IPSG based on a static binding table filters IP packets received by untrusted interfaces, to prevent malicious hosts from stealing authorized hosts' IP addresses to access the network without permission. IPSG based on a static binding table is applicable to a LAN where a small number of hosts reside and the hosts use static IP addresses. The configuration procedure is as follows:
- Run the user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command in the system view to configure a static binding entry.
NOTE:
IPSG matches packets against all options in the static binding entry. Ensure that the created binding entry is correct and contains all the options to check. The device forwards packets from a host only when they match every option in a binding entry, and discards packets that match no binding entry.
The device can bind multiple IP addresses or IP address segments to the same interface or MAC address.
- If you need to bind discontinuous IP addresses, enter 1-10 IP addresses in start-ip. For example, you can run user-bind static ip-address 192.168.1.2 192.168.1.5 192.168.1.12 interface gigabitethernet 0/0/1 to bind multiple IP addresses to the same interface.
- If you need to bind continuous IP addresses, enter 1-10 IP address segments in start-ip to end-ip. When the keyword to is used, the IP address segments cannot overlap. For example, you can run user-bind static ip-address 172.16.1.1 to 172.16.1.4 mac-address 0001-0001-0001 to bind multiple IP addresses to the same MAC address.
- Run the ip source check user-bind enable command in the interface or VLAN view to enable IPSG.
  - Enabling IPSG on an interface: IPSG checks all packets received by the interface against the binding entries. Choose this method if you need to check IP packets on the specified interfaces and trust other interfaces. In addition, this method is convenient if an interface belongs to multiple VLANs because you do not need to enable IPSG in each VLAN.
  - Enabling IPSG in a VLAN: IPSG checks the packets received by all interfaces in the VLAN against the binding entries. Choose this method if you need to check IP packets in the specified VLANs and trust other VLANs. In addition, this method is convenient if multiple interfaces belong to the same VLAN because you do not need to enable IPSG on each interface.
The following example shows how to configure IPSG based on the static binding table:
# Create a static binding entry (source IP address 192.168.1.1 and source MAC address 0003-0003-0003) and enable IPSG on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
# Create a static binding entry (source IP address 192.168.2.1, source MAC address 0002-0002-0002, interface GE0/0/1, and VLAN 10) and enable IPSG in VLAN 10.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 interface gigabitethernet 0/0/1 vlan 10
[HUAWEI] vlan 10
[HUAWEI-vlan10] ip source check user-bind enable
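The following Python model is an added example and is not Huawei device code or part of this guide. It reproduces the matching rules described above: every option configured in a static binding entry (IP address or segment, MAC address, interface, VLAN) must match, an option left out of the entry is not checked, and only packets arriving on an IPSG-enabled interface or in an IPSG-enabled VLAN are checked at all. The ip-address parser accepts the discontinuous (1-10 addresses) and segment (start-ip to end-ip) forms and rejects overlapping segments. The names Binding, Packet, parse_ip_option, ipsg_decision and decide are illustrative, and the interface strings and MAC addresses are constructed sample values; the binding table mirrors the two example entries on this page plus the 172.16.1.1 to 172.16.1.4 segment from the note.

```python
"""Toy model of the IPSG static-binding check (added example, not Huawei device code).

Binding, Packet, parse_ip_option, ipsg_decision and decide are illustrative
names; interface names and MAC strings below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional, Set, Tuple

IpRange = Tuple[IPv4Address, IPv4Address]


def parse_ip_option(text: str) -> Tuple[IpRange, ...]:
    """Parse the ip-address argument of user-bind static into (start, end) pairs.

    Accepts 1-10 entries, each a single address or "start to end". Segments may
    not overlap; this toy model also rejects a repeated single address.
    """
    tokens = text.split()
    ranges = []
    i = 0
    while i < len(tokens):
        start = IPv4Address(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = IPv4Address(tokens[i + 2])
            i += 3
        else:
            end = start
            i += 1
        if end < start:
            raise ValueError(f"end-ip {end} precedes start-ip {start}")
        ranges.append((start, end))
    if not 1 <= len(ranges) <= 10:
        raise ValueError("ip-address takes 1-10 addresses or segments")
    ordered = sorted(ranges)
    for (_, e1), (s2, _) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            raise ValueError(f"IP address segments overlap at {s2}")
    return tuple(ranges)


@dataclass(frozen=True)
class Packet:
    src_ip: IPv4Address
    src_mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class Binding:
    """One static entry; an option left as None was not configured and is not checked."""
    ip_ranges: Tuple[IpRange, ...] = ()
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """True only when every configured option matches the packet."""
        if self.ip_ranges and not any(s <= pkt.src_ip <= e for s, e in self.ip_ranges):
            return False
        if self.mac is not None and self.mac != pkt.src_mac:
            return False
        if self.interface is not None and self.interface != pkt.interface:
            return False
        return self.vlan is None or self.vlan == pkt.vlan


def ipsg_decision(bindings: Iterable[Binding], enabled_interfaces: Set[str],
                  enabled_vlans: Set[int], pkt: Packet) -> str:
    """Return 'forward' or 'discard' for one received packet.

    A packet is checked only if it arrived on an IPSG-enabled interface or in an
    IPSG-enabled VLAN; traffic elsewhere is trusted and forwarded unchecked.
    """
    if pkt.interface not in enabled_interfaces and pkt.vlan not in enabled_vlans:
        return "forward"
    return "forward" if any(b.matches(pkt) for b in bindings) else "discard"


# Constructed table: the page's two example entries plus the segment form from the note.
BINDINGS = (
    Binding(parse_ip_option("192.168.1.1"), mac="0003-0003-0003"),
    Binding(parse_ip_option("192.168.2.1"), mac="0002-0002-0002",
            interface="GigabitEthernet0/0/1", vlan=10),
    Binding(parse_ip_option("172.16.1.1 to 172.16.1.4"), mac="0001-0001-0001"),
)
ENABLED_INTERFACES = {"GigabitEthernet0/0/1"}  # ip source check user-bind enable on GE0/0/1
ENABLED_VLANS = {10}                           # ... and in VLAN 10


def decide(ip: str, mac: str, interface: str, vlan: int) -> str:
    """Convenience wrapper: evaluate one packet against the constructed table."""
    return ipsg_decision(BINDINGS, ENABLED_INTERFACES, ENABLED_VLANS,
                         Packet(IPv4Address(ip), mac, interface, vlan))


if __name__ == "__main__":
    cases = [
        ("192.168.1.1", "0003-0003-0003", "GigabitEthernet0/0/1", 20),  # authorized host
        ("192.168.1.1", "0004-0004-0004", "GigabitEthernet0/0/1", 20),  # IP reused from another MAC
        ("192.168.2.1", "0002-0002-0002", "GigabitEthernet0/0/2", 10),  # wrong interface; VLAN 10 checks it
        ("172.16.1.3", "0001-0001-0001", "GigabitEthernet0/0/2", 30),   # IPSG not enabled here
    ]
    for case in cases:
        print(case, "->", decide(*case))
```

Note how the second case is discarded even though the IP address is in the table: the entry also carries a MAC address, so the packet must match both. The third case is checked because VLAN 10 has IPSG enabled, and is discarded because the entry pins the host to GE0/0/1. The fourth case is forwarded without being checked, which is the "trust other interfaces and VLANs" behaviour described above.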
More Information: S Series Switches Common Operation Guide