Contents

Configuring IP source guard· 1

About IPSG·· 1

Configuring the IPSG feature· 1

Display and maintenance commands for IPSG·· 2

IPSG configuration examples· 2

Example: Configuring IPSG·· 2

Configuring IP source guard

About IPSG

IP source guard (IPSG) prevents spoofing attacks by using WLAN snooping entries to filter packets received by an AP. It drops packets that do not match the entries.

WLAN snooping is enabled by default on the AP. A WLAN snooping entry is an IP-MAC binding.

·     In an IPv4 network, WLAN snooping reads the clients' IP-MAC bindings from the ARP messages or DHCP packets that pass through the AP. IPSG uses only the WLAN snooping entries obtained through DHCP packets.

·     In an IPv6 network, WLAN snooping reads the clients' IP-MAC bindings from packets that pass through the AP. The packets are RA messages, NS messages, NA messages, and DHCP packets. IPSG uses all WLAN snooping entries for packet filtering.

As shown in Figure 1, the AP has a WLAN snooping entry for the client that has obtained an IP address from the DHCP server. IPSG forwards packets only from the legal client.

Figure 1 IPSG application

Configuring the IPSG feature

Restrictions and guidelines

IPSG enabled for a service template filters only packets from the clients in the BSSs created based on the service template. It does not affect clients in other BSSs.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-number

3.     Enable the IPSG feature.

IPv4:

ip verify source

IPv6:

ipv6 verify source

By default, the IPSG feature is disabled.

Display and maintenance commands for IPSG

Execute display commands in any view and reset commands in user view.

‌

IPSG configuration examples

Example: Configuring IPSG

Network configuration

As shown in Figure 2, the clients access the WLAN through SSID service. Client 1 and Client 2 obtain IP addresses through the DHCP server (the switch).

Enable IPSG for the service template on the AC to make the AP filter incoming packets. The AP forwards the packets only from Client 1 and Client 2.

Figure 2 Network diagram

Procedure

# Create service template 1.

<AC> system-view

[AC] wlan service-template 1

# Set the SSID to service for the service template, and enable the service template.

[AC-wlan-st-1] ssid service

[AC-wlan-st-1] service-template enable

# Enable the IPSG feature for IPv4.

[AC-wlan-st-1] ip verify source

[AC-wlan-st-1] quit

# Create the AP ap1 with the mode WA4620i-CAN, and set its serial ID to 210235A29G007C000020.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

# Enter radio view of radio 2 and bind service template 1 to radio 2.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Use Client 1 and Client 2 to obtain their IP addresses through DHCP, and manually assign Client 3 the IP address of Client 1. (Details not shown.)

# Verify that packets from Client 1 and Client 2 are allowed to pass. (Details not shown.)

# Verify that packets from client 3 are dropped. (Details not shown.)