H3C S3610 Series, S5510 Series Operating instructions

Operation Manual – IP Source Guard
H3C S3610&S5510 Series Ethernet Switches

Table of Contents
Chapter 1 IP Source Guard Configuration  1-1
  1.1 IP Source Guard Overview  1-1
  1.2 Configuring a Static Binding Entry  1-1
  1.3 Configuring Port Filtering  1-2
  1.4 Displaying IP Source Guard  1-2
  1.5 IP Source Guard Configuration Examples  1-3
    1.5.1 Static Binding Entry Configuration Example  1-3
    1.5.2 Port Filtering Configuration Example  1-5
  1.6 Troubleshooting  1-6
    1.6.1 Failed to Configure Static Binding Entries and Port Filtering  1-6
Chapter 1 IP Source Guard Configuration
When configuring IP Source Guard, go to these sections for the information you are interested in:
• IP Source Guard Overview
• Configuring a Static Binding Entry
• Configuring Port Filtering
• Displaying IP Source Guard
• IP Source Guard Configuration Examples
• Troubleshooting
1.1 IP Source Guard Overview
IP source guard filters packets on a per-port basis: packets with illegal source IP addresses or source MAC addresses are dropped instead of being forwarded, which improves network security.
IP source guard filters packets based on two types of binding entries:
• IP-port binding entry: a port permits packets whose source IP address matches one of its IP-port binding entries.
• MAC-IP-port binding entry: a port permits packets whose source MAC address and source IP address pair matches one of its MAC-IP-port binding entries.
All other packets are denied.
Caution:
IP source guard and aggregation group configuration are mutually exclusive.
1.2 Configuring a Static Binding Entry
Follow these steps to configure a static binding entry:
To do…                             Use the command…                                              Remarks
=================================  ============================================================  ====================================================
Enter system view                  system-view
Enter interface view               interface interface-type interface-number
Configure a static binding entry   user-bind ip-address ip-address [ mac-address mac-address ]   Required. No static binding entry exists by default.
Note:
• The system does not support binding the same binding entry to one port more than once. A binding entry can, however, be configured on multiple ports.
• In a valid binding entry, the MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address, and the IP address must be a Class A, Class B, or Class C address and can be neither 127.x.x.x nor 0.0.0.0.
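The filtering decision of sections 1.1 and 1.2, modelled as an added example (not code from the manual or from the switch software): the binding-entry validity checks from the Note above and the per-port permit/deny rule, applied to Switch A's static entries from example 1.5.1. How a port with no entries at all behaves is an assumption and is marked as such in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: Optional[str] = None  # None: IP-port entry; set: MAC-IP-port entry

def normalize_mac(mac: str) -> str:
    """Accept H3C style 0001-0203-0405 or 00-01-02-03-04-05; return 12 hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return digits

def binding_is_valid(b: Binding) -> bool:
    """Section 1.2 restrictions: the MAC may not be all 0s, all Fs or multicast;
    the IP must be class A, B or C and neither 127.x.x.x nor 0.0.0.0."""
    try:
        ip = int(ipaddress.IPv4Address(b.ip))
    except ValueError:
        return False
    first_octet = ip >> 24
    if first_octet >= 224 or first_octet == 127 or ip == 0:
        return False  # class D/E, loopback or the unspecified address
    if b.mac is not None:
        m = normalize_mac(b.mac)
        # the I/G bit (low bit of the first octet) marks multicast; all Fs is broadcast
        if m in ("000000000000", "ffffffffffff") or int(m[:2], 16) & 1:
            return False
    return True

def port_permits(bindings: List[Binding], src_ip: str, src_mac: str) -> bool:
    """A port with binding entries forwards a packet only if its source matches one
    of them (a MAC-IP-port entry must match both fields); all others are denied."""
    if not bindings:
        return True  # assumption: a port with no entries is not filtered at all
    mac = normalize_mac(src_mac)
    for b in bindings:
        if b.ip == src_ip and (b.mac is None or normalize_mac(b.mac) == mac):
            return True
    return False

# Static bindings of Switch A from example 1.5.1 (constructed from the page's procedure).
SWITCH_A: Dict[str, List[Binding]] = {
    "Ethernet1/0/1": [Binding("192.168.0.1", "0001-0203-0406")],
    "Ethernet1/0/2": [Binding("192.168.0.3", "0001-0203-0405")],
}
```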
1.3 Configuring Port Filtering
Port filtering allows IP source guard to filter packets based on the MAC-IP-port binding
entries created and maintained by DHCP snooping.
Follow these steps to configure port filtering:
To do…                     Use the command…                             Remarks
=========================  ===========================================  ====================================
Enter system view          system-view
Enter interface view       interface interface-type interface-number
Configure port filtering   ip check source ip-address [ mac-address ]   Required. Not configured by default.
1.4 Displaying IP Source Guard
To do…                                             Use the command…                                     Remarks
=================================================  ===================================================  =====================
Display information about static binding entries   display user-bind [ interface interface-type         Available in any view
                                                   interface-number | ip-address ip-address |
                                                   mac-address mac-address ]
Display information about dynamic binding entries  display ip check source [ interface interface-type   Available in any view
                                                   interface-number | ip-address ip-address |
                                                   mac-address mac-address ]
1.5 IP Source Guard Configuration Examples
1.5.1 Static Binding Entry Configuration Example
I. Network requirements
As shown in Figure 1-1, switches A and B and Hosts A, B and C are on an Ethernet.
Host A and Host B are connected to ports Ethernet 1/0/1 and Ethernet 1/0/2 of Switch B
respectively, Host C is connected to port Ethernet 1/0/1 of Switch A, while Switch B is
connected to port Ethernet 1/0/2 of Switch A.
Detailed requirements are as follows:
• On port Ethernet 1/0/2 of Switch A, only IP packets with the source MAC address 00-01-02-03-04-05 and the source IP address 192.168.0.3 can pass.
• On port Ethernet 1/0/1 of Switch A, only IP packets with the source MAC address 00-01-02-03-04-06 and the source IP address 192.168.0.1 can pass.
• On port Ethernet 1/0/1 of Switch B, only IP packets with the source MAC address 00-01-02-03-04-06 and the source IP address 192.168.0.1 can pass.
• On port Ethernet 1/0/2 of Switch B, only IP packets with the source MAC address 00-01-02-03-04-07 and the source IP address 192.168.0.2 can pass.
II. Network diagram
Figure 1-1 Network diagram for configuring static binding entries
III. Configuration procedure
1) Configure Switch A
# Configure the IP addresses of various interfaces (omitted).
# Configure port Ethernet 1/0/2 of Switch A to allow only IP packets with the source
MAC address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 to pass.
<SwitchA> system-view
[SwitchA] interface ethernet 1/0/2
[SwitchA-Ethernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
[SwitchA-Ethernet1/0/2] quit
# Configure port Ethernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
[SwitchA] interface ethernet 1/0/1
[SwitchA-Ethernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
2) Configure Switch B
# Configure the IP addresses of various interfaces (omitted).
# Configure port Ethernet 1/0/1 of Switch B to allow only IP packets with the source
MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
<SwitchB> system-view
[SwitchB] interface ethernet 1/0/1
[SwitchB-Ethernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
[SwitchB-Ethernet1/0/1] quit
# Configure port Ethernet 1/0/2 of Switch B to allow only IP packets with the source MAC address of 00-01-02-03-04-07 and the source IP address of 192.168.0.2 to pass.
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] user-bind ip-address 192.168.0.2 mac-address 0001-0203-0407
3) Verify the configuration
# On Switch A, static binding entries are configured successfully.
<SwitchA> display user-bind
The Following User address bind have been configured:
Mac IP Port Status
0001-0203-0405 192.168.0.3 Ethernet1/0/2 Static
0001-0203-0406 192.168.0.1 Ethernet1/0/1 Static
-------------2 bind entries queried, 2 listed------------
# On Switch B, static binding entries are configured successfully.
<SwitchB> display user-bind
The Following User address bind have been configured:
Mac IP Port Status
0001-0203-0406 192.168.0.1 Ethernet1/0/1 Static
0001-0203-0407 192.168.0.2 Ethernet1/0/2 Static
-------------2 bind entries queried, 2 listed------------
1.5.2 Port Filtering Configuration Example
I. Network requirements
Switch A connects to Client A and the DHCP Server through Ethernet 1/0/1 and
Ethernet 1/0/2 respectively. DHCP Snooping is enabled on Switch A.
Detailed requirements are as follows:
• Client A, with the MAC address 00-01-02-03-04-06, obtains an IP address from the DHCP server.
• On Switch A, create the DHCP snooping entry for Client A.
• Enable port filtering on port Ethernet 1/0/1 of Switch A so that clients using forged source IP addresses cannot attack the DHCP server.
Note:
For detailed configuration of DHCP Server, refer to DHCP Configuration in this manual.
II. Network diagram
Figure 1-2 Network diagram for configuring port filtering
III. Configuration procedure
1) Configure Switch A
# Configure port filtering on port Ethernet 1/0/1.
<SwitchA> system-view
[SwitchA] interface ethernet1/0/1
[SwitchA-Ethernet1/0/1] ip check source ip-address mac-address
[SwitchA-Ethernet1/0/1] quit
# Enable DHCP snooping on Switch A.
[SwitchA] dhcp-snooping
# Configure port Ethernet 1/0/2 connected to the DHCP server as a trusted port.
[SwitchA] interface ethernet1/0/2
[SwitchA-Ethernet1/0/2] dhcp-snooping trust
[SwitchA-Ethernet1/0/2] quit
2) Verify the configuration
# Port filtering is configured successfully on port Ethernet 1/0/1.
[SwitchA] interface ethernet1/0/1
[SwitchA-Ethernet1/0/1] display this
#
interface Ethernet1/0/1
ip check source ip-address mac-address
#
return
# Display the dynamic binding entries that port Ethernet 1/0/1 has obtained from DHCP
Snooping.
<SwitchA> display ip check source
The Following User address bind have been configured:
Mac IP Port Status
0001-0203-0406 192.168.0.1 Ethernet 1/0/1 Dynamic
-------------1 bind entries queried, 1 listed------------
# Display the dynamic entries of DHCP snooping and check that they are identical to the dynamic entries that port Ethernet 1/0/1 has obtained.
<SwitchA> display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.1 0001-0203-0406 86335 1 Ethernet1/0/1
As shown above, port Ethernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping once port filtering is configured on it.
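An added example (not part of the manual) that automates the comparison made in this verification step: it parses the two display outputs above, copied here as constructed sample input, and reports any DHCP snooping entry for the port that is missing from the port's dynamic binding entries. The port spelling with a space ("Ethernet 1/0/1") in the first output is normalised before the comparison.

```python
from typing import Set, Tuple

# Output of the two display commands from example 1.5.2, copied from the manual and
# embedded here as constructed sample input.
IP_CHECK_SOURCE_OUTPUT = """\
The Following User address bind have been configured:
Mac IP Port Status
0001-0203-0406 192.168.0.1 Ethernet 1/0/1 Dynamic
-------------1 bind entries queried, 1 listed------------
"""

DHCP_SNOOPING_OUTPUT = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.1 0001-0203-0406 86335 1 Ethernet1/0/1
"""

Entry = Tuple[str, str, str]  # (mac, ip, port), port written without spaces

def parse_ip_check_source(text: str) -> Set[Entry]:
    """Rows look like 'MAC IP Port Status'; the port may contain a space
    ('Ethernet 1/0/1'), so read the status from the right and join the rest."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[-1] in ("Static", "Dynamic"):
            entries.add((tokens[0], tokens[1], "".join(tokens[2:-1])))
    return entries

def parse_dhcp_snooping(text: str) -> Set[Entry]:
    """Rows look like 'Type IP MAC Lease VLAN Interface'; header and ruler lines
    never start with a D or S type code, so they are skipped."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 6 and tokens[0] in ("D", "S"):
            entries.add((tokens[2], tokens[1], tokens[5]))
    return entries

def missing_on_port(check_source: str, snooping: str, port: str) -> Set[Entry]:
    """Snooping entries for `port` that the port has not picked up as dynamic
    bindings. An empty result is the 'identical' outcome the step expects."""
    wanted = {e for e in parse_dhcp_snooping(snooping) if e[2] == port}
    return wanted - parse_ip_check_source(check_source)
```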
1.6 Troubleshooting
1.6.1 Failed to Configure Static Binding Entries and Port Filtering
I. Symptom
Configuring static binding entries and port filtering fails on a port.
II. Analysis
IP Source Guard is not supported on a port that has joined an aggregation group, so neither static binding entries nor port filtering can be configured on such a port.
III. Solution
Remove the port from the aggregation group.