Three methods of IP + MAC binding on S series switch


The S series switches, except S1700, support three IP and MAC address binding methods: IPSG, static ARP binding, and static DHCP binding. They are applicable to different scenarios.
Details are as follows:
Scenario 1: To prevent clients from changing their IP addresses without permission, configure IPSG.
Description: Configure a global binding table that binds IP addresses, MAC addresses, interfaces, and VLANs, and enable IPSG on the interfaces or VLANs. When IP packets from a PC reach an IPSG-enabled interface or VLAN, the switch matches them against the binding table. Packets that match an entry are forwarded; all other packets are discarded.

Scenario 2: To prevent ARP spoofing (ARP entries on the switch are modified by fake ARP packets), configure static ARP entries.
Description: Static ARP entries are manually configured and maintained. They will not be aged out or overridden by dynamic ARP entries. Static ARP entries ensure communication between the local device and a specified device by using a specified MAC address so that attackers cannot modify mappings between IP addresses and MAC addresses in static ARP entries.

Scenario 3: To assign fixed IP addresses to certain users, configure static DHCP binding.
Description: If certain clients, such as a Web server, need fixed IP addresses, bind those IP addresses to the clients' MAC addresses. When the DHCP server receives an IP address request from such a client, it assigns the fixed IP address bound to the client's MAC address. (The DHCP server preferentially assigns the IP addresses bound to MAC addresses to those clients.)

Other related questions:
Configure binding tables for IPSG (user-bind binding tables) on S series switches
Configure a binding table for IPSG (user-bind binding table) on an S series switch (except the S1700) as follows:

- Static binding table
A static binding entry contains at least one of the following: IP address, MAC address, interface, or VLAN (for example, an IP address together with a MAC address). An interface cannot be bound to a VLAN to form a binding entry. For example, configure a static binding entry of VLAN 2 and IP address:
[HUAWEI] user-bind static ip-address vlan 2
Note: Static binding entries can be configured only in the system view.

- Dynamic binding table
Enable DHCP snooping globally and on an interface. Generally, the interface directly or indirectly connected to the DHCP server or gateway is configured as a trusted interface. After DHCP snooping is enabled and the trusted interface is configured, user-side interfaces automatically generate dynamic binding entries based on received DHCP ACK packets. For example, enable DHCP snooping globally and on GE0/0/1, and configure GE0/0/1 as a trusted interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping trusted
Note: If both DHCP relay and VRRP are configured on a switch, DHCP snooping cannot be enabled. DHCP snooping cannot be enabled if the DHCP server is on the subordinate VLAN side and the DHCP client is on the principal VLAN side. After DHCP snooping is configured, the switch generates DHCP snooping entries for the hosts when the hosts go online again; only then does IPSG take effect. If you enable IPSG before the switch has generated DHCP snooping dynamic binding entries, the switch rejects all packets except DHCP Request packets, so hosts with dynamic IP addresses cannot communicate with each other. Therefore, configure DHCP snooping and let the switch generate dynamic binding entries before enabling IPSG.
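The matching rule described above, as an added example in Python (not Huawei's code): binding entries that pin only some of the four fields, packets checked against the table, and the empty-table failure mode the note warns about. Field names, addresses and the sample table are constructed.

```python
"""IPSG binding-table match as this page describes it (added example, not
Huawei code): an entry pins any subset of IP, MAC, interface and VLAN, and an
IP packet is forwarded only if some entry matches every field it specifies.
DHCP Request packets are exempt, which is why an IPSG port with an empty
dynamic table still lets hosts obtain addresses but nothing else through."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int
    dhcp_request: bool = False


@dataclass(frozen=True)
class Binding:
    # None means the entry does not constrain that field (wildcard).
    ip: Optional[str] = None
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.ip, pkt.src_ip), (self.mac, pkt.src_mac),
                 (self.interface, pkt.interface), (self.vlan, pkt.vlan))
        return all(want is None or want == got for want, got in pairs)


def ipsg_forward(table: List[Binding], pkt: Packet) -> bool:
    """True if the packet passes the IPSG check on an IPSG-enabled port."""
    if pkt.dhcp_request:
        return True  # exempt so DHCP snooping can learn dynamic entries
    return any(entry.matches(pkt) for entry in table)


# Constructed sample table: a static IP+VLAN entry (like the page's
# 'user-bind static ... vlan 2' example) and a DHCP-snooping-style entry.
SAMPLE_TABLE = [
    Binding(ip="192.0.2.10", vlan=2),
    Binding(ip="192.0.2.20", mac="0000-5e00-5301", interface="GE0/0/2", vlan=2),
]
```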

Whether S series switches support IPSG
All S series switches except the following support IPSG:
- S1700 switches
- S2700-SI switches
- W series cards of S7700, S9700, and S1270 switches
- S9300 of versions earlier than V100R002
For switches that do not support IPSG, you can run the mac-address static vlan command to configure static MAC addresses and run the mac-address learning disable command to disable MAC address learning on interfaces, which realizes a function similar to IPSG.

Check binding tables for IPSG on S series switches
You can check binding tables for IPSG on S series switches (except S1700 switches) as follows:
1. Run the display dhcp static user-bind all command to check static binding entries.
2. Run the display dhcp snooping user-bind all command to check dynamic DHCP snooping binding entries.

How to bind the IP address, MAC address, and interface
The Switch implements binding between an interface and a MAC address through the traffic policy and DHCP snooping. The interface then allows only packets with the bound MAC address and packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface.
For example, to configure Ethernet 0/0/1 to allow only the packets with the source MAC address 0-02-02, in addition to the packets matching the DHCP snooping binding table, and to discard all other packets, do as follows:
# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable
# Create an ACL that permits only the packets with the source MAC address 0-02-02.
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] rule deny
# Create a traffic classifier that matches ACL 4000.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
# Create a traffic behavior and a traffic policy.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
# Apply the traffic policy to Ethernet 0/0/1 so that the interface allows only the packets with the source MAC address 0-02-02 to pass through, in addition to the packets matching the DHCP snooping binding table. In V100R005C00 and later versions, the configuration is as follows:
[HUAWEI] interface Ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 4094
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] traffic-policy p1 inbound
