Introduction To Ip Filtering - H3C S5600 Series Operation Manual

Introduction to IP Filtering

A denial-of-service (DoS) attack means an attempt of an attacker sending a large number of forged
address requests with different source IP addresses to the server so that the network cannot work
normally. The specific effects are as follows:
The resources on the server are exhausted, so the server does not respond to other requests.
After receiving such type of packets, a switch needs to send them to the CPU for processing. Too
many request packets cause high CPU usage rate. As a result, the CPU cannot work normally.
The switch can filter invalid IP packets through the DHCP-snooping table and , IP static binding table, or
IP-to-MAC mappings of authenticated 802.1x clients.
DHCP-snooping table
After DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It is used to record
IP addresses obtained from the DHCP server, MAC addresses, the number of the port through which a
client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which the
port belongs to. These records are saved as entries in the DHCP-snooping table.
IP static binding table
The DHCP-snooping table only records information about clients that obtains IP address dynamically
through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the
client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP
filtering of the DHCP-snooping table, thus it cannot access external networks.
To solve this problem, the switch supports the configuration of static binding table entries, that is, the
binding relationship between IP address, MAC address, and the port connecting to the client, so that
packets of the client can be correctly forwarded.
IP-to-MAC mappings of authenticated 802.1x clients
If most clients are assigned with static IP addresses, you need to configure an IP static binding for each
client. The configuration is a heavy workload and causes errors easily.
To ensure security, in actual networks, clients are usually connected to networks through 802.1x
authentication. With the authenticated 802.1x client-based IP filtering function enabled, the switch can
record and query the IP-to-MAC mappings of authenticated 802.1x clients to defend against IP attacks.
IP filtering
IP filtering can be implemented based on the DHCP-snooping table, IP static binding table, or
IP-to-MAC mappings of authenticated 802.1x clients, according to actual network requirements. The
switch can filter IP packets in the following modes:
Filtering packets based on their source IP addresses. If the source IP address in a packet and the
number of the port that receives the packet match an entry or mapping, the switch regards the
packet as a valid packet and forwards it; otherwise, the switch drops it directly.
Filtering packets based on their source IP and MAC addresses. If the source IP address and
source MAC address in the packet, and the number of the port that receives the packet match an
entry or mapping, the switch regards the packet as a valid packet and forwards it; otherwise, the
switch drops it directly.
4-5