Login
- Table of Contents
-
- 16-Security Configuration Guide
- 00-Preface
- 01-ACL configuration
- 02-Time range configuration
- 03-User profile configuration
- 04-Password control configuration
- 05-Public key management
- 06-PKI configuration
- 07-IPsec configuration
- 08-SSH configuration
- 09-SSL configuration
- 10-SSL VPN configuration
- 11-Session management
- 12-Connection limit configuration
- 13-Attack detection and prevention configuration
- 14-IP source guard configuration
- 15-ARP attack protection configuration
- 16-ND attack defense configuration
- 17-ASPF configuration
- 18-Protocol packet rate limit configuration
- 19-Crypto engine configuration
- 20-Security policy configuration
- 21-Object group configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 14-IP source guard configuration | 108.66 KB |
Configuring IP source guard
About IPSG
IP source guard (IPSG) prevents spoofing attacks by using WLAN snooping entries to filter packets received by an AP. It drops packets that do not match the entries.
WLAN snooping is enabled by default on the AP. A WLAN snooping entry is an IP-MAC binding.
· In an IPv4 network, WLAN snooping reads the clients' IP-MAC bindings from the ARP messages or DHCP packets that pass through the AP. IPSG uses only the WLAN snooping entries obtained through DHCP packets.
· In an IPv6 network, WLAN snooping reads the clients' IP-MAC bindings from packets that pass through the AP. The packets are RA messages, NS messages, NA messages, and DHCP packets. IPSG uses all WLAN snooping entries for packet filtering.
For information about DHCP, DHCPv6, and ND, see Network Connectivity Configuration Guide.
As shown in Figure 1, the AP has a WLAN snooping entry for the client that has obtained an IP address from the DHCP server. IPSG forwards packets only from the legal client.
Configuring the IPSG feature
Restrictions and guidelines
IPSG enabled for a service template filters only packets from the clients in the BSSs created based on the service template. It does not affect clients in other BSSs.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-number
3. Enable the IPSG feature.
IPv4:
ip verify source
IPv6:
ipv6 verify source
By default, the IPSG feature is disabled.
Display and maintenance commands for IPSG
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display IPv4SG bindings. |
display ip source binding [ wlan-snooping ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] |
|
Display IPv6SG bindings. |
display ipv6 source binding [ wlan-snooping ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] |
IPSG configuration examples
Example: Configuring IPSG
Network configuration
As shown in Figure 2, the clients access the WLAN through SSID service. Client 1 and Client 2 obtain IP addresses through the DHCP server (the switch).
Enable IPSG for the service template on the AC to make the AP filter incoming packets. The AP forwards the packets only from Client 1 and Client 2.
Procedure
# Create service template 1.
<AC> system-view
[AC] wlan service-template 1
# Set the SSID to service for the service template, and enable the service template.
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] service-template enable
# Enable the IPSG feature for IPv4.
[AC-wlan-st-1] ip verify source
[AC-wlan-st-1] quit
# Create AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# Enter radio view of radio 2 and bind service template 1 to radio 2.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
Verifying the configuration
# Use Client 1 and Client 2 to obtain their IP addresses through DHCP, and manually assign Client 3 the IP address of Client 1. (Details not shown.)
# Verify that packets from Client 1 and Client 2 are allowed to pass. (Details not shown.)
# Verify that packets from client 3 are dropped. (Details not shown.)
