During the epidemic, network security is also very important. Learn about the features of IPSG in one minute


1. Basic Concepts of IPSG

IPSG stands for IP Source Guard. It defends against attacks that spoof the source IP address.

As networks grow, attacks based on forged source IP addresses are also increasing. Some attackers use spoofing to obtain network resources, or to obtain access rights that belong to a legitimate user, and may even prevent the spoofed host from accessing the network or cause information leakage. IPSG provides a defense mechanism against attacks of this kind and effectively prevents network attacks based on source address spoofing.

IPSG matches and checks IP packets against the binding table (the DHCP dynamic binding table and the static binding table). When the device forwards an IP packet, it compares the packet's source IP address, source MAC (Media Access Control) address, inbound interface and VLAN (Virtual Local Area Network) with the entries in the binding table. If they match, the packet comes from a legitimate user and is forwarded normally; otherwise it is treated as an attack packet and discarded.

2. Deployment Scenario

IPSG is generally deployed on access switches close to users (it can also be deployed on aggregation or core switches). It prevents source IP address spoofing attacks, such as an unauthorized host impersonating the IP address of a legitimate host to gain Internet access or to attack the network. The main application scenarios are as follows:

Scenario 1: Use IPSG to prevent hosts from changing their IP addresses without authorization. A host can only use the IP address assigned by the DHCP server or the static address configured by the administrator. If the host changes its IP address arbitrarily, it can no longer access the network, which prevents it from obtaining Internet access rights illegally. Likewise, the static IP address configured for a printer can only be used by the printer, so a host cannot access the network by spoofing the printer's IP address.

Scenario 2: Use IPSG to restrict access by unauthorized hosts (in environments where IP addresses are statically assigned). A fixed host can only access the network from its fixed interface and cannot change its access location at will, which also makes interface-based rate limiting effective. Outsiders cannot connect their own computers to the intranet at will, which prevents leakage of intranet resources. In environments where IP addresses are assigned dynamically by DHCP, restricting unauthorized host access is generally achieved through NAC authentication (such as Portal or 802.1X authentication).

3. Network topology

1. Idea

The configuration roadmap is as follows:

  • Enable the IP packet check function on the interfaces. The interfaces connecting to HostA and HostB need this function enabled.
  • Configure a static binding table, which establishes binding entries for users with statically configured IP addresses.

2. Configuration procedure

(1) Configuring the IP packet check function

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] ip source check user-bind enable // Enable the IP packet check function on GE0/0/1, the interface connected to HostA.
    [Switch-GigabitEthernet0/0/1] ip source check user-bind alarm enable // Enable the IP packet check alarm function on GE0/0/1 and configure the alarm threshold.
    [Switch-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] ip source check user-bind enable // Enable the IP packet check function on GE0/0/2, the interface connected to HostB.
    [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm enable // Enable the IP packet check alarm function on GE0/0/2 and configure the alarm threshold.
    [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200
    [Switch-GigabitEthernet0/0/2] quit

(2) Configuring a static binding entry

    [Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1 vlan 10 // Configure a static binding entry for HostA.

(3) Verification results

Run the display dhcp static user-bind all command on the Switch to view the binding table information.
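The following Python model is an added example, not part of the original post and not Huawei code. It replays the matching rule from section 1 (source IP, source MAC, inbound interface and VLAN compared with the binding table) on the topology configured above: HostA's static entry is the one from the page, while HostB's entry, the packets, the interface GigabitEthernet0/0/3 and the rule that an alarm is raised once an interface's discard count reaches its threshold are assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


def normalize_mac(mac: str) -> str:
    """Reduce a MAC to 12 lower-case hex digits so that the Huawei
    '0001-0001-0001' form and the '00:01:00:01:00:01' form compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class Binding:
    """One binding-table entry (static, or learned through DHCP snooping)."""
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    """The fields of an inbound IP packet that IPSG inspects."""
    src_ip: str
    src_mac: str
    interface: str
    vlan: int


class IPSourceGuard:
    """Simulation of the IPSG check: a packet is forwarded only when its
    (source IP, source MAC, inbound interface, VLAN) matches a binding entry.
    Assumption of this model: an interface raises an alarm when its number of
    discarded packets reaches the configured alarm threshold."""

    def __init__(self, bindings: Iterable[Binding], check_enabled: Iterable[str],
                 alarm_threshold: Dict[str, int]):
        self.bindings: Dict[str, Binding] = {b.ip: b for b in bindings}
        self.check_enabled = set(check_enabled)       # 'ip source check user-bind enable'
        self.alarm_threshold = dict(alarm_threshold)  # '... alarm threshold N'
        self.discards: Dict[str, int] = {}            # discarded packets per interface
        self.alarms: List[str] = []                   # interfaces that raised an alarm

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if IPSG discards it."""
        if pkt.interface not in self.check_enabled:
            return True  # no check on this interface: forwarded unconditionally
        b = self.bindings.get(pkt.src_ip)
        if (b is not None
                and normalize_mac(b.mac) == normalize_mac(pkt.src_mac)
                and b.interface == pkt.interface
                and b.vlan == pkt.vlan):
            return True  # legitimate user: all four fields match the binding table
        n = self.discards.get(pkt.interface, 0) + 1
        self.discards[pkt.interface] = n
        if n == self.alarm_threshold.get(pkt.interface):
            self.alarms.append(pkt.interface)
        return False  # attack packet: source does not match the binding table


def run_demo() -> dict:
    """Replay the page's topology: HostA (static entry from the page) on
    GE0/0/1 and HostB (constructed DHCP snooping entry) on GE0/0/2."""
    ge1, ge2, ge3 = "GigabitEthernet0/0/1", "GigabitEthernet0/0/2", "GigabitEthernet0/0/3"
    bindings = [
        Binding("10.0.0.1", "0001-0001-0001", ge1, 10),  # HostA, the page's static entry
        Binding("10.0.0.2", "0002-0002-0002", ge2, 10),  # HostB, constructed sample entry
    ]
    ipsg = IPSourceGuard(bindings, check_enabled=[ge1, ge2],
                         alarm_threshold={ge1: 200, ge2: 200})
    results = {
        # HostA with its bound address (MAC written in colon form)
        "hostA_legit": ipsg.forward(Packet("10.0.0.1", "00:01:00:01:00:01", ge1, 10)),
        # HostA changes its own IP address (scenario 1): discarded
        "hostA_changed_ip": ipsg.forward(Packet("10.0.0.99", "0001-0001-0001", ge1, 10)),
        # HostB uses HostA's IP address on GE0/0/2 (scenarios 1 and 2): discarded
        "hostB_spoofs_hostA": ipsg.forward(Packet("10.0.0.1", "0002-0002-0002", ge2, 10)),
        # an interface where the check is not enabled (constructed): forwarded
        "unchecked_port": ipsg.forward(Packet("10.0.0.1", "0002-0002-0002", ge3, 10)),
    }
    # keep replaying the mismatching packet until GE0/0/2 reaches its threshold of 200
    for _ in range(199):
        ipsg.forward(Packet("10.0.0.1", "0002-0002-0002", ge2, 10))
    results["discards"] = dict(ipsg.discards)
    results["alarms"] = list(ipsg.alarms)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model makes the two design points of the page visible: a packet is dropped when any one of the four fields disagrees with the binding table (a changed IP on the right port, or the right IP on the wrong port), and an interface without the check configured forwards everything, which is why the roadmap requires enabling the check on every user-facing interface.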
