Huawei Quidway S3700 Series Configuration Manual page 188

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
Figure 5-2 Networking diagram for configuring IP source guard
Ethernet0/0/1
IP:10.0.0.1/24
MAC:1-1-1
Configuration Roadmap
Assume that the user obtains an IP address through DHCP. The configuration roadmap is as
follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l
l
l
Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on Ethernet 0/0/1 connected to Host A.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable
# Enable the alarm function for checking the received IP packets on Ethernet 0/0/1 connected
to Host A.
[Quidway-Ethernet0/0/1] ip source check user-bind alarm enable
[Quidway-Ethernet0/0/1] ip source check user-bind alarm threshold 200
[Quidway-Ethernet0/0/1] quit
Issue 01 (2011-07-15)
Server
Ethernet0/0/2
Host A
Enable the IP source guard function on the interfaces connected to Host A and Host B.
Configure a static binding table.
Interface connected to Host A: Ethernet 0/0/1; interface connected to Host B: Ethernet 0/0/2
IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
VLAN where Host A resides: VLAN 10
NOTE
This configuration example provides only the commands related to the IP Source Guard configuration.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Switch
Packets:
SIP:10.0.0.1/24
SMAC:2-2-2
Host B (Attacker)
IP:10.0.0.2/24
MAC:2-2-2
5 Source IP Attack Defense Configuration
175