How to implement the function of binding the IP address, MAC address, and interface through configurations

The Switch implements the function of binding the IP address, MAC address, and interface through the DHCP snooping static binding table.

To implement the function, configure a static binding entry on a VLAN, using the IP address and MAC address of the PC as the IP address and MAC address of the entry. Then enable the checking of IP and ARP packets on the interface that connects the PC to the Switch.

For example, to bind the IP address 10.1.1.1, MAC address 0002-0002-0002, and interface Ethernet 0/0/1, run the following commands:

In V100R005 and V100R006, the configuration is as follows:

[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface Ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 100
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] quit
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] quit
[HUAWEI] user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1
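
The procedure above has several parts that must all be present: DHCP snooping enabled globally and in the VLAN, IP source checking enabled on the port, and the user-bind static entry itself. The following Python audit is an added example, not Huawei code. It assumes the configuration is available as text in an indented saved-configuration layout (the sample is constructed, and the helper names are hypothetical), and it flags static bindings whose port or VLAN is missing a step.

```python
import re
# Constructed sample (view commands indented); Ethernet0/0/2 lacks the IP source check.
SAMPLE_CONFIG = """\
dhcp enable
dhcp snooping enable
vlan 100
 dhcp snooping enable
interface Ethernet0/0/1
 port default vlan 100
 ip source check user-bind enable
interface Ethernet0/0/2
 port default vlan 100
user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1
user-bind static ip-address 10.1.1.2 mac-address 0002-0002-0003 interface Ethernet0/0/2
"""
BIND_RE = re.compile(r"user-bind static ip-address (\S+) mac-address (\S+) interface (\S+)")
CHECK = "ip source check user-bind enable"

def parse(config):
    """Group commands by view: 'global', 'interface:<name>' or 'vlan:<id>'."""
    views, current = {"global": []}, "global"
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":
            continue
        if raw[0].isspace():              # indented: belongs to the open view
            views[current].append(cmd)
            continue
        kind, _, rest = cmd.partition(" ")
        current = f"{kind}:{rest.replace(' ', '')}" if kind in ("interface", "vlan") else "global"
        views.setdefault(current, [])
        if current == "global":
            views["global"].append(cmd)
    return views

def audit(config):
    """Return one finding per step of the binding procedure that is missing."""
    views, findings = parse(config), []
    if "dhcp snooping enable" not in views["global"]:
        findings.append("global: dhcp snooping enable is missing")
    for ip, mac, ifname in (m.groups() for m in map(BIND_RE.fullmatch, views["global"]) if m):
        port = views.get(f"interface:{ifname}", [])
        if CHECK not in port:
            findings.append(f"{ifname}: binding {ip}/{mac} has no '{CHECK}'")
        vlan = next((c.split()[-1] for c in port if c.startswith("port default vlan ")), None)
        if vlan and "dhcp snooping enable" not in views.get(f"vlan:{vlan}", []):
            findings.append(f"{ifname}: dhcp snooping is not enabled in VLAN {vlan}")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the Ethernet0/0/2 binding, which exists in the table but is never checked against traffic on that port.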

Other related questions:
How to bind the IP address, MAC address, and interface
The Switch implements binding between an interface and a MAC address through the traffic policy and DHCP snooping. The interface then allows only the packets with the bound MAC address and the packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface.

For example, to configure Ethernet 0/0/1 to allow only the packets with the source MAC address 0-02-02, apart from the packets matching the DHCP snooping binding table, and to discard other packets, do as follows:

# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable

# Create an ACL that permits only the packets with the source MAC address 0-02-02.
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] rule deny

# Create a traffic classifier that matches ACL 4000.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000

# Create a traffic behavior and a traffic policy.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1

# Apply the traffic policy to Ethernet 0/0/1 so that the interface allows only the packets with the source MAC address 0-02-02 to pass through, apart from the packets matching the DHCP snooping binding table.
In V100R005C00 and later versions, the configuration is as follows:
[HUAWEI] interface Ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 4094
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] traffic-policy p1 inbound

How to implement the binding of the IP address and interface
The Switch implements binding between an interface and an IP address through the traffic policy and DHCP snooping. The interface then allows only the packets with the bound IP address and the packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface.

For example, to configure Ethernet 0/0/8 to allow the packets with the source IP address 192.168.130.50, apart from the packets matching the DHCP snooping binding table, and to discard other packets, do as follows:

# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable

# Configure an advanced ACL that matches source IP address 192.168.130.50.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 permit ip source 192.168.130.50 0
[HUAWEI-acl-adv-3000] rule 10 deny ip source any
[HUAWEI-acl-adv-3000] rule 15 deny ip destination any

# Create a traffic classifier that matches the advanced ACL.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000

# Create a traffic behavior and a traffic policy.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1

# Apply the traffic policy to Ethernet 0/0/8 so that the interface allows only the packets with the source IP address 192.168.130.50 to pass through, apart from the packets matching the DHCP snooping binding table.
In V100R005 and later versions, the configuration is as follows:
[HUAWEI] interface Ethernet 0/0/8
[HUAWEI-Ethernet0/0/8] port default vlan 4094
[HUAWEI-Ethernet0/0/8] ip source check user-bind enable
[HUAWEI-Ethernet0/0/8] traffic-policy p1 inbound

How to bind IP addresses with MAC addresses on the Layer 3 interface of a router
IP Source Guard can be configured only on a Layer 2 interface. Use the following preventive measures:
1. Configure static ARP entries.
2. Configure an ACL that permits the IP packets bound to the static ARP entries.

Three methods of IP + MAC binding on S series switch
The S series switches, except S1700, support three IP and MAC address binding methods: IPSG, static ARP binding, and static DHCP binding. They are applicable to different scenarios. Details are as follows:

Scenario 1: To prevent clients from changing their IP addresses without permission, configure IPSG.
Description: Configure a global binding table to bind IP addresses, MAC addresses, interfaces, and VLANs. Enable IPSG on the interfaces or VLANs. When the IP packets from a PC reach an IPSG-enabled interface or VLAN, the switch matches the packets against the binding table. If the packets match an entry, the packets are forwarded; otherwise, the packets are discarded.

Scenario 2: To prevent ARP spoofing (ARP entries on the switch are modified by fake ARP packets), configure static ARP entries.
Description: Static ARP entries are manually configured and maintained. They will not be aged out or overridden by dynamic ARP entries. Static ARP entries ensure communication between the local device and a specified device by using a specified MAC address so that attackers cannot modify mappings between IP addresses and MAC addresses in static ARP entries.

Scenario 3: To assign fixed IP addresses to certain users, configure static DHCP binding.
Description: If some special clients such as the Web server need fixed IP addresses, bind fixed IP addresses to the MAC addresses of these clients. When receiving an IP address request from a special client, a DHCP server assigns the fixed IP address bound to the client's MAC address to this client. (The DHCP server preferentially assigns the IP addresses bound to MAC addresses to clients.)
