Hi friend.
There are two methods to prevent IP address spoofing:
Method 1: IP Binding Table
In the IP address binding table, you can bind an IP address to each service port. After the binding succeeds, the device allows only the upstream packets whose source IP address is the bound IP address to pass through.
In V800R010, the number of IP addresses that can be bound to a service port is limited due to resource limitations.
A service port can be bound with a maximum of eight full IPv4 addresses or a maximum of four IPv6 address prefixes (the prefix length cannot exceed 64). For a hybrid service virtual port that supports both IPv4 and IPv6 services, the IPv4 and IPv6 bindings share the same resources, and one IPv6 address prefix occupies the space of two full IPv4 addresses. Therefore, the binding can be performed only within the allowed range.
Currently, V800R010 does not support the binding of IPv4 prefixes and full IPv6 addresses. However, V800R012 supports the binding of IPv4 prefixes and full IPv6 addresses.
The address binding table can be implemented in two ways: static configuration and dynamic configuration (DHCP snooping).
The following is an example of static configuration:
MA5600T(config)#bind ip service-port 1 192.168.1.1
The anti-IP spoofing function must be enabled for dynamic configuration.
(The anti-IP spoofing function is controlled by three switches: global config mode, VLAN service profile mode, and service flow. The anti-IP spoofing function takes effect only when all three switches are enabled.)
After this function is enabled, the system automatically binds IP addresses to users.
The following is a dynamic configuration example:
MA5600T(config)#security anti-ipspoofing enable
MA5600T(config)#vlan service-profile profile-id 10
MA5600T(config-vlan-srvprof-10)#security anti-ipspoofing enable
MA5600T(config-vlan-srvprof-10)#commit
MA5600T(config-vlan-srvprof-10)#quit
MA5600T(config)#vlan bind service-profile 10 profile-id 10
MA5600T(config)#security anti-ipspoofing service-port 1 enable
Method 2: Access Control List
ACLs can only be bound to IP addresses based on physical ports. Also, the system supports a maximum of 128 ACLs, and a maximum of 32 rules can be created for each ACL. To use ACLs, disable the anti-IP spoofing function.
The configuration example is as follows:
acl 2000
rule 5 deny
rule 10 permit source 192.168.1.1 0
rule 20 permit source 172.16.1.0 0.0.0.128
rule 30 permit source 172.17.1.0 0.0.0.128
rule 40 permit source 172.18.1.0 0.0.0.128
rule 50 permit source 172.19.1.0 0.0.0.128
acl 4000
rule 5 deny source 10
rule 10 permit source 10
packet-filter inbound ip-group 2000 rule 5 link-group 4000 rule 5 port 0/1/0
packet-filter inbound ip-group 2000 rule 10 rule 20 rule 30 rule 40 rule 50 link-group 4000 rule 10 port 0/1/0
I hope I can help you!
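As an added example that is not part of the reply above or of any Huawei documentation: the ACL in Method 2 relies on wildcard masks, and a wildcard such as 0.0.0.128 matches far fewer hosts than a casual reader might expect (a 1 bit in the wildcard means "don't care", so 172.16.1.0 0.0.0.128 covers only 172.16.1.0 and 172.16.1.128, whereas 0.0.0.127 covers the whole /25). The script below re-implements wildcard matching in Python, loads a constructed copy of the ACL 2000 rules from the reply, and reports which sources would be permitted. It models the intent of the configuration (permit if any permit rule with a source matches, otherwise the catch-all deny applies); the device's own rule precedence when several rules are bound to one port is not modelled and should be checked against the product manual.

```python
import ipaddress

def _wildcard_int(wildcard: str) -> int:
    """Parse a Huawei-style wildcard; the CLI accepts a bare '0' for 0.0.0.0 (exact host)."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return int(ipaddress.IPv4Address(wildcard))

def wildcard_matches(rule_addr: str, wildcard: str, src: str) -> bool:
    """True if src falls inside rule_addr/wildcard.

    Wildcard semantics: bit set to 1 means 'don't care', 0 means 'must match'.
    So we compare only the bits where the wildcard is 0.
    """
    care = 0xFFFFFFFF ^ _wildcard_int(wildcard)
    return (int(ipaddress.IPv4Address(src)) & care) == \
           (int(ipaddress.IPv4Address(rule_addr)) & care)

def wildcard_size(wildcard: str) -> int:
    """Number of addresses a wildcard covers: 2 ** (count of 'don't care' bits)."""
    return 1 << bin(_wildcard_int(wildcard)).count("1")

# Constructed copy of 'acl 2000' from the reply: (rule_id, action, source, wildcard).
# Rule 5 has no source clause, so it matches every packet (the catch-all deny).
ACL_2000 = [
    (5,  "deny",   None,          None),
    (10, "permit", "192.168.1.1", "0"),
    (20, "permit", "172.16.1.0",  "0.0.0.128"),
    (30, "permit", "172.17.1.0",  "0.0.0.128"),
    (40, "permit", "172.18.1.0",  "0.0.0.128"),
    (50, "permit", "172.19.1.0",  "0.0.0.128"),
]

def matching_rules(src: str, rules=ACL_2000) -> list:
    """Rule IDs whose source clause (or absence of one) matches src."""
    return [rid for rid, _action, addr, wc in rules
            if addr is None or wildcard_matches(addr, wc, src)]

def permitted(src: str, rules=ACL_2000) -> bool:
    """Intent of the post's configuration: allowed only if an explicit permit matches."""
    return any(action == "permit" and addr is not None and wildcard_matches(addr, wc, src)
               for _rid, action, addr, wc in rules)

def covered_hosts(rule_addr: str, wildcard: str) -> list:
    """Enumerate every address a small wildcard actually admits (for sanity checks)."""
    base = int(ipaddress.IPv4Address(rule_addr))
    care = 0xFFFFFFFF ^ _wildcard_int(wildcard)
    return sorted(str(ipaddress.IPv4Address(a))
                  for a in range(0, 1 << 32, 1)
                  if False) or sorted(
        str(ipaddress.IPv4Address((base & care) | bits))
        for bits in _dont_care_combinations(_wildcard_int(wildcard)))

def _dont_care_combinations(wild: int):
    """Yield every combination of the bits that are set in the wildcard."""
    positions = [i for i in range(32) if wild >> i & 1]
    for n in range(1 << len(positions)):
        yield sum(1 << positions[k] for k in range(len(positions)) if n >> k & 1)

if __name__ == "__main__":
    for src in ("192.168.1.1", "172.16.1.5", "172.16.1.128", "10.0.0.1"):
        print(src, "rules:", matching_rules(src), "permitted:", permitted(src))
    print("0.0.0.128 covers", wildcard_size("0.0.0.128"), "hosts:",
          covered_hosts("172.16.1.0", "0.0.0.128"))
    print("0.0.0.127 covers", wildcard_size("0.0.0.127"), "hosts")
```

Running it shows that 172.16.1.5 is not permitted by rule 20 as written, while 172.16.1.128 is; if the intent was to admit the whole 172.16.1.0/25 range, the wildcard on rules 20 to 50 needs to be 0.0.0.127. Enumerating the covered hosts before binding a packet-filter is a cheap way to catch this on any platform that uses wildcard masks.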