Login
- Table of Contents
-
- 03-Security Configuration Guide
- 00-Preface
- 01-Security zone configuration
- 02-Security policy configuration
- 03-ASPF configuration
- 04-Session management
- 05-Object group configuration
- 06-Object policy configuration
- 07-IP source guard configuration
- 08-AAA configuration
- 09-User identification configuration
- 10-Password control configuration
- 11-Portal configuration
- 12-MAC authentication configuration
- 13-IPoE configuration
- 14-Public key management
- 15-PKI configuration
- 16-SSH configuration
- 17-SSL configuration
- 18-Connection limit configuration
- 19-Attack detection and prevention configuration
- 20-Server connection detection configuration
- 21-ARP attack protection configuration
- 22-ND attack defense configuration
- 23-uRPF configuration
- 24-IP-MAC binding configuration
- 25-IP reputation configuration
- 26-APR configuration
- 27-Keychain configuration
- 28-Crypto engine configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 24-IP-MAC binding configuration | 133.97 KB |
Contents
Restrictions and guidelines: IP-MAC binding configuration
IP-MAC binding tasks at a glance
Enabling the IP-MAC binding feature on an interface
Manually creating an IP-MAC binding entry
Bulk generating IP-MAC binding entries
Setting the default action for packets that do not match any IP-MAC binding entries
Display and maintenance commands for IP-MAC binding
IP-MAC binding configuration examples
Example: Configuring IPv4-MAC binding
Example: Configuring IPv6-MAC binding
Configuring IP-MAC binding
About IP-MAC binding
The device prevents user spoofing attacks by using an IP-MAC binding table to filter out illegitimate packets with forged source IP addresses or MAC addresses.
Operating mechanism
The IP-MAC binding table contains binding entries that bind IP addresses and MAC addresses. The device uses the binding entries to match an incoming packet.
As shown in Figure 1, all hosts communicate with the IP network through the device. When the device receives a packet, it compares the source IP address and source MAC address in the packet with the IP-MAC binding entries. Table 1 describes the way the device processes the packet based on the match result.
Figure 1 IP-MAC binding application scenario
Table 1 Processing of a packet based on the match result
|
Match result |
Processing of the packet |
|
The packet source IP address and source MAC address match the same IP-MAC binding entry. |
Permits the packet. |
|
Only the source IP address or source MAC address matches a binding entry. |
Drops the packet. |
|
The source IP address and source MAC address match two different binding entries. |
Drops the packet. |
|
Both the source IP address and the source MAC address of a packet match no IP-MAC binding entry. |
Processes the packet based on the default action. By default, the device permits all packets that do not match any binding entries. You can use the ip-mac binding no-match action deny command to set the default action to deny. |
IP-MAC binding entry creation
An IP-MAC binding entry binds an IP address to a MAC address. You can manually create IP-MAC binding entries one by one or generate them in bulk. All binding entries are globally effective.
Manual creation of IP-MAC binding entries
This method is applicable only to networks that do not contain many hosts and in which the hosts are statically assigned IP addresses.
Bulk generation of IP-MAC binding entries
This method is applicable to networks that contain many hosts.
This method allows a device to generate IPv4-MAC binding entries based on ARP entries and create IPv6-MAC binding entries based on ND entries on an interface.
The device generates an IP-MAC binding entry based on an ARP or ND entry as follows:
· If neither the IP address nor the MAC address in the ARP/ND entry exists in the binding table, the device generates a new binding entry. In this situation, the IP address and the MAC address are uniquely bound to each other.
· If the MAC address in the ARP/ND entry exists in the binding table but the IP address does not, the device generates a new binding entry. In this situation, the MAC address is bound to multiple IP addresses.
· If the IP address in the ARP/ND entry exists in the binding table, the device will not generate a new binding entry. This is because an IP address can be bound to only one MAC address.
IP-MAC binding entries generated based on ARP and ND entries are static. Therefore, the binding entries are not updated when the relevant ARP or ND entries change.
Restrictions and guidelines: IP-MAC binding configuration
IP-MAC binding entries are static. Therefore, the IP-MAC binding feature is applicable only to networks where all users are statically assigned IP addresses. Using this feature in a network where all users' IP addresses are dynamically assigned through DHCP might cause communication failure.
A MAC address can be bound to multiple IP addresses. To bind a MAC address in a binding entry to another IP address, use the MAC address and new IP address to create a new binding entry. You can choose to delete the existing binding entry or retain it. An IP address can be bound to only one MAC address. To bind an IP address in a binding entry to another MAC address, you must delete the existing binding entry and then create the new one.
IP-MAC binding tasks at a glance
To configure IP-MAC binding, perform the following tasks:
1. Enabling the IP-MAC binding feature on an interface
2. Configuring IP-MAC binding entries
Choose the options to configure as needed:
¡ Manually creating an IP-MAC binding entry
¡ Bulk generating IP-MAC binding entries
3. Setting the default action for packets that do not match any IP-MAC binding entries
Enabling the IP-MAC binding feature on an interface
About this task
When this feature is enabled on an interface, the device compares the source IP address and source MAC address in incoming packets of the interface with existing IP-MAC binding entries. The packets that do not exactly match any IP-MAC binding entries are dropped.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the IP-MAC binding feature on the interface.
ip-mac binding enable
By default, the IP-MAC binding feature is disabled on an interface.
Manually creating an IP-MAC binding entry
Creating an IP-MAC binding entry
1. Enter system view.
system-view
2. Create an IP-MAC binding entry.
IPv4:
ip-mac binding ipv4 ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]
IPv6:
ip-mac binding ipv6 ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]
By default, no IP-MAC binding entry is configured.
