Configure IP packet check on a CE series switch

Attackers often forge packets with the source IP addresses or MAC addresses of authorized users to access or attack networks. As a result, authorized users cannot obtain stable and secure network services. The IP packet check function addresses this problem.
When IP packet check is enabled on a switch, the switch checks IP addresses, MAC addresses, VLAN information, and interface information in IP packets against a binding table. You can run the ip source check user-bind check-item { ip-address | mac-address | vlan } * command in the interface view or the ip source check user-bind check-item { ip-address | mac-address | interface } * command in the VLAN view to specify IP packet check items. Only packets that match binding entries can be forwarded. Packets that do not match any binding entries are discarded.
For example, enable IP packet check on 10GE1/0/1 to check whether the IP addresses in packets match binding entries.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] ip source check user-bind enable //Enable the IP packet check function.
[*HUAWEI-10GE1/0/1] ip source check user-bind check-item ip-address //Check whether the IP addresses in IP packets match binding entries.
[*HUAWEI-10GE1/0/1] commit
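
A simplified model of the matching rule described above, added here as an illustration (it is not Huawei code and does not run on the switch). It assumes that only the selected check items are compared against each binding entry; the Binding class, the function names and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass

# Check items named on this page ("vlan" is offered in the interface view,
# "interface" in the VLAN view).
ALL_ITEMS = ("ip-address", "mac-address", "vlan", "interface")
_FIELD = {"ip-address": "ip", "mac-address": "mac",
          "vlan": "vlan", "interface": "interface"}

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str

# A received packet is described by the same four source attributes.
Packet = Binding

def matches(pkt, entry, check_items):
    """True if pkt agrees with entry on every selected check item."""
    return all(getattr(pkt, _FIELD[i]) == getattr(entry, _FIELD[i])
               for i in check_items)

def verdict(pkt, table, check_items=ALL_ITEMS):
    """Forward only if some binding entry matches; otherwise discard."""
    if not check_items or set(check_items) - set(ALL_ITEMS):
        raise ValueError("check_items must be a non-empty subset of ALL_ITEMS")
    hit = any(matches(pkt, e, check_items) for e in table)
    return "forward" if hit else "discard"

# Constructed sample data (documentation address range, made-up MACs).
TABLE = [Binding("192.0.2.10", "00e0-fc12-3456", 10, "10GE1/0/1")]
legit = Packet("192.0.2.10", "00e0-fc12-3456", 10, "10GE1/0/1")
forged_ip = Packet("192.0.2.99", "00e0-fc12-3456", 10, "10GE1/0/1")
forged_mac = Packet("192.0.2.10", "00e0-fc99-9999", 10, "10GE1/0/1")

def coverage_report():
    """Verdict for each sample packet under two check-item selections."""
    samples = (("legit", legit), ("forged_ip", forged_ip),
               ("forged_mac", forged_mac))
    selections = (("ip-address only", ("ip-address",)),
                  ("ip-address + mac-address", ("ip-address", "mac-address")))
    return {name: {label: verdict(p, TABLE, items) for label, p in samples}
            for name, items in selections}

if __name__ == "__main__":
    for selection, result in coverage_report().items():
        print(selection, result)
```

In this model, selecting only ip-address leaves the source MAC address unverified, so a packet with a bound IP address and a different MAC address is still forwarded; adding mac-address to the check items closes that gap.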
