How do I configure IPSG on an AR


IP source guard (IPSG) checks received IP packets against a binding table as a defense measure against source IP address spoofing attacks.

Before configuring IPSG, complete the following tasks:
- Configure IP addresses for interfaces to ensure that the link status is Up.
- Configure DHCP snooping if IP addresses are dynamically allocated.
- Manually configure a static binding table if IP addresses are statically configured.

Dynamic binding:
<Huawei> system-view //Enter the system view.
[Huawei] dhcp enable //Enable DHCP globally.
[Huawei] dhcp snooping enable //Enable DHCP snooping globally.
[Huawei] vlan 10 //Enter the view of VLAN 10.
[Huawei-vlan10] dhcp snooping enable //Enable DHCP snooping in the VLAN.
[Huawei-vlan10] ip source check user-bind enable //Enable IP packet check in VLAN 10.
[Huawei-vlan10] quit //Exit from the view of VLAN 10.
[Huawei] display ip source check user-bind vlan 10 //Check the configuration of IP packet check.

Static binding:
<Huawei> system-view //Enter the system view.
[Huawei] user-bind static ip-address 1.1.1.2 mac-address 5489-98A1-38D9 interface ethernet 0/0/2 vlan 10 //Configure a static binding entry in which the IP address, MAC address, and VLAN ID are bound. (In practice, bind one of them. If all of them are bound, users can access a network only when the binding entry is matched.)
[Huawei] interface ethernet 0/0/2
[Huawei-Ethernet0/0/2] ip source check user-bind enable //Enable IPSG on the interface.

Other related questions:
IPSG on an AR
IP Source Guard (IPSG) defends against spoofing attacks based on source IP addresses. Some attacks on networks aim at source IP addresses by accessing and using network resources through spoofing IP addresses, stealing users' information or blocking authorized users from accessing networks. IPSG provides a mechanism to effectively defend against IP address spoofing attacks. IPSG uses binding tables (static or DHCP dynamic binding tables) to filter IP packets. Before the router forwards an IP packet, it compares the source IP address, source MAC address, interface, and VLAN information in the IP packet with entries in the binding table. If a matching entry is found, the router considers the IP packet as a valid packet and forwards it. Otherwise, the router considers the IP packet as an attack packet and discards it.

Whether the S1700 supports IPSG
Does the S1700 support IPSG? SNMP-based S1700 switches (including S1700-28GFR-4P-AC, S1700-52GFR-4P-AC, S1700-28FR-2T2P-AC, S1700-52FR-2T2P-AC, S1720-20GFR-4TP, and S1720-28GFR-4TP switches) support IPSG. NMS-free and web-managed S1700 switches do not support IPSG. An S1700 switch checks whether to match data packets against binding entries configured on interfaces. The binding entries include the following:
- IP: The switch matches only IP addresses.
- MAC: The switch matches only MAC addresses.
- VLAN: The switch matches only VLAN IDs.
- IP&MAC: The switch matches IP addresses and MAC addresses.
- IP&VLAN: The switch matches IP addresses and VLAN IDs.
- MAC&VLAN: The switch matches MAC addresses and VLAN IDs.
- IP&MAC&VLAN: The switch matches IP addresses, MAC addresses, and VLAN IDs.
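
The binding-table check described above (the AR forwarding rule and the S1700 binding types), as an added Python example that is not Huawei code and not part of the original page. It is a simplified model in which a field left unbound matches anything; the class and function names and the sample packets are constructed for illustration, and the full entry is the static binding from the configuration on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """Binding-table entry; a field left as None is not bound and matches anything."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int

def norm_mac(mac: str) -> str:
    """Reduce 5489-98A1-38D9 or 54:89:98:a1:38:d9 to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def entry_matches(b: Binding, p: Packet) -> bool:
    """True when every bound field of the entry equals the packet's value."""
    pairs = [
        (b.ip, p.src_ip),
        (norm_mac(b.mac) if b.mac else None, norm_mac(p.src_mac)),
        (b.interface, p.interface),
        (b.vlan, p.vlan),
    ]
    return all(bound is None or bound == seen for bound, seen in pairs)

def ipsg_verdict(table, p: Packet, enabled_interfaces) -> str:
    """Forward on a match, discard otherwise; unchecked if IPSG is off on the port."""
    if p.interface not in enabled_interfaces:
        return "forward"
    return "forward" if any(entry_matches(b, p) for b in table) else "discard"

# Entry from the static-binding example on this page; packets below are constructed.
FULL = [Binding("1.1.1.2", "5489-98A1-38D9", "Ethernet0/0/2", 10)]
IP_ONLY = [Binding(ip="1.1.1.2")]
PORTS = {"Ethernet0/0/2"}  # interfaces with IPSG enabled (assumed naming)
legit = Packet("1.1.1.2", "54:89:98:a1:38:d9", "Ethernet0/0/2", 10)
spoofed_ip = Packet("1.1.1.99", "54:89:98:a1:38:d9", "Ethernet0/0/2", 10)
other_host = Packet("1.1.1.2", "00:11:22:33:44:55", "Ethernet0/0/2", 10)

if __name__ == "__main__":
    for name, pkt in [("legit", legit), ("spoofed_ip", spoofed_ip), ("other_host", other_host)]:
        print(name, ipsg_verdict(FULL, pkt, PORTS), ipsg_verdict(IP_ONLY, pkt, PORTS))
```

With the IP-only entry, a different host that reuses 1.1.1.2 is still forwarded, whereas the IP&MAC&VLAN entry discards it.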

How to configure IPSG for a WLAN device
IP source guard (IPSG) can defend against spoofing attacks based on source IP addresses. For the methods of configuring IPSG for a WLAN device, see "Example for Configuring WLAN IPSG" in Typical Configuration Examples.

How do I configure proxy ARP on an AR
An AR router supports routed proxy ARP, intra-VLAN proxy ARP, and inter-VLAN proxy ARP.
- Routed proxy ARP
Routed proxy ARP allows hosts on the same network segment across different physical networks to communicate. The configuration is as follows:
[Huawei] interface ethernet2/0/0
[Huawei-Ethernet2/0/0] arp-proxy enable
- Intra-VLAN proxy ARP
Intra-VLAN proxy ARP allows hosts on the same network segment and VLAN where isolation is configured to communicate. The configuration is as follows:
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp-proxy inner-sub-vlan-proxy enable
- Inter-VLAN proxy ARP
Inter-VLAN proxy ARP allows hosts on the same network segment but different VLANs to communicate. The configuration is as follows:
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp-proxy inter-sub-vlan-proxy enable
