Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Example for Configuring IPSG Based on the Static Binding Table to Prevent Hosts from Changing Their Own IP Addresses


Networking Requirements

In Figure 12-14, hosts access the Internet through a switch. The gateway is the egress device of the enterprise network. The hosts use static IP addresses. The administrator requires that the hosts use only their fixed IP addresses to access the Internet. Users are not allowed to change their own IP addresses to access the Internet.

Figure 12-14  Configuring IPSG based on the static binding table to prevent hosts from changing their own IP addresses

Configuration Roadmap

The requirement of the administrator can be met by configuring IPSG on the Switch. The configuration roadmap is as follows:

  1. Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses and MAC addresses of the hosts.
  2. Enable IPSG on the interfaces connected to user hosts so that the hosts can only use the fixed IP addresses to go online. Enable the IP packet check alarm function on the interfaces. When the number of discarded packets reaches the threshold, the switch reports an alarm.

Procedure

  1. Create static binding entries for Host_1 and Host_2.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
    [Switch] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
    

  2. Enable IPSG and IP packet check alarm.

    # Enable IPSG and IP packet check alarm on GE1/0/1 connected to Host_1 and set the alarm threshold to 200.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] ip source check user-bind enable
    [Switch-GigabitEthernet1/0/1] ip source check user-bind alarm enable
    [Switch-GigabitEthernet1/0/1] ip source check user-bind alarm threshold 200
    [Switch-GigabitEthernet1/0/1] quit

    # Enable IPSG and IP packet check alarm on GE1/0/2 connected to Host_2 and set the alarm threshold to 200.

    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] ip source check user-bind enable
    [Switch-GigabitEthernet1/0/2] ip source check user-bind alarm enable
    [Switch-GigabitEthernet1/0/2] ip source check user-bind alarm threshold 200
    [Switch-GigabitEthernet1/0/2] quit

  3. Verify the configuration.

    Run the display dhcp static user-bind all command on the Switch to view static binding entries.

    [Switch] display dhcp static user-bind all
    DHCP static Bind-table:                                                         
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                          
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface       
    --------------------------------------------------------------------------------
    10.0.0.1                        0001-0001-0001  --  /--  /--    --       
    10.0.0.11                       0002-0002-0002  --  /--  /--    --       
    --------------------------------------------------------------------------------
    Print count:           2          Total count:           2           

    Host_1 and Host_2 can access the Internet using the statically configured IP addresses, and cannot access the Internet after changing their IP addresses.

Configuration Files

Switch configuration file

    #
    sysname Switch
    #
    user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
    user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
    #
    interface GigabitEthernet1/0/1
     ip source check user-bind enable
     ip source check user-bind alarm enable
     ip source check user-bind alarm threshold 200
    #
    interface GigabitEthernet1/0/2
     ip source check user-bind enable
     ip source check user-bind alarm enable
     ip source check user-bind alarm threshold 200
    #
    return
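
The following is an added example, not part of the Huawei guide: a Python sketch that parses the configuration file above and replays constructed packets against it, to show which sources the binding table admits and when the drop count reaches the alarm threshold. The function names `parse_config` and `run_ipsg` are hypothetical, and the check is an assumed simplified model: the entries on this page carry no VLAN or interface (shown as `--` in the display output), so matching is on the IP and MAC pair only.

```python
import re
from collections import Counter
# Excerpt of the "Switch configuration file" shown on this page.
CONFIG = """\
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
#
interface GigabitEthernet1/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface GigabitEthernet1/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
"""

def parse_config(text):
    """Extract static (IP, MAC) bindings and per-interface IPSG settings."""
    bindings = {(ip, mac.lower()) for ip, mac in re.findall(
        r"^user-bind static ip-address (\S+) mac-address (\S+)", text, re.M)}
    interfaces = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", text, re.M):
        thr = re.search(r"ip source check user-bind alarm threshold (\d+)", body)
        interfaces[name] = {
            "ipsg": " ip source check user-bind enable\n" in body,
            "alarm": " ip source check user-bind alarm enable\n" in body,
            "threshold": int(thr.group(1)) if thr else None,
        }
    return bindings, interfaces

def run_ipsg(bindings, interfaces, packets):
    """Assumed model: forward on exact (IP, MAC) match, else drop and count."""
    verdicts, drops, alarms = [], Counter(), set()
    for ifname, ip, mac in packets:
        cfg = interfaces.get(ifname, {})
        ok = not cfg.get("ipsg") or (ip, mac.lower()) in bindings
        verdicts.append(ok)
        if not ok:
            drops[ifname] += 1
        if cfg.get("alarm") and cfg.get("threshold") and drops[ifname] >= cfg["threshold"]:
            alarms.add(ifname)
    return verdicts, drops, alarms

if __name__ == "__main__":
    b, i = parse_config(CONFIG)
    ge1 = "GigabitEthernet1/0/1"  # constructed traffic: bound address, then a changed one
    print(run_ipsg(b, i, [(ge1, "10.0.0.1", "0001-0001-0001"), (ge1, "10.0.0.5", "0001-0001-0001")]))
```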

Updated: 2019-04-01

Document ID: EDOC1000178319
