How do I configure IPSG on an AR?

IP source guard (IPSG) checks received IP packets against a binding table as a defense measure against source IP address spoofing attacks.

Before configuring IPSG, complete the following tasks:
- Configure IP addresses for interfaces to ensure that the link status is Up.
- Configure DHCP snooping if IP addresses are dynamically allocated.
- Manually configure a static binding table if IP addresses are statically configured.

Dynamic binding:
<Huawei> system-view //Enter the system view.
[Huawei] dhcp enable //Enable DHCP globally.
[Huawei] dhcp snooping enable //Enable DHCP snooping globally.
[Huawei] vlan 10 //Enter the view of VLAN 10.
[Huawei-vlan10] dhcp snooping enable //Enable DHCP snooping in the VLAN.
[Huawei-vlan10] ip source check user-bind enable //Enable IP packet check in VLAN 10.
[Huawei-vlan10] quit //Exit from the view of VLAN 10.
[Huawei] display ip source check user-bind vlan 10 //Check the configuration of IP packet check.

Static binding:
<Huawei> system-view //Enter the system view.
[Huawei] user-bind static ip-address 1.1.1.2 mac-address 5489-98A1-38D9 interface ethernet 0/0/2 vlan 10 //Configure a static binding entry in which the IP address, MAC address, and VLAN ID are bound. (In practice, bind one of them. If all of them are bound, users can access a network only when the binding entry is matched.)
[Huawei] interface ethernet 0/0/2 //Enter the interface view.
[Huawei-Ethernet0/0/2] ip source check user-bind enable //Enable IPSG on the interface.
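
The note on the static entry says that the more fields an entry binds, the more a packet has to match. The following Python sketch is an added illustration of that rule, not Huawei code or the device's implementation. It assumes a packet is forwarded only if some entry matches on every field that entry binds; the class and function names are hypothetical and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

def norm_mac(mac: str) -> str:
    """Reduce any MAC notation (5489-98A1-38D9, 54:89:98:a1:38:d9) to 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int

@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None  # None = field not bound, so it is not checked
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = [
            (self.ip, pkt.src_ip),
            (norm_mac(self.mac) if self.mac else None, norm_mac(pkt.src_mac)),
            (self.interface, pkt.interface),
            (self.vlan, pkt.vlan),
        ]
        return all(bound is None or bound == seen for bound, seen in pairs)

def ipsg_permit(table: list, pkt: Packet) -> bool:
    """Assumed rule: forward only if at least one binding entry matches."""
    return any(entry.matches(pkt) for entry in table)

# Constructed sample data; the FULL entry mirrors the static binding on this page.
FULL = [Binding("1.1.1.2", "5489-98A1-38D9", "Ethernet0/0/2", 10)]
IP_ONLY = [Binding(ip="1.1.1.2")]
HOST_MAC = "54:89:98:a1:38:d9"
PACKETS = {
    "legitimate": Packet("1.1.1.2", HOST_MAC, "Ethernet0/0/2", 10),
    "spoofed source IP": Packet("1.1.1.3", HOST_MAC, "Ethernet0/0/2", 10),
    "same IP, other MAC": Packet("1.1.1.2", "00e0-fc12-3456", "Ethernet0/0/2", 10),
    "same IP, other port": Packet("1.1.1.2", HOST_MAC, "Ethernet0/0/3", 10),
}

def verdicts(table: list) -> dict:
    return {name: ipsg_permit(table, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    print({"all fields bound": verdicts(FULL), "IP only": verdicts(IP_ONLY)})
```

With every field bound, only the legitimate packet passes. With the IP-only entry, the same address is also accepted from a different MAC address or port, which is the trade-off to weigh when choosing which fields to bind.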
