Huawei Quidway S9300 Configuration Manual
Terabit routing switch V100R001C03

3 IP Source Guard Configuration

3.1 Introduction to IP Source Guard

This section describes the principle of IP source guard.
IP source guard filters the IP packets received on an interface against a binding table, so that
packets with forged source addresses cannot pass through the interface and the security of the
interface is improved.
Without it, an attacker can send the server a packet carrying the IP address and MAC address of
an authorized client. The server treats the attacker as that authorized client and learns the forged
IP address and MAC address. The authorized client, in turn, can no longer obtain service from the
server, as shown in Figure 3-1.

Figure 3-1 Diagram of IP/MAC spoofing attack
[Figure: a DHCP server (IP 1.1.1.2/24, MAC 2-2-2), a DHCP client and an attacker, all attached to the S9300. The figure carries the labels IP 1.1.1.1/24, MAC 1-1-1 and IP 1.1.1.3/24, MAC 3-3-3; the latter appears twice, once beside the DHCP client and once beside the packet sent by the attacker.]
To prevent the attack, you can configure the IP source guard function on the S9300. Then the
S9300 matches the IP packets entering an interface with the content of the binding table. If the
packets match the content of the binding table, the packets can pass through the interface;
otherwise, the packets are discarded.

3.2 IP Source Guard Features Supported by the S9300

This section describes the IP source guard features supported by the S9300.
The IP source guard function checks IP packets against the binding table, which records source IP
addresses, source MAC addresses, and VLANs. The S9300 can check IP packets based on the following
combinations of those fields:
- IP+MAC
- IP+VLAN
- IP+MAC+VLAN
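The following Python model is an added example, not Huawei code or an S9300 feature description. It models the binding-table check from section 3.1 and the three check modes listed above, then runs the Figure 3-1 scenario (DHCP client 1.1.1.3/3-3-3, attacker 1.1.1.1/1-1-1) through each mode. The interface names (GE1/0/1, GE1/0/2), the VLAN IDs, and the assumption that each binding is tied to the access interface it was learned or configured on are illustrative assumptions, not statements from the manual.

```python
"""Toy model of an IP-source-guard binding-table check.

Added example for this chapter, not Huawei code. Interface names, VLAN IDs
and the per-interface binding model are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    """One binding-table entry. The interface field is an assumption:
    the binding is only valid for packets arriving on that interface."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    """Source fields of an IP packet plus the interface it arrived on."""
    ip: str
    mac: str
    vlan: int
    interface: str


# Fields compared in each check mode, named as in section 3.2.
CHECK_MODES = {
    "IP+MAC": ("ip", "mac"),
    "IP+VLAN": ("ip", "vlan"),
    "IP+MAC+VLAN": ("ip", "mac", "vlan"),
}


def _norm(field, value):
    """Canonicalise a field so that differently written MAC addresses
    ('0003-0003-0003', '00:03:...') and IP strings compare reliably."""
    if field == "ip":
        return str(ip_address(value))
    if field == "mac":
        return str(value).lower().replace("-", "").replace(":", "").replace(".", "")
    return value


def permit(pkt, bindings, mode):
    """Return True if pkt matches a binding on its ingress interface in the
    fields selected by mode; a False result means the switch discards it."""
    fields = CHECK_MODES[mode]
    for b in bindings:
        if b.interface != pkt.interface:
            continue  # bindings are per interface (assumption, see above)
        if all(_norm(f, getattr(b, f)) == _norm(f, getattr(pkt, f)) for f in fields):
            return True
    return False


def verdicts(pkts, bindings, mode):
    """Map each named packet to 'permit' or 'discard' for one check mode."""
    return {name: ("permit" if permit(p, bindings, mode) else "discard")
            for name, p in pkts.items()}


# Constructed scenario from Figure 3-1: only the DHCP client is bound.
# Interfaces and VLAN are assumed values.
BINDINGS = [Binding("1.1.1.3", "3-3-3", 10, "GE1/0/1")]

PACKETS = {
    "client":                   Packet("1.1.1.3", "3-3-3", 10, "GE1/0/1"),
    # attacker forges the client's IP and MAC from its own port
    "spoof_from_attacker_port": Packet("1.1.1.3", "3-3-3", 10, "GE1/0/2"),
    # attacker's real address, which has no binding at all
    "attacker_own_address":     Packet("1.1.1.1", "1-1-1", 10, "GE1/0/2"),
    # packets on the client's port with one field changed
    "client_port_wrong_mac":    Packet("1.1.1.3", "ff-ff-ff", 10, "GE1/0/1"),
    "client_port_wrong_vlan":   Packet("1.1.1.3", "3-3-3", 20, "GE1/0/1"),
}


def run_all():
    """Verdicts for every packet under every check mode."""
    return {mode: verdicts(PACKETS, BINDINGS, mode) for mode in CHECK_MODES}


if __name__ == "__main__":
    for mode, result in run_all().items():
        print(mode)
        for name, verdict in result.items():
            print(f"  {name:26} {verdict}")
```

Two points the output makes visible. First, the forged packet is discarded in every mode only because the binding is tied to the client's interface; if bindings were matched regardless of ingress interface, a packet copying all bound fields would pass, so the binding mechanism must anchor entries to where the legitimate host actually connects. Second, the weaker modes each leave one field unchecked: IP+VLAN permits a packet from the client's port with a different MAC address, and IP+MAC permits one tagged with a different VLAN. The attacker's own address is discarded too, because any host without a binding is blocked, which is why every legitimate host on a guarded interface needs an entry in the binding table.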
The S9300 provides two binding mechanisms:
Quidway S9300 Terabit Routing Switch Configuration Guide - Security, Issue 01 (2009-07-28). Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.