No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSG Deployment

IPSG Deployment

Generally, IPSG is configured on the interfaces or VLANs of the access device connected to users.
  • In Figure 12-4, after IPSG is enabled on the user-side interface of the switch, the switch performs an IPSG check on all IP packets received by this interface.
    Figure 12-4  IPSG is enabled on an interface

  • In Figure 12-5, after IPSG is enabled on the user-side VLAN, the switch performs an IPSG check on the IP packets received by all interfaces in this VLAN.
    Figure 12-5  IPSG is enabled in a VLAN

If the access device directly connected to users does not support IPSG, IPSG can be configured on the aggregation or core device, as shown in Figure 12-6.

  • For example, Switch_1 connected to intranet 1 does not support IPSG, so IPSG is configured on IF1 of Switch_2 (a binding table needs to be built on Switch_2 for the hosts in intranet 1). Switch_1 does not support IPSG, so the packets from Switch_1 may be IP address spoofing packets. IPSG configured on IF1 of Switch_2 can block the attack and minimize the attack scope.
  • IPSG also needs to be configured on IF2 of Switch_2, which is connected to intranet 2; otherwise, intranet 2 is prone to IP address spoofing attacks.
Figure 12-6  Multi-switch environment

Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178410

Views: 130336

Downloads: 25

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next