Bind IP addresses with MAC addresses in web mode on an AR router

23

1. Log in to the web NMS, and choose IP Service > ARP.
2. Click Create. In the Create Static ARP Entry that is displayed, select parameters or enter values according to requirements, and configure static ARP entries.
3. Click OK to complete the static ARP entry configuration.

Other related questions:
How to bind the IP address, MAC address, and interface
The Switch implements binding between an interface and a MAC address through the traffic policy and DHCP snooping. Then the interface allows only the packets with the bound MAC address and packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface. For example, to configure Ethernet 0/0/1 to allow only the packets with the source MAC address being 0-02-02 apart from of the packets matching the DHCP snooping binding table, and discard other packets, do as follows: # Enable DHCP snooping globally. [HUAWEI] dhcp snooping enable# Create an ACL that permits only the packets with the source MAC address being 0-02-02. [HUAWEI] acl 4000 [HUAWEI-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff [HUAWEI-acl-L2-4000] rule deny# Create a traffic classifier that matches ACL 4000. [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 4000# Create a traffic behavior and a traffic policy. [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] permit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1# Apply the traffic policy to Ethernet 0/0/1 so that the interface allows only the packets with the source MAC address 0-02-02 to pass through apart from of the packets matching the DHCP snooping binding table. In V100R005C00 and later versions, the configuration is as follows: [HUAWEI] interface Ethernet 0/0/1 [HUAWEI-Ethernet0/0/1] port default vlan 4094 [HUAWEI-Ethernet0/0/1] ip source check user-bind enable [HUAWEI-Ethernet0/0/1] traffic-policy p1 inbound

How to bind IP addresses with MAC addresses on the Layer 3 interface of a router
The IP Source Guard can be configured only on a Layer 2 interface. Use the following preventive measures: 1. Configure static ARP entries. 2. Configure an ACL to allow IP packets that are bound with the static ARP entries to be released.

IPSG on an AR
IP Source Guard (IPSG) defends against spoofing attacks based on source IP addresses. Some attacks on networks aim at source IP addresses by accessing and using network resources through spoofing IP addresses, stealing users' information or blocking authorized users from accessing networks. IPSG provides a mechanism to effectively defend against IP address spoofing attacks. IPSG uses binding tables (static or DHCP dynamic binding tables) to filter IP packets. Before the router forwards an IP packet, it compares the source IP address, source MAC address, interface, and VLAN information in the IP packet with entries in the binding table. If a matching entry is found, the router considers the IP packet as a valid packet and forwards it. Otherwise, the router considers the IP packet as an attack packet and discards it.

Number of supported static DHCP binding entries on S series switch
S series switches (except S1700 switches) support the static DHCP binding configuration. When configuring static DHCP binding, ensure that IP addresses to be bound exist in a DHCP address pool. If you want to know the maximum number of static DHCP binding entries that can be configured, send an email to e_online@huawei.com.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top