No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSG Deployment

IPSG Deployment

Generally, IPSG is configured on the interfaces or VLANs of the access device connected to users.
  • As shown in Figure 14-4, after IPSG is enabled on the user-side interface of the device, the device performs an IPSG check on all IP packets received by this interface.
    Figure 14-4  IPSG is enabled on an interface

  • As shown in Figure 14-5, after IPSG is enabled on the user-side VLAN, the device performs an IPSG check on the IP packets received by all interfaces in this VLAN.
    Figure 14-5  IPSG is enabled in a VLAN

If the access device directly connected to users does not support IPSG, IPSG can be configured on the aggregation or core device, as shown in Figure 14-6.

  • For example, Router_1 connected to intranet 1 does not support IPSG, so IPSG is configured on IF1 of Router_2 (a binding table needs to be built on Router_2 for the hosts in intranet 1). Router_1 does not support IPSG, so the packets from Router_1 may be IP address spoofing packets. IPSG configured on IF1 of Router_2 can block the attack and minimize the attack scope.
  • IPSG also needs to be configured on IF2 of Router_2, which is connected to intranet 2; otherwise, intranet 2 is prone to IP address spoofing attacks.
Figure 14-6  Multi-device environment

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 136675

Downloads: 244

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next