table

IPSG based on a dynamic binding table checks IP packets received on untrusted interfaces against the binding table, so that a malicious host cannot use (spoof) an authorized host's IP address to access the network without permission.

Context

IPSG based on a dynamic binding table is applicable to a LAN where a large number of hosts reside or where hosts obtain IP addresses through DHCP.

Configuration Process

Figure 13-11  Configuration flowchart of IPSG based on a dynamic binding table

Perform the following operations on the device to which users connect.

Procedure

  1. Create a dynamic binding entry.

    Dynamic binding entries include IPv4 and IPv6 entries. Choose the type of entry that matches your network.

    • If IPv4 or IPv6 hosts on the network obtain IP addresses through DHCP, DHCP snooping can be configured on the device to generate DHCP snooping dynamic binding entries for the hosts.

      1. Run the system-view command to enter the system view.
      2. Run the dhcp enable command to enable DHCP.

        By default, DHCP is disabled on a device.

      3. Run the dhcp snooping enable command to enable DHCP snooping globally.

        By default, DHCP snooping is disabled globally.

      4. Enter the VLAN or interface view.
        • Run the vlan vlan-id command to enter the VLAN view.
        • Run the interface interface-type interface-number command to enter the interface view.
      5. Run the dhcp snooping enable command to enable DHCP snooping in the VLAN or on the interface.

        By default, DHCP snooping is disabled in a VLAN or on an interface.

        NOTE:

        Before enabling DHCP snooping on an interface or in a VLAN, ensure that the DHCP relay or server function has been enabled on this interface or corresponding VLANIF interface; if they are not enabled, the device will not obtain the binding entries of users.

      6. Configure a trusted interface in either of the following ways:
        • Run the dhcp snooping trusted interface interface-type interface-number command in the VLAN view to configure the interfaces in the VLAN as trusted interfaces.
        • Run the dhcp snooping trusted command in the interface view to configure the interface as a trusted interface.

        By default, a DHCP snooping-enabled interface is an untrusted interface.

        NOTE:

        The interface directly or indirectly connected to the server is generally configured as the trusted interface. After DHCP snooping is enabled and the trusted interface is configured, the interface on the user side generates dynamic binding entries based on DHCP ACK messages.

        The AR500 series do not support trusted interfaces. Before enabling DHCP snooping on an interface or in a VLAN, ensure that the DHCP relay or DHCP server function has been enabled on this interface or corresponding VLANIF interface; if they are not enabled, the device will not obtain the binding entries of users.

      For details about DHCP snooping configuration, see DHCP Snooping Configuration in the Huawei AR Series IOT Gateway Configuration Guide - Security.

  2. Enable IPSG.

    Creating binding entries alone does not activate IPSG. IPSG takes effect only after it is enabled on the specified (user-side) interface or in the specified VLAN. There are two ways to enable IPSG.
    • Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entry. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. In addition, this method is convenient if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.

    • Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entry. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. In addition, this method is convenient if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.

    NOTE:
    • If IPSG is enabled on an interface, IPSG takes effect on only this interface, and the device does not perform an IPSG check on other interfaces.
    • If IPSG is enabled in a VLAN, IPSG takes effect in only this VLAN, and the device does not perform an IPSG check in other VLANs.
    1. Enter the interface or VLAN view.
      • Run the interface interface-type interface-number command to enter the interface view.
      • Run the vlan vlan-id command to enter the VLAN view.
    2. Run the ip source check user-bind enable command to enable IP packet check on the interface or in the VLAN.

      By default, IP packet check is disabled on interfaces or in VLANs.

  3. (Optional) Configure the IP packet check options.

    • If IPSG has been enabled in a VLAN, run the ip source check user-bind check-item { ip-address | mac-address | interface }* command in the VLAN view to configure the IP packet check options.
    • If IPSG has been enabled on an interface, run the ip source check user-bind check-item { ip-address | mac-address | vlan }* command in the interface view to configure the IP packet check options.

    By default, the IP packet check options include IP address, MAC address, VLAN, and interface. If some options are trusted or are not fixed (for example, packets from a host may arrive on different interfaces), you can exclude them in this step. The default values are recommended.
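    The following Python model, added here as an illustration and not part of the Huawei guide, shows how the three steps above combine: binding entries learned by DHCP snooping (step 1), the scope in which IPSG is enabled (step 2), and the check items that must match (step 3). The binding table, host addresses, MAC addresses and interface names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Sequence

@dataclass(frozen=True)
class Binding:
    """One dynamic binding entry, as DHCP snooping learns it from a DHCP ACK."""
    ip: str
    mac: str
    vlan: int
    interface: str

# Constructed sample binding table; hosts, MACs and interface names are hypothetical.
BINDING_TABLE = (
    Binding("10.1.1.10", "00e0-fc12-3456", 10, "GigabitEthernet0/0/1"),
    Binding("10.1.1.11", "00e0-fc12-3457", 10, "GigabitEthernet0/0/2"),
)

# Default check options: every item must match a single binding entry.
ALL_ITEMS = ("ip-address", "mac-address", "vlan", "interface")
_FIELD = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}

def matches_binding(pkt: Dict[str, object], table: Iterable[Binding],
                    check_items: Sequence[str] = ALL_ITEMS) -> bool:
    """True if some binding entry agrees with the packet on every selected check item."""
    return any(all(pkt[_FIELD[item]] == getattr(entry, _FIELD[item]) for item in check_items)
               for entry in table)

def ipsg_filter(pkt: Dict[str, object], table: Iterable[Binding] = BINDING_TABLE,
                enabled_interfaces: FrozenSet[str] = frozenset(),
                enabled_vlans: FrozenSet[int] = frozenset(),
                check_items: Sequence[str] = ALL_ITEMS) -> str:
    """Decide the fate of one IP packet received on a user-side interface.

    IPSG acts only where 'ip source check user-bind enable' was run: on the listed
    interfaces or in the listed VLANs. Packets arriving anywhere else are not checked.
    """
    if pkt["interface"] not in enabled_interfaces and pkt["vlan"] not in enabled_vlans:
        return "not-checked"
    return "permit" if matches_binding(pkt, table, check_items) else "discard"

if __name__ == "__main__":
    # IPSG enabled in VLAN 10 with the default check items.
    legit = {"ip": "10.1.1.10", "mac": "00e0-fc12-3456", "vlan": 10, "interface": "GigabitEthernet0/0/1"}
    spoof = dict(legit, mac="00e0-fc99-9999")              # borrowed IP, different MAC
    moved = dict(legit, interface="GigabitEthernet0/0/3")  # same host, different port
    print(ipsg_filter(legit, enabled_vlans=frozenset({10})))  # permit
    print(ipsg_filter(spoof, enabled_vlans=frozenset({10})))  # discard
    print(ipsg_filter(moved, enabled_vlans=frozenset({10})))  # discard
    # Step 3: leave 'interface' out of the check items when hosts may move between ports.
    print(ipsg_filter(moved, enabled_vlans=frozenset({10}),
                      check_items=("ip-address", "mac-address")))  # permit
```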

Checking the Configuration

  • View the IPSG configuration.

    Run the display ip source check user-bind { vlan vlan-id | interface interface-type interface-number } command to view IPSG configurations.

  • View the dynamic binding entries and status.

    • Run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id }* | all } [ verbose ] command to view DHCP snooping dynamic binding entries.
    • Run the display dhcpv6 snooping user-bind { { interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id }* | all } [ verbose ] command to view DHCPv6 snooping dynamic binding entries.
Updated: 2019-05-25

Document ID: EDOC1000097287