Configure source IP address verification


The source IP address verification function enables an interface to check the validity of the source IP addresses in received packets. Packets whose source address is invalid are discarded.
As defined in RFC 1812, the following IP addresses cannot be used as source addresses:

Broadcast addresses of Class A, B, and C

Class D addresses (multicast addresses)

Reserved Class E addresses

All-0 or all-1 addresses

Addresses in the 127.0.0.0/8 loopback network segment, when they appear on any network outside the host

<HUAWEI> system-view
[~HUAWEI] interface vlanif 100
[*HUAWEI-Vlanif100] ip verify source-address
[*HUAWEI-Vlanif100] commit
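The checks listed above can be expressed as a small classifier. The following is an added illustration written for this page, not Huawei code: `invalid_source_reason` applies the RFC 1812 rules the switch enforces after `ip verify source-address` (classful directed broadcasts, Class D, Class E, 0.0.0.0, 255.255.255.255 and 127.0.0.0/8), and `source_in_interface_subnet` shows the stricter "source must lie in the interface's own subnet" form of the check that the USG firewall question further down this page describes. Reading "all-0 or all-1" as exactly 0.0.0.0 and 255.255.255.255 is an assumption of this example, as is the packet tuple format.

```python
"""RFC 1812 source-address sanity check (added example, not Huawei code)."""
import ipaddress


def classful_network(addr: ipaddress.IPv4Address):
    """Return the classful A/B/C network containing addr, or None for class D/E."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8          # Class A: 0.0.0.0 - 127.255.255.255
    elif first_octet < 192:
        prefix = 16         # Class B: 128.0.0.0 - 191.255.255.255
    elif first_octet < 224:
        prefix = 24         # Class C: 192.0.0.0 - 223.255.255.255
    else:
        return None         # Class D/E have no directed broadcast
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def invalid_source_reason(src: str):
    """Return why src may not be a source address, or None if it is acceptable.

    The order matters: 255.255.255.255 is also a class E value, so the
    all-ones test comes first and reports the more specific reason.
    """
    addr = ipaddress.IPv4Address(src)
    if int(addr) == 0:                       # assumption: "all-0" means 0.0.0.0
        return "all-zero address"
    if int(addr) == 0xFFFFFFFF:              # assumption: "all-1" means 255.255.255.255
        return "all-ones (limited broadcast) address"
    if addr.is_multicast:                    # 224.0.0.0/4 = Class D
        return "class D (multicast) address"
    if int(addr) >> 28 == 0xF:               # 240.0.0.0/4 = Class E
        return "reserved class E address"
    if addr in ipaddress.ip_network("127.0.0.0/8"):
        return "loopback (127.0.0.0/8) address seen outside the host"
    net = classful_network(addr)
    if net is not None and addr == net.broadcast_address:
        return f"directed broadcast of classful network {net}"
    return None


def source_in_interface_subnet(src: str, interface: str) -> bool:
    """USG-style check: accept only if src lies in the receiving interface's subnet.

    `interface` is written as address/prefix, e.g. "10.1.1.1/24" (assumed format).
    """
    return ipaddress.IPv4Address(src) in ipaddress.ip_interface(interface).network


def filter_packets(packets):
    """Split (src, dst) tuples into forwarded packets and dropped (src, dst, reason)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        reason = invalid_source_reason(src)
        if reason is None:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst, reason))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate host and several spoofed sources.
    sample = [("10.1.0.2", "10.0.0.1"), ("224.0.0.9", "10.0.0.1"),
              ("10.255.255.255", "10.0.0.1"), ("127.0.0.1", "10.0.0.1")]
    ok, bad = filter_packets(sample)
    print("forwarded:", ok)
    for src, dst, why in bad:
        print(f"dropped {src} -> {dst}: {why}")
```

Note that the subnet-membership check is stricter than the RFC 1812 list: a packet from 192.168.5.7 passes `invalid_source_reason` but is rejected by `source_in_interface_subnet` on an interface configured as 10.1.1.1/24. Which behaviour applies depends on the product, as the two answers on this page show.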

Other related questions:
Use the IP source trail function on S series switches to quickly locate attack sources
S series fixed switches do not support this function. S series modular switches provide the ip source-trail command, which enables source IP address tracing for specified IP addresses. After this command is executed, the switch records statistics on the traffic destined for the specified addresses. A maximum of 32 IP addresses can be configured in the command.

For example, traffic on the host with IP address 10.0.0.1 is detected to be abnormal. You can enable the source IP address tracing function for 10.0.0.1, then check statistics on the traffic destined for the host, and quickly locate the attack source. The configuration is as follows:

[HUAWEI] ip source-trail ip-address 10.0.0.1
[HUAWEI] display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr      SrcIF      Bytes      Pkts      Bits/s     Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2     GE3/0/23   85.971M    60.234K   1.356M     121
10.1.0.3     GE3/0/23   15.462M    10.852K   203.984K   17
10.1.0.4     GE3/0/23   14.785M    10.577K   204.601K   18
10.1.0.5     GE3/0/23   3.432M     6.557K    118.164K   28
10.1.0.6     GE3/0/23   2.541M     4.600K    34.257K    7

Based on the statistics on traffic destined for the host with IP address 10.0.0.1, the source IP address 10.1.0.2 has sent heavy traffic to the host, so the attack source, the host with IP address 10.1.0.2, is located. You can then configure an ACL on the switch to block the traffic from 10.1.0.2 to 10.0.0.1.
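When the source-trail table is long, picking out the dominant sender by eye is error-prone. The following added example (written for this page, not Huawei code) parses the `display ip source-trail` output reproduced above, converts the K/M abbreviations to plain numbers, and reports every source whose share of the destination's total byte count exceeds a threshold. Treating K, M and G as 10^3, 10^6 and 10^9 is an assumption of this example; the page does not define the suffixes.

```python
"""Rank sources in 'display ip source-trail' output (added example, not Huawei code)."""
import re

# The table shown on this page for destination 10.0.0.1, embedded as sample input.
SAMPLE_OUTPUT = """\
Destination Address: 10.0.0.1
SrcAddr      SrcIF      Bytes      Pkts      Bits/s     Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2     GE3/0/23   85.971M    60.234K   1.356M     121
10.1.0.3     GE3/0/23   15.462M    10.852K   203.984K   17
10.1.0.4     GE3/0/23   14.785M    10.577K   204.601K   18
10.1.0.5     GE3/0/23   3.432M     6.557K    118.164K   28
10.1.0.6     GE3/0/23   2.541M     4.600K    34.257K    7
"""

# Assumed meaning of the display's unit suffixes (decimal multiples).
SUFFIX = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_quantity(text: str) -> float:
    """Turn '85.971M' or '121' into a float."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised quantity: {text!r}")
    return float(m.group(1)) * SUFFIX[m.group(2)]


def parse_source_trail(output: str):
    """Return (destination, rows); each row is a dict of the six table columns."""
    dest, rows = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Destination Address:"):
            dest = line.split(":", 1)[1].strip()
            continue
        fields = line.split()
        # Skip the header, the dashed separator and blank lines.
        if len(fields) != 6 or not IPV4.fullmatch(fields[0]):
            continue
        rows.append({
            "src": fields[0],
            "ifname": fields[1],
            "bytes": parse_quantity(fields[2]),
            "pkts": parse_quantity(fields[3]),
            "bps": parse_quantity(fields[4]),
            "pps": parse_quantity(fields[5]),
        })
    return dest, rows


def dominant_sources(rows, share: float = 0.5):
    """Sources whose share of total bytes exceeds `share`, highest first, as (src, share)."""
    total = sum(r["bytes"] for r in rows)
    if total == 0:
        return []
    ranked = sorted(rows, key=lambda r: r["bytes"], reverse=True)
    return [(r["src"], r["bytes"] / total) for r in ranked if r["bytes"] / total > share]


if __name__ == "__main__":
    dest, rows = parse_source_trail(SAMPLE_OUTPUT)
    for src, frac in dominant_sources(rows):
        print(f"{src} accounts for {frac:.1%} of traffic to {dest}")
```

With the page's figures, 10.1.0.2 accounts for roughly 70% of the 122.191 MB counted towards 10.0.0.1, which is the same conclusion the text reaches; lowering `share` surfaces secondary senders worth a look before an ACL is written.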

Method used to configure the check of a source IP address on USG firewalls
Source IP address checking means that an interface checks the source IP address of each IP packet it receives. If the source IP address is not in the network segment of the interface, the interface discards the packet; if the source IP address is in the network segment of the interface, the interface can forward the packet. Source IP address spoofing is effectively prevented by this check. To configure it, run the ip verify source-address command in the interface view. By default, an interface does not verify the source address of received packets.

Query of the attack source IP address on the USG6000 series
Run the display anti-ddos source-ip [ ipv4 ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address ] command on the USG6000 to view the DDoS traffic source IP address monitoring table.

Configure a source IP address for S series switches to communicate with an HWTACACS server
By default, an S series switch (except the S1700 switch) uses the IP address of the outbound interface as the source IP address in HWTACACS packets for communicating with an HWTACACS server. To modify the source IP address in HWTACACS packets, perform the following operation:

[HUAWEI] hwtacacs-server template template1
[HUAWEI-hwtacacs-template1] hwtacacs-server source-ip 10.1.1.1
