Configure IP packet check on a CE series switch


Attackers often forge packets with the source IP addresses or MAC addresses of authorized users to access or attack networks. As a result, authorized users cannot obtain stable and secure network services. The IP packet check function addresses this problem.
When IP packet check is enabled on a switch, the switch checks IP addresses, MAC addresses, VLAN information, and interface information in IP packets against a binding table. You can run the ip source check user-bind check-item { ip-address | mac-address | vlan } * command in the interface view or the ip source check user-bind check-item { ip-address | mac-address | interface } * command in the VLAN view to specify IP packet check items. Only packets that match binding entries can be forwarded. Packets that do not match any binding entries are discarded.
For example, enable IP packet check on 10GE1/0/1 to check whether the IP addresses in packets match binding entries.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] ip source check user-bind enable //Enable the IP packet check function.
[*HUAWEI-10GE1/0/1] ip source check user-bind check-item ip-address //Check whether the IP addresses in IP packets match binding entries.
[*HUAWEI-10GE1/0/1] commit
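
The following is an added example, not Huawei code: a simplified Python model of the binding-table match described above, showing how the chosen check items change which packets are forwarded. The binding entries and packets are constructed sample values, and the model assumes the ingress interface is always compared in the interface view.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str

Packet = Binding  # a received packet is described by the same four fields

# Constructed sample binding table, not taken from a real device.
BINDINGS = [
    Binding("10.1.1.10", "00e0-fc12-3456", 10, "10GE1/0/1"),
    Binding("10.1.1.11", "00e0-fc12-789a", 10, "10GE1/0/1"),
]

# check-item keywords available in the interface view -> field compared.
ITEMS = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan"}

def forwarded(packet, check_items, bindings=BINDINGS):
    """True if one binding entry matches the packet on every selected item."""
    if not check_items or set(check_items) - set(ITEMS):
        raise ValueError(f"unsupported check items: {check_items!r}")
    fields = [ITEMS[item] for item in check_items]
    for entry in bindings:
        # Model assumption: the ingress interface is always compared, since
        # it is not a selectable item in the interface view.
        if entry.interface != packet.interface:
            continue
        # All selected fields must match the SAME entry.
        if all(getattr(entry, f) == getattr(packet, f) for f in fields):
            return True
    return False  # no entry matched: the packet is discarded

# Constructed packets arriving on 10GE1/0/1.
LEGIT = Packet("10.1.1.10", "00e0-fc12-3456", 10, "10GE1/0/1")
FORGED_MAC = Packet("10.1.1.10", "00e0-fc99-9999", 10, "10GE1/0/1")
MIXED = Packet("10.1.1.10", "00e0-fc12-789a", 10, "10GE1/0/1")
UNBOUND_IP = Packet("10.1.1.99", "00e0-fc12-3456", 10, "10GE1/0/1")

if __name__ == "__main__":
    for items in (["ip-address"], ["ip-address", "mac-address"]):
        for name, pkt in [("legit", LEGIT), ("forged MAC", FORGED_MAC),
                          ("mixed entries", MIXED), ("unbound IP", UNBOUND_IP)]:
            verdict = "forward" if forwarded(pkt, items) else "discard"
            print(f"{'+'.join(items):24} {name:14} {verdict}")
```

With only ip-address selected, the model forwards a packet that carries a bound IP address and an unbound MAC address; selecting mac-address as well discards it.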

Other related questions:
Options in binding tables configured for IPSG on S series switches
Options in binding tables configured for IPSG on S series switches (except S1700 switches) include the following:
With IPSG enabled, an S series switch (except the S1700) checks IP packets against options in a binding table, which can be combinations of source IP addresses, source MAC addresses, VLANs, and interfaces.

The following bindings can be configured in an interface view:
- Interface and IP address
- Interface and MAC address
- Interface, IP address, and MAC address
- Interface, IP address, and VLAN
- Interface, MAC address, and VLAN
- Interface, IP address, MAC address, and VLAN

The following bindings can be configured in a VLAN view:
- VLAN and IP address
- VLAN and MAC address
- VLAN, IP address, and MAC address
- VLAN, IP address, and interface
- VLAN, MAC address, and interface
- VLAN, IP address, MAC address, and interface

DHCP packet checksum check on S series switch
After the dhcp enable command is executed in the system view of S series switches, the switch checks the checksum of all passing DHCP packets as well as IP and UDP checksums.

Can I use a MIB to obtain the number of lost packets on an interface of a CE series switch
You can use a MIB to obtain the number of lost packets on an interface of a CE series switch. The objects with the OIDs 1.3.6.1.2.1.2.2.1.13 and 1.3.6.1.2.1.2.2.1.19 indicate the numbers of lost incoming and outgoing packets respectively on an interface.
For CE12800 series switches, pay attention to the following points:
1. To improve the NMS monitoring and query performance, the number of lost packets obtained through MIBs is always 0 in versions earlier than V100R005C00.
2. In V100R005C00 and later versions, you can run the set if-mib discard-statistics enable command in the diagnostic view to enable the function of using a MIB to collect statistics about packet loss on interfaces.
