S600-E Series Switches Typical Configuration Examples
Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the Intranet
IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It filters IP packets based on the binding table on a switch. An entry in the binding table contains the IP address, MAC address, VLAN ID, and interface. Binding entries can be static or dynamic: a static binding table is created manually, while the dynamic binding table is the DHCP snooping binding table. When hosts obtain IP addresses dynamically, the switch generates the dynamic binding entries automatically from the DHCP Reply packets. After a binding table is built, the switch matches the packets received on IPSG-enabled interfaces against the binding entries. Packets that match a binding entry are forwarded; all others are discarded. The packet matching options can be any combination of IP address, MAC address, VLAN ID, and interface. For example, the switch can match only the IP address, both the IP address and MAC address, or the IP address, MAC address, VLAN ID, and interface of each packet. IPSG provides the following protection:
- Prevents malicious hosts from stealing authorized hosts' IP addresses to pose as the authorized hosts.
- Prevents unauthorized hosts from changing their own IP addresses to static IP addresses to access or attack the network.
For example, when all the hosts on an intranet use static IP addresses, they must use the fixed IP addresses allocated by the network administrator and access the intranet through fixed interfaces. To ensure intranet security, external hosts cannot access the intranet without permission.
Networking Requirements
As shown in Figure 10-13, hosts access the enterprise intranet through the switch. The gateway is the egress device of the enterprise intranet. The hosts use static IP addresses. The administrator has configured interface rate limiting on the switch, and requires that the hosts use fixed IP addresses to access the intranet through fixed ports. To ensure network security, the administrator does not allow external hosts to access the intranet without permission.
Data Plan
To perform the configuration, you need the following data.

Item | Data | Description
---|---|---
VLAN | 10 | None
IP addresses of the hosts allowed to access the network | 10.0.0.1, 10.0.0.2 | None
Configuration Roadmap
The requirement of the administrator can be met by configuring IPSG on the Switch. The configuration roadmap is as follows:
- Specify the VLAN to which the interfaces belong.
- Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses, MAC addresses, and interfaces.
- Configure GE0/0/4 as a trusted interface. The Switch does not perform an IPSG check on the packets received by this trusted interface, so the packets returned by the gateway will not be discarded.
- Enable IPSG in the VLAN connected to user hosts so that Host_1 and Host_2 access the intranet using fixed IP addresses through fixed ports. In addition, external host Host_3 cannot access the intranet.
Procedure
- Specify the VLAN to which the interfaces belong.
```
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/4] quit
```
- Create static binding entries for Host_1 and Host_2.
```
[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1 //Create a static binding entry for Host_1.
[Switch] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/2 //Create a static binding entry for Host_2.
```
- Configure the upstream interface GE0/0/4 as a trusted interface.
```
[Switch] dhcp enable //Enable DHCP
[Switch] dhcp snooping enable //Enable DHCP Snooping globally
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] dhcp snooping trusted //Configure a trusted interface
[Switch-GigabitEthernet0/0/4] quit
```
- Enable IPSG in VLAN 10 connected to hosts.
```
[Switch] vlan 10
[Switch-vlan10] ip source check user-bind enable
[Switch-vlan10] quit
```
- Verify the configuration.
Run the display dhcp static user-bind all command on the Switch to view binding entries of Host_1 and Host_2.
```
[Switch] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  -- /-- /--       GE0/0/1
10.0.0.2         0002-0002-0002  -- /-- /--       GE0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
```
Host_1 and Host_2 can access the intranet. After the IP addresses of the hosts are changed or the hosts connect to other interfaces, they cannot access the intranet.
When Host_3 with IP address 10.0.0.3 connects to GE0/0/3, Host_3 cannot access the intranet, indicating that external hosts cannot access the intranet without permission. If Host_3 needs to access the intranet, add the entry of Host_3 to the static binding table.
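To make the matching rule concrete, the following Python model is an added example (not part of the Huawei documentation) that applies the check configured in the procedure above to sample frames: the binding entries, ports, VLAN and trusted interface are the page's own, while the gateway MAC, Host_3's MAC and the spoofed-source frames are constructed inputs.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    """One static binding entry: IP, MAC and interface (VLAN optional)."""
    ip: str
    mac: str
    interface: str
    vlan: Optional[int] = None  # None: the entry does not pin a VLAN ID


@dataclass(frozen=True)
class Frame:
    """The fields of a received IP packet that the IPSG check inspects."""
    src_ip: str
    src_mac: str
    in_interface: str
    vlan: int


# Static binding table as configured on the page (user-bind static ...).
STATIC_BINDINGS = (
    Binding("10.0.0.1", "0001-0001-0001", "GE0/0/1"),
    Binding("10.0.0.2", "0002-0002-0002", "GE0/0/2"),
)
TRUSTED_INTERFACES = frozenset({"GE0/0/4"})  # dhcp snooping trusted
IPSG_VLANS = frozenset({10})                 # ip source check user-bind enable


def ipsg_forwards(frame: Frame,
                  bindings: Iterable[Binding] = STATIC_BINDINGS,
                  trusted: frozenset = TRUSTED_INTERFACES,
                  ipsg_vlans: frozenset = IPSG_VLANS) -> bool:
    """Return True if the switch forwards the frame, False if IPSG discards it."""
    # A trusted upstream interface is not checked, so gateway replies pass.
    if frame.in_interface in trusted:
        return True
    # IPSG is enabled per VLAN; frames in other VLANs are not checked here.
    if frame.vlan not in ipsg_vlans:
        return True
    # Otherwise IP, MAC and ingress interface must all match one entry
    # (and the VLAN too, when the entry pins one).
    return any(
        b.ip == frame.src_ip
        and b.mac == frame.src_mac
        and b.interface == frame.in_interface
        and (b.vlan is None or b.vlan == frame.vlan)
        for b in bindings
    )
```

Running it against Host_3 on GE0/0/3, a frame carrying Host_1's IP from another MAC, or Host_1 plugged into a different port reproduces the discards described in the verification step, while a frame arriving on the trusted GE0/0/4 is forwarded unchecked.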
Configuration Files
Configuration file of the switch
```
#
sysname Switch
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/2
#
vlan 10
 ip source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return
```