Shulou(Shulou.com)06/01 Report--

Xiaobian to share with you what IPSG means, I believe most people do not know much, so share this article for your reference, I hope you have a lot of gains after reading this article, let us know together!

IPSG is a port traffic filtering technology based on IP/MAC, which can prevent IP address spoofing attacks in local area network. IPSG ensures that IP addresses of end devices in Layer 2 networks are not hijacked, and that unauthorized devices cannot access the network by assigning their own IP addresses or attack the network to cause network crashes and crashes.

IPSG Basic Concept

As networks grow in size, attacks based on source IP are increasing. Some attackers use deception to obtain network resources, obtain legal access to network resources, and even cause the deceived to be unable to access the network, or information disclosure. IPSG provides a defense mechanism against attacks based on source IP, which can effectively prevent attacks based on source address spoofing.

The IPSG function is to match IP messages based on binding tables (DHCP dynamic and static binding tables). When forwarding an IP packet, the device compares source IP, source MAC(Media Access Control), interface, VLAN(Virtual Local Area Network) information in the IP packet with information in a binding table, and if the information matches, indicating that the IP packet is a legitimate user, the device allows the IP packet to be forwarded normally, otherwise, the device considers the IP packet to be an attack packet, and discards the IP packet.

Epidemic situation, current network security is more important__IPSG characteristics Epidemic situation, current network security is more important__IPSG characteristics deployment scenario

It is generally deployed on the access switch (or aggregation or core switch) close to the user, which can prevent attacks against spoofing the source IP address, such as illegal hosts impersonating the IP address of legitimate hosts to obtain Internet access rights or attacking the network. The main application scenarios are as follows:

Scenario 1: IPSG prevents the host from changing the IP address without permission. The host can only use the IP address assigned by DHCP Server or the static address configured by the administrator. After changing the IP address at will, the host cannot access the network, so as to prevent the host from illegally obtaining Internet access. The static IP address configured for the printer is for use only by the printer, preventing hosts from accessing the network through counterfeit printer IP addresses.

Scenario 2: Illegal host access is restricted through IPSG (for environments where IP addresses are statically allocated) Fixed hosts can only access from fixed interfaces, and access locations cannot be changed at will, thus meeting the purpose of interface-based speed limit. Outsiders with their own computers are not allowed to access the intranet at will to prevent the leakage of intranet resources. For environments where IP addresses are dynamically allocated by DHCP, it is generally achieved through NAC authentication (such as Portal authentication or 802.1x authentication) to restrict illegal host access.

Network topology epidemic situation, current network security is more important_IPSG characteristics epidemic situation, current network security is more important_IPSG characteristics thinking

Configure the IPSG function on the Switch as follows (assuming that the user's IP address is statically assigned):

The interface enables IP message checking. The interfaces connecting HostA and HostB need to have this feature enabled.

Configure static binding table, and establish binding relation table for users with static IP configuration.

configuration steps

(1)Configure IP message checking function

system-view[HUAWEI] sysname Switch[Switch] interface gigabit Ethernet 0/0/1[Switch-Gigabit Ethernet 0/0/1] ip source check user-bind enable//Enable IP message checking on the GE0/0/1 interface connecting HostA. [Switch-Gigabit Ethernet 0/0/1] ip source check user-bind alarm enable//Enable IP message check alarm function and configure alarm threshold on GE0/0/1 interface connected to HostA. [Switch-Gigabit Ethernet 0/0/1] ip source check user-bind alarm threshold 200[Switch-Gigabit Ethernet 0/0/1] quit[Switch] interface gigabit Ethernet 0/0/2[Switch-Gigabit Ethernet 0/0/2] ip source check user-bind enable//Enable IP message checking on interface GE0/0/2 connected to HostB. [Switch-Gigabit Ethernet 0/0/2] ip source check user-bind alarm enable//Enable IP message check alarm function and configure alarm threshold on GE0/0/2 interface connected to HostB. [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200[Switch-GigabitEthernet0/0/2] quit

(2)Configure static binding entries

[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001 -0001 interface gigabitethernet 0/0/1 vlan 10//Configure HostA as a static binding entry.

(3)verification results

Execute commands on Switch to view binding table information.

display dhcp static user-bind all The above is "IPSG what does it mean" All the content of this article, thank you for reading! I believe that everyone has a certain understanding, hope to share the content to help everyone, if you still want to learn more knowledge, welcome to pay attention to the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.