13-IP Source Guard Configuration
Contents
Configuring dynamic IP source guard binding
Displaying and maintaining IP source guard
IP source guard configuration example
Troubleshooting IP source guard
NOTE: You cannot enable IP source guard on a link aggregation member port or a service loopback port. If IP source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.
IP source guard overview
IP source guard is intended to work on an interface that connects users. It filters received packets to block illegal access to network resources, improving network security.
IP source guard filters packets according to their source IP address and source MAC address. The IP source guard binding entries are generated dynamically from DHCP relay entries.
IP source guard binding entries are on a per-interface basis. A binding entry generated on an interface is effective only on the interface.
Configuring dynamic IP source guard binding
CAUTION:
- After enabling IP source guard on a BFD session interface, you need to add DHCP relay entries manually on the interface.
- You must configure the IP source guard function before enabling DHCP relay.
After the dynamic IP source guard binding function is enabled on an interface, IP source guard receives and processes the corresponding DHCP relay entries, which contain the MAC address, IP address, VLAN tag, port, and entry type. It adds the obtained information to the dynamic IP source guard binding entries, and the interface then filters received packets according to those binding entries.
To configure dynamic IP source guard binding on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the dynamic IP source guard binding function. | ip check source ip-address mac-address | Not configured by default |
NOTE: The dynamic IP source guard binding function can be configured on Layer 3 Ethernet interfaces and VLAN interfaces.
Displaying and maintaining IP source guard
Task | Command | Remarks |
---|---|---|
Display information about dynamic IP source guard binding entries. | display ip check source [ interface interface-type interface-number \| ip-address ip-address \| mac-address mac-address ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
IP source guard configuration example
Network requirements
As shown in Figure 1, Device A connects to Client A and the DHCP server through GigabitEthernet 3/1/2 and GigabitEthernet 3/1/1 respectively. DHCP relay is enabled on Device A.
- Configure the dynamic IP source guard binding function on interface GigabitEthernet 3/1/2 to prevent illegal clients from using forged IP addresses to attack the server.
- Client A (with the MAC address 00-0e-0c-b5-08-09) obtains an IP address through the DHCP server.
- On Device A, create a DHCP relay entry for Client A.
NOTE: For how to configure a DHCP server, see Layer 3—IP Services Configuration Guide.
Configuration procedure
1. Configure Device A
# Configure IP addresses for the interfaces. (Details not shown.)
# Configure the dynamic IP source guard binding function on GigabitEthernet 3/1/2, binding the source IP address and source MAC address.
[DeviceA] interface GigabitEthernet 3/1/2
[DeviceA-GigabitEthernet3/1/2] ip check source ip-address mac-address
[DeviceA-GigabitEthernet3/1/2] quit
# Enable DHCP relay.
[DeviceA] dhcp enable
# Specify the IP address of the DHCP server.
[DeviceA] dhcp relay server-group 1 ip 10.1.1.1
# Configure GigabitEthernet 3/1/2 to work in DHCP relay mode.
[DeviceA] interface GigabitEthernet 3/1/2
[DeviceA-GigabitEthernet3/1/2] dhcp select relay
# Correlate GigabitEthernet 3/1/2 with DHCP server group 1.
[DeviceA-GigabitEthernet3/1/2] dhcp relay server-select 1
[DeviceA-GigabitEthernet3/1/2] quit
2. Verify the configuration
Display the dynamic IP source guard binding entries obtained from DHCP relay entries on interface GigabitEthernet 3/1/2.
[DeviceA] display ip check source
Total entries found: 1
MAC            IP        Vlan  Port                  Status
000e-0cb5-0809 7.7.7.1   N/A   GigabitEthernet3/1/2  DHCP-RLY
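As an added illustration, not code from this guide or from the device software, the following Python models the two behaviours this chapter describes: the overview's per-interface filtering on source IP address plus source MAC address, and the display output format shown in the verification step above. It parses constructed display ip check source output into a per-port binding table and decides whether constructed packets would be forwarded. The sample output (including a second, constructed binding on GigabitEthernet3/1/3), the packet values, and the set of guarded ports are assumptions; the model assumes that a guarded interface forwards only packets whose source IP and MAC both match one of its own entries and that interfaces without IP source guard forward everything.

```python
"""Model of per-interface IP source guard filtering (added example).

Not Comware code. The display output, second binding entry, packets and
guarded-port set below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed sample output, in the column layout shown in this chapter.
SAMPLE_DISPLAY_OUTPUT = """\
Total entries found: 2
MAC            IP        Vlan  Port                  Status
000e-0cb5-0809 7.7.7.1   N/A   GigabitEthernet3/1/2  DHCP-RLY
000e-0cb5-1234 7.7.7.2   N/A   GigabitEthernet3/1/3  DHCP-RLY
"""

# Interfaces on which "ip check source ip-address mac-address" is assumed configured.
GUARDED_PORTS = {"GigabitEthernet3/1/2", "GigabitEthernet3/1/3"}


@dataclass(frozen=True)
class Binding:
    mac: str     # hhhh-hhhh-hhhh, as printed by the device
    ip: str
    vlan: str    # "N/A" when no VLAN tag is recorded
    port: str
    status: str  # entry type, e.g. DHCP-RLY for entries learned from DHCP relay


# One binding entry per line: MAC, IP, VLAN, port, status separated by whitespace.
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<vlan>\S+)\s+(?P<port>\S+)\s+(?P<status>\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept 00-0e-0c-b5-08-09, 00:0e:0c:b5:08:09 or 000e-0cb5-0809; return hhhh-hhhh-hhhh."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def parse_display_output(text: str) -> dict[str, list[Binding]]:
    """Parse display ip check source output into {port: [Binding, ...]}.

    The "Total entries found" line and the column header do not match
    ENTRY_RE and are skipped, so only real entries reach the table.
    """
    table: dict[str, list[Binding]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = Binding(**m.groupdict())
        table.setdefault(entry.port, []).append(entry)
    return table


def forwards(table: dict[str, list[Binding]], guarded: set[str],
             ingress_port: str, src_ip: str, src_mac: str) -> bool:
    """Return True if a packet with this source IP/MAC arriving on ingress_port is forwarded.

    Bindings are per interface: an entry learned on GigabitEthernet3/1/2 says nothing
    about the same IP/MAC pair arriving on another guarded port. In the
    ip-address mac-address binding mode both fields must match the same entry.
    Ports without IP source guard are not filtered at all.
    """
    if ingress_port not in guarded:
        return True
    mac = normalize_mac(src_mac)
    return any(b.ip == src_ip and b.mac == mac for b in table.get(ingress_port, []))


if __name__ == "__main__":
    bindings = parse_display_output(SAMPLE_DISPLAY_OUTPUT)
    for port, entries in bindings.items():
        for b in entries:
            print(f"{port}: {b.ip} bound to {b.mac} ({b.status})")
    # Client A using its leased address passes; a forged source IP on the same port is dropped.
    print(forwards(bindings, GUARDED_PORTS, "GigabitEthernet3/1/2", "7.7.7.1", "00-0e-0c-b5-08-09"))
    print(forwards(bindings, GUARDED_PORTS, "GigabitEthernet3/1/2", "7.7.7.9", "00-0e-0c-b5-08-09"))
```

The third outcome worth checking is a valid IP/MAC pair presented on the wrong interface: because binding entries are effective only on the interface that learned them, the pair for Client B is dropped when it arrives on GigabitEthernet3/1/2.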
Troubleshooting IP source guard
Symptom
Failed to configure the dynamic IP source guard binding function on an interface.
Analysis
IP source guard is not supported on an interface that is in an aggregation group.
Solution
Remove the interface from the aggregation group.