
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring IPSG Based on a Static Binding Table

Context

IPSG based on a static binding table filters the IP packets received on untrusted interfaces, preventing malicious hosts from spoofing authorized hosts' IP addresses to gain unauthorized network access. This function is applicable to a LAN with a small number of hosts that use static IP addresses.

Configuration Procedure

Figure 14-10  Configuration flowchart of IPSG based on a static binding table

Perform the following operations on the device to which users connect.

Procedure

  1. Create a static binding entry.

    Static binding entries can be IPv4 or IPv6 entries. Choose the entry type according to your network type.

    1. Run the system-view command to enter the system view.
    2. Run the user-bind static { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command to configure a static binding entry.

      By default, no static binding entry exists.

      NOTE:

      IPSG matches packets against all options in the static binding entry. Ensure that the created binding entry is correct and contains all the options to check. The device forwards the packets from hosts only when the packets match all options in the binding entry, and discards the packets not matching the binding entry.

      The device can bind multiple IP addresses or IP address segments to the same interface or MAC address.
      • If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface ethernet 2/0/0 to bind multiple IP addresses to the same interface.
      • If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.

      The AR100&AR120&AR150&AR160&AR200&AR1200 series do not support the keywords ipv6-address and ce-vlan.

      If a static binding entry is incorrect or the network rights of a bound host have been changed, you can run the undo user-bind static [ interface interface-type interface-number | { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | mac-address mac-address | vlan vlan-id [ ce-vlan ce-vlan-id ] ] * command to delete the entry.

  2. (Optional) Configure a trusted interface.

    If the hosts on the network use static IP addresses, you do not need to configure trusted interfaces. However, if the upstream interface on the device belongs to an IPSG-enabled VLAN, configure this interface as the trusted interface; otherwise, the return packets are discarded because they do not match any binding entry, and services are interrupted. For details about this problem, see Service Is Abnormal Because the Upstream Interface Is Not Configured as a Trusted Interface. After the upstream interface is configured as a trusted interface, the device forwards the packets received on that interface without checking them against the binding entries.

    1. Run the dhcp enable command to enable DHCP globally.

      By default, DHCP is not enabled globally.

    2. Run the dhcp snooping enable command to enable DHCP snooping globally.

      By default, DHCP snooping is disabled globally.

    3. Configure the trusted interface.

      • Run the dhcp snooping trusted interface interface-type interface-number command in the VLAN view to configure the interface as the trusted interface.
      • Run the dhcp snooping trusted command in the interface view to configure the interface as the trusted interface.

      By default, interfaces are untrusted after DHCP snooping is enabled.

      NOTE:

      The AR100&AR120&AR150&AR160&AR200&AR1200 series do not support trusted interfaces.

  3. Enable IPSG.

    Creating a binding entry alone does not make IPSG take effect. IPSG takes effect only after it is enabled on the specified interface (user-side interface) or VLAN. There are two ways to enable IPSG.
    • Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entry. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. In addition, this method is convenient if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.

    • Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entry. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. In addition, this method is convenient if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.

    NOTE:

    • If IPSG is enabled on an interface, IPSG takes effect only on this interface, and the device does not perform an IPSG check on other interfaces.
    • If IPSG is enabled in a VLAN, IPSG takes effect only in this VLAN, and the device does not perform an IPSG check in other VLANs.

    1. Enter the interface or VLAN view.
      • Run the interface interface-type interface-number command to enter the interface view.
      • Run the vlan vlan-id command to enter the VLAN view.
    2. Run the ip source check user-bind enable command to enable IP packet check on the interface or in the VLAN.

      By default, IP packet check is disabled on interfaces or in VLANs.
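The following Python model is an added illustration of the check described in this procedure; it is not Huawei code and does not reproduce the device's implementation. It parses the two user-bind static examples shown above into a binding table and applies the all-options match and the trusted-interface bypass to constructed packets; the packet MAC addresses, VLAN IDs and the upstream interface name gigabitethernet 0/0/1 are assumptions made for this example.

```python
import ipaddress

def parse_user_bind(cmd):
    """Parse the IPv4 form of 'user-bind static ...'; 'ip' holds (start, end) ranges."""
    tok = cmd.split()
    b = {"ip": [], "mac": None, "interface": None, "vlan": None}
    i = 2                                   # skip 'user-bind static'
    while i < len(tok):
        key = tok[i]
        if key == "ip-address":             # 1-10 addresses, each optionally 'start to end'
            i += 1
            while i < len(tok) and tok[i][0].isdigit():
                start = end = ipaddress.ip_address(tok[i])
                if i + 2 < len(tok) and tok[i + 1] == "to":
                    end, i = ipaddress.ip_address(tok[i + 2]), i + 2
                b["ip"].append((start, end))
                i += 1
        elif key == "mac-address":
            b["mac"], i = tok[i + 1], i + 2
        elif key == "interface":            # interface-type interface-number
            b["interface"], i = f"{tok[i + 1]} {tok[i + 2]}", i + 3
        elif key == "vlan":
            b["vlan"], i = int(tok[i + 1]), i + 2
        else:                               # ipv6-address / ce-vlan are not modelled here
            raise ValueError(f"unknown keyword {key}")
    return b

def ipsg_check(pkt, bindings, trusted_ifs):
    """True = forward. Trusted interfaces skip the check; otherwise every option
    present in at least one binding entry must match the packet."""
    if pkt["in_if"] in trusted_ifs:
        return True
    src = ipaddress.ip_address(pkt["src_ip"])
    for b in bindings:
        if b["ip"] and not any(s <= src <= e for s, e in b["ip"]):
            continue
        if b["mac"] is not None and b["mac"] != pkt["src_mac"]:
            continue
        if b["interface"] is not None and b["interface"] != pkt["in_if"]:
            continue
        if b["vlan"] is not None and b["vlan"] != pkt["vlan"]:
            continue
        return True                         # all configured options matched
    return False                            # no entry matched: packet discarded

# Binding table from the two commands on this page; the trusted upstream interface is assumed.
BINDINGS = [parse_user_bind(c) for c in (
    "user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface ethernet 2/0/0",
    "user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001",
)]
TRUSTED = {"gigabitethernet 0/0/1"}
```

A packet from an address outside the bound list on ethernet 2/0/0 is dropped even though the interface is bound, and return traffic is dropped unless the upstream interface is in TRUSTED, which is the failure mode step 2 warns about.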

Verifying the Configuration

  • Run the display ip source check user-bind { vlan vlan-id | interface interface-type interface-number } command to view IPSG configurations.

  • Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv4 static binding entries.

    Run the display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to view IPv6 static binding entries.

Updated: 2019-05-20

Document ID: EDOC1100034077
