02-Configuration Examples


Introduction

This document provides IP source guard (IPSG) configuration examples.

IPSG prevents spoofing attacks by using IPSG bindings to filter incoming packets. IPSG bindings include static bindings that are configured manually and dynamic bindings that are generated based on information from DHCP-related modules. IPSG forwards only the packets that match IPSG bindings.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of IPSG.

Example: Configuring dynamic IPv4SG based on DHCP relay agent

Network configuration

As shown in Figure 1, DHCP relay is enabled on the device. The DHCP clients obtain IP addresses from the DHCP server through the DHCP relay agent.

Enable dynamic IPv4SG on Ten-GigabitEthernet 0/0/15 to filter incoming packets by using the dynamic IPv4SG bindings generated based on the DHCP relay entries.

Figure 1 Network diagram

Analysis

To generate DHCP relay entries for the DHCP clients, enable recording of relay entries on the relay agent. By default, the DHCP relay agent does not record client information in relay entries.

Procedures

Configuring the DHCP server

This example uses an H3C CR16000-M1A router as the DHCP server.

# Assign an IP address to Ten-GigabitEthernet 0/0/15.

<DHCPserver> system-view

[DHCPserver] interface ten-gigabitethernet 0/0/15

[DHCPserver-Ten-GigabitEthernet0/0/15] ip address 10.10.0.2 255.255.255.0

# Enable the DHCP server on Ten-GigabitEthernet 0/0/15.

[DHCPserver-Ten-GigabitEthernet0/0/15] dhcp select server

[DHCPserver-Ten-GigabitEthernet0/0/15] quit

# Enable DHCP.

[DHCPserver] dhcp enable

# Create DHCP address pool 1.

[DHCPserver] dhcp server ip-pool 1

# Specify the assignable subnet as 192.168.0.0/24 and the address lease duration as 7 days.

[DHCPserver-dhcp-pool-1] network 192.168.0.0 24

[DHCPserver-dhcp-pool-1] expired day 7

[DHCPserver-dhcp-pool-1] quit

# On the DHCP server, configure a static route to the subnet where Ten-GigabitEthernet 0/0/15 of the DHCP relay agent resides.

[DHCPserver] ip route-static 192.168.0.0 24 10.10.0.1

Configuring the device

# Assign an IP address to Ten-GigabitEthernet 0/0/15.

<Device> system-view

[Device] interface ten-gigabitethernet 0/0/15

[Device-Ten-GigabitEthernet0/0/15] ip address 192.168.0.1 255.255.255.0

[Device-Ten-GigabitEthernet0/0/15] quit

# Assign an IP address to Ten-GigabitEthernet 0/0/16.

[Device] interface ten-gigabitethernet 0/0/16

[Device-Ten-GigabitEthernet0/0/16] ip address 10.10.0.1 255.255.255.0

[Device-Ten-GigabitEthernet0/0/16] quit

# Enable DHCP.

[Device] dhcp enable

# Enable recording of relay entries on the relay agent.

[Device] dhcp relay client-information record

# Enable the DHCP relay agent on Ten-GigabitEthernet 0/0/15.

[Device] interface ten-gigabitethernet 0/0/15

[Device-Ten-GigabitEthernet0/0/15] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.

[Device-Ten-GigabitEthernet0/0/15] dhcp relay server-address 10.10.0.2

[Device-Ten-GigabitEthernet0/0/15] quit

# Enable IPv4SG on Ten-GigabitEthernet 0/0/15 and configure it to verify the source IP address and source MAC address of incoming packets against the dynamic IPv4SG bindings.

[Device] interface ten-gigabitethernet 0/0/15

[Device-Ten-GigabitEthernet0/0/15] ip verify source ip-address mac-address

[Device-Ten-GigabitEthernet0/0/15] quit

Configuring DHCP clients

# Configure the DHCP clients to use DHCP for IP address acquisition. (Details not shown.)

Verifying the configuration

# Verify that the device has generated dynamic IPv4SG bindings for the clients based on DHCP relay entries.

<Device> display ip source binding dhcp-relay

Total entries found: 4

IP Address      MAC Address    Interface                VLAN Type

192.168.0.2     0001-0203-0402 XGE0/0/15                 N/A  DHCP relay

192.168.0.3     0001-0203-0403 XGE0/0/15                 N/A  DHCP relay

192.168.0.4     0001-0203-0404 XGE0/0/15                 N/A  DHCP relay

192.168.0.5     0001-0203-0405 XGE0/0/15                 N/A  DHCP relay

# Verify that the DHCP server can be pinged from the clients. (Details not shown.)

# Verify that the DHCP server cannot be pinged from the clients when the clients are assigned IP addresses manually. (Details not shown.)
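The two ping checks above follow from how the binding table is matched. The following Python script is an added example, not part of the H3C documentation: it parses the display output shown above and models the match that ip verify source ip-address mac-address performs. The function names and the three test packets are constructed for illustration.

```python
import re

# Constructed sample: the display output from this page, blank lines removed.
DISPLAY_OUTPUT = """\
Total entries found: 4
IP Address      MAC Address    Interface                VLAN Type
192.168.0.2     0001-0203-0402 XGE0/0/15                 N/A  DHCP relay
192.168.0.3     0001-0203-0403 XGE0/0/15                 N/A  DHCP relay
192.168.0.4     0001-0203-0404 XGE0/0/15                 N/A  DHCP relay
192.168.0.5     0001-0203-0405 XGE0/0/15                 N/A  DHCP relay
"""

ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\s+(\S+)\s")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Return the set of (interface, ip, mac) bindings in the display output."""
    declared, bindings = None, set()
    for line in text.splitlines():
        total = re.match(r"Total entries found:\s*(\d+)", line)
        if total:
            declared = int(total.group(1))
            continue
        row = ROW.match(line)
        if row:
            ip, mac, ifname = row.groups()
            bindings.add((ifname, ip, norm_mac(mac)))
    if declared is not None and declared != len(bindings):
        raise ValueError(f"header says {declared} entries, parsed {len(bindings)}")
    return bindings

def ipsg_permits(bindings, ifname, src_ip, src_mac):
    """Model of 'ip verify source ip-address mac-address': both must match."""
    return (ifname, src_ip, norm_mac(src_mac)) in bindings

if __name__ == "__main__":
    table = parse_bindings(DISPLAY_OUTPUT)
    # Constructed packets: leased address, manually set address, borrowed address.
    for ip, mac in [("192.168.0.2", "00:01:02:03:04:02"),
                    ("192.168.0.50", "00:01:02:03:04:02"),
                    ("192.168.0.3", "00:01:02:03:04:02")]:
        print(ip, mac, "permit" if ipsg_permits(table, "XGE0/0/15", ip, mac) else "drop")
```

The second and third packets are dropped: a manually assigned address has no binding, and an address leased to another client is bound to a different MAC address.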

Configuration files

#

 dhcp enable

 dhcp relay client-information record

#

interface Ten-GigabitEthernet0/0/15

 port link-mode route

 ip address 192.168.0.1 255.255.255.0

 dhcp select relay

 dhcp relay server-address 10.10.0.2

 ip verify source ip-address mac-address

#

interface Ten-GigabitEthernet0/0/16

 port link-mode route

 ip address 10.10.0.1 255.255.255.0

#
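The Analysis section notes that the relay agent records no client information by default, so an interface with ip verify source enabled has no relay entries to build bindings from unless recording is turned on. The following Python check is an added example, not part of the H3C documentation: it audits a configuration file for the commands this example depends on. It assumes the interface has no static IPSG bindings, as in this example, and the function names and the broken sample are constructed.

```python
# Constructed sample: the device configuration file from this page with
# "dhcp relay client-information record" deliberately left out.
BROKEN_CONFIG = """\
#
 dhcp enable
#
interface Ten-GigabitEthernet0/0/15
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
 dhcp select relay
 dhcp relay server-address 10.10.0.2
 ip verify source ip-address mac-address
#
interface Ten-GigabitEthernet0/0/16
 port link-mode route
 ip address 10.10.0.1 255.255.255.0
#
"""

# (scope, command prefix) pairs that dynamic IPv4SG over DHCP relay depends on.
REQUIRED = [("global", "dhcp enable"),
            ("global", "dhcp relay client-information record"),
            ("interface", "dhcp select relay"),
            ("interface", "dhcp relay server-address ")]

def split_sections(config):
    """Split a '#'-delimited configuration into {section name: [commands]}."""
    sections, current = {"global": []}, "global"
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":
            current = "global"
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections

def audit_relay_ipsg(config):
    """List (interface, missing command) for every IPSG-enabled interface."""
    sections = split_sections(config)
    findings = []
    for name, cmds in sections.items():
        if name == "global" or not any(c.startswith("ip verify source") for c in cmds):
            continue
        for scope, prefix in REQUIRED:
            pool = sections["global"] if scope == "global" else cmds
            if not any(c.startswith(prefix) for c in pool):
                findings.append((name, prefix.strip()))
    return findings
```

Calling audit_relay_ipsg(BROKEN_CONFIG) reports the missing recording command against Ten-GigabitEthernet0/0/15, while Ten-GigabitEthernet0/0/16 is skipped because IPv4SG is not enabled on it.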

Related documentation

·     H3C CR16000-M1A Router Security Command Reference

·     H3C CR16000-M1A Router Security Configuration Guide
