05-S12500_IP_Source_Guard_Configuration_Examples
Contents
General configuration restrictions and guidelines
Example: Configuring static IP source guard binding entries
Configuration restrictions and guidelines
Example: Configuring dynamic IP source guard by using DHCP snooping entries
Configuration restrictions and guidelines
Introduction
This document provides IP source guard configuration examples.
IP source guard checks incoming packets on an interface against a table of binding entries (IP address, MAC address, VLAN, and interface) and drops packets that match no entry, which prevents spoofing attacks. For example, it blocks an attacker that borrows the IP address of a valid host to access the network.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of H3C IP source guard.
General configuration restrictions and guidelines
When an EB/EC2 card is operating in standard ACL mode, the card does not support MAC-interface binding, IP-MAC-interface binding, MAC-VLAN-interface binding, or IP-MAC-VLAN-interface binding. By default, an EB/EC2 card operates in advanced ACL mode.
Example: Configuring static IP source guard binding entries
Network requirements
As shown in Figure 1, all hosts use static IP addresses.
Configure static IP source guard binding entries (IP-MAC-interface binding) on Switch A and Switch B to meet the following requirements:
· GE 2/0/2 on Switch A allows only IP packets from Host A to pass through.
· GE 3/0/1 on Switch B allows only IP packets from Host B to pass through.
· GE 3/0/2 on Switch B allows only IP packets from Host C to pass through.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure static IP source guard binding entries, follow these restrictions and guidelines:
· You cannot enable IP source guard on a link aggregation member interface. If IP source guard is enabled on an interface, you cannot assign the interface to a link aggregation group.
· By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. To configure such an interface, first use the undo shutdown command to bring the interface up.
Configuration procedures
1. Configure Switch A:
# Assign IP addresses to the interfaces for the devices. (Details not shown.)
# Configure IP source guard on GigabitEthernet 2/0/2 to filter incoming packets by checking their source IP addresses and source MAC addresses.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet2/0/2
[SwitchA-GigabitEthernet2/0/2] undo shutdown
[SwitchA-GigabitEthernet2/0/2] ip verify source ip-address mac-address
# Configure a static binding entry for Host A on GigabitEthernet 2/0/2.
[SwitchA-GigabitEthernet2/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[SwitchA-GigabitEthernet2/0/2] quit
2. Configure Switch B:
# Configure IP source guard on GigabitEthernet 3/0/2 to filter incoming packets by checking their source IP addresses and source MAC addresses.
<SwitchB> system-view
[SwitchB] interface GigabitEthernet3/0/2
[SwitchB-GigabitEthernet3/0/2] undo shutdown
[SwitchB-GigabitEthernet3/0/2] ip verify source ip-address mac-address
# Configure a static binding entry for Host C on GigabitEthernet 3/0/2.
[SwitchB-GigabitEthernet3/0/2] ip source binding ip-address 192.168.2.3 mac-address 0001-0203-0405
[SwitchB-GigabitEthernet3/0/2] quit
# Configure IP source guard on GigabitEthernet 3/0/1 to filter incoming packets by checking their source IP addresses and source MAC addresses.
[SwitchB] interface GigabitEthernet3/0/1
[SwitchB-GigabitEthernet3/0/1] undo shutdown
[SwitchB-GigabitEthernet3/0/1] ip verify source ip-address mac-address
# Configure a static binding entry for Host B on GigabitEthernet 3/0/1.
[SwitchB-GigabitEthernet3/0/1] ip source binding ip-address 192.168.2.2 mac-address 0001-0203-0407
[SwitchB-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display information about IP source guard binding entries. Switch A has one static entry and Switch B has two; any host on these interfaces whose source IP address or MAC address does not match the entry for that interface has its IP packets dropped.
<SwitchA> display ip source binding
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     N/A   GE2/0/2    Static
<SwitchB> display ip source binding
Total entries found: 2
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0405  192.168.2.3     N/A   GE3/0/2    Static
0001-0203-0407  192.168.2.2     N/A   GE3/0/1    Static
Configuration files
· Switch A:
#
interface GigabitEthernet2/0/2
port link-mode bridge
ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
ip verify source ip-address mac-address
#
· Switch B:
#
interface GigabitEthernet3/0/1
port link-mode bridge
ip source binding ip-address 192.168.2.2 mac-address 0001-0203-0407
ip verify source ip-address mac-address
#
interface GigabitEthernet3/0/2
port link-mode bridge
ip source binding ip-address 192.168.2.3 mac-address 0001-0203-0405
ip verify source ip-address mac-address
#
Example: Configuring dynamic IP source guard by using DHCP snooping entries
Network requirements
As shown in Figure 2, the DHCP client (with MAC address 00-01-02-03-04-06) obtains an IP address from the DHCP server.
Enable DHCP snooping on the switch so that a DHCP snooping entry can be created for the DHCP client.
Enable the IP source guard function on GigabitEthernet 2/0/1 of the switch to filter incoming packets based on DHCP snooping entries (IP-MAC-interface binding) to prevent attackers from using forged IP addresses to attack the server.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure dynamic IP source guard by using DHCP snooping, follow these restrictions and guidelines:
· You cannot enable IP source guard on a link aggregation member interface. If IP source guard is enabled on an interface, you cannot assign the interface to a link aggregation group.
· By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. To configure such an interface, first use the undo shutdown command to bring the interface up.
· By default, the interfaces on a DHCP snooping enabled device are untrusted interfaces. To enable the interface connected to the DHCP server to forward packets from the DHCP server, configure the interface as a trusted interface.
Configuration procedures
# Enable IP source guard on GigabitEthernet 2/0/1 to filter incoming packets by checking their source IP addresses and source MAC addresses.
<Switch> system-view
[Switch] interface GigabitEthernet2/0/1
[Switch-GigabitEthernet2/0/1] undo shutdown
[Switch-GigabitEthernet2/0/1] ip verify source ip-address mac-address
[Switch-GigabitEthernet2/0/1] quit
# Enable DHCP snooping globally so that the switch records the IP-MAC lease of the DHCP client.
[Switch] dhcp-snooping
# Configure GigabitEthernet 2/0/2, which connects to the DHCP server, as a trusted interface. Interfaces are untrusted by default, and DHCP replies arriving on an untrusted interface are discarded.
[Switch] interface GigabitEthernet2/0/2
[Switch-GigabitEthernet2/0/2] undo shutdown
[Switch-GigabitEthernet2/0/2] dhcp-snooping trust
[Switch-GigabitEthernet2/0/2] quit
Verifying the configuration
# Display information about dynamic IP source guard binding entries after the DHCP client has obtained an IP address.
[Switch] display ip source binding
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     1     GE2/0/1    DHCP-SNP
[Switch] display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GE2/0/1
The output shows that a dynamic IP source guard binding entry (type DHCP-SNP) has been generated from the DHCP snooping entry, with the same IP address, MAC address, VLAN, and interface. From this point, IP packets arriving on GigabitEthernet 2/0/1 with any other source IP address or MAC address are dropped, and the binding expires together with the lease.
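Both verification steps in this document (the static entries on Switch A and Switch B, and the DHCP-snooping-backed entry on GigabitEthernet 2/0/1) rely on reading CLI output by eye. The following Python script is an added example and is not part of the H3C documentation or the switch software: it parses captured `display ip source binding` and `display dhcp-snooping` output, checks the static bindings against an expected per-port host inventory, and cross-checks the dynamic bindings against the snooping table. The sample outputs are constructed to mirror the format shown above, and the EXPECTED_SWITCHB inventory is an assumption standing in for a real asset list.

```python
"""Audit H3C IP source guard bindings from captured CLI 'display' output.

Added example; not H3C code. Sample outputs below are constructed to mirror
the 'display ip source binding' and 'display dhcp-snooping' formats in this
document. The expected-binding inventory is an assumption.
"""
import re
from dataclasses import dataclass

_MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Row of 'display ip source binding': MAC  IP  VLAN  Interface  Type
_ISG_ROW = re.compile(rf"^\s*({_MAC})\s+({_IP})\s+(\S+)\s+(\S+)\s+(Static|DHCP-SNP)\s*$")
# Row of 'display dhcp-snooping': Type  IP  MAC  Lease  VLAN  Interface
_SNP_ROW = re.compile(rf"^\s*([DS])\s+({_IP})\s+({_MAC})\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class Binding:
    mac: str        # normalised to 12 lowercase hex digits
    ip: str
    vlan: str       # "N/A" for static entries
    interface: str  # short form as printed, e.g. GE2/0/2
    kind: str       # "Static" or "DHCP-SNP"


def normalize_mac(mac: str) -> str:
    """Accept 0001-0203-0406, 00-01-02-03-04-06 or 00:01:02:03:04:06 forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits.lower()


def parse_ip_source_binding(text: str) -> list[Binding]:
    """Parse 'display ip source binding'. Refuses output whose declared entry
    count disagrees with the rows found, so a truncated or paged capture
    cannot pass an audit silently."""
    declared, rows = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Total entries found:\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        m = _ISG_ROW.match(line)
        if m:
            mac, ip, vlan, intf, kind = m.groups()
            rows.append(Binding(normalize_mac(mac), ip, vlan, intf, kind))
    if declared is not None and declared != len(rows):
        raise ValueError(f"header declares {declared} entries, parsed {len(rows)}")
    return rows


def parse_dhcp_snooping(text: str) -> list[tuple]:
    """Return (type, ip, mac, lease, vlan, interface) tuples from 'display dhcp-snooping'."""
    out = []
    for line in text.splitlines():
        m = _SNP_ROW.match(line)
        if m:
            typ, ip, mac, lease, vlan, intf = m.groups()
            out.append((typ, ip, normalize_mac(mac), int(lease), vlan, intf))
    return out


def audit_static(entries: list[Binding], expected: dict) -> dict:
    """expected maps interface -> set of (ip, mac) that port should admit.
    A missing binding means a legitimate host is being dropped; an unexpected
    one is a binding nobody in the inventory accounts for."""
    have = {(b.interface, b.ip, b.mac) for b in entries if b.kind == "Static"}
    want = {(intf, ip, normalize_mac(mac))
            for intf, pairs in expected.items() for ip, mac in pairs}
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


def audit_dynamic(entries: list[Binding], snooping: list[tuple]) -> dict:
    """Every DHCP-SNP binding must be backed by a dynamic snooping entry on the
    same port and VLAN, and every dynamic lease must have produced a binding
    (a lease without one usually means IP source guard is not enabled on that port)."""
    isg = {(b.interface, b.vlan, b.ip, b.mac) for b in entries if b.kind == "DHCP-SNP"}
    snp = {(intf, vlan, ip, mac) for typ, ip, mac, _lease, vlan, intf in snooping if typ == "D"}
    return {"stale_bindings": sorted(isg - snp), "unguarded_leases": sorted(snp - isg)}


# Constructed samples in the format of the verification output in this document.
SWITCHB_ISG = """\
Total entries found: 2
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0405  192.168.2.3     N/A   GE3/0/2    Static
0001-0203-0407  192.168.2.2     N/A   GE3/0/1    Static
"""
EXPECTED_SWITCHB = {  # assumed host inventory for Switch B
    "GE3/0/1": {("192.168.2.2", "00-01-02-03-04-07")},
    "GE3/0/2": {("192.168.2.3", "00-01-02-03-04-05")},
}
SWITCH_ISG = """\
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     1     GE2/0/1    DHCP-SNP
"""
SWITCH_SNP = """\
DHCP Snooping is enabled.
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GE2/0/1
"""

if __name__ == "__main__":
    print(audit_static(parse_ip_source_binding(SWITCHB_ISG), EXPECTED_SWITCHB))
    print(audit_dynamic(parse_ip_source_binding(SWITCH_ISG), parse_dhcp_snooping(SWITCH_SNP)))
```

Capture the `display` output with screen paging disabled so that the "Total entries found" line and every row land in the same capture; the parser deliberately raises on a count mismatch rather than auditing a partial table. MAC addresses are normalised before comparison, so the inventory can use whichever notation the asset database exports.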
Configuration files
#
interface GigabitEthernet2/0/1
port link-mode bridge
ip verify source ip-address mac-address
#
dhcp-snooping
#
interface GigabitEthernet2/0/2
port link-mode bridge
dhcp-snooping trust
#
Related documentation
· H3C S12500 Routing Switch Series Security Configuration Guide
· H3C S12500 Routing Switch Series Security Command Reference