Security Configuration Guide: 13-IP source guard configuration
Contents
Configuring the IPv4SG feature
Enabling IPv4SG on an interface
Configuring a static IPv4SG binding
Configuring the IPv6SG feature
Enabling IPv6SG on an interface
Configuring a static IPv6SG binding
Display and maintenance commands for IPSG
Example: Configuring static IPv4SG
Example: Configuring dynamic IPv4SG using DHCP relay agent
Example: Configuring static IPv6SG
Example: Configuring dynamic IPv6SG using DHCPv6 relay agent
Configuring IP source guard
About IPSG
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to filter out illegitimate packets. This feature is typically configured on user-side interfaces.
IPSG operating mechanism
The IPSG binding table contains bindings made up of an IP address, a MAC address, a VLAN, or any combination of these items. IPSG matches each incoming packet against the bindings. If a match is found, the packet is forwarded. If no match is found, the packet is discarded.
IPSG is a per-interface packet filter. Configuring this feature on one interface does not affect packet forwarding on another interface.
IPSG bindings can be static or dynamic.
As shown in Figure 1, IPSG forwards only the packets that match an IPSG binding.
Figure 1 IPSG application
Static IPSG bindings
Static IPSG bindings are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static IPSG binding on an interface that connects to a server. This binding allows the interface to receive packets only from the server.
Static IPSG bindings on an interface filter incoming IPv4 or IPv6 packets on the interface.
An interface-specific static binding is configured in interface view and binds an IP address, a MAC address, or both. The binding takes effect only on that interface, where it is used to check the validity of users attempting to access the interface.
Dynamic IPSG bindings
IPSG automatically obtains user information from other modules to generate dynamic bindings. A dynamic IPSG binding can contain MAC address, IPv4 or IPv6 address, VLAN tag, ingress interface, and binding type. The binding type identifies the source module for the binding, such as DHCPv4 relay agent or DHCPv6 relay agent.
For example, DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP. IPSG is configured on the DHCP server or the DHCP relay agent. It generates dynamic bindings based on the client bindings on the DHCP server or the DHCP relay entries. IPSG allows only packets from the DHCP clients to pass through.
Dynamic IPv4SG
Dynamic bindings generated from different source modules serve different purposes:
Interface types | Source modules | Binding usage |
---|---|---|
Layer 3 Ethernet interface, VLAN interface | DHCP relay agent | Packet filtering. |
Layer 3 Ethernet interface, VLAN interface | DHCP server | Cooperation with other modules (such as the authorized ARP module) to provide security services. |
For information about DHCP relay and DHCP server, see Layer 3—IP Services Configuration Guide.
Dynamic IPv6SG
Dynamic IPv6SG bindings generated from the following source modules are used for packet filtering:
Interface types | Source modules |
---|---|
Layer 3 Ethernet interface, VLAN interface | DHCPv6 relay agent |
For more information about DHCPv6 relay agent, see Layer 3—IP Services Configuration Guide.
IPSG tasks at a glance
To configure IPv4SG, perform the following tasks:
1. Enabling IPv4SG on an interface
2. (Optional.) Configuring a static IPv4SG binding
To configure IPv6SG, perform the following tasks:
1. Enabling IPv6SG on an interface
2. (Optional.) Configuring a static IPv6SG binding
Configuring the IPv4SG feature
Enabling IPv4SG on an interface
About this task
When you enable IPv4SG on an interface, both static and dynamic IPv4SG are enabled.
· Static IPv4SG uses static bindings configured by using the ip source binding command. For more information, see "Configuring a static IPv4SG binding."
· Dynamic IPv4SG generates dynamic bindings from related source modules. IPv4SG uses the bindings to filter incoming IPv4 packets based on the matching criteria specified in the ip verify source command.
Restrictions and guidelines
To implement dynamic IPv4SG, make sure DHCP relay agent or DHCP server operates correctly on the network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following interface types are supported:
- Layer 3 Ethernet interface.
- Layer 3 Ethernet subinterface.
- Layer 3 aggregate interface.
- Layer 3 aggregate subinterface.
- VLAN interface.
3. Enable the IPv4SG feature.
ip verify source ip-address mac-address
By default, the IPv4SG feature is disabled on an interface.
Configuring a static IPv4SG binding
Configuring a static IPv4SG binding on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following interface types are supported:
- Layer 3 Ethernet interface.
- Layer 3 Ethernet subinterface.
- VLAN interface.
3. Configure a static IPv4SG binding.
ip source binding ip-address ip-address mac-address mac-address
You can configure the same static IPv4SG binding on different interfaces.
Configuring the IPv6SG feature
Enabling IPv6SG on an interface
About this task
When you enable IPv6SG on an interface, the static and dynamic IPv6SG are both enabled.
· Static IPv6SG uses static bindings configured by using the ipv6 source binding command. For more information, see "Configuring a static IPv6SG binding."
· Dynamic IPv6SG generates dynamic bindings from related source modules. IPv6SG uses the bindings to filter incoming IPv6 packets based on the matching criteria specified in the ipv6 verify source command.
Restrictions and guidelines
To implement dynamic IPv6SG, make sure DHCPv6 relay agent operates correctly on the network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following interface types are supported:
- Layer 3 Ethernet interface.
- Layer 3 Ethernet subinterface.
- Layer 3 aggregate interface.
- Layer 3 aggregate subinterface.
- VLAN interface.
3. Enable the IPv6SG feature.
ipv6 verify source ip-address mac-address
By default, the IPv6SG feature is disabled on an interface.
Configuring a static IPv6SG binding
Configuring a static IPv6SG binding on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following interface types are supported:
- Layer 3 Ethernet interface.
- Layer 3 Ethernet subinterface.
- VLAN interface.
3. Configure a static IPv6SG binding.
ipv6 source binding ip-address ipv6-address mac-address mac-address
You can configure the same static IPv6SG binding on different interfaces.
Display and maintenance commands for IPSG
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display IPv4SG bindings. | display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] |
Display IPv6SG bindings. | display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-relay ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] |
IPSG configuration examples
Example: Configuring static IPv4SG
Network configuration
As shown in Figure 2, all hosts use static IP addresses.
Configure static IPv4SG bindings on Device A to meet the following requirements:
· All interfaces of Device A allow IP packets from Host A to pass.
· Ten-GigabitEthernet 3/0/1 of Device A allows IP packets from Host B to pass.
Procedure
# Configure an IP address for each interface. (Details not shown.)
# Enable IPv4SG on Ten-GigabitEthernet 3/0/2.
<DeviceA> system-view
[DeviceA] interface ten-gigabitethernet 3/0/2
[DeviceA-Ten-GigabitEthernet3/0/2] ip verify source ip-address mac-address
[DeviceA-Ten-GigabitEthernet3/0/2] quit
# Configure a static IPv4SG binding for Host A.
[DeviceA] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
# Enable IPv4SG on Ten-GigabitEthernet 3/0/1.
[DeviceA] interface ten-gigabitethernet 3/0/1
[DeviceA-Ten-GigabitEthernet3/0/1] ip verify source ip-address mac-address
# On Ten-GigabitEthernet 3/0/1 (still in interface view), configure a static IPv4SG binding for Host B.
[DeviceA-Ten-GigabitEthernet3/0/1] ip source binding mac-address 0001-0203-0407
[DeviceA-Ten-GigabitEthernet3/0/1] quit
Verifying the configuration
# Verify that the static IPv4SG bindings are configured successfully on Device A.
<DeviceA> display ip source binding static
Total entries found: 2
IP Address MAC Address Interface VLAN Type
192.168.0.1 0001-0203-0406 N/A N/A Static
N/A 0001-0203-0407 XGE3/0/1 N/A Static
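As an added illustration that is not part of the vendor document, the following Python model applies Device A's two static bindings from the display output above to constructed packets, following the per-interface matching rule described under "IPSG operating mechanism". Treating an N/A field as a wildcard, and the addresses 192.168.0.2 and 0001-0203-0408, are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Binding:
    """IPSG binding table entry; None models an 'N/A' field in the display output."""
    ip: Optional[str]
    mac: Optional[str]
    interface: Optional[str]  # None = global binding, applies on every IPSG-enabled interface

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    ingress: str  # interface the packet arrived on

def binding_matches(b: Binding, pkt: Packet, criteria: Tuple[str, ...]) -> bool:
    """Compare the fields named in ip verify source against one binding.
    Model assumption: an N/A field in a binding is a wildcard, which is how the
    MAC-only binding for Host B lets its packets through on XGE3/0/1."""
    if b.interface is not None and b.interface != pkt.ingress:
        return False  # interface-specific binding, packet arrived elsewhere
    field_ok = {
        "ip-address": b.ip is None or b.ip == pkt.src_ip,
        "mac-address": b.mac is None or b.mac == pkt.src_mac,
    }
    return all(field_ok[c] for c in criteria)

def ipsg_filter(table: List[Binding], enabled: Dict[str, Tuple[str, ...]], pkt: Packet) -> str:
    """Per-interface filter: forward on any matching binding, drop otherwise.
    Interfaces without ip verify source are not filtered at all."""
    criteria = enabled.get(pkt.ingress)
    if criteria is None:
        return "forward"
    return "forward" if any(binding_matches(b, pkt, criteria) for b in table) else "drop"

# Device A after the static IPv4SG example: a global binding for Host A and an
# interface-specific, MAC-only binding for Host B (the two display output rows).
DEVICE_A_TABLE = [
    Binding("192.168.0.1", "0001-0203-0406", None),
    Binding(None, "0001-0203-0407", "XGE3/0/1"),
]
DEVICE_A_ENABLED = {"XGE3/0/1": ("ip-address", "mac-address"),
                    "XGE3/0/2": ("ip-address", "mac-address")}
if __name__ == "__main__":
    # 192.168.0.2 and 0001-0203-0408 are constructed values, not from the document.
    for p in (Packet("192.168.0.1", "0001-0203-0406", "XGE3/0/2"),  # Host A, any interface
              Packet("192.168.0.2", "0001-0203-0407", "XGE3/0/1"),  # Host B, its own interface
              Packet("192.168.0.2", "0001-0203-0407", "XGE3/0/2"),  # Host B, wrong interface
              Packet("192.168.0.1", "0001-0203-0408", "XGE3/0/2")): # Host A's IP, other MAC
        print(p.ingress, p.src_ip, p.src_mac, "->", ipsg_filter(DEVICE_A_TABLE, DEVICE_A_ENABLED, p))
```

The last two packets are dropped: Host B's binding does not apply on XGE3/0/2, and a packet carrying Host A's IP address from a different MAC address matches no binding.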
Example: Configuring dynamic IPv4SG using DHCP relay agent
Network configuration
As shown in Figure 3, DHCP relay agent is enabled on the router. The host obtains an IP address from the DHCP server through the DHCP relay agent.
Enable dynamic IPv4SG on Ten-GigabitEthernet 3/0/1 to filter incoming packets by using the IPv4SG bindings generated based on DHCP relay entries.
Procedure
1. Configure the DHCP relay agent:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable the DHCP service.
<Router> system-view
[Router] dhcp enable
# Enable recording DHCP relay client entries.
[Router] dhcp relay client-information record
# Configure interface Ten-GigabitEthernet 3/0/1 to operate in DHCP relay mode.
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] dhcp select relay
# Specify the IP address of the DHCP server.
[Router-Ten-GigabitEthernet3/0/1] dhcp relay server-address 10.1.1.1
[Router-Ten-GigabitEthernet3/0/1] quit
2. Enable IPv4SG on Ten-GigabitEthernet 3/0/1 and verify the source IP address and MAC address for dynamic IPSG.
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] ip verify source ip-address mac-address
[Router-Ten-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display dynamic IPv4SG bindings generated based on DHCP relay entries.
[Router] display ip source binding dhcp-relay
Total entries found: 1
IP Address MAC Address Interface VLAN Type
192.168.0.1 0001-0203-0406 XGE3/0/1 N/A DHCP relay
The output shows that Ten-GigabitEthernet 3/0/1 will filter packets based on the IPv4SG binding.
Example: Configuring static IPv6SG
Network configuration
As shown in Figure 4, configure a static IPv6SG binding on Ten-GigabitEthernet 3/0/1 of the device to allow only IPv6 packets from the host to pass.
Procedure
# Enable IPv6SG on Ten-GigabitEthernet 3/0/1.
<Device> system-view
[Device] interface ten-gigabitethernet 3/0/1
[Device-Ten-GigabitEthernet3/0/1] ipv6 verify source ip-address mac-address
# On Ten-GigabitEthernet 3/0/1, configure a static IPv6SG binding for the host.
[Device-Ten-GigabitEthernet3/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202
[Device-Ten-GigabitEthernet3/0/1] quit
Verifying the configuration
# Verify that the static IPv6SG binding is configured successfully on the device.
[Device] display ipv6 source binding static
Total entries found: 1
IPv6 Address MAC Address Interface VLAN Type
2001::1 0001-0202-0202 XGE3/0/1 N/A Static
Example: Configuring dynamic IPv6SG using DHCPv6 relay agent
Network configuration
As shown in Figure 5, DHCPv6 relay agent is enabled on the router. The clients obtain IPv6 addresses from the DHCPv6 server through the DHCPv6 relay agent.
Enable dynamic IPv6SG on Ten-GigabitEthernet 3/0/1 to filter incoming packets by using the IPv6SG bindings generated based on DHCPv6 relay entries.
Procedure
1. Configure the DHCPv6 relay agent:
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable the DHCPv6 relay agent on Ten-GigabitEthernet 3/0/1.
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp select relay
# Enable recording of DHCPv6 relay entries on the interface.
[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp relay client-information record
# Specify the DHCPv6 server address 2::2 on the relay agent.
[Router-Ten-GigabitEthernet3/0/1] ipv6 dhcp relay server-address 2::2
[Router-Ten-GigabitEthernet3/0/1] quit
2. Enable IPv6SG on Ten-GigabitEthernet 3/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
[Router] interface ten-gigabitethernet 3/0/1
[Router-Ten-GigabitEthernet3/0/1] ipv6 verify source ip-address mac-address
[Router-Ten-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display dynamic IPv6SG bindings generated based on DHCPv6 relay entries.
[Router] display ipv6 source binding dhcpv6-relay
Total entries found: 1
IP Address MAC Address Interface VLAN Type
1::2 0001-0203-0406 XGE3/0/1 N/A DHCPv6 relay
The output shows that Ten-GigabitEthernet 3/0/1 will filter packets based on the IPv6SG binding.