Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring IPSG Based on a Static Binding Table

Context

IPSG based on a static binding table filters IP packets received on untrusted interfaces, preventing malicious hosts from accessing the network without permission by stealing the IP addresses of authorized hosts. This function is applicable to a LAN where only a small number of hosts reside and the hosts use static IP addresses.

Configuration Procedure

Figure 12-10  Configuration flowchart of IPSG based on a static binding table

Perform the following operations on the switch to which users connect.

Procedure

  1. Create a static binding entry.

    Static binding entries include IPv4 and IPv6 entries. Choose the entry type according to your network type.

    1. Run the system-view command to enter the system view.
    2. Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command to configure a static binding entry.

      By default, no static binding entry exists.

      NOTE:

      IPSG matches packets against all options in the static binding entry. Ensure that the created binding entry is correct and contains all the options to check. The switch forwards the packets from hosts only when the packets match all options in the binding entry, and discards the packets not matching the binding entry.

      The switch can bind multiple IP addresses or IP address segments to the same interface or MAC address.
      • If you need to bind non-contiguous IP addresses, enter 1 to 10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface gigabitethernet 1/0/1 to bind multiple IP addresses to the same interface.
      • If you need to bind contiguous IP addresses, enter 1 to 10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.

      If a static binding entry is incorrect or the network rights of a bound host have been changed, you can run the undo user-bind static [ { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the entry.

  2. (Optional) Configure a trusted interface.

    If the hosts on the network use static IP addresses, you do not need to configure trusted interfaces. However, if the upstream interface on the switch belongs to an IPSG-enabled VLAN, configure this interface as a trusted interface; otherwise, the return packets are discarded because they do not match the binding entries, resulting in service interruption. For details about this problem, see Service Is Abnormal Because the Upstream Interface Is Not Configured as a Trusted Interface. After the upstream interface is configured as a trusted interface, the switch forwards the packets received on the interface without checking them against the binding entries.

    1. Run the dhcp enable command to enable DHCP globally.

      By default, DHCP is disabled globally.

    2. Run the dhcp snooping enable command to enable DHCP snooping globally.

      By default, DHCP snooping is disabled globally.

    3. Run the dhcp snooping trusted command in the interface view or the dhcp snooping trusted interface interface-type interface-number command in the VLAN view to configure the interface as a trusted interface.

      By default, an interface is untrusted.

  3. Enable IPSG.

    IPSG does not take effect immediately after a binding entry is created. IPSG takes effect only after it is enabled on the specified interface (user-side interface) or VLAN. There are two ways to enable IPSG.
    • Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entry. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. In addition, this method is convenient if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.

    • Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entry. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. In addition, this method is convenient if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.

    NOTE:
    • If IPSG is enabled on an interface, IPSG takes effect only on this interface, and the switch does not perform an IPSG check on other interfaces.
    • If IPSG is enabled in a VLAN, IPSG takes effect only in this VLAN, and the switch does not perform an IPSG check in other VLANs.
    1. Enter the interface or VLAN view.
      • Run the interface interface-type interface-number command to enter the interface view.
      • Run the vlan vlan-id command to enter the VLAN view.
    2. Run the ip source check user-bind enable command to enable IP packet check on the interface or in the VLAN.

      By default, IP packet check is disabled on interfaces or in VLANs.

  4. (Optional) Configure the IP packet check alarm.

    This step is valid only when IPSG is enabled on an interface in Step 3. After the alarm function is configured, the switch generates an alarm if the number of discarded IP packets on the interface exceeds the threshold.

    1. Run the system-view command to enter the system view.

    2. Run the interface interface-type interface-number command to enter the interface view.

    3. Run the ip source check user-bind alarm enable command to enable the IP packet check alarm.

      By default, the IP packet check alarm is disabled.

    4. Run the ip source check user-bind alarm threshold threshold command to set the IP packet check alarm threshold.

      By default, the IP packet check alarm threshold is 100.
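As an added example (not Huawei's code and not a VRP feature), the following Python model reproduces the decision rules described in the procedure above: the all-options match, single and ranged IP bindings, trusted interfaces that bypass the check, IPSG enabled per interface or per VLAN, and the per-interface alarm threshold. The interface names such as GE1/0/1 and the sample packets are constructed; the two binding entries are the ones used as examples in Step 1.

```python
from ipaddress import ip_address

class Binding:
    """A 'user-bind static' entry; options left None were not specified and are not checked."""
    def __init__(self, ips=(), mac=None, interface=None, vlan=None):
        # ips: "a.b.c.d" for single addresses, ("start", "end") for 'start-ip to end-ip'
        self.ranges = [tuple(map(ip_address, r if isinstance(r, tuple) else (r, r))) for r in ips]
        self.mac, self.interface, self.vlan = mac, interface, vlan

    def matches(self, pkt):
        if self.ranges and not any(s <= pkt["ip"] <= e for s, e in self.ranges):
            return False
        return all(getattr(self, o) in (None, pkt[o]) for o in ("mac", "interface", "vlan"))

class IpsgSwitch:
    def __init__(self):
        self.bindings, self.trusted = [], set()            # entries; dhcp snooping trusted ports
        self.enabled_ifaces, self.enabled_vlans = set(), set()
        self.alarm_threshold, self.discards = {}, {}       # both per interface; default 100

    def check(self, pkt):
        """Return 'forward' or 'discard' for a received packet (dict with ip/mac/interface/vlan)."""
        pkt, iface = dict(pkt, ip=ip_address(pkt["ip"])), pkt["interface"]
        if iface in self.trusted:                          # trusted interface: never checked
            return "forward"
        if iface not in self.enabled_ifaces and pkt["vlan"] not in self.enabled_vlans:
            return "forward"                               # IPSG not enabled here: no check
        if any(b.matches(pkt) for b in self.bindings):
            return "forward"
        self.discards[iface] = self.discards.get(iface, 0) + 1
        return "discard"

    def alarm_raised(self, iface):  # step 4: only where IPSG is enabled on the interface itself
        return (iface in self.enabled_ifaces and
                self.discards.get(iface, 0) > self.alarm_threshold.get(iface, 100))

def run_demo():
    """Constructed scenario built from the two binding examples in the procedure above."""
    sw = IpsgSwitch()
    sw.bindings.append(Binding(["192.168.1.2", "192.168.1.5", "192.168.1.12"], interface="GE1/0/1"))
    sw.bindings.append(Binding([("172.16.1.1", "172.16.1.4")], mac="0001-0001-0001"))
    sw.enabled_ifaces.add("GE1/0/1"); sw.enabled_vlans.add(10)   # ip source check user-bind enable
    sw.trusted.add("GE1/0/24")                                   # upstream port, dhcp snooping trusted
    pkts = [("192.168.1.5", "0002-0002-0002", "GE1/0/1", 10),    # bound IP on its bound port
            ("192.168.1.6", "0002-0002-0002", "GE1/0/1", 10),    # IP not in any entry: discarded
            ("172.16.1.3", "0001-0001-0001", "GE1/0/2", 10),     # in range, MAC matches (checked via VLAN 10)
            ("172.16.1.3", "0001-0001-0002", "GE1/0/2", 10),     # right IP, wrong MAC: discarded
            ("10.0.0.1", "0003-0003-0003", "GE1/0/24", 10),      # trusted upstream port: not checked
            ("10.0.0.1", "0003-0003-0003", "GE1/0/3", 20)]       # IPSG not enabled on port or VLAN
    return sw, [sw.check(dict(zip(("ip", "mac", "interface", "vlan"), p))) for p in pkts]
```

The model compares IPv4 addresses only; mixing IPv6 packets with IPv4 entries would need the separate IPv6 entry type the procedure mentions.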

Verifying the Configuration

  • View the IPSG configuration on an interface.

    Run the display ip source check user-bind interface interface-type interface-number command to check the IPSG configuration on the interface.

  • View the static binding entries and status.

    Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv4 static binding entries.

    Run the display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv6 static binding entries.

    You can view the IPSG status by specifying the verbose parameter.
    • If the value of IPSG Status is effective, IPSG of this entry takes effect.
    • If the value of IPSG Status is ineffective, IPSG of this entry does not take effect. The possible reason is that hardware ACL resources are insufficient.
Updated: 2019-09-23

Document ID: EDOC1000178319