Differences between IPSG and static ARP of S series switches
For S series switches, both IPSG based on a static binding table and static ARP support IP and MAC binding. Their differences are as follows:
- IPSG is generally configured on the access switch connected to users or on the aggregation or core switch to prevent IP address spoofing attacks from the intranet. For example, a malicious host steals an authorized host's IP address to access the network.
- Static ARP is generally configured on the gateway. The static ARP table stores the ARP entries of key servers to prevent ARP spoofing attacks and ensure normal communication between hosts and servers.

Other related questions:
Three methods of IP + MAC binding on S series switch
The S series switches, except S1700, support three IP and MAC address binding methods: IPSG, static ARP binding, and static DHCP binding. They are applicable to different scenarios. Details are as follows:
Scenario 1: To prevent clients from changing their IP addresses without permission, configure IPSG.
Description: Configure a global binding table to bind IP addresses, MAC addresses, interfaces, and VLANs. Enable IPSG on the interfaces or VLANs. When IP packets from a PC reach an IPSG-enabled interface or VLAN, the switch matches the packets against the binding table. If the packets match an entry, they are forwarded; otherwise, they are discarded.
Scenario 2: To prevent ARP spoofing (ARP entries on the switch being modified by fake ARP packets), configure static ARP entries.
Description: Static ARP entries are manually configured and maintained. They are not aged out or overridden by dynamic ARP entries. Static ARP entries ensure communication between the local device and a specified device by using a specified MAC address, so that attackers cannot modify the IP-to-MAC mappings in static ARP entries.
Scenario 3: To assign fixed IP addresses to certain users, configure static DHCP binding.
Description: If some special clients such as a Web server need fixed IP addresses, bind fixed IP addresses to the MAC addresses of these clients. When receiving an IP address request from such a client, the DHCP server assigns the fixed IP address bound to the client's MAC address to this client. (The DHCP server preferentially assigns the IP addresses bound to MAC addresses to clients.)

Differences between IPSG and port security of S series switches
For S series switches (except S1700 switches), both IPSG and port security support bindings between MAC addresses and interfaces. Their differences are as follows:
- IPSG: Binds MAC addresses to interfaces in a binding table so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the binding table cannot go online through the switch. IPSG prevents IP address spoofing attacks. For example, it prevents a malicious host from stealing an authorized host's IP address to access or attack the network.
- Port security: Converts a limited number of dynamic MAC entries learned by interfaces into secure MAC entries, so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the MAC address table cannot go online through the switch. Port security prevents access by unauthorized hosts and limits the number of access hosts. It is applicable to networks with a large number of hosts. If you only want to prevent hosts with unauthorized MAC addresses from communicating and a large number of hosts reside on the network, port security is recommended.

Static ARP configuration on S series switch
On an S series switch, except S1700, run the arp static command in the system view to configure a static ARP entry.
- When the outbound interface is an Ethernet interface, run the arp static ip-address mac-address interface interface-type interface-number command.
- When a VPN instance needs to be specified for the ARP entry, run the arp static ip-address mac-address vpn-instance vpn-instance-name command.
- To configure a short ARP entry (containing only the IP address to MAC address mapping, without VLAN or outbound interface), run the arp static ip-address mac-address command.
Examples:
- To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, VLAN ID is 10, and outbound interface is GE1/0/1, run:
  [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vid 10 interface gigabitethernet 1/0/1
- To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, and VPN instance is vpn1, run:
  [HUAWEI] ip vpn-instance vpn1
  [HUAWEI-vpn-instance-vpn1] ipv4-family
  [HUAWEI-vpn-instance-vpn1-af-ipv4] quit
  [HUAWEI-vpn-instance-vpn1] quit
  [HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vpn-instance vpn1

Static ARP support on S series switches
S series switches (except S1700 switches) support static ARP entries.

Differences between IPSG and DAI of S series switches
For S series switches, both IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI) use binding tables (static binding table or DHCP snooping binding table) to filter packets.
- IPSG filters IP packets by using binding tables. A switch matches IP packets received by interfaces against binding entries, and forwards the packets matching the binding entries.
- DAI filters ARP packets by using binding tables. A switch matches ARP packets received by interfaces against binding entries, and forwards the ARP packets matching the binding entries.
- IPSG prevents IP address spoofing attacks. For example, a malicious host steals an authorized host's IP address to access the network or initiate attacks.
- DAI can prevent man-in-the-middle attacks. Man-in-the-middle attacks are generally initiated through ARP spoofing. That is, the attacker leads traffic to itself to intercept other hosts' information.
- IPSG cannot prevent address conflicts. For example, when a malicious host steals an online host's IP address, the ARP request packets sent by the malicious host will be sent to the online host through broadcast, causing an address conflict. To prevent IP address conflicts, you can configure both IPSG and DAI.
- IPSG and DAI resolve different issues and meet different requirements. To ensure network security, you can configure both of them.
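As an added example (not from this page or from Huawei), the following Python model shows how one static binding table of IP address, MAC address, interface and VLAN drives both the IPSG check on IP packets (Scenario 1 above) and the DAI check on ARP packets, and why IPSG alone lets through the spoofed ARP request that causes the address conflict described above. The binding entry, interface names, MAC addresses and packets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One static binding entry: IP address, MAC address, interface, VLAN."""
    ip: str
    mac: str
    interface: str
    vlan: int

# Constructed binding table (assumed sample data): one authorized host.
BINDING_TABLE = {Binding("10.1.1.1", "0efc-0505-86e3", "GE1/0/1", 10)}

def matches_binding(ip, mac, interface, vlan):
    """True when the (IP, MAC, interface, VLAN) tuple is in the table."""
    return Binding(ip, mac, interface, vlan) in BINDING_TABLE

def ipsg_permits(pkt, interface, vlan):
    """IPSG checks IP packets only; ARP packets pass untouched."""
    if pkt["type"] != "ip":
        return True
    return matches_binding(pkt["src_ip"], pkt["src_mac"], interface, vlan)

def dai_permits(pkt, interface, vlan):
    """DAI checks ARP packets only; IP packets pass untouched."""
    if pkt["type"] != "arp":
        return True
    return matches_binding(pkt["sender_ip"], pkt["sender_mac"], interface, vlan)

def forward(pkt, interface, vlan, ipsg=True, dai=False):
    """Forward only if every check enabled on the ingress interface permits the packet."""
    checks = ([ipsg_permits] if ipsg else []) + ([dai_permits] if dai else [])
    return all(check(pkt, interface, vlan) for check in checks)

# Constructed packets: the authorized host, and a second host on GE1/0/2
# that reuses the authorized host's IP address with its own MAC address.
AUTH_IP = {"type": "ip", "src_ip": "10.1.1.1", "src_mac": "0efc-0505-86e3"}
SPOOF_IP = {"type": "ip", "src_ip": "10.1.1.1", "src_mac": "00e0-fc12-3456"}
SPOOF_ARP = {"type": "arp", "sender_ip": "10.1.1.1", "sender_mac": "00e0-fc12-3456"}

if __name__ == "__main__":
    print(forward(AUTH_IP, "GE1/0/1", 10))              # True: matches the binding
    print(forward(SPOOF_IP, "GE1/0/2", 10))             # False: IPSG drops the spoofed IP packet
    print(forward(SPOOF_ARP, "GE1/0/2", 10))            # True: IPSG alone passes the ARP request
    print(forward(SPOOF_ARP, "GE1/0/2", 10, dai=True))  # False: DAI drops it
```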
