CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
IPSG Fundamentals

IPSG checks IP packets on Layer 2 interfaces against a binding table that contains the bindings of source IP addresses, source MAC addresses, VLANs, and inbound interfaces. Only packets matching the binding table are forwarded, and other packets are discarded.

Table 13-1 describes the two types of binding tables: static and dynamic.

Table 13-1  Binding tables

| Type | Description | Applicable Scenario |
|---|---|---|
| Static binding table | Manually configured using the user-bind command. | A network has a few hosts that use static IP addresses. |
| DHCP snooping dynamic binding table | After DHCP snooping is configured, hosts request IP addresses from the DHCP server. The device generates DHCP snooping dynamic binding entries from the DHCP ACK packets returned by the DHCP server. | A network has many hosts that obtain IP addresses from the DHCP server. |

After the binding table is generated, the device forwards the packets from hosts only when the packets match binding entries, and discards the packets when the packets do not match binding entries. By default, if IPSG is enabled but no binding table is configured, the device discards all IP packets except DHCP Request packets.

NOTE:

IPSG checks only the IP packets, but does not check non-IP packets such as ARP and PPPoE packets.

Figure 13-2 illustrates the IPSG working mechanism. When a malicious host uses an authorized host's IP address to send packets to the Router, the Router detects that the packets do not match any binding entry and discards them.

Figure 13-2  IPSG working mechanism

IPSG Interface Roles

IPSG can only be configured on Layer 2 physical interfaces or in VLANs, and it checks only the packets received on untrusted interfaces with IPSG enabled. IPSG considers all interfaces untrusted by default; trusted interfaces must be specified manually. The trusted and untrusted interface roles are shared with the DHCP snooping functions, and they also apply to IPSG based on a static binding table.

Figure 13-3 shows the IPSG interface roles:
  • IF1 and IF2 are untrusted interfaces and have the IPSG function enabled. The device performs an IPSG check on the packets received by IF1 and IF2.
  • IF3 is an untrusted interface and does not have the IPSG function enabled. The device does not perform an IPSG check on the packets received by IF3. Therefore, IF3 is prone to attacks.
  • IF4 is a trusted interface, which is manually configured. The device does not perform an IPSG check on the packets received by IF4; however, IF4 is not prone to attacks. On a network with DHCP snooping configured, the interfaces directly or indirectly connected to a valid DHCP server are generally configured as trusted interfaces.

Figure 13-3  IPSG interface roles

IPSG Filtering

IPSG filters packets based on MAC addresses, IP addresses, VLAN IDs, and inbound interfaces.

  • When a static binding entry is configured, all four items must be specified.
  • When a dynamic binding entry is configured, you can choose the check items. By default, IPSG checks packets against all four items. Table 13-2 describes the commonly used check methods; other combinations are used in the same way and are not listed here.

    Table 13-2  IPSG filtering

    In the interface view

    | Option | Description |
    |---|---|
    | Interface and source IP address | The device validates the source IP address of each packet and forwards the packet only when the source IP address matches a binding entry. |
    | Interface and source MAC address | The device validates the source MAC address of each packet and forwards the packet only when the source MAC address matches a binding entry. |
    | Interface, source IP address, and source MAC address | The device validates the source IP and MAC addresses of each packet and forwards the packet only when both match a binding entry. |
    | Interface, source IP address, and VLAN | The device validates the source IP address and VLAN of each packet and forwards the packet only when both match a binding entry. |
    | Interface, source MAC address, and VLAN | The device validates the source MAC address and VLAN of each packet and forwards the packet only when both match a binding entry. |
    | Interface, source IP address, source MAC address, and VLAN | The device validates the source IP address, source MAC address, and VLAN of each packet and forwards the packet only when all three match a binding entry. |

    In the VLAN view

    | Option | Description |
    |---|---|
    | VLAN and source IP address | The device validates the source IP address of each packet and forwards the packet only when the source IP address matches a binding entry. |
    | VLAN and source MAC address | The device validates the source MAC address of each packet and forwards the packet only when the source MAC address matches a binding entry. |
    | VLAN, source IP address, and source MAC address | The device validates the source IP and MAC addresses of each packet and forwards the packet only when both match a binding entry. |
    | VLAN, source IP address, and interface | The device validates the source IP address and inbound interface of each packet and forwards the packet only when both match a binding entry. |
    | VLAN, source MAC address, and interface | The device validates the source MAC address and inbound interface of each packet and forwards the packet only when both match a binding entry. |
    | VLAN, source IP address, source MAC address, and interface | The device validates the source IP address, source MAC address, and inbound interface of each packet and forwards the packet only when all three match a binding entry. |
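The following is an added example, written for this page and not Huawei software, that models the interface-view IPSG check described in the interface-roles and filtering sections: untrusted-by-default interfaces, the operator-chosen check items, the non-IP bypass, and the empty-table rule that passes only DHCP Request packets. The Binding, Packet and IpsgInterface fields are assumptions made for the model.

```python
# Added example: a minimal model of the IPSG interface-view check.
# Illustrative code for this page, not Huawei software; the Binding, Packet
# and IpsgInterface fields are assumptions of the model.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:              # one static (user-bind) or DHCP snooping entry
    ip: str
    mac: str
    vlan: int
    iface: str

@dataclass(frozen=True)
class Packet:
    iface: str              # inbound interface
    vlan: int
    src_mac: str
    proto: str              # "ip", "arp" or "pppoe"
    src_ip: str = ""
    dhcp_request: bool = False

@dataclass
class IpsgInterface:
    enabled: bool = False   # IPSG check enabled on this interface
    trusted: bool = False   # untrusted by default; trusted is set manually
    check: tuple = ("ip", "mac", "vlan")  # items checked besides the interface

def ipsg_check(pkt, bindings, ifaces):
    """Return True if the packet is forwarded, False if IPSG discards it."""
    role = ifaces[pkt.iface]
    if role.trusted or not role.enabled:
        return True         # not checked: trusted (IF4) or IPSG disabled (IF3)
    if pkt.proto != "ip":
        return True         # only IP packets are checked; ARP and PPPoE pass
    if not bindings:
        return pkt.dhcp_request   # empty table: only DHCP Request passes
    for b in bindings:
        if b.iface != pkt.iface:
            continue        # the inbound interface is always matched here
        if "ip" in role.check and b.ip != pkt.src_ip:
            continue
        if "mac" in role.check and b.mac != pkt.src_mac:
            continue
        if "vlan" in role.check and b.vlan != pkt.vlan:
            continue
        return True         # a matching entry was found: forward
    return False            # no entry matches: discard
```

Running the check with an IP-only option shows why the default of checking all items matters: a packet that reuses an authorized IP address from a different MAC address passes the IP-only check but is discarded by the default check.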

Updated: 2019-05-20

Document ID: EDOC1100034236