CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring IPSG Based on the Static Binding Table to Prevent Hosts from Using the IP Address of Another Host Without Permission

Networking Requirements

As shown in Figure 14-12, hosts access the enterprise internet through the Router. The gateway is the egress device of the enterprise internet. The hosts use static IP addresses. The administrator requires that each host use only its fixed IP address to access the internet. Users must not be able to access the internet by using the IP address of another host without permission.

Figure 14-12  Configuring IPSG based on the static binding table to prevent hosts from using the IP address of another host without permission

Configuration Roadmap

The requirement of the administrator can be met by configuring IPSG on the Router. The configuration roadmap is as follows:

  1. Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses and MAC addresses of the hosts.
  2. Enable IPSG on the interfaces connected to user hosts so that the hosts can only use the fixed IP addresses to go online.

Procedure

  1. Create static binding entries for Host_1 and Host_2.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
    [Router] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
    

  2. Enable IPSG.

    # Enable IPSG on Eth0/0/1 connected to Host_1.

    [Router] interface ethernet 0/0/1
    [Router-Ethernet0/0/1] ip source check user-bind enable
    [Router-Ethernet0/0/1] quit

    # Enable IPSG on Eth0/0/2 connected to Host_2.

    [Router] interface ethernet 0/0/2
    [Router-Ethernet0/0/2] ip source check user-bind enable
    [Router-Ethernet0/0/2] quit

  3. Verify the configuration.

    Run the display dhcp static user-bind all command on the Router to view static binding entries.

    [Router] display dhcp static user-bind all
    DHCP static Bind-table:                                                         
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                          
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface       
    --------------------------------------------------------------------------------
    10.0.0.1                        0001-0001-0001  --  /--  /--    --       
    10.0.0.11                       0002-0002-0002  --  /--  /--    --       
    --------------------------------------------------------------------------------
    Print count:           2          Total count:           2           

    Host_1 and Host_2 can access the internet using the statically configured IP addresses, and cannot access the internet after changing their IP addresses.

Configuration Files

Router configuration file

#
sysname Router
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
#
interface Ethernet0/0/1
 ip source check user-bind enable
#
interface Ethernet0/0/2
 ip source check user-bind enable
#
return
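
The effect of this configuration can be checked offline. The following is an added example (not Huawei's code and not part of the original guide): it parses the Router configuration file above and applies a simplified, assumed model of IPSG matching to constructed packets. The function names and the interface Ethernet0/0/3 are hypothetical.

```python
import re
# Router configuration file from this page, reproduced as input.
CONFIG = """\
#
sysname Router
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
#
interface Ethernet0/0/1
 ip source check user-bind enable
#
interface Ethernet0/0/2
 ip source check user-bind enable
#
return
"""
BIND_RE = re.compile(r"^user-bind static ip-address (\S+) mac-address (\S+)$")
def parse_config(text):
    """Return (static bindings, interfaces with IPSG enabled)."""
    bindings, ipsg_ifaces, current = set(), set(), None
    for line in map(str.strip, text.splitlines()):
        m = BIND_RE.match(line)
        if m:
            bindings.add((m.group(1), m.group(2).lower()))
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "#":
            current = None  # '#' closes the current configuration view
        elif line == "ip source check user-bind enable" and current:
            ipsg_ifaces.add(current)
    return bindings, ipsg_ifaces

def ipsg_verdict(bindings, ipsg_ifaces, iface, src_ip, src_mac):
    """Assumed simplified model: IPSG interfaces forward only bound (IP, MAC) pairs."""
    if iface not in ipsg_ifaces:
        return "forward (no IPSG check)"
    return "forward" if (src_ip, src_mac.lower()) in bindings else "drop"

def unprotected(ipsg_ifaces, host_ifaces):
    """Host-facing interfaces that lack 'ip source check user-bind enable'."""
    return sorted(set(host_ifaces) - ipsg_ifaces)

if __name__ == "__main__":
    b, i = parse_config(CONFIG)
    # Constructed inputs; Ethernet0/0/3 is a hypothetical extra host port.
    print(ipsg_verdict(b, i, "Ethernet0/0/1", "10.0.0.1", "0001-0001-0001"))
    print(ipsg_verdict(b, i, "Ethernet0/0/1", "10.0.0.11", "0001-0001-0001"))
    print(unprotected(i, ["Ethernet0/0/1", "Ethernet0/0/2", "Ethernet0/0/3"]))
```

Run against an exported configuration, the last check lists host-facing interfaces where the binding table exists but is never enforced.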
Updated: 2019-05-20

Document ID: EDOC1100034077