10-Security Configuration Guide

13-IP Source Guard Configuration

NOTE:

You cannot enable IP source guard on a link aggregation member port or a service loopback port. If IP source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.


IP source guard overview

IP source guard is intended to work on an interface connecting users. It filters received packets to block illegal access to network resources, improving network security.

IP source guard supports filtering packets according to the source IP address and source MAC address, and the IP source guard binding entries are generated dynamically based on DHCP relay entries.

IP source guard binding entries are on a per-interface basis. A binding entry generated on an interface is effective only on the interface.

Configuring dynamic IP source guard binding

CAUTION:

·     After enabling IP source guard on a BFD session interface, you need to add DHCP relay entries manually on the interface.

·     You must configure the IP source guard function before enabling DHCP relay.


After the dynamic IP source guard binding function is enabled on an interface, IP source guard receives and processes the corresponding DHCP relay entries, which contain information such as MAC address, IP address, VLAN tag, port information, and entry type. It adds the obtained information to the dynamic IP source guard binding entries. The interface then filters packets according to those binding entries.

To configure dynamic IP source guard binding on an interface:

Step                                                          Command                                       Remarks

1. Enter system view.                                         system-view                                   N/A

2. Enter interface view.                                      interface interface-type interface-number     N/A

3. Configure the dynamic IP source guard binding function.    ip check source ip-address mac-address        Not configured by default


NOTE:

The dynamic IP source guard binding function can be configured on Layer 3 Ethernet interfaces and VLAN interfaces.


Displaying and maintaining IP source guard

Task                                                                  Command                                                                                                                                                                Remarks

Display information about dynamic IP source guard binding entries.    display ip check source [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ | { begin | exclude | include } regular-expression ]    Available in any view


IP source guard configuration example

Network requirements

As shown in Figure 1, Device A connects to Client A and the DHCP server through GigabitEthernet 3/1/2 and GigabitEthernet 3/1/1 respectively. DHCP relay is enabled on Device A.

·     Configure the dynamic IP source guard binding function on interface GigabitEthernet 3/1/2 to prevent illegal clients from using forged IP addresses to attack the server.

·     Client A (with the MAC address of 00-0e-0c-b5-08-09) obtains an IP address through the DHCP server.

·     On Device A, create a DHCP relay entry for Client A.

NOTE:

For how to configure a DHCP server, see Layer 3—IP Services Configuration Guide.


Figure 1 Network diagram


Configuration procedure

1.     Configure Device A

# Configure IP addresses for the interfaces. (Details not shown)

# Configure the dynamic IP source guard binding function on GigabitEthernet 3/1/2, binding the source IP address and source MAC address.

[DeviceA] interface GigabitEthernet 3/1/2

[DeviceA-GigabitEthernet3/1/2] ip check source ip-address mac-address

[DeviceA-GigabitEthernet3/1/2] quit

# Enable DHCP relay.

[DeviceA] dhcp enable

# Specify the IP address of the DHCP server.

[DeviceA] dhcp relay server-group 1 ip 10.1.1.1

# Configure GigabitEthernet 3/1/2 to work in DHCP relay mode.

[DeviceA] interface GigabitEthernet 3/1/2

[DeviceA-GigabitEthernet3/1/2] dhcp select relay

# Correlate GigabitEthernet 3/1/2 with DHCP server group 1.

[DeviceA-GigabitEthernet3/1/2] dhcp relay server-select 1

[DeviceA-GigabitEthernet3/1/2] quit

2.     Verify the configuration

Display the dynamic IP source guard binding entries obtained from DHCP relay entries on interface GigabitEthernet 3/1/2.

[DeviceA-GigabitEthernet3/1/2] display ip check source

Total entries found: 1

MAC               IP              Vlan   Port                   Status

000e-0cb5-0809    7.7.7.1         N/A    GigabitEthernet3/1/2   DHCP-RLY
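As an added illustration (not H3C's code and not part of this guide), the following Python parses the display ip check source output shown above into a per-interface binding table and applies the ip-address mac-address check to a few constructed packets, showing why a forged source IP, a spoofed MAC, or Client A's correct pair arriving on a different guarded interface is dropped. The packet list and the interface GigabitEthernet3/1/3 are assumptions made for the illustration.

```python
import re

# Constructed sample: the "display ip check source" output quoted in the verification step.
SAMPLE_OUTPUT = """Total entries found: 1
MAC               IP              Vlan   Port                   Status
000e-0cb5-0809    7.7.7.1         N/A    GigabitEthernet3/1/2   DHCP-RLY
"""

# One binding-entry row: MAC, IP, VLAN, port, status, in the column order shown on the page.
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<vlan>\S+)\s+(?P<port>\S+)\s+(?P<status>\S+)\s*$", re.IGNORECASE)

def normalize_mac(mac: str) -> str:
    """Strip separators so 000e-0cb5-0809 and 00-0e-0c-b5-08-09 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(output: str) -> dict:
    """Build {port: [(ip, mac), ...]} from display output. Entries are kept per
    port because a binding is effective only on the interface it was learned on."""
    table = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            table.setdefault(m["port"], []).append((m["ip"], normalize_mac(m["mac"])))
    return table

def permit(table: dict, port: str, src_ip: str, src_mac: str) -> bool:
    """Model of 'ip check source ip-address mac-address' on a guarded port: forward
    only if the (source IP, source MAC) pair is bound on the ingress interface."""
    return (src_ip, normalize_mac(src_mac)) in table.get(port, [])

def filter_packets(table: dict, packets: list) -> list:
    """Return (port, src_ip, src_mac, verdict) for each constructed packet."""
    return [(p, ip, mac, "forward" if permit(table, p, ip, mac) else "drop")
            for p, ip, mac in packets]

# Constructed packets (ingress port, source IP, source MAC): the real Client A, a
# forged source IP, a spoofed MAC, and Client A's pair arriving on a different
# guarded port (GigabitEthernet3/1/3 is hypothetical; bindings are per-interface).
PACKETS = [
    ("GigabitEthernet3/1/2", "7.7.7.1", "00-0e-0c-b5-08-09"),
    ("GigabitEthernet3/1/2", "7.7.7.9", "00-0e-0c-b5-08-09"),
    ("GigabitEthernet3/1/2", "7.7.7.1", "00-0e-0c-b5-08-0a"),
    ("GigabitEthernet3/1/3", "7.7.7.1", "00-0e-0c-b5-08-09"),
]

if __name__ == "__main__":
    for port, ip, mac, verdict in filter_packets(parse_bindings(SAMPLE_OUTPUT), PACKETS):
        print(f"{port:22} {ip:10} {mac:18} {verdict}")
```

The model assumes every port in the packet list has ip check source enabled; on a port without it, no filtering takes place at all.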

Troubleshooting IP source guard

Symptom

Failed to configure the dynamic IP source guard binding function on an interface.

Analysis

IP source guard is not supported on an interface that is in an aggregation group.

Solution

Remove the interface from the aggregation group.