H3C S3610[S5510] Series Ethernet Switches Operation Manual-Release 5303(V1.01)


Chapter 1  IP Source Guard Configuration

When configuring IP Source Guard, go to these sections for information you are interested in:

- IP Source Guard Overview
- Configuring a Static Binding Entry
- Configuring Port Filtering
- Displaying IP Source Guard
- IP Source Guard Configuration Examples
- Troubleshooting

1.1  IP Source Guard Overview

IP source guard filters packets on a per-port basis so that packets carrying unauthorized source IP addresses or MAC addresses cannot pass, which improves network security. It filters packets based on two types of binding entries:

- IP-port binding entry: A port permits packets whose source IP address matches one of its IP-port binding entries.
- MAC-IP-port binding entry: A port permits packets whose source MAC address and source IP address pair matches one of its MAC-IP-port binding entries.

All other packets are denied.

 

Caution:

IP source guard and aggregation group configuration are mutually exclusive.

 

1.2  Configuring a Static Binding Entry

Follow these steps to configure a static binding entry:

To do…                              Use the command…                                               Remarks
Enter system view                   system-view
Enter interface view                interface interface-type interface-number
Configure a static binding entry    user-bind ip-address ip-address [ mac-address mac-address ]    Required. No static binding entry exists by default.

 

Note:

- The system does not support binding the same binding entry to one port more than once. A binding entry can, however, be configured on multiple ports.
- In a valid binding entry, the MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address, and the IP address can only be a Class A, Class B, or Class C address and can be neither 127.x.x.x nor 0.0.0.0.
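As an added illustration that is not part of the H3C manual, the following Python model applies the two binding-entry types from the overview and the validity rules from the note above to decide whether a packet is permitted on a port. The function and class names (normalize_mac, validate_binding, IpSourceGuardPort) are my own and the MAC/IP values used are constructed from the examples later on this page.

```python
import ipaddress
from typing import List, Optional, Tuple

def normalize_mac(mac: str) -> str:
    """Accept 0001-0203-0405 or 00-01-02-03-04-05 and return 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(bytes.fromhex(digits)) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return digits

def validate_binding(ip: str, mac: Optional[str]) -> Optional[str]:
    """Return None if the entry is valid per the manual's rules, else the rejection reason."""
    addr = int(ipaddress.IPv4Address(ip))
    if addr == 0:
        return "IP address 0.0.0.0 is not allowed"
    if addr >> 24 == 127:
        return "loopback range 127.x.x.x is not allowed"
    if addr >> 24 >= 224:           # class D/E: only class A, B or C addresses are accepted
        return "IP address must be a class A, B or C address"
    if mac is not None:
        octets = bytes.fromhex(normalize_mac(mac))
        if octets == b"\x00" * 6:
            return "MAC address cannot be all 0s"
        if octets == b"\xff" * 6:
            return "MAC address cannot be all Fs (broadcast)"
        if octets[0] & 0x01:        # I/G bit set: group (multicast) address
            return "MAC address cannot be a multicast address"
    return None

class IpSourceGuardPort:
    """Per-port binding table; entries are (ip, mac) with mac None for IP-port bindings."""
    def __init__(self) -> None:
        self.bindings: List[Tuple[str, Optional[str]]] = []

    def add(self, ip: str, mac: Optional[str] = None) -> None:
        reason = validate_binding(ip, mac)
        if reason:
            raise ValueError(reason)
        entry = (str(ipaddress.IPv4Address(ip)), normalize_mac(mac) if mac else None)
        if entry in self.bindings:  # the same entry cannot be bound to one port twice
            raise ValueError("binding entry already exists on this port")
        self.bindings.append(entry)

    def permits(self, src_ip: str, src_mac: str) -> bool:
        """IP-port entries match on source IP only; MAC-IP-port entries need both to match."""
        src = str(ipaddress.IPv4Address(src_ip))
        mac = normalize_mac(src_mac)
        return any(ip == src and (m is None or m == mac) for ip, m in self.bindings)
```

A port with no bindings permits nothing, matching the "All other packets are denied" rule in the overview.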

 

1.3  Configuring Port Filtering

Port filtering allows IP source guard to filter packets based on the MAC-IP-port binding entries created and maintained by DHCP snooping.

Follow these steps to configure port filtering:

To do…                      Use the command…                                Remarks
Enter system view           system-view
Enter interface view        interface interface-type interface-number
Configure port filtering    ip check source ip-address [ mac-address ]      Required. Not configured by default.

 

1.4  Displaying IP Source Guard

To do…                                              Use the command…                                                                                                          Remarks
Display information about static binding entries    display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ]          Available in any view
Display information about dynamic binding entries   display ip check source [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ]    Available in any view

 

1.5  IP Source Guard Configuration Examples

1.5.1  Static Binding Entry Configuration Example

I. Network requirements

As shown in Figure 1-1, switches A and B and Hosts A, B and C are on an Ethernet. Host A and Host B are connected to ports Ethernet 1/0/1 and Ethernet 1/0/2 of Switch B respectively, Host C is connected to port Ethernet 1/0/1 of Switch A, while Switch B is connected to port Ethernet 1/0/2 of Switch A.

Detailed requirements are as follows:

- On port Ethernet 1/0/2 of Switch A, only IP packets with the source MAC address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 can pass.
- On port Ethernet 1/0/1 of Switch A, only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 can pass.
- On port Ethernet 1/0/1 of Switch B, only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 can pass.
- On port Ethernet 1/0/2 of Switch B, only IP packets with the source MAC address of 00-01-02-03-04-07 and the source IP address of 192.168.0.2 can pass.

II. Network diagram

Figure 1-1 Network diagram for configuring static binding entries

III. Configuration procedure

1) Configure Switch A

# Configure the IP addresses of various interfaces (omitted).

# Configure port Ethernet 1/0/2 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 to pass.

<SwitchA> system-view

[SwitchA] interface ethernet 1/0/2

[SwitchA-Ethernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405

[SwitchA-Ethernet1/0/2] quit

# Configure port Ethernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.

[SwitchA] interface ethernet 1/0/1

[SwitchA-Ethernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406

2) Configure Switch B

# Configure the IP addresses of various interfaces (omitted).

# Configure port Ethernet 1/0/1 of Switch B to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.

<SwitchB> system-view

[SwitchB] interface ethernet 1/0/1

[SwitchB-Ethernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406

[SwitchB-Ethernet1/0/1] quit

# Configure port Ethernet 1/0/2 of Switch B to allow only IP packets with the source MAC address of 00-01-02-03-04-07 and the source IP address of 192.168.0.2 to pass.

[SwitchB] interface ethernet 1/0/2

[SwitchB-Ethernet1/0/2] user-bind ip-address 192.168.0.2 mac-address 0001-0203-0407

3) Verify the configuration

# On Switch A, static binding entries are configured successfully.

<SwitchA> display user-bind

The Following User address bind have been configured:

  Mac                   IP                  Port                    Status

  0001-0203-0405        192.168.0.3         Ethernet1/0/2             Static

  0001-0203-0406        192.168.0.1         Ethernet1/0/1             Static

-------------2 bind entries queried, 2 listed------------

# On Switch B, static binding entries are configured successfully.

<SwitchB> display user-bind

The Following User address bind have been configured:

  Mac                   IP                  Port                    Status

  0001-0203-0406        192.168.0.1         Ethernet1/0/1             Static

  0001-0203-0407        192.168.0.2         Ethernet1/0/2             Static

-------------2 bind entries queried, 2 listed------------

1.5.2  Port Filtering Configuration Example

I. Network requirements

Switch A connects to Client A and the DHCP Server through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. DHCP Snooping is enabled on Switch A.

Detailed requirements are as follows:

- Client A, with the MAC address of 00-01-02-03-04-06, obtains an IP address from the DHCP server.
- On Switch A, create the DHCP snooping entry for Client A.
- Enable IP filtering on port Ethernet 1/0/1 of Switch A to prevent clients from attacking the DHCP server with forged source IP addresses.

 

Note:

For detailed configuration of DHCP Server, refer to DHCP Configuration in this manual.

 

II. Network diagram

Figure 1-2 Network diagram for configuring port filtering

III. Configuration procedure

1) Configure Switch A

# Configure port filtering on port Ethernet 1/0/1.

<SwitchA> system-view

[SwitchA] interface ethernet1/0/1

[SwitchA-Ethernet1/0/1] ip check source ip-address mac-address

[SwitchA-Ethernet1/0/1] quit

# Enable DHCP snooping on Switch A.

[SwitchA] dhcp-snooping

# Configure port Ethernet 1/0/2 connected to the DHCP server as a trusted port.

[SwitchA] interface ethernet1/0/2

[SwitchA-Ethernet1/0/2] dhcp-snooping trust

[SwitchA-Ethernet1/0/2] quit

2) Verify the configuration

# Port filtering is configured successfully on port Ethernet 1/0/1.

[SwitchA] interface ethernet1/0/1

[SwitchA-Ethernet1/0/1] display this

#

interface Ethernet1/0/1

 ip check source ip-address mac-address

#

return

# Display the dynamic binding entries that port Ethernet 1/0/1 has obtained from DHCP Snooping.

<SwitchA> display ip check source

The Following User address bind have been configured:

 Mac                   IP                    Port              Status

0001-0203-0406         192.168.0.1           Ethernet 1/0/1    Dynamic

 -------------1 bind entries queried, 1 listed------------

# Display the dynamic entries of DHCP snooping and check that they are identical to the dynamic entries that port Ethernet 1/0/1 has obtained.

<SwitchA> display dhcp-snooping

DHCP Snooping is enabled.

The client binding table for all untrusted ports.

Type : D--Dynamic , S--Static

Type IP Address      MAC Address    Lease        VLAN Interface

==== =============== ============== ============ ==== =================

D    192.168.0.1     0001-0203-0406 86335        1    Ethernet1/0/1

As the output shows, once port filtering is configured, port Ethernet 1/0/1 obtains the dynamic binding entries generated by DHCP snooping.

1.6  Troubleshooting

1.6.1  Failed to Configure Static Binding Entries and Port Filtering

I. Symptom

Configuring static binding entries and port filtering fails on a port.

II. Analysis

IP Source Guard is not supported on a port that has joined an aggregation group, so neither static binding entries nor port filtering can be configured on such a port.

III. Solution

Remove the port from the aggregation group.
