Example for Configuring IPSG to Check IP Packets Against Interface + IP + MAC Bindings

Networking Requirements

As shown in Figure 1, HostA and HostB are connected to GE0/0/1 and GE0/0/2 of the Switch respectively. HostB must be prevented from spoofing HostA's IP address and MAC address to deceive the Server, while IP packets from HostA must still be forwarded normally.

Figure 1 Networking diagram for configuring IPSG

Configuration Roadmap

Configure IPSG on the Switch as follows (assuming that user IP addresses are statically assigned):

1. Enable IP packet checking on the interfaces. The function must be enabled on the interfaces connected to both HostA and HostB.
2. Configure a static binding table to establish binding entries for users with statically configured IP addresses.

Note: The following steps list only the commands related to IP Source Guard.

Procedure

1. Configure IP packet checking.

# Enable IP packet checking on GE0/0/1, which connects to HostA.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] ip source check user-bind enable

# Enable the IP packet check alarm on GE0/0/1, which connects to HostA, and set the alarm threshold.

    [Switch-GigabitEthernet0/0/1] ip source check user-bind alarm enable
    [Switch-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200
    [Switch-GigabitEthernet0/0/1] quit

# Enable IP packet checking on GE0/0/2, which connects to HostB.

    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] ip source check user-bind enable

# Enable the IP packet check alarm on GE0/0/2, which connects to HostB, and set the alarm threshold.

    [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm enable
    [Switch-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200
    [Switch-GigabitEthernet0/0/2] quit

2. Configure the static binding entry.

# Configure a static binding entry for HostA.

    [Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1

3. Verify the configuration.

Run the display dhcp static user-bind all command on the Switch to view the binding table.

    [Switch] display dhcp static user-bind all
    DHCP static Bind-table:
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    IP Address       MAC Address      VSI/VLAN(O/I/P)   Interface
    ----------------------------------------------------------------
    10.0.0.1         0001-0001-0001   - /- /-           GE0/0/1
    ----------------------------------------------------------------
    Print count:           1          Total count:           1

The output shows that HostA has been configured as a static binding entry.

Configuration Files

Configuration file of the Switch

    #
    sysname Switch
    #
    user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
    #
    interface GigabitEthernet0/0/1
     ip source check user-bind enable
     ip source check user-bind alarm enable
     ip source check user-bind alarm threshold 200
    #
    interface GigabitEthernet0/0/2
     ip source check user-bind enable
     ip source check user-bind alarm enable
     ip source check user-bind alarm threshold 200
    #
    return

Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.
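The following Python model is an added example, not part of the original Huawei document. It parses the Switch configuration file listed above and applies the interface + IP + MAC match to individual packets, showing why HostA's address pair is accepted only on GE0/0/1. The class name `IpsgModel`, the strict drop of every non-matching packet on a checked interface, and the alarm rule (alarm once the drop count exceeds the threshold) are assumptions of this sketch; confirm the exact behaviour against the documentation for your switch software version.

```python
import re
from collections import Counter

# Switch configuration file as listed on the page.
CONFIG = """\
sysname Switch
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
interface GigabitEthernet0/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
#
return
"""
BIND_RE = re.compile(r"user-bind static ip-address (\S+) mac-address (\S+) interface (\S+)")

class IpsgModel:
    """Toy model (assumption): strict interface+IP+MAC match on every checked interface."""
    def __init__(self, config):
        self.bindings, self.threshold, self.drops = set(), {}, Counter()
        iface = None
        for line in (l.strip() for l in config.splitlines()):
            m = BIND_RE.fullmatch(line)
            if m:
                self.bindings.add((m.group(3), m.group(1), m.group(2).lower()))
            elif line.startswith("interface "):
                iface = line.split()[1]
            elif line == "ip source check user-bind enable":
                self.threshold.setdefault(iface, None)  # key present = check enabled
            elif line.startswith("ip source check user-bind alarm threshold "):
                self.threshold[iface] = int(line.split()[-1])

    def receive(self, iface, ip, mac):
        """Return 'forward' or 'drop' for one IP packet; count drops per interface."""
        if iface not in self.threshold or (iface, ip, mac.lower()) in self.bindings:
            return "forward"
        self.drops[iface] += 1
        return "drop"

    def alarm(self, iface):
        """Assumed semantics: alarm once drops on the interface exceed its threshold."""
        limit = self.threshold.get(iface)
        return limit is not None and self.drops[iface] > limit
```

Calling `IpsgModel(CONFIG).receive(...)` with HostA's IP and MAC on `GigabitEthernet0/0/2` returns `"drop"`, because the binding entry names `GigabitEthernet0/0/1`; the same pair on `GigabitEthernet0/0/1` returns `"forward"`.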