
Network security matters even more during the epidemic: IPSG features

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

IPSG is the abbreviation of IP Source Guard. IPSG protects against attacks that spoof the source IP address.

Basic concepts of IPSG

As networks grow, attacks based on the source IP address become more and more common. Attackers use spoofed source addresses to obtain network resources, to gain the access rights of legitimate users, and even to cut the impersonated host off from the network or cause information disclosure. IPSG provides a defence mechanism against attacks based on the source IP address and can effectively prevent attacks that rely on source address spoofing.

IPSG checks IP packets against the binding table (DHCP dynamic binding entries and static binding entries). When the device forwards an IP packet, it compares the source IP address, source MAC (Media Access Control) address, inbound interface and VLAN (Virtual Local Area Network) of the packet with the entries in the binding table. If the information matches, the sender is a legitimate user and the packet is forwarded normally; otherwise the packet is treated as an attack packet and discarded.

Deployment scenario

IPSG is generally deployed on the access switch closest to the users (it can also be deployed on an aggregation or core switch) to prevent source IP address spoofing attacks, such as an unauthorized host impersonating a legitimate host's IP address to gain Internet access or to attack the network. The main application scenarios are as follows:

Scenario 1: use IPSG to prevent hosts from changing their IP address. A host may only use the IP address assigned by the DHCP server or the static address configured by the administrator; if it changes its IP address at will, it loses network access, so it cannot obtain Internet access illegitimately. Likewise, the static IP address configured on a printer can be used only by that printer, which prevents a host from accessing the network by impersonating the printer's IP address.

Scenario 2: use IPSG to restrict access by unauthorized hosts (in environments where IP addresses are statically assigned). A given host can access the network only from a fixed interface and cannot change its access location at will, which also supports interface-based rate limiting. Outsiders cannot simply plug their own computers into the intranet, which prevents leakage of intranet resources. In environments where IP addresses are assigned dynamically by DHCP, access by unauthorized hosts is generally restricted through NAC authentication instead (such as Portal authentication or 802.1x authentication).

Networking topology

Configuration approach

Configure IPSG on the Switch as follows (assuming the users' IP addresses are statically assigned):

Enable IP packet checking on the interfaces. The interfaces connecting HostA and HostB need this feature enabled.

Configure static binding entries to establish the binding relationship for users with statically configured IP addresses.

Configuration steps

(1) Configure the IP packet checking function

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] ip source check user-bind enable // enable IP packet checking on GE0/0/1, which connects HostA
[Switch-GigabitEthernet0/0/1] ip source check user-bind alarm enable // enable the IP packet check alarm function on GE0/0/1 and set the alarm threshold
[Switch-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] ip source check user-bind enable // enable IP packet checking on GE0/0/2, which connects HostB
[Switch-GigabitEthernet0/0/2] ip source check user-bind alarm enable // enable the IP packet check alarm function on GE0/0/2 and set the alarm threshold
[Switch-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200
[Switch-GigabitEthernet0/0/2] quit

(2) Configure static binding entries

[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1 vlan 10 // configure a static binding entry for HostA

(3) Verify the result

Run the following command on the Switch to view the binding table.

[Switch] display dhcp static user-bind all
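To make the binding-table check from the basic concepts section and the alarm threshold from step (1) concrete, here is an added Python simulation. It was written for this page and is neither the article's own material nor Huawei's implementation. It assumes a simplified model: one switch-wide binding table keyed by source IP, per-interface check enable with an alarm threshold that counts discarded packets, and constructed packets for HostA (10.0.0.1, MAC 0001-0001-0001, GE0/0/1, VLAN 10) taken from the configuration above; the second MAC address and the changed IP address are made up for the scenarios.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One binding-table entry: the four items IPSG compares against a packet."""
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    """The fields of an inbound IP packet that IPSG inspects (constructed sample data)."""
    src_ip: str
    src_mac: str
    interface: str   # inbound interface the packet arrived on
    vlan: int        # VLAN the packet was received in


class IpsgSwitch:
    """Hypothetical model of a switch running IPSG; not Huawei's code.

    The binding table is switch-wide (as the 'user-bind static' command suggests),
    while checking and the alarm threshold are enabled per interface.
    """

    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}            # keyed by bound source IP
        self.check_enabled: Dict[str, Optional[int]] = {}  # interface -> alarm threshold (None = no alarm)
        self.dropped: Dict[str, int] = {}                  # interface -> discarded packet count
        self.alarms: List[str] = []                        # interfaces whose threshold was reached

    def enable_check(self, interface: str, alarm_threshold: Optional[int] = None) -> None:
        """Equivalent of 'ip source check user-bind enable' plus the optional alarm threshold."""
        self.check_enabled[interface] = alarm_threshold
        self.dropped[interface] = 0

    def add_static_binding(self, binding: Binding) -> None:
        """Equivalent of 'user-bind static ip-address ... mac-address ... interface ... vlan ...'."""
        self.bindings[binding.ip] = binding

    def check(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (forwarded, reason). Any mismatch against the binding table drops the packet."""
        if pkt.interface not in self.check_enabled:
            return True, "IPSG not enabled on %s; forwarded unchecked" % pkt.interface
        entry = self.bindings.get(pkt.src_ip)
        if entry is None:
            return self._drop(pkt, "no binding entry for source IP %s" % pkt.src_ip)
        if entry.mac.lower() != pkt.src_mac.lower():
            return self._drop(pkt, "source MAC does not match binding for %s" % pkt.src_ip)
        if entry.interface != pkt.interface:
            return self._drop(pkt, "arrived on %s, bound to %s" % (pkt.interface, entry.interface))
        if entry.vlan != pkt.vlan:
            return self._drop(pkt, "VLAN %d does not match bound VLAN %d" % (pkt.vlan, entry.vlan))
        return True, "matches binding entry"

    def _drop(self, pkt: Packet, reason: str) -> Tuple[bool, str]:
        self.dropped[pkt.interface] += 1
        threshold = self.check_enabled[pkt.interface]
        # 'alarm threshold N': raise an alarm once N packets have been discarded on this interface.
        if threshold is not None and self.dropped[pkt.interface] >= threshold \
                and pkt.interface not in self.alarms:
            self.alarms.append(pkt.interface)
        return False, reason


def run_demo() -> dict:
    """Constructed scenario following the article: HostA bound on GE0/0/1 in VLAN 10, threshold 200."""
    sw = IpsgSwitch()
    sw.enable_check("GigabitEthernet0/0/1", alarm_threshold=200)
    sw.enable_check("GigabitEthernet0/0/2", alarm_threshold=200)
    sw.add_static_binding(Binding("10.0.0.1", "0001-0001-0001", "GigabitEthernet0/0/1", 10))

    legit = Packet("10.0.0.1", "0001-0001-0001", "GigabitEthernet0/0/1", 10)
    # Scenario 1: HostA changes its own IP address at will (10.0.0.99 is made up).
    changed_ip = Packet("10.0.0.99", "0001-0001-0001", "GigabitEthernet0/0/1", 10)
    # Another host uses HostA's IP address with its own MAC address (MAC is made up).
    spoofed_mac = Packet("10.0.0.1", "0002-0002-0002", "GigabitEthernet0/0/1", 10)
    # Scenario 2: correct host and address, but plugged into a different interface.
    moved = Packet("10.0.0.1", "0001-0001-0001", "GigabitEthernet0/0/2", 10)

    results = {
        "legit": sw.check(legit),
        "changed_ip": sw.check(changed_ip),
        "spoofed_mac": sw.check(spoofed_mac),
        "moved": sw.check(moved),
    }
    # Two packets were dropped on GE0/0/1 so far; keep going until the alarm threshold is reached.
    while sw.dropped["GigabitEthernet0/0/1"] < 200:
        sw.check(spoofed_mac)
    results["dropped"] = dict(sw.dropped)
    results["alarms"] = list(sw.alarms)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The alarm threshold is what turns IPSG from a silent drop into something a NOC can act on: a single interface accumulating hundreds of discarded packets is a host either misconfigured or deliberately using an address it was not assigned, and the per-interface counter points straight at the port.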

Original address: https://www.linuxprobe.com/ipsg-switch.html
