CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the intranet

Networking Requirements

As shown in Figure 14-14, hosts access the enterprise intranet through the Router, and the gateway is the egress device of the intranet. The hosts use static IP addresses. The administrator has configured interface rate limiting on the Router and requires that each host access the intranet only with its fixed IP address and only through its fixed port. To keep the network secure, the administrator also requires that external hosts cannot access the intranet without permission.

Figure 14-14  Configuring IPSG based on the static binding table to prevent unauthorized hosts from accessing the intranet

Configuration Roadmap

The administrator's requirements can be met by configuring IPSG (IP Source Guard) on the Router. IPSG checks the packets received on untrusted interfaces against a binding table; a packet is forwarded only if its source IP address, source MAC address, and inbound interface all match a binding entry. The configuration roadmap is as follows:

  1. Specify the VLAN to which the interfaces belong.
  2. Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses, MAC addresses, and interfaces.
  3. Configure Eth0/0/4 as a trusted interface. The Router does not perform an IPSG check on the packets received by this trusted interface, so the packets returned by the gateway will not be discarded.
  4. Enable IPSG in the VLAN connected to user hosts so that Host_1 and Host_2 access the intranet using fixed IP addresses through fixed ports. In addition, external host Host_3 cannot access the intranet.

Procedure

  1. Specify the VLAN to which the interfaces belong.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10
    [Router] interface ethernet 0/0/1 
    [Router-Ethernet0/0/1] port link-type access
    [Router-Ethernet0/0/1] port default vlan 10
    [Router-Ethernet0/0/1] quit
    [Router] interface ethernet 0/0/2 
    [Router-Ethernet0/0/2] port link-type access
    [Router-Ethernet0/0/2] port default vlan 10
    [Router-Ethernet0/0/2] quit
    [Router] interface ethernet 0/0/3 
    [Router-Ethernet0/0/3] port link-type access
    [Router-Ethernet0/0/3] port default vlan 10
    [Router-Ethernet0/0/3] quit
    [Router] interface ethernet 0/0/4 
    [Router-Ethernet0/0/4] port link-type trunk
    [Router-Ethernet0/0/4] port trunk allow-pass vlan 10
    [Router-Ethernet0/0/4] quit
    

  2. Create static binding entries for Host_1 and Host_2.

    [Router] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface ethernet 0/0/1
    [Router] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface ethernet 0/0/2
    

  3. Configure the upstream interface Eth0/0/4 as a trusted interface. DHCP snooping must be enabled globally before an interface can be configured as trusted.

    [Router] dhcp enable
    [Router] dhcp snooping enable
    [Router] interface ethernet 0/0/4
    [Router-Ethernet0/0/4] dhcp snooping trusted
    [Router-Ethernet0/0/4] quit
    

  4. Enable IPSG in VLAN 10 connected to hosts.

    [Router] vlan 10
    [Router-vlan10] ip source check user-bind enable
    [Router-vlan10] quit
    

  5. Verify the configuration.

    # Run the display dhcp static user-bind all command on the Router to view binding entries of Host_1 and Host_2.

    [Router] display dhcp static user-bind all
    DHCP static Bind-table:                                                         
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                          
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface       
    --------------------------------------------------------------------------------
    10.0.0.1                        0001-0001-0001  --  /--  /--    Eth0/0/1
    10.0.0.2                        0002-0002-0002  --  /--  /--    Eth0/0/2
    --------------------------------------------------------------------------------
    Print count:           2          Total count:           2           

    # Host_1 and Host_2 can access the intranet. If either host changes its IP address or connects to another interface, its packets no longer match a binding entry on all of source IP address, source MAC address, and inbound interface, so they are discarded and the host cannot access the intranet.

    # When Host_3 with IP address 10.0.0.3 connects to Eth0/0/3, Host_3 cannot access the intranet because no binding entry matches it. This shows that external hosts cannot access the intranet without permission. If Host_3 needs to access the intranet, add a static binding entry for Host_3 (its IP address, MAC address, and interface) to the static binding table.
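    The check that steps 2 to 5 configure, replayed as an added Python model. This is example code written for this page, not Huawei code and not anything run on the Router. It parses the `display dhcp static user-bind all` output shown in step 5 into binding entries and applies the IPSG decision: packets received on a trusted interface, or in a VLAN without IPSG, pass unchecked; every other packet must match one binding entry on source IP address, source MAC address, and inbound interface at the same time. The display text is a constructed copy of the step 5 output; Host_3's MAC address, the gateway's IP and MAC addresses, and all function names are assumptions, because the page does not give them.

```python
"""Model of the IPSG static-binding check (added example, not Huawei code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str         # Huawei notation, e.g. 0001-0001-0001
    interface: str   # short form used by the display output, e.g. Eth0/0/1


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    in_interface: str
    vlan: int


def normalize_iface(name: str) -> str:
    """Map 'ethernet 0/0/1', 'Ethernet0/0/1' and 'Eth0/0/1' to 'Eth0/0/1'."""
    n = name.replace(" ", "").lower()
    if n.startswith("ethernet"):
        n = "eth" + n[len("ethernet"):]
    return "Eth" + n[3:] if n.startswith("eth") else name


# One entry line of 'display dhcp static user-bind all': IP, MAC, VLAN flags, interface.
_ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+.*?(\S+)\s*$",
    re.IGNORECASE,
)


def parse_bind_table(text: str) -> list[Binding]:
    """Extract binding entries; header, separator and count lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(Binding(m.group(1), m.group(2).lower(), normalize_iface(m.group(3))))
    return entries


def ipsg_check(pkt: Packet, bindings: list[Binding],
               trusted: set[str], ipsg_vlans: set[int]) -> bool:
    """True if the packet is forwarded, False if IPSG discards it.

    Trusted interfaces and VLANs without IPSG are not checked at all.
    Any other packet must match one binding on source IP, source MAC
    and inbound interface together; a mismatch on any field discards it.
    """
    iface = normalize_iface(pkt.in_interface)
    if iface in {normalize_iface(t) for t in trusted} or pkt.vlan not in ipsg_vlans:
        return True
    return any(b.ip == pkt.src_ip and b.mac == pkt.src_mac.lower() and b.interface == iface
               for b in bindings)


def bind_command(b: Binding) -> str:
    """Render the VRP command from step 2 that adds a static binding entry."""
    return (f"user-bind static ip-address {b.ip} mac-address {b.mac} "
            f"interface {b.interface.replace('Eth', 'ethernet ', 1)}")


# Constructed copy of the step 5 display output.
DISPLAY_OUTPUT = """\
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.0.0.1                        0001-0001-0001  --  /--  /--    Eth0/0/1
10.0.0.2                        0002-0002-0002  --  /--  /--    Eth0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
"""

TRUSTED = {"Ethernet0/0/4"}   # upstream interface made trusted in step 3
IPSG_VLANS = {10}             # VLAN with 'ip source check user-bind enable'


def verify_scenarios() -> dict[str, bool]:
    """Replay the outcomes described in step 5 against the parsed table."""
    bindings = parse_bind_table(DISPLAY_OUTPUT)
    cases = {
        "host1_bound_port": Packet("10.0.0.1", "0001-0001-0001", "ethernet 0/0/1", 10),
        "host1_changed_ip": Packet("10.0.0.9", "0001-0001-0001", "ethernet 0/0/1", 10),
        "host1_moved_to_eth3": Packet("10.0.0.1", "0001-0001-0001", "ethernet 0/0/3", 10),
        # Host_3's MAC address is assumed; the page only gives its IP address.
        "host3_unbound": Packet("10.0.0.3", "0003-0003-0003", "ethernet 0/0/3", 10),
        # Gateway IP and MAC addresses are assumed; the page does not give them.
        "gateway_reply_trusted": Packet("10.0.0.254", "00aa-00aa-00aa", "ethernet 0/0/4", 10),
        # Caveat: spoofing both the bound IP and MAC on the bound port is not caught.
        "spoof_host1_on_eth1": Packet("10.0.0.1", "0001-0001-0001", "ethernet 0/0/1", 10),
    }
    return {name: ipsg_check(p, bindings, TRUSTED, IPSG_VLANS) for name, p in cases.items()}


if __name__ == "__main__":
    for name, allowed in verify_scenarios().items():
        print(f"{name:24s} {'forwarded' if allowed else 'discarded'}")
    print(bind_command(Binding("10.0.0.3", "0003-0003-0003", "Eth0/0/3")))
```

    Running it shows Host_1 on Eth0/0/1 being forwarded, the same host with a different IP address or on Eth0/0/3 being discarded, Host_3 being discarded until a binding entry is added for it, and the gateway's replies on the trusted Eth0/0/4 being forwarded without a check. The last case is the caveat a practitioner should keep in mind: the check compares only the bound fields, so a device plugged into Eth0/0/1 that spoofs both Host_1's IP address and its MAC address is indistinguishable from Host_1 and is forwarded. Static IPSG prevents address changes and port moves by a bound host and blocks unknown hosts; it does not by itself stop a deliberate impersonation of a known binding on its own port.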

Configuration Files

Router configuration file

#
sysname Router
#
vlan batch 10
#
dhcp enable 
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface Ethernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface Ethernet0/0/2
#
vlan 10
 ip source check user-bind enable
#
interface Ethernet0/0/1
 port link-type access  
 port default vlan 10 
#
interface Ethernet0/0/2
 port link-type access  
 port default vlan 10 
#
interface Ethernet0/0/3
 port link-type access  
 port default vlan 10 
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return
Updated: 2019-08-07

Document ID: EDOC1100034077