Contents
Introduction to IP source guard
Configuring IPv4 source guard binding
Configuring a static IPv4 source guard binding entry
Configuring the dynamic IPv4 source guard binding function
Configuring IPv6 source guard binding
Configuring a static IPv6 source guard binding entry
Configuring the dynamic IPv6 source guard binding function
Displaying and maintaining IP source guard
IP source guard configuration examples
Static IPv4 source guard binding entry configuration example
Dynamic IPv4 source guard binding by DHCP snooping configuration example
Dynamic IPv4 source guard binding by DHCP relay configuration example
Static IPv6 source guard binding entry configuration example
Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example
Dynamic IPv6 source guard binding by ND snooping configuration example
Troubleshooting IP source guard
Neither static binding entries nor the dynamic binding function can be configured
This chapter includes these sections:
· Configuring IPv4 source guard binding
· Configuring IPv6 source guard binding
· IP source guard configuration examples
· Troubleshooting IP source guard
NOTE:
· The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.
· The WX3000E series comprises WX3024E and WX3010E wireless switches.
· The port numbers in this chapter are for illustration only.
IP source guard overview
Introduction to IP source guard
IP source guard is intended to work on a port connecting users. It filters received packets to block illegal access to network resources, improving network security. For example, it can prevent an illegal host from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag. It supports these types of binding entries:
· IP-port binding entry
· MAC-port binding entry
· IP-MAC-port binding entry
· IP-VLAN-port binding entry
· MAC-VLAN-port binding entry
· IP-MAC-VLAN-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address, source MAC address and VLAN tag) of the packet and then looks them up in the binding entries of the IP source guard. If there is a match, the port forwards the packet; otherwise, the port discards the packet, as shown in Figure 1. IP source guard binding entries are on a per-port basis. After a binding entry is configured on a port, it is effective only on the port.
Figure 1 Diagram for the IP source guard function
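The lookup in Figure 1, modelled as an added Python example (not the switch firmware or any vendor code): an entry is bound to one port, an attribute left out of the entry is not checked, which gives the six entry types listed above, and dynamic_binding shows which attributes the ip check source mode keeps from a snooping or relay entry. The Device B bindings are constructed from the static IPv4 example later in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def norm_mac(mac: str) -> str:
    """Canonicalise 'hhhh-hhhh-hhhh' (switch notation), colon or dot MACs to 12 hex digits."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return digits


def norm_ip(ip: str) -> str:
    """Canonicalise an IPv4/IPv6 literal so that '2001::1' and '2001:0:0:0::1' compare equal."""
    return str(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class Binding:
    """One IP source guard binding entry; None fields are not part of the key."""
    port: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    """The key attributes the port extracts from a received packet."""
    ingress_port: str
    src_ip: str
    src_mac: str
    vlan: int


def entry_matches(entry: Binding, pkt: Packet) -> bool:
    """A packet matches when every attribute present in the entry equals the packet's."""
    if entry.port != pkt.ingress_port:
        return False
    if entry.ip is not None and norm_ip(entry.ip) != norm_ip(pkt.src_ip):
        return False
    if entry.mac is not None and norm_mac(entry.mac) != norm_mac(pkt.src_mac):
        return False
    if entry.vlan is not None and entry.vlan != pkt.vlan:
        return False
    return True


def guard_forwards(bindings: List[Binding], pkt: Packet) -> bool:
    """Figure 1: forward (True) on the first matching entry, otherwise discard (False)."""
    return any(entry_matches(b, pkt) for b in bindings)


DYNAMIC_MODES = ("ip-address", "ip-address mac-address", "mac-address")


def dynamic_binding(port: str, snoop_ip: str, snoop_mac: str, snoop_vlan: int, mode: str) -> Binding:
    """Project a DHCP snooping / DHCP relay / ND snooping entry into the binding that the
    'ip check source { ip-address | ip-address mac-address | mac-address }' mode keeps.
    Assumption: the VLAN recorded by snooping is always carried into the entry."""
    if mode not in DYNAMIC_MODES:
        raise ValueError(f"unknown ip check source mode: {mode}")
    keep_ip = "ip-address" in mode
    keep_mac = "mac-address" in mode
    return Binding(port, snoop_ip if keep_ip else None, snoop_mac if keep_mac else None, snoop_vlan)


# Constructed sample: the two Device B ports of the static IPv4 example.
DEVICE_B = [
    Binding("GE1/0/2", ip="192.168.0.1", mac="0001-0203-0406"),  # IP-MAC-port entry
    Binding("GE1/0/1", ip="192.168.0.2"),                        # IP-port entry
]

if __name__ == "__main__":
    host_a = Packet("GE1/0/2", "192.168.0.1", "0001-0203-0406", 1)
    wrong_mac = Packet("GE1/0/2", "192.168.0.1", "0001-0203-0499", 1)
    print(guard_forwards(DEVICE_B, host_a), guard_forwards(DEVICE_B, wrong_mac))  # True False
```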
IP source guard binding
An IP source guard binding entry can be static or dynamic.
Static IP source guard binding
A static IP source guard binding entry is configured manually. It is suitable for scenarios where only a few hosts exist in a LAN and their IP addresses are manually configured. For example, you can configure a static binding entry on a port that connects a server, allowing the port to receive packets from and send packets to only the server.
· Static IPv4 source guard binding filters IPv4 packets received by the port or checks the validity of users by cooperating with the ARP detection feature.
· Static IPv6 source guard binding filters IPv6 packets received by the port or checks the validity of users by cooperating with the ND detection feature.
NOTE:
· For information about ARP detection, see the chapter “ARP attack protection configuration.”
· For information about ND detection, see the chapter “ND attack defense configuration.”
Dynamic IP source guard binding
Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP snooping or DHCP relay agent device. They are suitable for scenarios where many hosts reside in a LAN and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the client entry to allow the client to access the network. A user using an IP address not obtained through DHCP cannot access the network. Dynamic IPv6 source guard entries can also be obtained from client entries on the ND snooping device.
· Dynamic IPv4 source guard binding generates IPv4 source guard binding entries dynamically based on DHCP snooping or DHCP relay entries to filter IPv4 packets received on a port.
· Dynamic IPv6 source guard binding generates IPv6 source guard binding entries dynamically based on DHCPv6 snooping or ND snooping entries to filter IPv6 packets received on a port.
NOTE: For information about DHCP snooping, DHCP relay, DHCPv6 snooping, and ND snooping, see the Layer 3 Configuration Guide.
Configuring IPv4 source guard binding
NOTE: You cannot configure the IP source guard function on a port in an aggregation group, nor can you add a port configured with IP source guard to an aggregation group.
Configuring a static IPv4 source guard binding entry
Follow these steps to configure a static IPv4 source guard binding entry:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view | interface interface-type interface-number | — |
Configure a static IPv4 source guard binding entry | user-bind { ip-address ip-address \| ip-address ip-address mac-address mac-address \| mac-address mac-address } [ vlan vlan-id ] | Required. No static IPv4 source guard binding entry exists by default. A static source guard binding entry can be configured only on Ethernet ports. |
NOTE:
· You cannot configure the same static binding entry on one port multiple times, but you can configure the same static entry on different ports.
· In an IPv4 source guard binding entry, the MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address, and the IPv4 address must be a Class A, B, or C address and cannot be all 0s or a loopback address (127.x.x.x).
Configuring the dynamic IPv4 source guard binding function
After the dynamic IPv4 source guard binding function is enabled on a port, IP source guard generates binding entries dynamically through cooperation with DHCP protocols:
· On an Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly.
· On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across network segments, and generates IP source guard entries accordingly.
Dynamic IPv4 source guard entries can contain such information as MAC address, IP address, VLAN tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address, IP address, or VLAN tag information may not be included depending on your configuration. IP source guard applies these entries to the port to filter packets.
Follow these steps to configure the dynamic IPv4 source guard binding function:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view | interface interface-type interface-number | — |
Configure the dynamic IPv4 source guard binding function | ip check source { ip-address \| ip-address mac-address \| mac-address } | Required. Not configured by default. |
NOTE:
· To implement dynamic IPv4 source guard binding in IP source guard, make sure that DHCP snooping or DHCP relay is configured and works normally. For information about DHCP snooping configuration and DHCP relay configuration, see the Layer 3 Configuration Guide.
· If you configure dynamic IPv4 source guard binding on a port multiple times, only the last configuration takes effect.
Configuring IPv6 source guard binding
NOTE: You cannot configure the IP source guard function on a port in an aggregation group, nor can you add a port configured with IP source guard to an aggregation group.
Configuring a static IPv6 source guard binding entry
Follow these steps to configure a static IPv6 source guard binding entry:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view | interface interface-type interface-number | — |
Configure a static IPv6 source guard binding entry | user-bind ipv6 { ip-address ipv6-address \| ip-address ipv6-address mac-address mac-address \| mac-address mac-address } [ vlan vlan-id ] | Required. No static IPv6 source guard binding entry exists by default. |
NOTE:
· You cannot configure the same static binding entry on one port repeatedly, but you can configure the same static binding entry on different ports.
· In an IPv6 source guard binding entry, the MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address, and the IPv6 address must be a unicast address and cannot be all 0s, all Fs, or a loopback address.
· When the ND detection function is configured, be sure to specify the VLAN where ND detection is configured in static binding entries. Otherwise, ND packets will be discarded because they cannot match any static IPv6 binding entry.
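An added pre-check (not vendor code) for the address constraints in this note and in the corresponding IPv4 note under "Configuring a static IPv4 source guard binding entry": it reports every rule a proposed user-bind entry would break before the command is typed on the device. Detecting a multicast MAC by the I/G bit of the first octet and treating first octets of 224 and above as outside Class A, B, and C are my assumptions about how the stated rules map to address bits.

```python
import ipaddress
from typing import List, Optional


def _mac_digits(mac: str) -> Optional[str]:
    """Accept 'hhhh-hhhh-hhhh', colon or dot notation; return 12 hex digits or None."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits


def mac_errors(mac: str) -> List[str]:
    d = _mac_digits(mac)
    if d is None:
        return [f"malformed MAC address {mac!r}"]
    if d == "0" * 12:
        return ["MAC address cannot be all 0s"]
    if d == "f" * 12:
        return ["MAC address cannot be the broadcast address (all Fs)"]
    if int(d[:2], 16) & 0x01:  # assumption: I/G bit set in the first octet = group (multicast)
        return ["MAC address cannot be a multicast address"]
    return []


def ipv4_errors(ip: str) -> List[str]:
    try:
        addr = int(ipaddress.IPv4Address(ip))
    except ValueError:
        return [f"malformed IPv4 address {ip!r}"]
    first_octet = addr >> 24
    if addr == 0:
        return ["IPv4 address cannot be all 0s"]
    if first_octet == 127:
        return ["IPv4 address cannot be a loopback address (127.x.x.x)"]
    if first_octet >= 224:  # assumption: Class D (multicast) and Class E (reserved) start here
        return ["IPv4 address must be a Class A, B or C address"]
    return []


def ipv6_errors(ip: str) -> List[str]:
    try:
        addr = ipaddress.IPv6Address(ip)
    except ValueError:
        return [f"malformed IPv6 address {ip!r}"]
    if int(addr) == 0:
        return ["IPv6 address cannot be all 0s (::)"]
    if int(addr) == (1 << 128) - 1:
        return ["IPv6 address cannot be all Fs"]
    if addr.is_loopback:
        return ["IPv6 address cannot be the loopback address (::1)"]
    if addr.is_multicast:
        return ["IPv6 address must be a unicast address"]
    return []


def static_entry_errors(ip: Optional[str] = None, mac: Optional[str] = None,
                        ipv6: bool = False) -> List[str]:
    """Collect every violation for a proposed 'user-bind' (ipv6=False) or
    'user-bind ipv6' (ipv6=True) entry. An empty list means the entry is acceptable."""
    if ip is None and mac is None:
        return ["an entry needs an IP address, a MAC address, or both"]
    errs: List[str] = []
    if ip is not None:
        errs += ipv6_errors(ip) if ipv6 else ipv4_errors(ip)
    if mac is not None:
        errs += mac_errors(mac)
    return errs


if __name__ == "__main__":
    # Constructed inputs: the entries from this chapter's examples plus a rejected one.
    print(static_entry_errors(ip="192.168.0.3", mac="0001-0203-0405"))        # []
    print(static_entry_errors(ip="2001::1", mac="0001-0202-0202", ipv6=True))  # []
    print(static_entry_errors(ip="127.0.0.1", mac="ffff-ffff-ffff"))          # two errors
```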
Configuring the dynamic IPv6 source guard binding function
With the dynamic IPv6 source guard binding function enabled on a port, IP source guard dynamically generates IP source guard entries through cooperation with DHCP snooping or ND snooping.
· Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard entries based on the DHCPv6 snooping entries that are generated during dynamic IP address allocation.
· Cooperating with ND snooping, IP source guard dynamically generates IP source guard entries based on dynamic ND snooping entries.
Dynamic IPv6 source guard entries can contain such information as MAC address, IPv6 address, VLAN tag, ingress port information and entry type (DHCPv6 snooping or ND snooping), where the MAC address, IPv6 address, and/or VLAN tag information may not be included depending on your configuration. IP source guard applies these entries to the port, so that the port can filter packets accordingly.
Follow these steps to configure the dynamic IPv6 source guard binding function:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter interface view | interface interface-type interface-number | — |
Configure the dynamic IPv6 source guard binding function | ip check source ipv6 { ip-address \| ip-address mac-address \| mac-address } | Required. Not configured by default. |
NOTE:
· To implement dynamic IPv6 source guard binding, make sure that DHCPv6 snooping or ND snooping is configured and works normally. For DHCPv6 snooping and ND snooping configuration information, see the Layer 3 Configuration Guide.
· If you configure dynamic IPv6 source guard binding on a port multiple times, the last configuration overwrites the previous configuration on the port.
· If you configure both ND snooping and DHCPv6 snooping on the device, IP source guard generates IP source guard entries based on the DHCPv6 snooping entries, which are usually generated first, to filter packets on a port.
Displaying and maintaining IP source guard
For IPv4:
To do… | Use the command… | Remarks |
---|---|---|
Display static IP source guard binding entries | display user-bind [ interface interface-type interface-number \| ip-address ip-address \| mac-address mac-address ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display dynamic IP source guard binding entries | display ip check source [ interface interface-type interface-number \| ip-address ip-address \| mac-address mac-address ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
For IPv6:
To do… | Use the command… | Remarks |
---|---|---|
Display static IPv6 source guard binding entries | display user-bind ipv6 [ interface interface-type interface-number \| ip-address ip-address \| mac-address mac-address ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display dynamic IPv6 source guard binding entries | display ip check source ipv6 [ interface interface-type interface-number \| ip-address ip-address \| mac-address mac-address ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
IP source guard configuration examples
Static IPv4 source guard binding entry configuration example
Network requirements
As shown in Figure 2, Host A and Host B are connected to ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1 of Device B respectively, Host C is connected to port GigabitEthernet 1/0/2 of Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A. All hosts use static IP addresses.
Configure static IPv4 source guard binding entries on Device A and Device B to meet the following requirements:
· On port GigabitEthernet 1/0/2 of Device A, only IP packets from Host C can pass.
· On port GigabitEthernet 1/0/1 of Device A, only IP packets from Host A can pass.
· On port GigabitEthernet 1/0/2 of Device B, only IP packets from Host A can pass.
· On port GigabitEthernet 1/0/1 of Device B, only IP packets sourced from 192.168.0.2/24 can pass.
Figure 2 Network diagram for configuring static IPv4 source guard binding entries
Configuration procedure
1. Configure Device A
# Configure port GigabitEthernet 1/0/2 of Device A to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
[DeviceA-GigabitEthernet1/0/2] quit
# Configure port GigabitEthernet 1/0/1 of Device A to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-GigabitEthernet1/0/1] quit
2. Configure Device B
# Configure port GigabitEthernet 1/0/2 of Device B to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceB-GigabitEthernet1/0/2] quit
# Configure port GigabitEthernet 1/0/1 of Device B to allow only IP packets with the source IP address of 192.168.0.2 to pass.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.2
[DeviceB-GigabitEthernet1/0/1] quit
Verification
# On Device A, display information about static IPv4 source guard binding entries. The output shows that the static IPv4 source guard binding entries are configured successfully.
[DeviceA] display user-bind
Total entries found: 2
MAC Address IP Address VLAN Interface Type
0001-0203-0405 192.168.0.3 N/A GE1/0/2 Static
0001-0203-0406 192.168.0.1 N/A GE1/0/1 Static
# On Device B, display information about static IPv4 source guard binding entries. The output shows that the static IPv4 source guard binding entries are configured successfully.
[DeviceB] display user-bind
Total entries found: 2
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.1 N/A GE1/0/2 Static
N/A 192.168.0.2 N/A GE1/0/1 Static
Dynamic IPv4 source guard binding by DHCP snooping configuration example
Network requirements
As shown in Figure 3, the device connects to the host (client) and the DHCP server through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. The host obtains an IP address from the DHCP server.
Enable DHCP snooping on the device to record the DHCP snooping entry of the host. Enable the dynamic IPv4 source guard binding function on the device’s port GigabitEthernet 1/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.
NOTE: For information about DHCP server configuration, see the Layer 3 Configuration Guide.
Figure 3 Network diagram for configuring dynamic IPv4 source guard binding by DHCP snooping
Configuration procedure
1. Configure DHCP snooping
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dhcp-snooping trust
[Device-GigabitEthernet1/0/2] quit
2. Configure the dynamic IPv4 source guard binding function
# Configure the dynamic IPv4 source guard binding function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip check source ip-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verification
# Display the IPv4 source guard binding entries generated on port GigabitEthernet 1/0/1.
[Device] display ip check source
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.1 1 GE1/0/1 DHCP-SNP
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 1/0/1.
[Device] display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.1 0001-0203-0406 86335 1 GigabitEthernet1/0/1
The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry.
Dynamic IPv4 source guard binding by DHCP relay configuration example
Network requirements
As shown in Figure 4, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP server through DHCP relay.
Enable the dynamic IPv4 source guard binding function on the switch’s VLAN-interface 100 to filter packets based on the DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to pass.
Figure 4 Network diagram for configuring dynamic IPv4 source guard binding through DHCP relay
Configuration procedure
1. Configure the dynamic IPv4 source guard binding function
# Configure the IP addresses of the interfaces. (Details not shown)
# Configure the dynamic IPv4 source guard binding function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
<Switch> system-view
[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip check source ip-address mac-address
[Switch-Vlan-interface100] quit
2. Configure DHCP relay
# Enable DHCP relay.
[Switch] dhcp enable
# Configure the IP address of the DHCP server.
[Switch] dhcp relay server-group 1 ip 10.1.1.1
# Configure VLAN-interface 100 to work in DHCP relay mode.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] dhcp select relay
# Correlate VLAN-interface 100 with DHCP server group 1.
[Switch-Vlan-interface100] dhcp relay server-select 1
[Switch-Vlan-interface100] quit
Verification
# Display the generated IPv4 source guard binding entries.
[Switch] display ip check source
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.1 100 Vlan100 DHCP-RLY
Static IPv6 source guard binding entry configuration example
Network requirements
As shown in Figure 5, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard binding entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.
Figure 5 Network diagram for configuring static IPv6 source guard binding entries
Configuration procedure
# Configure port GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] user-bind ipv6 ip-address 2001::1 mac-address 0001-0202-0202
[Device-GigabitEthernet1/0/1] quit
Verification
# On Device, display the information about static IPv6 source guard binding entries. The output shows that the binding entry is configured successfully.
[Device] display user-bind ipv6
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0202-0202 2001::1 N/A GE1/0/1 Static-IPv6
Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example
Network requirements
As shown in Figure 6, the host (DHCPv6 client) and the DHCPv6 server are connected to the device through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively.
Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IP address through the DHCPv6 server and the IPv6 address and MAC address of the host can be recorded in a DHCPv6 snooping entry.
Enable the dynamic IPv6 source guard binding function on the device’s port GigabitEthernet 1/0/1 to filter packets based on DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through the DHCPv6 server to pass.
Figure 6 Network diagram for configuring dynamic IPv6 source guard binding by DHCPv6 snooping
Configuration procedure
1. Configure DHCPv6 snooping
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit
# Configure the port connecting to the DHCP server as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
2. Configure the dynamic IPv6 source guard binding function
# Configure dynamic IPv6 source guard binding of packet source IP address and MAC address on GigabitEthernet 1/0/1 to filter packets based on the dynamically generated DHCPv6 snooping entries.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verification
# Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1.
[Device] display ip check source ipv6
Total entries found: 1
MAC Address IP Address VLAN Interface Type
040a-0000-0001 2001::1 2 GE1/0/1 DHCPv6-SNP
# Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 dhcp snooping user-binding dynamic
IP Address MAC Address Lease VLAN Interface
============================== ============== ========== ==== ==================
2001::1 040a-0000-0001 286 2 GigabitEthernet1/0/1
--- 1 DHCPv6 snooping item(s) found ---
The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the DHCPv6 snooping entry.
Dynamic IPv6 source guard binding by ND snooping configuration example
Network requirements
The client is connected to the device through port GigabitEthernet 1/0/1.
Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages.
Enable the dynamic IPv6 source guard binding function on port GigabitEthernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.
Figure 7 Network diagram for configuring dynamic IPv6 source guard binding by ND snooping
Configuration procedure
1. Configure ND snooping
# In VLAN 2, enable ND snooping.
<Device> system-view
[Device] vlan 2
[Device-vlan2] ipv6 nd snooping enable
[Device-vlan2] quit
2. Configure the dynamic IPv6 source guard binding function
# Configure dynamic IPv6 source guard binding of packet source IP address and MAC address on GigabitEthernet 1/0/1 to filter packets based on the dynamically generated ND snooping entries.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verification
# Display the IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1.
[Device] display ip check source ipv6
Total entries found: 1
MAC Address IP Address VLAN Interface Type
040a-0000-0001 2001::1 2 GE1/0/1 ND-SNP
# Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 nd snooping
IPv6 Address MAC Address VID Interface Aging Status
2001::1 040a-0000-0001 2 GE1/0/1 25 Bound
---- Total entries: 1 ----
The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the ND snooping entry.
Troubleshooting IP source guard
Neither static binding entries nor the dynamic binding function can be configured
Symptom
Failed to configure static binding entries or the dynamic binding function on a port.
Analysis
IP source guard is not supported on a port in an aggregation group.
Solution
Remove the port from the aggregation group.