Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries

Networking Requirements

As shown in Figure 14-2, HostA and HostB are connected to 10GE1/0/1 and 10GE1/0/2 on the Switch, respectively. HostB must not be able to forge the IP address and MAC address of HostA, and IP packets from HostA must be sent to the Server.

Figure 14-2 Networking diagram of configuring IPSG

Configuration Roadmap

Assume that users are configured with static IP addresses. The configuration roadmap is as follows:

  1. Enable IP packet check on the interfaces connecting HostA and HostB.
  2. Configure static binding entries for users statically obtaining IP addresses.
NOTE:

This configuration example provides only the commands related to IP source guard.

Procedure

  1. Configure IP packet check.

    # Enable IP packet check on 10GE1/0/1 connected to HostA.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] interface 10ge 1/0/1
    [~Switch-10GE1/0/1] ip source check user-bind enable

    # Enable the alarm function of IP packet check and set the alarm threshold on 10GE1/0/1 connected to HostA.

    [*Switch-10GE1/0/1] ip source check user-bind alarm enable
    [*Switch-10GE1/0/1] ip source check user-bind alarm threshold 200
    [*Switch-10GE1/0/1] quit

    # Enable IP packet check on 10GE1/0/2 connected to HostB.

    [*Switch] interface 10ge 1/0/2
    [*Switch-10GE1/0/2] ip source check user-bind enable

    # Enable the alarm function of IP packet check and set the alarm threshold on 10GE1/0/2 connected to HostB.

    [*Switch-10GE1/0/2] ip source check user-bind alarm enable
    [*Switch-10GE1/0/2] ip source check user-bind alarm threshold 200
    [*Switch-10GE1/0/2] quit

  2. Configure a static binding entry.

    # Configure HostA in the static binding table.

    [*Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface 10ge 1/0/1
    [*Switch] commit

  3. Verify the configuration.

    Run the display user-bind static all command on Switch to check the binding table.

    [~Switch] display user-bind static all
    Flags: O - outer vlan, I - inner vlan, P - map vlan                             
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface       
                                                                                    
    --------------------------------------------------------------------------------
    10.0.0.1                        0001-0001-0001  --  /--  /--    10GE1/0/1       
    --------------------------------------------------------------------------------
    Print count:           1          Total count:           1                      

    The command output indicates that HostA has been configured in the static binding table.

Configuration Files

Configuration file of Switch

#
sysname Switch
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface 10GE1/0/1
#
interface 10GE1/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface 10GE1/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
return
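
The following audit script is an added example, not part of the Huawei guide. It reads a saved configuration file in the format shown above and reports static bindings on interfaces where the IP packet check is not enabled, as well as interfaces with the check enabled but no alarm. It assumes the check is configured only in interface view as on this page and that bindings use the interface + IP + MAC form; `SAMPLE_CONFIG`, interface 10GE1/0/3 and the 10.0.0.3 entry are constructed for illustration.

```python
import re

# Constructed input: the page's Switch configuration, changed so that 10GE1/0/2
# has no alarm and a hypothetical 10GE1/0/3 has a binding but no packet check.
SAMPLE_CONFIG = """\
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface 10GE1/0/1
user-bind static ip-address 10.0.0.3 mac-address 0003-0003-0003 interface 10GE1/0/3
#
interface 10GE1/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface 10GE1/0/2
 ip source check user-bind enable
#
interface 10GE1/0/3
#
return
"""
BIND_RE = re.compile(r"user-bind static ip-address (\S+) mac-address (\S+) interface (\S+)$")
PREFIX = "ip source check user-bind "

def parse_config(text):
    """Return (static bindings, {interface: set of IPSG subcommands})."""
    bindings, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            if line.strip().startswith(PREFIX):
                interfaces[current].add(line.strip()[len(PREFIX):])
        else:  # "#" or another top-level line ends the interface view
            current = None
            match = BIND_RE.match(line.strip())
            if match:
                bindings.append(match.groups())
    return bindings, interfaces

def audit(text):
    """Flag bindings on unchecked interfaces and checks that raise no alarm."""
    bindings, interfaces = parse_config(text)
    findings = [f"{name}: binding {ip} {mac} but IP packet check is off"
                for ip, mac, name in bindings if "enable" not in interfaces.get(name, ())]
    findings += [f"{name}: IP packet check on, alarm off" for name, cmds in
                 interfaces.items() if "enable" in cmds and "alarm enable" not in cmds]
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for 10GE1/0/3 and one for 10GE1/0/2; the unmodified configuration file from this page returns an empty list.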
Updated: 2019-04-20

Document ID: EDOC1100074765
