Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configuration of Security features, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Overview of IPSG

Some network attacks spoof source IP addresses in order to access and use network resources, steal users' information, or block authorized users from accessing the network. IP Source Guard (IPSG) prevents these source address spoofing attacks.

IPSG enables the device to check IP packets against dynamic and static DHCP entries. Before the device forwards an IP packet, it compares the source IP address, source Media Access Control (MAC) address, interface, and Virtual Local Area Network (VLAN) information of the packet with the entries in the binding table. If an entry matches, the device treats the IP packet as valid and forwards it. Otherwise, the device treats the IP packet as an attack packet and discards it.

As shown in Figure 14-1, an attacker sends bogus packets to modify the outbound interface in the MAC address table on the Switch. As a result, replies from the server are sent to the attacker.

Figure 14-1 IP/MAC address spoofing attack

To prevent these attacks, you can configure IPSG on the Switch to check incoming IP packets against the binding entries. IP packets that match the binding entries are forwarded, and IP packets that do not match the binding entries are discarded.

The items that IPSG can check are the source IP address, source MAC address, VLAN ID, and interface number. The device supports IPSG checks on the following combinations of items:

In the interface view:
  • Interface and IP address
  • Interface and MAC address
  • Interface, IP address, and MAC address
  • Interface, IP address, and VLAN ID
  • Interface, MAC address, and VLAN ID
  • Interface, IP address, MAC address, and VLAN ID
In the VLAN view:
  • VLAN ID and IP address
  • VLAN ID and MAC address
  • VLAN ID, IP address, and MAC address
  • VLAN ID, IP address, and interface
  • VLAN ID, MAC address, and interface
  • VLAN ID, IP address, MAC address, and interface
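
The effect of choosing one interface-view combination over another can be seen in a small model. This is an added example, not Huawei code and not a statement of how the device is implemented: it assumes a packet is forwarded when at least one binding entry on the ingress interface matches every selected check item. The addresses, interface names, and the `ipsg_permit` function are constructed for illustration.

```python
from collections import namedtuple

# One record type serves both binding entries and packets seen at ingress.
Entry = namedtuple("Entry", "ip mac vlan interface")

def norm_mac(mac):
    """Canonicalise a MAC so 00e0-fc00-0001 and 00:E0:FC:00:00:01 compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def _key(entry, fields):
    return tuple(norm_mac(entry.mac) if f == "mac" else getattr(entry, f)
                 for f in fields)

def ipsg_permit(packet, bindings, check_items):
    """Interface-view model: the ingress interface is always part of the match;
    check_items selects which of ip / mac / vlan must also match (assumption:
    one matching binding entry is enough to forward the packet)."""
    items = set(check_items)
    if not items or not items <= {"ip", "mac", "vlan"}:
        raise ValueError("check_items must be a non-empty subset of ip, mac, vlan")
    fields = sorted(items | {"interface"})
    wanted = _key(packet, fields)
    return any(_key(b, fields) == wanted for b in bindings)

# Constructed binding table: two hosts reached through the same interface.
BINDINGS = [
    Entry("10.0.0.1", "00e0-fc00-0001", 10, "10GE1/0/1"),
    Entry("10.0.0.2", "00e0-fc00-0002", 10, "10GE1/0/1"),
]

# Constructed packets: a genuine one from host 1, and one carrying host 1's
# source IP together with host 2's source MAC.
GENUINE = Entry("10.0.0.1", "00:E0:FC:00:00:01", 10, "10GE1/0/1")
MISMATCHED = Entry("10.0.0.1", "00:E0:FC:00:00:02", 10, "10GE1/0/1")

def verdicts(packet):
    """Forward/discard decision for the packet under several check-item sets."""
    combos = [("ip",), ("mac",), ("ip", "mac"), ("ip", "mac", "vlan")]
    return {combo: ipsg_permit(packet, BINDINGS, combo) for combo in combos}

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE), ("mismatched", MISMATCHED)):
        for combo, ok in verdicts(pkt).items():
            print(f"{name:10} {'+'.join(combo):12} {'forward' if ok else 'discard'}")
```

In this model the mismatched packet is forwarded when only the IP address or only the MAC address is checked with the interface, and discarded once both are checked together.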
Updated: 2019-04-20

Document ID: EDOC1100074765
