Overview of IP Source Guard; IP Source Guard Features Supported by the S2700 - Huawei Quidway S2700 Series Configuration Manual

Quidway S2700 Series Ethernet Switches
Configuration Guide - Security

4.1 Overview of IP Source Guard

This section describes the principle of IP Source Guard.
Source IP address spoofing is a common network attack. For example, an attacker impersonates a valid user and sends IP packets to the server, or forges the source IP address of users for communication. As a result, valid users cannot obtain normal network services. To counter such attacks, the S2700 provides the IP Source Guard function.
IP Source Guard
IP source guard filters the IP packets on interfaces, so that invalid packets cannot pass through the interfaces and the security of the interfaces is improved.
In an IP/MAC spoofing attack, the attacker sends a packet carrying the IP address and MAC address of an authorized user to the server. The server treats the attacker as an authorized user and learns the IP address and MAC address. The actual user, however, cannot obtain service from the server.
Figure 4-1 shows the diagram of the IP/MAC spoofing attack.
Figure 4-1 Diagram of IP/MAC spoofing attack
[Figure not reproduced. Labels: DHCP server, Switch, Attacker, DHCP client; addresses IP:1.1.1.1/24 MAC:1-1-1, IP:1.1.1.2/24 MAC:2-2-2, IP:1.1.1.3/24 MAC:3-3-3.]
To prevent the IP/MAC spoofing attack, configure the IP source guard function on the S2700. The S2700 then matches the IP packets reaching an interface against the entries in the binding table. Packets that match an entry can pass through the interface; all other packets are discarded.
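The binding-table check described above, modelled in Python as an added example (not Huawei's code and not S2700 configuration). The entry fields (IP, MAC, optional interface), the port names, and the assignment of Figure 4-1's addresses to the client and the attacker are assumptions; the packets are constructed samples. It compares entries that name the interface with entries that do not, for a packet that copies both the IP and the MAC address.

```python
from typing import NamedTuple, Optional

class Binding(NamedTuple):
    ip: str
    mac: str
    port: Optional[str] = None  # None: entry is not tied to an interface (assumption)

class Packet(NamedTuple):
    in_port: str
    src_ip: str
    src_mac: str

def matches(entry: Binding, pkt: Packet) -> bool:
    """True if the packet's source fields agree with one binding entry."""
    return (entry.ip == pkt.src_ip
            and entry.mac == pkt.src_mac
            and entry.port in (None, pkt.in_port))

def verdict(table, pkt: Packet) -> str:
    """Forward on a binding-table match, otherwise discard."""
    return "forward" if any(matches(e, pkt) for e in table) else "discard"

# Constructed sample data; port names are hypothetical.
CLIENT_PORT, ATTACKER_PORT = "port-client", "port-attacker"
FULL_TABLE = [
    Binding("1.1.1.3", "3-3-3", CLIENT_PORT),    # DHCP client
    Binding("1.1.1.2", "2-2-2", ATTACKER_PORT),  # attacker's own address
]
# Same entries without the interface field.
LOOSE_TABLE = [Binding(e.ip, e.mac) for e in FULL_TABLE]

PACKETS = {
    "client": Packet(CLIENT_PORT, "1.1.1.3", "3-3-3"),
    "attacker_own": Packet(ATTACKER_PORT, "1.1.1.2", "2-2-2"),
    "spoof_ip_only": Packet(ATTACKER_PORT, "1.1.1.3", "2-2-2"),
    "spoof_ip_mac": Packet(ATTACKER_PORT, "1.1.1.3", "3-3-3"),
}

def evaluate(table):
    """Verdict for every sample packet against one binding table."""
    return {name: verdict(table, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, table in (("IP+MAC+port", FULL_TABLE), ("IP+MAC only", LOOSE_TABLE)):
        print(label, evaluate(table))
```

With the interface in the entry, the packet that copies both the client's IP and MAC is discarded on the attacker's port; without it, that packet is forwarded.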

4.2 IP Source Guard Features Supported by the S2700

This section describes how the IP Source Guard feature is supported in the S2700.
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 Source IP Attack Defense Configuration
