
Differences between IPSG and port security of switches

Created: Feb 21, 2022 07:56:25 | Latest reply: Feb 21, 2022 08:03:09
  Rewarded HiCoins: 0 (problem resolved)
What are the differences between IPSG and port security of switches?

Featured Answers
tubaboraka
MVE Author Created Feb 21, 2022 08:00:33

For S series switches (except S1700 switches), both IPSG and port security support bindings between MAC addresses and interfaces.

Their differences are as follows:

IPSG: Binds MAC addresses to interfaces in a binding table so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the binding table cannot go online through the switch. IPSG prevents IP address spoofing attacks. For example, it prevents a malicious host from stealing an authorized host's IP address to access or attack the network.

Port security: Converts a limited number of dynamic MAC entries learned by interfaces into secure MAC entries, so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the MAC address table cannot go online through the switch. Port security prevents access of unauthorized hosts and limits the number of access hosts. It is applicable to networks with a large number of hosts.

If you just want to prevent hosts with unauthorized MAC addresses from communicating with each other and a large number of hosts reside on the network, port security is recommended.


Recommended answer

fuzi_yao
Admin Created Feb 21, 2022 08:03:09

Hi, friend!

IPSG: The binding relationship between MAC addresses and interfaces is fixed in the binding table. In this way, fixed hosts can go online only through fixed interfaces. In addition, hosts with unauthorized MAC addresses outside the binding table cannot communicate with each other through the device. Binding entries need to be manually configured. If there are a large number of hosts, the configuration workload is heavy.

Port security: A specified number of dynamic MAC addresses learned by an interface are translated into secure MAC addresses and fixed MAC addresses are used. In this way, fixed hosts can go online only through fixed interfaces and unauthorized hosts cannot communicate with each other. Secure MAC addresses are dynamically generated and do not need to be manually configured.



All Answers
Hello, friend!
It's nice to meet you in the community.
We're working on getting the right answer for you.


E.DR_91
MVE Author Created Feb 21, 2022 08:02:11

IPSG and Port Security

Both IPSG based on a static binding table and port security support MAC and interface binding. Table 11-5 lists their differences.

Table 11-5  Differences between IPSG and port security

| Feature | Description | Usage Scenario |
| --- | --- | --- |
| IPSG | Binds MAC addresses to interfaces in the binding table so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the binding table cannot go online through the device. The binding entries are manually configured. If a network has a large number of hosts, the configuration workload is heavy. | In addition to binding MAC addresses to interfaces, IPSG can bind IP addresses, MAC addresses, VLANs, and interfaces flexibly. IPSG prevents IP address spoofing attacks. For example, a malicious host steals an authorized host's IP address to access or attack the network. |
| Port security | Converts the limited number of dynamic MAC entries learned by interfaces into secure MAC entries, so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the MAC address table cannot go online through the device. Secure MAC entries are dynamically generated. | Port security prevents access of unauthorized hosts and limits the number of access hosts. It is applicable to networks with a large number of hosts. If you need only to prevent hosts with unauthorized MAC addresses from communicating with each other and a large number of hosts reside on the network, port security is recommended. |

IPSG does not fix MAC entries. Therefore, it cannot prevent MAC address flapping caused by incorrect MAC entry updates. In Figure 11-8, when a malicious host sends data (for example, bogus ARP packets) to the switch by using an authorized host's MAC address, the switch incorrectly updates the MAC address table. As a result, the malicious host can intercept the packets destined for the authorized host.

Figure 11-8  Incorrect MAC address table update

To solve the MAC address flapping problem, you can configure the
device to generate snooping MAC entries based on binding tables.

For details about port security, see Port Security Configuration.

IPSG, DAI, static ARP, and port security resolve different issues and
meet different requirements. To improve network security, it is
recommended that you configure them according to your requirements.


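The contrast drawn in the answers above, as a simplified Python model added here for illustration (it is not part of any post and is not Huawei code). The `Switch` class, the sample addresses, and the rule that the IPSG check applies to IP packets only are assumptions of the model; it shows IPSG dropping a stolen IP address while a bogus ARP frame still moves the MAC entry, and port security doing the opposite.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    bindings: set = field(default_factory=set)        # IPSG static entries: (ip, mac, vlan, port)
    secure_limit: dict = field(default_factory=dict)  # port security: port -> max secure MACs
    mac_table: dict = field(default_factory=dict)     # mac -> (port, "dynamic" or "secure")

    def receive(self, port, mac, ip=None, vlan=10):
        """Process one ingress frame; ip=None means a non-IP frame such as ARP."""
        entry = self.mac_table.get(mac)
        # A secure MAC entry is fixed to its port and is never relearned elsewhere.
        if entry and entry[1] == "secure" and entry[0] != port:
            return "drop"
        # IPSG (model assumption): only IP packets are matched against the binding table.
        if self.bindings and ip is not None and (ip, mac, vlan, port) not in self.bindings:
            return "drop"
        if port in self.secure_limit:
            if not (entry and entry[1] == "secure"):
                used = sum(1 for p, kind in self.mac_table.values()
                           if p == port and kind == "secure")
                if used >= self.secure_limit[port]:
                    return "drop"                      # limit on access hosts reached
                self.mac_table[mac] = (port, "secure")
        else:
            self.mac_table[mac] = (port, "dynamic")    # ordinary learning, can be overwritten
        return "forward"

# Constructed sample hosts: authorized host on port 1, malicious host on port 2.
VICTIM = ("10.0.0.5", "00e0-fc00-0001")
ATTACKER_MAC = "00e0-fc00-0002"

def run(switch):
    ip, mac = VICTIM
    results = {
        "victim_ip": switch.receive(1, mac, ip),
        "spoofed_ip": switch.receive(2, ATTACKER_MAC, ip),  # stolen IP, own MAC
        "bogus_arp": switch.receive(2, mac),                # stolen MAC, non-IP frame
    }
    results["victim_mac_port"] = switch.mac_table[mac][0]   # where traffic to the victim goes
    return results

def ipsg_only():
    return run(Switch(bindings={(VICTIM[0], VICTIM[1], 10, 1)}))

def port_security_only():
    return run(Switch(secure_limit={1: 1, 2: 1}))

if __name__ == "__main__":
    print("IPSG only:         ", ipsg_only())
    print("Port security only:", port_security_only())
```

With IPSG alone the victim's MAC entry ends up on port 2 (the flapping case in Figure 11-8); with port security alone the entry stays on port 1 but the spoofed source IP is forwarded.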
