Common IPSG Operations : Configuring IPSG Based on a Static Binding Table

Created Jul 27, 2016 09:21:19 | Latest reply Jul 27, 2016 11:24:50

IPSG based on a static binding table filters IP packets received by untrusted interfaces, to prevent malicious hosts from stealing authorized hosts' IP addresses to access the network without permission. IPSG based on a static binding table is applicable to a LAN where a small number of hosts reside and the hosts use static IP addresses. The configuration procedure is as follows:

  1. Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command in the system view to configure a static binding entry.

    NOTE:

    IPSG matches packets against all options in the static binding entry. Ensure that the created binding entry is correct and contains all the options to check. The device forwards the packets from hosts only when the packets match all options in the binding entry, and discards the packets not matching the binding entry.

    The device can bind multiple IP addresses or IP address segments to the same interface or MAC address.
    • If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface gigabitethernet 0/0/1 to bind multiple IP addresses to the same interface.
    • If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.
  2. Run the ip source check user-bind enable command in the interface or VLAN view to enable IPSG.

    • Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entry. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. In addition, this method is convenient if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.

    • Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entry. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. In addition, this method is convenient if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.

The following example shows how to configure IPSG based on the static binding table:

# Create a static binding entry (source IP address 192.168.1.1 and source MAC address 0003-0003-0003) and enable IPSG on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable

# Create a static binding entry (source IP address 192.168.2.1, source MAC address 0002-0002-0002, interface GE0/0/1, and VLAN 10) and enable IPSG in VLAN 10.

<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 interface gigabitethernet 0/0/1 vlan 10
[HUAWEI] vlan 10
[HUAWEI-vlan10] ip source check user-bind enable
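To make the matching rule in the note above concrete (a packet is forwarded only when it matches every option configured in some binding entry, and unconfigured options are not checked), here is an added Python simulation. It is not Huawei code and not part of the original post; it models a subset of the user-bind static syntax (IPv4 addresses and start-ip to end-ip segments, mac-address, interface, vlan; ce-vlan and IPv6 are not modelled), enforces the 1-10 entry limit and the no-overlap rule for segments, and assumes that an interface or VLAN without ip source check user-bind enable is trusted and forwarded without checking. Interface names are normalized to lower case with the type and number joined (a simplification, not the device's own representation). The sample packets in demo() are constructed.

```python
# Added example (not Huawei code, not from the original post): simulator of how
# IPSG evaluates packets against static binding entries. Subset of the syntax:
# ip-address A [to B] ... (1-10 entries), mac-address, interface, vlan.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional, Set, Tuple

MAX_IP_ENTRIES = 10  # the command accepts 1-10 addresses or segments (&<1-10>)


@dataclass(frozen=True)
class Binding:
    """One static binding entry. Options left as None are not checked."""
    ip_ranges: Tuple[Tuple[IPv4Address, IPv4Address], ...]  # inclusive segments
    mac: Optional[str] = None
    interface: Optional[str] = None  # normalized, e.g. "gigabitethernet0/0/1"
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src_ip: IPv4Address
    src_mac: str
    interface: str
    vlan: int


def make_packet(src_ip: str, src_mac: str, interface: str, vlan: int) -> Packet:
    """Build a normalized Packet from plain strings (helper for constructed samples)."""
    return Packet(IPv4Address(src_ip), src_mac.lower(), interface.lower(), vlan)


def parse_user_bind(cmd: str) -> Binding:
    """Parse a 'user-bind static ...' command (subset); raises ValueError on bad input."""
    toks = cmd.split()
    if toks[:2] != ["user-bind", "static"]:
        raise ValueError("not a 'user-bind static' command")
    ranges, mac, iface, vlan, i = [], None, None, None, 2
    while i < len(toks):
        t = toks[i]
        if t == "ip-address":
            i += 1
            while i < len(toks) and toks[i] not in ("mac-address", "interface", "vlan"):
                start = end = IPv4Address(toks[i])
                i += 1
                if i + 1 < len(toks) and toks[i] == "to":  # segment: start-ip to end-ip
                    end = IPv4Address(toks[i + 1])
                    i += 2
                    if end < start:
                        raise ValueError("segment end precedes start")
                ranges.append((start, end))
        elif t == "mac-address":
            mac, i = toks[i + 1].lower(), i + 2
        elif t == "interface":  # "interface gigabitethernet 0/0/1" -> "gigabitethernet0/0/1"
            iface, i = (toks[i + 1] + toks[i + 2]).lower(), i + 3
        elif t == "vlan":
            vlan, i = int(toks[i + 1]), i + 2
        else:
            raise ValueError(f"unexpected token {t!r}")
    if not ranges and mac is None:
        raise ValueError("entry needs at least an IP address or a MAC address")
    if len(ranges) > MAX_IP_ENTRIES:
        raise ValueError(f"at most {MAX_IP_ENTRIES} addresses or segments allowed")
    # Segments must not overlap (single addresses are treated as one-address segments).
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            raise ValueError("IP address segments overlap")
    return Binding(tuple(ranges), mac, iface, vlan)


def is_valid_user_bind(cmd: str) -> bool:
    """True if the command parses as a well-formed static binding entry."""
    try:
        parse_user_bind(cmd)
        return True
    except (ValueError, IndexError):
        return False


def binding_matches(b: Binding, p: Packet) -> bool:
    """Every option present in the entry must match; absent options are not checked."""
    if b.ip_ranges and not any(s <= p.src_ip <= e for s, e in b.ip_ranges):
        return False
    if b.mac is not None and b.mac != p.src_mac:
        return False
    if b.interface is not None and b.interface != p.interface:
        return False
    return b.vlan is None or b.vlan == p.vlan


def ipsg_decision(p: Packet, bindings: Iterable[Binding],
                  checked_interfaces: Set[str], checked_vlans: Set[int]) -> str:
    """'forward' or 'discard'. Assumption: interfaces/VLANs without
    'ip source check user-bind enable' are trusted and not checked."""
    if p.interface not in checked_interfaces and p.vlan not in checked_vlans:
        return "forward"
    return "forward" if any(binding_matches(b, p) for b in bindings) else "discard"


def demo() -> list:
    """Replays the two configuration examples from the post against constructed packets."""
    bindings = [
        parse_user_bind("user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003"),
        parse_user_bind("user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 "
                        "interface gigabitethernet 0/0/1 vlan 10"),
    ]
    checked_ifaces = {"gigabitethernet0/0/1"}  # ip source check user-bind enable on GE0/0/1
    checked_vlans = {10}                       # ... and in VLAN 10
    packets = [  # constructed sample traffic
        make_packet("192.168.1.1", "0003-0003-0003", "GigabitEthernet0/0/1", 20),  # bound host
        make_packet("192.168.1.1", "aaaa-bbbb-cccc", "GigabitEthernet0/0/1", 20),  # IP with wrong MAC
        make_packet("192.168.2.1", "0002-0002-0002", "GigabitEthernet0/0/2", 10),  # wrong interface
        make_packet("192.168.2.1", "0002-0002-0002", "GigabitEthernet0/0/1", 10),  # full match
        make_packet("10.0.0.5", "dead-beef-0000", "GigabitEthernet0/0/3", 30),     # trusted port/VLAN
    ]
    return [ipsg_decision(p, bindings, checked_ifaces, checked_vlans) for p in packets]
```

Running demo() yields forward, discard, discard, forward, forward: the second packet carries a bound IP address with another MAC and is dropped, the third matches the entry on IP, MAC and VLAN but not on the bound interface and is also dropped, and the last packet arrives where IPSG is not enabled, so it is never checked. This is why the note insists that an entry must contain every option you want checked: an entry with only an IP address would have let the second packet through.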
user_2790689 (Expert) | Created Jul 27, 2016 11:24:50

Thank you