Global static IP source guard configuration
Network requirements
Device A is a distribution layer device. Device B is an access device. Host A in VLAN 10 and Host B in VLAN 20 communicate with each other through Device A.
Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A and Host B.
Configure Device B to forward packets of Host A and Host B normally.
Figure 115: Network diagram
Configuration procedure
# Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] port gigabitethernet 1/0/2
[DeviceB-vlan10] quit
# Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] port gigabitethernet 1/0/3
[DeviceB-vlan20] quit
# Configure the link type of GigabitEthernet 1/0/1 as trunk, and permit packets of VLAN 10 and VLAN 20 to pass the port.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 10 20
[DeviceB-GigabitEthernet1/0/1] quit
# Enable IPv4 source guard on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/3] quit
# Configure global static IP binding entries to prevent attack packets that exploit the IP address or MAC address of Host A and Host B from being forwarded.
[DeviceB] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0406
[DeviceB] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0407
Verifying the configuration
# Display static IPv4 binding entries on Device B.
[DeviceB] display ip source binding static
Total entries found: 2
 MAC Address      IP Address     VLAN  Interface  Type
 0001-0203-0406   192.168.0.2    N/A   N/A        Static
 0001-0203-0407   192.168.1.2    N/A   N/A        Static
After the configurations, Host A and Host B can ping each other successfully.
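The check in "Verifying the configuration" can be automated by comparing the display output with the intended bindings. The following is an added example, not part of the original document; it assumes the output has been captured as text with one table row per line, and the function names parse_bindings and audit are hypothetical.

```python
import re

# Intended IP -> MAC bindings, taken from the configuration procedure above.
EXPECTED = {"192.168.0.2": "0001-0203-0406", "192.168.1.2": "0001-0203-0407"}

# The display output shown on this page, laid out one row per line.
PAGE_OUTPUT = """\
Total entries found: 2
 MAC Address      IP Address     VLAN  Interface  Type
 0001-0203-0406   192.168.0.2    N/A   N/A        Static
 0001-0203-0407   192.168.1.2    N/A   N/A        Static
"""
# Constructed sample: the same table with Host B's MAC address altered.
DRIFTED = PAGE_OUTPUT.replace("0001-0203-0407", "0001-0203-04FF")

# A table row: MAC (xxxx-xxxx-xxxx), IPv4 address, VLAN, interface, type.
ROW = re.compile(r"^\s*([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})"
                 r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+\S+\s*$")
TOTAL = re.compile(r"Total entries found:\s*(\d+)")

def parse_bindings(output):
    """Return (total from the header line or None, {ip: mac} from the rows)."""
    total, rows = None, {}
    for line in output.splitlines():
        header = TOTAL.search(line)
        row = ROW.match(line)
        if header:
            total = int(header.group(1))
        elif row:
            rows[row.group(2)] = row.group(1).lower()
    return total, rows

def audit(output, expected=EXPECTED):
    """Compare the parsed entries with the intended bindings; return findings."""
    total, seen = parse_bindings(output)
    findings = []
    if total != len(seen):  # truncated capture or a row that failed to parse
        findings.append(f"count mismatch: header says {total}, parsed {len(seen)}")
    for ip, mac in expected.items():
        if ip not in seen:
            findings.append(f"{ip}: binding missing")
        elif seen[ip] != mac.lower():
            findings.append(f"{ip}: bound to {seen[ip]}, expected {mac.lower()}")
    for ip in sorted(seen.keys() - expected.keys()):
        findings.append(f"{ip}: unexpected binding to {seen[ip]}")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_OUTPUT), audit(DRIFTED))
```

An empty findings list means the static binding table on Device B matches the two entries configured above.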