Bulk generating IP-MAC binding entries
About this task
This task allows the device to generate IP-MAC binding entries in bulk based on existing ARP and ND entries on an interface.
Procedure
1. Enter system view.
system-view
2. Bulk generate IP-MAC binding entries.
ip-mac binding interface interface-type interface-number
Setting the default action for packets that do not match any IP-MAC binding entries
About this task
By default, the device permits packets that do not match any IP-MAC binding entries to pass through. This task allows you to set the default action to deny for these packets.
Procedure
1. Enter system view.
system-view
2. Set the default action to deny for packets that do not match any IP-MAC binding entries.
ip-mac binding no-match action deny
By default, the action for packets that do not match any IP-MAC binding entries is permit.
Display and maintenance commands for IP-MAC binding
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display IPv4-MAC binding entries. |
display ip-mac binding ipv4 [ ipv4-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ] |
|
Display IPv6-MAC binding entries. |
display ip-mac binding ipv6 [ ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ] |
|
Display statistics about packets dropped by the IP-MAC binding feature. |
display ip-mac binding statistics [ chassis chassis-number slot slot-number ] |
|
Display the status of the IP-MAC binding feature. |
display ip-mac binding status |
|
Clear statistics about packets dropped by the IP-MAC binding feature. |
reset ip-mac binding statistics [ chassis chassis-number slot slot-number ] |
IP-MAC binding configuration examples
Example: Configuring IPv4-MAC binding
Network configuration
As shown in Figure 2, Host A, Host B, and the server are statically assigned IPv4 addresses. Host A and Host B communicate with the server through the gateway (the device).
Create the following IPv4-MAC binding entries on the device to permit packets only from Host A, Host B, and the server:
· Bind IPv4 address 192.168.0.1 to MAC address 0001-0203-0404 for Host A.
· Bind IPv4 address 192.168.0.2 to MAC address 0001-0203-0405 for Host B.
· Bind IPv4 address 192.168.1.3 to MAC address 0001-0203-0407 for the server.
Procedure
# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)
# Enable the IP-MAC binding feature on GigabitEthernet 1/2/5/1 and GigabitEthernet 1/2/5/2.
<Device> system-view
[Device] interface gigabitethernet 1/2/5/1
[Device-GigabitEthernet1/2/5/1] ip-mac binding enable
[Device-GigabitEthernet1/2/5/1] quit
[Device] interface gigabitethernet 1/2/5/2
[Device-GigabitEthernet1/2/5/2] ip-mac binding enable
[Device-GigabitEthernet1/2/5/2] quit
# Create IPv4-MAC binding entries to permit packets only from Host A, Host B, and the server.
[Device] ip-mac binding ip 192.168.0.1 mac-address 0001-0203-0404
[Device] ip-mac binding ip 192.168.0.2 mac-address 0001-0203-0405
[Device] ip-mac binding ip 192.168.1.3 mac-address 0001-0203-0407
# Set the default action to deny for packets that do not match any IP-MAC binding entries.
[Device] ip-mac binding no-match action deny
Verifying the configuration
# Display IPv4-MAC binding entries.
<Device> display ip-mac binding ipv4
Total entries: 1
IP address MAC address VPN instance VLAN ID
192.168.0.1 0001-0203-0404 public N/A
192.168.0.2 0001-0203-0405 public N/A
192.168.1.3 0001-0203-0407 public N/A
# Ping the server from Host C.
C:\> ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The ping requests timed out, which indicates that the requests are blocked by the device.
Example: Configuring IPv6-MAC binding
Network configuration
As shown in Figure 3, Host A, Host B, and the server are statically assigned IPv6 addresses. Host A and Host B communicate with the server through the gateway (the device).
Create the following IPv6-MAC binding entries on the device to permit packets only from Host A, Host B, and the server:
· Bind IPv6 address 2000::1/64 to MAC address 0001-0203-0404 for Host A.
· Bind IPv6 address 2000::2/64 to MAC address 0001-0203-0405 for Host B.
· Bind IPv6 address 2001::3/64 to MAC address 0001-0203-0407 for the server.
Procedure
# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)
# Enable the IP-MAC binding feature on GigabitEthernet 1/2/5/1 and GigabitEthernet 1/2/5/2.
<Device> system-view
[Device] interface gigabitethernet 1/2/5/1
[Device-GigabitEthernet1/2/5/1] ip-mac binding enable
[Device-GigabitEthernet1/2/5/1] quit
[Device] interface gigabitethernet 1/2/5/2
[Device-GigabitEthernet1/2/5/2] ip-mac binding enable
[Device-GigabitEthernet1/2/5/2] quit
# Create IPv6-MAC binding entries to permit packets only from Host A, Host B, and the server.
[Device] ip-mac binding ipv6 2000::1 mac-address 0001-0203-0404
[Device] ip-mac binding ipv6 2000::2 mac-address 0001-0203-0405
[Device] ip-mac binding ipv6 2001::3 mac-address 0001-0203-0407
# Set the default action to deny for packets that do not match any IP-MAC binding entries.
[Device] ip-mac binding no-match action deny
Verifying the configuration
# Display IPv6-MAC binding entries.
<Device> display ip-mac binding ipv6
Total entries: 1
IP address MAC address VPN instance VLAN ID
2000::1 0001-0203-0404 public N/A
2000::2 0001-0203-0405 public N/A
2001::3 0001-0203-0407 public N/A
# Ping the server from Host C.
C:\> ping 2001::3
Pinging 2001::3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 2001::3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The ping requests timed out, which indicates that the requests are blocked by the device.
