SupportDocumentationSwitchesCampus SwitchS1800EC&S5800EC&S600E&E600Configuration & CommissioningConfiguration Examples

S600-E Series Switches Typical Configuration Examples

Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the Intranet

Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the Intranet

IPSG Overview

IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It filters IP packets based on the binding table on a switch. An entry in the binding table contains the IP address, MAC address, VLAN ID, and interface. Binding entries include static entries and dynamic entries. A static binding table is manually created, a dynamic binding table is the DHCP snooping binding table. When hosts obtain dynamic IP addresses, the switch automatically generates the dynamic binding entries according to the DHCP Reply packets. After a binding table is built, the switch matches the packets received by IPSG-enabled interfaces against binding entries. If the packets match binding entries, they are forwarded; otherwise, they are discarded. The packet matching options can be a combination of IP address, MAC address, VLAN ID, and interface. For example, the switch matches only IP addresses, both IP addresses and MAC addresses, or a combination of IP addresses, MAC addresses, VLAN IDs, and interfaces of the packets.

Therefore, IPSG provides two functions:
  • Prevents malicious hosts from stealing authorized hosts' IP addresses to pose as the authorized hosts.
  • Prevents unauthorized hosts from changing their own IP addresses to static IP addresses to access or attack the network.

For example, when all the hosts on an intranet use static IP addresses, they must use the fixed IP addresses allocated by the network administrator and access the intranet through fixed interfaces. To ensure intranet security, external hosts cannot access the intranet without permission.

Configuration Notes

This example applies to all versions of the S600-E.

Networking Requirements

As shown in Figure 10-13, hosts access the enterprise intranet through the switch. The gateway is the egress device of the enterprise intranet. The hosts use static IP addresses. The administrator has configured interface rate limiting on the switch, and requires that the hosts use fixed IP addresses to access the intranet through fixed ports. To ensure network security, the administrator does not allow external hosts to access the intranet without permission.

Figure 10-13 Configuring IPSG based on the static binding table to prevent unauthorized hosts from accessing the intranet

Data Plan

To perform the configuration, you need to the following data.

Table 10-3 Data Plan

Item

Data

Description

VLAN
  • Switch:

    VLAN ID: 10, including interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4

  • Gateway:

    VLAN ID: 10

None

IP addresses of the hosts allowed to access the network.

10.0.0.1, 10.0.0.2

None

Configuration Roadmap

The requirement of the administrator can be met by configuring IPSG on the Switch. The configuration roadmap is as follows:

  1. Specify the VLAN to which the interfaces belong.
  2. Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses, MAC addresses, and interfaces.
  3. Configure GE0/0/4 as a trusted interface. The Switch does not perform an IPSG check on the packets received by this trusted interface, so the packets returned by the gateway will not be discarded.
  4. Enable IPSG in the VLAN connected to user hosts so that Host_1 and Host_2 access the intranet using fixed IP addresses through fixed ports. In addition, external host Host_3 cannot access the intranet.

Procedure

  1. Specify the VLAN to which the interfaces belong. 

    <HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1 
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2 
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3 
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4 
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/4] quit

  2. Create static binding entries for Host_1 and Host_2. 

    [Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1  //Create a static binding entry for Host_1.
[Switch] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/2  //Create a static binding entry for Host_2.

  3. Configure the upstream interface GE0/0/4 as a trusted interface. 

    [Switch] dhcp enable  //Enable DHCP
[Switch] dhcp snooping enable  //Enable DHCP Snooping globally
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] dhcp snooping trusted  //Configure a trusted interface
[Switch-GigabitEthernet0/0/4] quit

  4. Enable IPSG in VLAN 10 connected to hosts. 

    [Switch] vlan 10
[Switch-vlan10] ip source check user-bind enable
[Switch-vlan10] quit

  5. Verify the configuration.

    Run the display dhcp static user-bind all command on the Switch to view binding entries of Host_1 and Host_2.

    [Switch] display dhcp static user-bind all
DHCP static Bind-table:                                                         
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                          
IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface       
--------------------------------------------------------------------------------
10.0.0.1                        0001-0001-0001  --  /--  /--    GE0/0/1
10.0.0.2                        0002-0002-0002  --  /--  /--    GE0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2

    Host_1 and Host_2 can access the intranet. After the IP addresses of the hosts are changed or the hosts connect to other interfaces, they cannot access the intranet.

    When Host_3 with IP address 10.0.0.3 connects to GE0/0/3, Host_3 cannot access the intranet, indicating that external hosts cannot access the intranet without permission. If Host_3 needs to access the intranet, add the entry of Host_3 to the static binding table.

Configuration Files

Configuration file of the switch

#
sysname Switch
#
vlan batch 10
#
dhcp enable 
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/2
#
vlan 10
 ip source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access  
 port default vlan 10 
#
interface GigabitEthernet0/0/2
 port link-type access  
 port default vlan 10 
#
interface GigabitEthernet0/0/3
 port link-type access  
 port default vlan 10 
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return
Translation
Favorite
Download
Update Date:2024-03-14
Document ID:EDOC1000141870
Views:561943
Downloads:1275
Average rating:4.0Points

Related Documents

Digital Signature File

digtal sigature tool