10-Security Configuration Guide

03-IP source guard configuration

Overview

IP source guard is a security feature. It is usually configured on a user access interface to help prevent spoofing attacks, in which an attacker uses, for example, the IP address of a valid host, to access the network.

As shown in Figure 1, after you configure IP source guard on an interface, the interface filters received packets according to the IP source guard entries and forwards only the packets that match one of the entries.

Figure 1 Diagram for the IP source guard function

 

IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag. It supports these types of binding entries:

·           IP-interface binding entry

·           IP-MAC-interface binding entry

·           IP-VLAN-interface binding entry

·           IP-MAC-VLAN-interface binding entry

A binding entry for IP source guard can be statically configured or dynamically added.

 

 

NOTE:

IP source guard is a per-interface packet filter. The IP source guard function configured on one interface does not affect packet forwarding on another interface.

 

Static IP source guard entries

Static binding entries are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static binding entry on an interface that connects a server, allowing the interface to receive packets only from the server.

IP source guard uses static IPv4 binding entries on an interface to filter IPv4 packets received by the interface, or cooperates with the ARP detection feature to check user validity.

For information about ARP detection, see "Configuring ARP attack protection."

Dynamic IP source binding entries

IP source guard can automatically obtain user information from other modules to generate binding entries. Such binding entries are referred to as dynamic binding entries. The modules that provide dynamic binding information for IP source guard include DHCP relay, DHCP snooping, and DHCP server.

Dynamic IP source guard is suitable for scenarios where many hosts reside on a LAN and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a host on the LAN, the DHCP snooping device or DHCP relay agent generates a DHCP snooping entry or DHCP relay entry. IP source guard automatically adds an IP source binding entry according to the DHCP snooping or DHCP relay entry to allow the user to access the network. If a user specifies an IP address manually, no DHCP entry is generated and IP source guard cannot add a binding entry for the user. Therefore, packets of the user will be dropped.

On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with different modules to generate binding entries dynamically:

·           On a Layer 2 Ethernet port, IP source guard can cooperate with DHCP snooping, obtain the DHCP snooping entries generated when hosts dynamically obtain IP addresses, and generate IPv4 binding entries accordingly to filter packets.

·           On a Layer 3 Ethernet interface or VLAN interface, IP source guard can cooperate with the DHCP relay agent, obtain the DHCP relay entries generated when hosts obtain IP addresses across subnets, and generate IPv4 binding entries accordingly to filter packets.

·           On a Layer 3 Ethernet interface or VLAN interface, IP source guard can also cooperate with the DHCP server. It generates dynamic binding entries according to the user information recorded by the DHCP server during IP address allocation. Such binding entries do not filter packets directly but help other modules (such as the ARP detection module) to provide security services.

For information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services Configuration Guide.

IP source guard configuration task list 

To configure IPv4 source guard, perform the following tasks:

 

Tasks at a glance

(Required.) Enabling IPv4 source guard on an interface

(Optional.) Configuring a static IPv4 source guard entry on an interface

 

To configure IPv6 source guard, perform the following tasks:

 

Tasks at a glance

(Required.) Enabling IPv6 source guard on an interface

(Optional.) Configuring a static IPv6 source guard entry on an interface

 

Configuring the IPv4 source guard function 

Enabling IPv4 source guard on an interface 

You must first enable the IPv4 source guard function on an interface before the interface can obtain dynamic IPv4 binding entries and use static and dynamic IPv4 binding entries to filter packets or help other modules to provide security services.

All the fields in a static IPv4 binding entry are used by IP source guard to filter packets. For information about how to configure a static IPv4 binding entry, see "Configuring a static IPv4 source guard entry on an interface."

Dynamic IPv4 binding entries can contain such information as the MAC address, IPv4 address, VLAN tag, ingress interface information, and entry type (such as DHCP snooping and DHCP relay). Which information in an entry is used by IP source guard to filter IPv4 packets is determined by the IPv4 source guard configuration on the interface:

·           If you bind both the source IP address and the source MAC address on the interface, the interface forwards a received packet only when the packet's source IP address and source MAC address both match a dynamic binding entry. If no match is found, the packet is dropped.

·           If you bind only the source IP address on the interface, the interface forwards a packet as long as the packet's source IP address matches a dynamic binding entry, whatever its source MAC address. If no match is found, the packet is dropped. Because the MAC address is not checked in this mode, a host reachable through the same interface can pass traffic by spoofing only the IP address of a bound host; bind the MAC address as well where more than one host can send traffic through the interface.

To implement dynamic IPv4 source guard, make sure the DHCP snooping or DHCP relay function works normally on the network.
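The matching rules described above, as an added illustration that is not part of this guide or of H3C's software: a small Python model of one switch's IP source guard decision. The interface names, addresses, DHCP snooping entry and packets in it are constructed for the example. It shows that a static entry is compared on every field it carries, that under ip-address-only verification a spoofed source IP with a different MAC is forwarded while ip-address mac-address drops it, that a host with a manually configured address is dropped on a dynamic-binding interface, and that entries on one interface never affect another.

```python
"""Model of how an interface with IP source guard decides to forward or drop.

Added illustration for this page, not H3C code; it does not talk to a switch.
A guarded interface forwards a received packet only if it matches a binding
entry on that interface. A static entry is compared on every field it carries.
A dynamic entry (here derived from a DHCP snooping entry) is compared on the
source IP alone under `ip verify source ip-address`, and on source IP and
source MAC under `ip verify source ip-address mac-address`. Interfaces,
addresses, leases and packets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STATIC = "Static"
DHCP_SNOOPING = "DHCP snooping"


@dataclass(frozen=True)
class Binding:
    interface: str
    ip: str
    mac: Optional[str] = None    # None: entry carries no MAC address
    vlan: Optional[int] = None   # None: entry carries no VLAN
    kind: str = STATIC


@dataclass(frozen=True)
class Packet:
    interface: str               # ingress interface
    src_ip: str
    src_mac: str
    vlan: Optional[int] = None


@dataclass
class GuardedInterface:
    """State of `ip verify source ip-address [mac-address]` on one interface."""
    name: str
    verify_mac: bool             # True when the mac-address keyword is present
    entries: List[Binding]


def bindings_from_dhcp_snooping(interface: str, snooping_entries) -> List[Binding]:
    """Derive dynamic bindings from DHCP snooping entries (ip, mac, vlan).

    A host that set its address by hand never obtains a lease, so it gets no
    entry here and its packets are dropped, as the page states.
    """
    return [Binding(interface, ip, mac, vlan, DHCP_SNOOPING)
            for ip, mac, vlan in snooping_entries]


def entry_matches(entry: Binding, pkt: Packet, verify_mac: bool) -> bool:
    if entry.interface != pkt.interface or entry.ip != pkt.src_ip:
        return False
    if entry.kind == STATIC:
        # Every field a static entry carries is checked.
        if entry.mac is not None and entry.mac != pkt.src_mac:
            return False
        return entry.vlan is None or entry.vlan == pkt.vlan
    # Dynamic entry: the interface setting decides whether the MAC is compared.
    return not verify_mac or entry.mac == pkt.src_mac


def forwards(pkt: Packet, guards: Dict[str, GuardedInterface]) -> bool:
    """Return True if the ingress interface forwards pkt.

    IP source guard is per interface: an interface without the feature
    forwards everything, and entries on one interface never affect another.
    """
    guard = guards.get(pkt.interface)
    if guard is None:
        return True
    return any(entry_matches(e, pkt, guard.verify_mac) for e in guard.entries)


def build_demo(verify_mac: bool) -> Dict[str, GuardedInterface]:
    """Constructed topology: GE3/0/1 is a DHCP access port, GE3/0/2 carries one
    static entry for a server, GE3/0/3 has no IP source guard at all."""
    leases = [("192.168.0.10", "0001-0203-0406", 1)]   # constructed snooping entry
    return {
        "GE3/0/1": GuardedInterface("GE3/0/1", verify_mac,
                                    bindings_from_dhcp_snooping("GE3/0/1", leases)),
        "GE3/0/2": GuardedInterface("GE3/0/2", True,
                                    [Binding("GE3/0/2", "192.168.0.3", "0001-0203-0405")]),
    }


if __name__ == "__main__":
    probes = {
        "DHCP client, own MAC":     Packet("GE3/0/1", "192.168.0.10", "0001-0203-0406", 1),
        "host with manual IP":      Packet("GE3/0/1", "192.168.0.20", "0001-0203-0407", 1),
        "spoofed IP, attacker MAC": Packet("GE3/0/1", "192.168.0.10", "0001-0203-0407", 1),
        "server IP on access port": Packet("GE3/0/1", "192.168.0.3", "0001-0203-0405", 1),
        "unguarded port":           Packet("GE3/0/3", "10.0.0.1", "0001-0203-0408"),
    }
    for verify_mac in (False, True):
        guards = build_demo(verify_mac)
        print("GE3/0/1: ip verify source ip-address" + (" mac-address" if verify_mac else ""))
        for label, pkt in probes.items():
            print(f"  {label:26} -> {'forward' if forwards(pkt, guards) else 'drop'}")
```

Running the script prints the decision for each probe twice, once per verification mode; the only row that changes between the two runs is the spoofed-IP packet, which is exactly the difference between the two forms of the ip verify source command.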

To enable the IPv4 source guard function on an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

These types of interfaces are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface, Layer 3 aggregate interface.

3.     Enable the IPv4 source guard function.

ip verify source ip-address [ mac-address ]

By default, the function is disabled on an interface.

If you configure this command on an interface multiple times, the most recent configuration takes effect.

 

Configuring a static IPv4 source guard entry on an interface 

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

These types of interfaces are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface.

3.     Configure a static IPv4 binding entry.

ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ]

By default, no static IPv4 binding entry is configured on an interface.

The vlan keyword is supported on only Layer 2 Ethernet ports.

You cannot configure the same static binding entry twice on one interface, but you can configure the same static binding entry on different interfaces.

 

Configuring the IPv6 source guard function 

When you configure the IPv6 source guard function, configure the acl hardware-mode ipv6 enable command first. For information about the command, see ACL and QoS Command Reference.

Enabling IPv6 source guard on an interface 

The IPv6 source guard function on an interface enables the interface to use static and dynamic IPv6 binding entries to filter packets.

All the fields in a static IPv6 binding entry are used by IP source guard to filter packets. For information about how to configure a static IPv6 binding entry, see "Configuring a static IPv6 source guard entry on an interface."

Dynamic IPv6 binding entries can contain such information as the MAC address, IPv6 address, VLAN tag, ingress interface information, and entry type. Which information in an entry is used by IP source guard to filter IPv6 packets is determined by the IPv6 source guard configuration on the interface:

·           If you bind both the source IP address and the source MAC address on the interface, the interface forwards a received packet only when the packet's source IPv6 address and source MAC address both match a dynamic binding entry. If no match is found, the packet is dropped.

·           If you bind only the IP address on the interface, the interface forwards a packet as long as the packet's source IPv6 address matches a dynamic binding entry. If no match is found, the packet is dropped.

To enable the IPv6 source guard function on an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

These types of interfaces are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface, Layer 3 aggregate interface.

3.     Enable the IPv6 source guard function.

ipv6 verify source ip-address [ mac-address ]

By default, the function is disabled on an interface.

If you configure this command on an interface multiple times, the most recent configuration takes effect.

 

Configuring a static IPv6 source guard entry on an interface 

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

These types of interfaces are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface.

3.     Configure a static IPv6 binding entry.

ipv6 source binding ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ]

By default, no static IPv6 binding entry is configured on an interface.

The vlan keyword is supported on only Layer 2 Ethernet ports.

The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.

The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.

You cannot configure the same static binding entry twice on one interface, but you can configure the same static binding entry on different interfaces.
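Before pushing static entries, a practitioner typically wants the commands generated from an inventory and checked against the constraints listed in the two static-entry tables above. The following Python script is an added example; it is not H3C code or a tool described in this guide. Its inventory is constructed, and it applies the MAC address constraints stated for IPv6 entries (not all 0s, not all Fs, not multicast) to IPv4 entries as well, which is this example's own conservative assumption. It also emits acl hardware-mode ipv6 enable when any IPv6 entry is present, as the IPv6 section above requires.

```python
"""Generate static IP source guard bindings and check them before they are pushed.

Added example for this page; it is not H3C code or a tool the page describes.
It turns an intended host inventory into the `ip source binding` and
`ipv6 source binding` commands documented above and refuses entries the page
says the switch will not accept: an IPv6 address that is all zeros, multicast
or loopback; a MAC address that is all 0s, all Fs or multicast; the `vlan`
keyword on anything but a Layer 2 Ethernet port; and the same entry twice on
one interface. The page states the address and MAC constraints for IPv6
entries; applying the MAC checks to IPv4 entries too is this example's own
conservative assumption. The inventory at the bottom is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional


def to_hhh(mac: str) -> str:
    """Normalise 00-01-02-02-02-02, 00:01:02:02:02:02 or 0001-0202-0202 to H-H-H."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def check_mac(mac_hhh: str) -> None:
    if mac_hhh == "0000-0000-0000":
        raise ValueError("MAC address is all 0s")
    if mac_hhh == "ffff-ffff-ffff":
        raise ValueError("MAC address is all Fs (broadcast)")
    if int(mac_hhh[:2], 16) & 0x01:          # I/G bit set: group (multicast) address
        raise ValueError("MAC address is a multicast address")


def check_address(ip: str) -> int:
    """Return the IP version; reject IPv6 addresses the switch will not bind."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and (addr == ipaddress.IPv6Address("::")
                              or addr.is_multicast or addr.is_loopback):
        raise ValueError(f"IPv6 address not allowed in a binding entry: {ip}")
    return addr.version


def binding_command(ip: str, mac: Optional[str], vlan: Optional[int], is_l2_port: bool) -> str:
    """Build one `ip source binding` / `ipv6 source binding` command."""
    cmd = ("ipv6" if check_address(ip) == 6 else "ip") + f" source binding ip-address {ip}"
    if mac is not None:
        mac_hhh = to_hhh(mac)
        check_mac(mac_hhh)
        cmd += f" mac-address {mac_hhh}"
    if vlan is not None:
        if not is_l2_port:
            raise ValueError("the vlan keyword is supported only on Layer 2 Ethernet ports")
        cmd += f" vlan {vlan}"
    return cmd


def render_config(inventory: List[dict]) -> List[str]:
    """Rows: interface, ip, optional mac, optional vlan, l2 (True for a Layer 2 port).

    Entries are grouped per interface. A duplicate entry on one interface is
    refused; the same entry on different interfaces is allowed, as documented.
    """
    per_if: Dict[str, List[dict]] = {}
    for row in inventory:
        per_if.setdefault(row["interface"], []).append(row)
    lines = ["system-view"]
    for interface, rows in per_if.items():
        cmds: List[str] = []
        for row in rows:
            cmd = binding_command(row["ip"], row.get("mac"), row.get("vlan"), row.get("l2", True))
            if cmd in cmds:
                raise ValueError(f"duplicate static entry on {interface}: {cmd}")
            cmds.append(cmd)
        # Mirror the page's examples: enable the feature with the mac-address
        # keyword when the interface's entries carry MAC addresses.
        keyword = " mac-address" if any(r.get("mac") for r in rows) else ""
        families = sorted({c.split()[0] for c in cmds})      # "ip" and/or "ipv6"
        lines.append(f"interface {interface}")
        lines.extend(f" {fam} verify source ip-address{keyword}" for fam in families)
        lines.extend(f" {c}" for c in cmds)
        lines.append(" quit")
    if any(l.lstrip().startswith("ipv6 ") for l in lines):
        lines.insert(1, "acl hardware-mode ipv6 enable")   # required before IPv6 source guard
    return lines


INVENTORY = [   # constructed; follows the layout of the configuration examples below
    {"interface": "GigabitEthernet 3/0/1", "ip": "192.168.0.1", "mac": "00-01-02-03-04-06"},
    {"interface": "GigabitEthernet 3/0/2", "ip": "192.168.0.3", "mac": "0001-0203-0405"},
    {"interface": "GigabitEthernet 3/0/3", "ip": "2001::1", "mac": "00:01:02:02:02:02", "vlan": 10},
]

if __name__ == "__main__":
    print("\n".join(render_config(INVENTORY)))
```

The script raises on the first bad row rather than emitting a partial configuration, so a typo in the inventory is caught before any command reaches the switch.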

 

Displaying and maintaining IP source guard

Execute display commands in any view and reset commands in user view.

For IPv4 source guard:

 

Task

Command

Display IPv4 binding entries (in standalone mode).

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Display IPv4 binding entries (in IRF mode).

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Clear IPv4 binding entries.

reset ip source binding [ static [ ip-address ip-address ] | [ vpn-instance vpn-instance-name ] [ { dhcp-relay | dhcp-server | dhcp-snooping | dot1x } [ ip-address ip-address ] ] ]

 

For IPv6 source guard:

 

Task

Command

Display IPv6 binding entries (in standalone mode).

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Display IPv6 binding entries (in IRF mode).

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Clear IPv6 binding entries.

reset ipv6 source binding [ static [ ip-address ipv6-address ] | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping [ ip-address ipv6-address ] ] ]

 

IP source guard configuration examples

By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are down. To configure such interfaces, use the undo shutdown command to bring them up.

Static IPv4 source guard configuration example

Network requirements

Configure static IPv4 source guard entries on Switch A and Switch B to meet the following requirements:

·           On port GigabitEthernet 3/0/2 of Switch A, only IP packets from Host C can pass.

·           On port GigabitEthernet 3/0/1 of Switch A, only IP packets from Host A can pass.

·           On port GigabitEthernet 3/0/2 of Switch B, only IP packets from Host A can pass.

·           On port GigabitEthernet 3/0/1 of Switch B, only IP packets from Host B can pass.

Figure 2 Network diagram

 

Configuration procedure

1.      Configure Switch A:

# Configure IP addresses for the interfaces. (Details not shown.)

# Enable IPv4 source guard on port GigabitEthernet 3/0/2.

<SwitchA> system-view

[SwitchA] interface GigabitEthernet 3/0/2

[SwitchA-GigabitEthernet3/0/2] ip verify source ip-address mac-address

# On GigabitEthernet 3/0/2, configure a static IPv4 source guard entry to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.

[SwitchA-GigabitEthernet3/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405

[SwitchA-GigabitEthernet3/0/2] quit

# Enable IPv4 source guard on port GigabitEthernet 3/0/1.

[SwitchA] interface GigabitEthernet 3/0/1

[SwitchA-GigabitEthernet3/0/1] ip verify source ip-address mac-address

# On GigabitEthernet 3/0/1, configure a static IPv4 source guard entry to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.

[SwitchA-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406

[SwitchA-GigabitEthernet3/0/1] quit

2.      Configure Switch B:

# Configure an IP address for each interface. (Details not shown.)

# Enable IPv4 source guard on port GigabitEthernet 3/0/2.

<SwitchB> system-view

[SwitchB] interface GigabitEthernet 3/0/2

[SwitchB-GigabitEthernet3/0/2] ip verify source ip-address mac-address

# On GigabitEthernet 3/0/2, configure a static IPv4 source guard entry to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.

[SwitchB-GigabitEthernet3/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406

[SwitchB-GigabitEthernet3/0/2] quit

# Enable IPv4 source guard on port GigabitEthernet 3/0/1.

[SwitchB] interface GigabitEthernet 3/0/1

[SwitchB-GigabitEthernet3/0/1] ip verify source ip-address mac-address

# On GigabitEthernet 3/0/1, configure a static IPv4 source guard entry to allow only IP packets with the source MAC address of 0001-0203-0407 and the source IP address of 192.168.0.2 to pass.

[SwitchB-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0407

[SwitchB-GigabitEthernet3/0/1] quit

3.      Verify the configuration:

# Display static IPv4 source guard entries on Switch A. The output shows that the static IPv4 source guard entries are configured successfully.

<SwitchA> display ip source binding static

Total entries found: 2

IP Address      MAC Address    Interface                VLAN Type

192.168.0.1     0001-0203-0406 GE3/0/1                   N/A  Static

192.168.0.3     0001-0203-0405 GE3/0/2                   N/A  Static

# Display static IPv4 source guard entries on Switch B. The output shows that the static IPv4 source guard entries are configured successfully.

<SwitchB> display ip source binding static

Total entries found: 2

IP Address      MAC Address    Interface                VLAN Type

192.168.0.1     0001-0203-0406 GE3/0/2                   N/A  Static

192.168.0.2     0001-0203-0407 GE3/0/1                   N/A  Static
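The display output above confirms a row count; a practitioner also wants to know that each entry sits on the intended interface with the intended IP/MAC pair, and that nothing is bound that nobody intended. The following Python script is an added example, not H3C code: it parses the display ip source binding table format shown above and diffs it against the intended bindings. Its sample output and intent are constructed, with one row deliberately on the wrong interface.

```python
"""Audit `display ip source binding static` output against the intended bindings.

Added example for this page; not H3C code. After static entries are pushed,
the row count alone says little: each entry should sit on the interface it was
meant for, with the intended IP/MAC pair, and nothing should be bound that
nobody intended. This parses the table layout shown above (IP Address, MAC
Address, Interface, VLAN, Type) and reports entries that are missing,
unexpected, or on the wrong interface. The CLI output and intent below are
constructed for the example; one row deliberately disagrees with the intent.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Entry(NamedTuple):
    ip: str
    mac: str          # H-H-H form, or N/A for an entry without a MAC address
    interface: str    # short display form, e.g. GE3/0/2 or Vlan100
    vlan: str         # N/A when the entry carries no VLAN
    type: str         # Static, DHCP snooping, DHCP relay, ...


ROW_RE = re.compile(r"^(\S+)\s+(N/A|[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})"
                    r"\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

# Long names used in interface view -> the abbreviation the display command prints.
SHORT_NAMES = {"GigabitEthernet": "GE", "Vlan-interface": "Vlan"}


def parse_display(output: str) -> List[Entry]:
    """Keep only table rows; the 'Total entries found' and header lines do not match."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Entry(*m.groups()))
    return rows


def short_ifname(name: str) -> str:
    m = re.match(r"^([A-Za-z-]+)\s*(\S+)$", name.strip())
    if not m:
        return name
    return SHORT_NAMES.get(m.group(1), m.group(1)) + m.group(2)


def audit(intended: Set[Tuple[str, str, str]], output: str) -> Dict[str, List[str]]:
    """intended holds (interface as configured, ip, mac) triples."""
    want = {(short_ifname(i), ip, mac.lower()) for i, ip, mac in intended}
    have = {(e.interface, e.ip, e.mac.lower())
            for e in parse_display(output) if e.type == "Static"}
    findings: Dict[str, List[str]] = {"missing": [], "unexpected": []}
    for iface, ip, mac in sorted(want - have):
        findings["missing"].append(f"{ip} {mac} expected on {iface}")
    for iface, ip, mac in sorted(have - want):
        elsewhere = [w[0] for w in want if w[1:] == (ip, mac)]
        note = f" (intended for {elsewhere[0]})" if elsewhere else ""
        findings["unexpected"].append(f"{ip} {mac} on {iface}{note}")
    return findings


INTENDED = {   # constructed intent, in the form the entries were configured
    ("GigabitEthernet 3/0/2", "192.168.0.3", "0001-0203-0405"),
    ("GigabitEthernet 3/0/1", "192.168.0.1", "0001-0203-0406"),
}

SAMPLE_OUTPUT = """\
Total entries found: 2
IP Address      MAC Address    Interface                VLAN Type
192.168.0.3     0001-0203-0405 GE3/0/1                   N/A  Static
192.168.0.1     0001-0203-0406 GE3/0/1                   N/A  Static
"""   # constructed: 192.168.0.3 landed on GE3/0/1 instead of GE3/0/2

if __name__ == "__main__":
    for category, items in audit(INTENDED, SAMPLE_OUTPUT).items():
        for item in items:
            print(f"{category}: {item}")
```

Only rows of type Static are compared, so dynamic entries learned from DHCP on the same switch do not show up as unexpected; run the script against the saved output of each switch after the procedure above and treat any finding as a configuration error to fix before the ports go live.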

Dynamic IPv4 source guard using DHCP snooping configuration example 

Network requirements

As shown in Figure 3, the host (the DHCP client) is connected to port GigabitEthernet 3/0/1 of the switch, and obtains an IP address from the DHCP server. The DHCP server is connected to port GigabitEthernet 3/0/2 of the switch.

Enable DHCP snooping on the switch, so that the host can obtain an IPv4 address from the valid DHCP server and the IPv4 address and the MAC address of the host can be recorded in a DHCP snooping entry.

Enable dynamic IPv4 source guard on port GigabitEthernet 3/0/1 to filter received packets based on DHCP snooping entries, allowing only packets from a client that obtains an IP address from the DHCP server to pass.

Figure 3 Network diagram

 

Configuration procedure

1.      Configure the DHCP server:

For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.

2.      Configure DHCP snooping on the switch:

# Configure IP addresses for the interfaces. (Details not shown.)

# Enable DHCP snooping.

<Switch> system-view

[Switch] dhcp snooping enable

# Configure port GigabitEthernet 3/0/2 as a trusted port.

[Switch] interface GigabitEthernet 3/0/2

[Switch-GigabitEthernet3/0/2] dhcp snooping trust

[Switch-GigabitEthernet3/0/2] quit

3.      Enable IPv4 source guard on port GigabitEthernet 3/0/1 to filter packets based on both the source IP address and the MAC address:

[Switch] interface GigabitEthernet 3/0/1

[Switch-GigabitEthernet3/0/1] ip verify source ip-address mac-address

[Switch-GigabitEthernet3/0/1] quit

4.      Verify the configuration:

# Display dynamic IPv4 source guard entries obtained from DHCP snooping.

[Switch] display ip source binding dhcp-snooping

Total entries found: 1

IP Address      MAC Address    Interface                VLAN Type

192.168.0.1     0001-0203-0406 GE3/0/1                   1    DHCP snooping

The output shows that IP source guard has generated a dynamic IPv4 binding entry on port GigabitEthernet 3/0/1 based on the DHCP snooping entry.

Dynamic IPv4 source guard using DHCP relay configuration example 

Network requirements

DHCP relay is enabled on the switch. The host obtains an IP address from the DHCP server through the DHCP relay agent.

Enable dynamic IPv4 source guard on VLAN-interface 100 to filter received packets based on the DHCP relay entry generated on the switch.

Figure 4 Network diagram

 

Configuration procedure

1.      Configure dynamic IPv4 source guard:

# Configure IP addresses for the interfaces. (Details not shown.)

# Enable IPv4 source guard on VLAN-interface 100 to filter packets based on both the source IP address and the MAC address.

<Switch> system-view

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ip verify source ip-address mac-address

[Switch-Vlan-interface100] quit

2.      Configure the DHCP relay agent:

# Enable the DHCP service.

[Switch] dhcp enable

# Enable recording DHCP relay client entries.

[Switch] dhcp relay client-information record

# Configure VLAN-interface 100 to work in DHCP relay mode.

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] dhcp select relay

# Specify the IP address of the DHCP server.

[Switch-Vlan-interface100] dhcp relay server-address 10.1.1.1

[Switch-Vlan-interface100] quit

3.      Verify the configuration:

# Display dynamic IPv4 source guard entries.

[Switch] display ip source binding dhcp-relay

Total entries found: 1

IP Address      MAC Address    Interface                VLAN Type

192.168.0.1     0001-0203-0406 Vlan100                  N/A  DHCP relay

Static IPv6 source guard configuration example

Network requirements

Configure a static IPv6 source guard entry for GigabitEthernet 3/0/1 of the switch to allow only IPv6 packets from the host to pass.

Figure 5 Network diagram

 

Configuration procedure

# Enable IPv6 source guard on port GigabitEthernet 3/0/1.

<Switch> system-view

[Switch] interface GigabitEthernet 3/0/1

[Switch-GigabitEthernet3/0/1] ipv6 verify source ip-address mac-address

# On port GigabitEthernet 3/0/1, configure a static IPv6 source guard entry to allow only IPv6 packets with the source IPv6 address of 2001::1 and the source MAC address of 0001-0202-0202 to pass.

[Switch-GigabitEthernet3/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202

[Switch-GigabitEthernet3/0/1] quit

# Display static IPv6 source guard entries on the switch. The output shows that a static binding entry is configured successfully.

[Switch] display ipv6 source binding static

Total entries found: 1

IPv6 Address         MAC Address    Interface               VLAN Type

2001::1              0001-0202-0202 GE3/0/1                  N/A  Static

 

 
