02-Typical configuration example


Introduction

This document provides IP source guard (IPSG) configuration examples.

IPSG prevents spoofing attacks by using IPSG bindings to filter incoming packets. IPSG bindings include static bindings that are configured manually and dynamic bindings that are generated based on information from DHCP-related modules. IPSG forwards only the packets that match IPSG bindings.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of IPSG.

Example: Configuring static IPv4SG

Network configuration

As shown in Figure 1, Host A, Host B, and the file server use static IPv4 addresses.

Enable static IPv4SG and configure static IPv4SG bindings on Device A and Device B to meet the following requirements:

·     The interface Ten-GigabitEthernet 3/1/1 of Device A allows IP packets from Host A to pass.

·     The interface Ten-GigabitEthernet 3/1/1 of Device B allows only IP packets from Host A and Host B to pass.

·     The interface Ten-GigabitEthernet 3/1/2 of Device B allows only IP packets from the file server to pass.

Figure 1 Network diagram


Analysis

To meet the network requirements, you must perform the following tasks:

·     To allow IP packets from Host A to pass through Ten-GigabitEthernet 3/1/1 on Device A, configure a static IPv4SG binding for Host A on the interface.

·     To allow IP packets from both hosts to pass through Ten-GigabitEthernet 3/1/1 on Device B, configure static IPv4SG bindings for the hosts on the interface.

·     To allow only IP packets from the file server to pass through Ten-GigabitEthernet 3/1/2 on Device B, configure a static IPv4SG binding for the file server on the interface.

Procedures

Configuring Device A

# Assign an IP address to Ten-GigabitEthernet 3/1/1.

<DeviceA> system-view

[DeviceA] interface ten-gigabitethernet3/1/1

[DeviceA-Ten-GigabitEthernet3/1/1] ip address 192.168.0.8 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/1/1] quit

# Assign an IP address to Ten-GigabitEthernet 3/1/2.

[DeviceA] interface ten-gigabitethernet3/1/2

[DeviceA-Ten-GigabitEthernet3/1/2] ip address 192.168.1.9 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/1/2] quit

# Assign an IP address to Ten-GigabitEthernet 3/1/3.

[DeviceA] interface ten-gigabitethernet3/1/3

[DeviceA-Ten-GigabitEthernet3/1/3] ip address 192.168.2.10 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/1/3] quit

# Enable IPv4SG on Ten-GigabitEthernet 3/1/1 and Ten-GigabitEthernet 3/1/2.

[DeviceA] interface ten-gigabitethernet 3/1/2

[DeviceA-Ten-GigabitEthernet3/1/2] ip verify source ip-address mac-address

[DeviceA-Ten-GigabitEthernet3/1/2] quit

[DeviceA] interface ten-gigabitethernet 3/1/1

[DeviceA-Ten-GigabitEthernet3/1/1] ip verify source ip-address mac-address

# Configure a static IPv4SG binding for Host A on Ten-GigabitEthernet 3/1/1.

[DeviceA-Ten-GigabitEthernet3/1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401

[DeviceA-Ten-GigabitEthernet3/1/1] quit

# Configure a static IPv4SG binding for Host B on Ten-GigabitEthernet 3/1/2.

[DeviceA] interface ten-gigabitethernet 3/1/2

[DeviceA-Ten-GigabitEthernet3/1/2] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0402

[DeviceA-Ten-GigabitEthernet3/1/2] quit

Configuring Device B

# Assign an IP address to Ten-GigabitEthernet 3/1/1.

<DeviceB> system-view

[DeviceB] interface ten-gigabitethernet3/1/1

[DeviceB-Ten-GigabitEthernet3/1/1] ip address 192.168.2.100 255.255.255.0

[DeviceB-Ten-GigabitEthernet3/1/1] quit

# Assign an IP address to Ten-GigabitEthernet 3/1/2.

[DeviceB] interface ten-gigabitethernet3/1/2

[DeviceB-Ten-GigabitEthernet3/1/2] ip address 192.168.3.100 255.255.255.0

[DeviceB-Ten-GigabitEthernet3/1/2] quit

# Enable IPv4SG on Ten-GigabitEthernet 3/1/1.

[DeviceB] interface ten-gigabitethernet 3/1/1

[DeviceB-Ten-GigabitEthernet3/1/1] ip verify source ip-address mac-address

# Configure static IPv4SG bindings for Host A and Host B on Ten-GigabitEthernet 3/1/1.

[DeviceB-Ten-GigabitEthernet3/1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401

[DeviceB-Ten-GigabitEthernet3/1/1] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0402

[DeviceB-Ten-GigabitEthernet3/1/1] quit

# Enable IPv4SG on Ten-GigabitEthernet 3/1/2.

[DeviceB] interface ten-gigabitethernet 3/1/2

[DeviceB-Ten-GigabitEthernet3/1/2] ip verify source ip-address mac-address

# Configure a static IPv4SG binding for the file server on Ten-GigabitEthernet 3/1/2.

[DeviceB-Ten-GigabitEthernet3/1/2] ip source binding ip-address 192.168.3.3 mac-address 0001-0203-0403

[DeviceB-Ten-GigabitEthernet3/1/2] quit

# Configure static routes to make sure the hosts and Device B can reach each other.

[DeviceB] ip route-static 192.168.0.0 24 192.168.2.10

[DeviceB] ip route-static 192.168.1.0 24 192.168.2.10

Verifying the configuration

# Verify that Host A can ping the IP addresses of Ten-GigabitEthernet 3/1/1 on both Device A and Device B. (Details not shown.)

# Verify that Host B can ping Ten-GigabitEthernet 3/1/1 of Device B and Ten-GigabitEthernet 3/1/2 of Device A. (Details not shown.)

# Verify that the file server can ping Ten-GigabitEthernet 3/1/2 of Device B. (Details not shown.)

# Verify that Device A has static IPv4SG bindings for Host A and Host B.

<DeviceA> display ip source binding static

Total entries found: 2

IP Address      MAC Address    Interface                VLAN Type

192.168.0.1     0001-0203-0401 XGE3/1/1                 N/A  Static

192.168.1.2     0001-0203-0402 XGE3/1/2                 N/A  Static

# Verify that Device B has static IPv4SG bindings for Host A, Host B, and the file server.

<DeviceB> display ip source binding static

Total entries found: 3

IP Address      MAC Address    Interface                VLAN Type

192.168.0.1     0001-0203-0401 XGE3/1/1                 N/A  Static

192.168.1.2     0001-0203-0402 XGE3/1/1                 N/A  Static

192.168.3.3     0001-0203-0403 XGE3/1/2                 N/A  Static

# Verify that Host B cannot ping Device A when Host B is assigned an IP address different from 192.168.0.2. (Details not shown.)

# Verify that Host A cannot ping Device A when any of the following conditions exists (details not shown):

·     Host A is connected to Device A through Ten-GigabitEthernet 3/1/2 or Ten-GigabitEthernet 3/1/3.

·     Host A is assigned an IP address different from 192.168.0.1.

Configuration files

·     Device A:

#

interface Ten-GigabitEthernet3/1/1

 port link-mode route

 ip address 192.168.0.8 255.255.255.0

 ip verify source ip-address mac-address

 ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401

#

interface Ten-GigabitEthernet3/1/2

 port link-mode route

 ip address 192.168.1.9 255.255.255.0

 ip verify source ip-address mac-address

 ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0402


#

interface Ten-GigabitEthernet3/1/3

 port link-mode route

 ip address 192.168.2.10 255.255.255.0

#

·     Device B:

#

interface Ten-GigabitEthernet3/1/1

 port link-mode route

 ip address 192.168.2.100 255.255.255.0

 ip verify source ip-address mac-address

 ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401

 ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0402

#

interface Ten-GigabitEthernet3/1/2

 port link-mode route

 ip address 192.168.3.100 255.255.255.0

 ip verify source ip-address mac-address

 ip source binding ip-address 192.168.3.3 mac-address 0001-0203-0403

#

 ip route-static 192.168.0.0 24 192.168.2.10

 ip route-static 192.168.1.0 24 192.168.2.10

#

Example: Configuring dynamic IPv4SG based on DHCP relay agent

Network configuration

As shown in Figure 2, DHCP relay is enabled on the device. The DHCP clients obtain IP addresses from the DHCP server through the DHCP relay agent.

Enable dynamic IPv4SG on Ten-GigabitEthernet 3/1/1 to filter incoming packets by using the dynamic IPv4SG bindings generated based on the DHCP relay entries.

Figure 2 Network diagram


Analysis

To generate DHCP relay entries for the DHCP clients, enable recording of relay entries on the relay agent. By default, the DHCP relay agent does not record client information in relay entries.

Procedures

Configuring the DHCP server

This example uses an H3C CR16000-F router as the DHCP server.

# Assign an IP address to Ten-GigabitEthernet 3/1/1.

<DHCPserver> system-view

[DHCPserver] interface ten-gigabitethernet3/1/1

[DHCPserver-Ten-GigabitEthernet3/1/1] ip address 10.10.0.2 255.255.255.0

# Enable the DHCP server on Ten-GigabitEthernet 3/1/1.

[DHCPserver-Ten-GigabitEthernet3/1/1] dhcp select server

[DHCPserver-Ten-GigabitEthernet3/1/1] quit

# Enable DHCP.

[DHCPserver] dhcp enable

# Create DHCP address pool 1.

[DHCPserver] dhcp server ip-pool 1

# Specify the assignable subnet as 192.168.0.0/24 and the address lease duration as 7 days.

[DHCPserver-dhcp-pool-1] network 192.168.0.0 24

[DHCPserver-dhcp-pool-1] expired day 7

[DHCPserver-dhcp-pool-1] quit

# On the DHCP server, configure a static route to the subnet where Ten-GigabitEthernet 3/1/1 of the DHCP relay agent resides.

[DHCPserver] ip route-static 192.168.0.0 24 10.10.0.1

Configuring the device

# Assign an IP address to Ten-GigabitEthernet 3/1/1.

<Device> system-view

[Device] interface ten-gigabitethernet3/1/1

[Device-Ten-GigabitEthernet3/1/1] ip address 192.168.0.1 255.255.255.0

[Device-Ten-GigabitEthernet3/1/1] quit

# Assign an IP address to Ten-GigabitEthernet 3/1/2.

[Device] interface ten-gigabitethernet3/1/2

[Device-Ten-GigabitEthernet3/1/2] ip address 10.10.0.1 255.255.255.0

[Device-Ten-GigabitEthernet3/1/2] quit

# Enable DHCP.

[Device] dhcp enable

# Enable recording of relay entries on the relay agent.

[Device] dhcp relay client-information record

# Enable the DHCP relay agent on Ten-GigabitEthernet 3/1/1.

[Device] interface ten-gigabitethernet3/1/1

[Device-Ten-GigabitEthernet3/1/1] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.

[Device-Ten-GigabitEthernet3/1/1] dhcp relay server-address 10.10.0.2

[Device-Ten-GigabitEthernet3/1/1] quit

# Enable IPv4SG on Ten-GigabitEthernet 3/1/1 so that the source IP address and source MAC address of incoming packets are verified against the dynamic IPv4SG bindings.

[Device] interface ten-gigabitethernet3/1/1

[Device-Ten-GigabitEthernet3/1/1] ip verify source ip-address mac-address

[Device-Ten-GigabitEthernet3/1/1] quit

Configuring DHCP clients

# Configure the DHCP clients to use DHCP for IP address acquisition. (Details not shown.)

Verifying the configuration

# Verify that the device has generated dynamic IPv4SG bindings for the clients based on DHCP relay entries.

<Device> display ip source binding dhcp-relay

Total entries found: 4

IP Address      MAC Address    Interface                VLAN Type

192.168.0.2     0001-0203-0402 XGE3/1/1                 N/A  DHCP relay

192.168.0.3     0001-0203-0403 XGE3/1/1                 N/A  DHCP relay

192.168.0.4     0001-0203-0404 XGE3/1/1                 N/A  DHCP relay

192.168.0.5     0001-0203-0405 XGE3/1/1                 N/A  DHCP relay

# Verify that the DHCP server can be pinged from the clients. (Details not shown.)

# Verify that the DHCP server cannot be pinged from the clients when the clients are assigned IP addresses manually. (Details not shown.)
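The following added example (not part of the H3C document) models the filtering decision that the verification steps of both examples rely on: a packet passes an IPSG-enabled interface only when its source IP address, source MAC address and arrival interface together match a binding, whether that binding is static or generated from a DHCP relay entry. It parses the `display ip source binding` output shown on this page (sample rows constructed from the page, with the DHCP relay table shortened to two entries) and then evaluates the cases the verification sections describe: a host moved to another interface, a host with a different IP address, and a client that was assigned an address manually.

```python
import re
from typing import NamedTuple


class Binding(NamedTuple):
    ip: str
    mac: str
    interface: str


# Constructed sample input: 'display ip source binding' output as shown on
# the page, Device A's static table and a two-entry DHCP relay table.
DEVICE_A_STATIC = """\
Total entries found: 2
IP Address      MAC Address    Interface                VLAN Type
192.168.0.1     0001-0203-0401 XGE3/1/1                 N/A  Static
192.168.1.2     0001-0203-0402 XGE3/1/2                 N/A  Static
"""
DEVICE_DHCP_RELAY = """\
Total entries found: 2
IP Address      MAC Address    Interface                VLAN Type
192.168.0.2     0001-0203-0402 XGE3/1/1                 N/A  DHCP relay
192.168.0.3     0001-0203-0403 XGE3/1/1                 N/A  DHCP relay
"""

# One binding row: IP, H3C-style MAC (xxxx-xxxx-xxxx), interface, VLAN, type.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})"
    r"\s+(\S+)\s+\S+\s+.+$"
)


def parse_bindings(output: str) -> set[Binding]:
    """Collect (ip, mac, interface) triples from a binding table. The header
    and the 'Total entries found' line do not match ROW and are skipped."""
    found = set()
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, mac, iface = m.groups()
            found.add(Binding(ip, mac.lower(), iface))
    return found


def ipsg_permits(bindings: set[Binding], ipsg_ifaces: set[str],
                 interface: str, src_ip: str, src_mac: str) -> bool:
    """Model 'ip verify source ip-address mac-address': on an IPSG-enabled
    interface a packet is forwarded only if its source IP and MAC match a
    binding on that same interface. Interfaces without IPSG are not filtered."""
    if interface not in ipsg_ifaces:
        return True
    return Binding(src_ip, src_mac.lower(), interface) in bindings
```

Only the IPSG check is modeled; interface addressing and routing, which also affect the ping tests on the page, are outside this example.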

Configuration files

#

 dhcp enable

 dhcp relay client-information record

#

interface Ten-GigabitEthernet3/1/1

 port link-mode route

 ip address 192.168.0.1 255.255.255.0

 dhcp select relay

 dhcp relay server-address 10.10.0.2

 ip verify source ip-address mac-address

#

interface Ten-GigabitEthernet3/1/2

 port link-mode route

 ip address 10.10.0.1 255.255.255.0

#

Related documentation

·     H3C CR16000-F Routers Security Command Reference-R8385P09

·     H3C CR16000-F Routers Security Configuration Guide-R8385P09
