IP Source Guard Configuration
Contents
1 IP Source Guard Configuration 1-1
1.1 Introduction to IP Source Guard 1-1
1.1.1 Overview 1-1
1.1.2 Binding functions 1-2
1.2 Configuring the IPv4 binding function 1-3
1.2.1 Configuring IPv4 static binding 1-3
1.2.2 Configuring IPv4 dynamic binding 1-3
1.3 Configuring the IPv6 binding function 1-4
1.3.1 Configuring IPv6 static binding 1-4
1.3.2 Configuring IPv6 dynamic binding 1-5
1.4 Displaying and maintaining IP Source Guard 1-5
1.5 IP Source Guard configuration examples 1-6
1.5.1 IPv4 static binding entry configuration example 1-6
1.5.2 IPv4 dynamic binding with DHCP Snooping configuration example 1-7
1.5.3 IPv4 dynamic binding with DHCP Relay configuration example 1-9
1.5.4 IPv6 static binding entry configuration example 1-10
1.5.5 IPv6 dynamic binding entries with DHCPv6 Snooping configuration example 1-10
1.5.6 IPv6 dynamic binding entries with ND Snooping configuration example 1-12
1.6 Common configuration errors 1-13
1.6.1 Static binding entry configuration and dynamic binding configuration fail 1-13
1 IP Source Guard Configuration
• The switch or device referred to in this document represents the switching engine of the WX3000E series unified wired-WLAN switches.
• The WX3000E series unified wired-WLAN switches include the WX3024E and WX3010E unified wired-WLAN switches.
• The port numbers in this manual are examples only and do not mean that the device actually has ports with these numbers; in practice, use the port numbers that exist on your device.
1.1 Introduction to IP Source Guard
1.1.1 Overview
Enabling IP Source Guard on a user-facing port of the device filters the packets received on that port and prevents illegal packets from passing through it. This limits illegal use of network resources (for example, an unauthorized host spoofing the IP address of a legitimate user to access the network) and improves port security.
The features IP Source Guard uses to filter packets on a port are the source IP address, the source MAC address and the VLAN tag.
These features can be bound to a port individually or in combination, forming binding entries of the types IP, MAC, IP+MAC, IP+VLAN, MAC+VLAN and IP+MAC+VLAN.
As shown in Figure 1-1, when a port configured with IP Source Guard receives a packet, it looks up the IP Source Guard binding entries. If the features in the packet match the features recorded in a binding entry, the port forwards the packet; otherwise the packet is dropped. Binding is per port: once a port is configured with bindings, only that port is restricted, and other ports are not affected by the binding.
Figure 1-1 IP Source Guard function diagram
1.1.2 Binding functions
1. Static binding
Static binding controls a port through manually configured binding entries. It suits a LAN with few hosts that use statically configured IP addresses, for example binding entries configured on the port that connects an important server, so that the port only receives or sends packets exchanged with that server.
• IPv4 static binding: manually configured IPv4 static binding entries filter the IPv4 packets received on the port, or work together with ARP Detection to check the validity of access users;
• IPv6 static binding: manually configured IPv6 static binding entries filter the IPv6 packets received on the port, or work together with ND Detection to check the validity of access users.
• For details about ARP Detection, see "ARP attack protection configuration" in the Security Configuration Guide.
• For details about ND Detection, see "ND attack protection configuration" in the Security Configuration Guide.
2. Dynamic binding
Dynamic binding controls a port through binding entries generated dynamically from DHCP entries. It usually suits a LAN with many hosts that use DHCP for dynamic host configuration. Each time DHCP assigns an IP address to a user and creates a DHCP entry, dynamic binding adds a corresponding binding entry that allows the user to access the network. If a user sets an IP address privately, the device generates no DHCP entry for it, so dynamic binding adds no access rule that would allow that user onto the network. In addition, IPv6 dynamic binding can also obtain ND Snooping entries automatically.
• IPv4 dynamic binding: binding entries generated dynamically from DHCP Snooping entries or DHCP Relay entries filter the IPv4 packets received on the port;
• IPv6 dynamic binding: binding entries generated dynamically from DHCPv6 Snooping entries or ND Snooping entries filter the IPv6 packets received on the port.
• For details about DHCP Snooping and DHCP Relay, see "DHCP Snooping configuration" and "DHCP relay configuration" in the Layer 3 Configuration Guide.
• For details about DHCPv6 Snooping, see "DHCPv6 Snooping configuration" in the Layer 3 Configuration Guide.
• For details about ND Snooping, see "IPv6 basics configuration" in the Layer 3 Configuration Guide.
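The following Python model is an added illustration of the per-port lookup described in 1.1.1 and of the static and dynamic binding functions in 1.1.2; it is not code from the manual or the device. Port names, addresses and the assumption that a DHCP-derived entry records only the fields named by the ip check source mode are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None      # None means the entry does not record this feature
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        # Every feature the entry records must equal the packet's; unrecorded ones are ignored
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac == mac)
                and (self.vlan is None or self.vlan == vlan))

class SourceGuard:
    def __init__(self) -> None:
        self.table: Dict[str, Set[Binding]] = {}   # port -> its binding entries

    def bind_static(self, port: str, **fields) -> None:
        # Counterpart of user-bind { ip | ip+mac | mac } [ vlan ] on one port
        self.table.setdefault(port, set()).add(Binding(**fields))

    def bind_from_dhcp(self, port: str, mode: str, ip: str, mac: str) -> None:
        # DHCP Snooping/Relay entry -> binding carrying the fields of the ip check source mode (VLAN assumed not recorded)
        entry = {"ip-address": Binding(ip=ip),
                 "ip-address mac-address": Binding(ip=ip, mac=mac),
                 "mac-address": Binding(mac=mac)}[mode]
        self.table.setdefault(port, set()).add(entry)

    def forward(self, port: str, ip: str, mac: str, vlan: int) -> bool:
        # Unguarded ports forward everything; a guarded port needs at least one matching entry
        if port not in self.table:
            return True
        return any(b.matches(ip, mac, vlan) for b in self.table[port])

def demo() -> Dict[str, bool]:
    # Constructed scenario: one static entry and one DHCP-learned entry
    g = SourceGuard()
    g.bind_static("GE1/0/1", ip="192.168.0.1", mac="0001-0203-0405", vlan=100)
    g.bind_from_dhcp("GE1/0/2", "ip-address mac-address", "192.168.0.20", "0001-0203-0406")
    return {
        "static_ok": g.forward("GE1/0/1", "192.168.0.1", "0001-0203-0405", 100),
        "mac_spoofed": g.forward("GE1/0/1", "192.168.0.1", "0001-0203-0407", 100),
        "wrong_vlan": g.forward("GE1/0/1", "192.168.0.1", "0001-0203-0405", 200),
        "dhcp_host_ok": g.forward("GE1/0/2", "192.168.0.20", "0001-0203-0406", 100),
        "self_assigned_ip": g.forward("GE1/0/2", "192.168.0.99", "0001-0203-0406", 100),
        "unguarded_port": g.forward("GE1/0/3", "10.0.0.1", "0001-0203-0408", 1),
    }
```

The self_assigned_ip case is the one the dynamic binding text describes: the host never obtained its address through DHCP, so no entry exists and its packets are dropped.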
1.2 Configuring the IPv4 binding function
IP Source Guard cannot be configured on a port that has joined an aggregation group, and a port configured with IP Source Guard cannot join an aggregation group.
1.2.1 Configuring IPv4 static binding
Table 1-1 Configure IPv4 static binding
Step 1: Enter system view.
  Command: system-view
Step 2: Enter Layer 2 Ethernet port view.
  Command: interface interface-type interface-number
Step 3: Configure an IPv4 static binding entry.
  Command: user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
  Remarks: Required. By default, no IPv4 static binding entry exists on the port.
• The same entry cannot be bound more than once on one port, but it can be bound on different ports.
• The MAC address in a binding entry cannot be all zeros, all Fs (the broadcast MAC) or a multicast MAC. The IPv4 address in a binding entry must be a class A, B or C address and must not be ... or 0.0.0.0.
1.2.2 Configuring IPv4 dynamic binding
A port configured with IPv4 dynamic binding generates binding entries dynamically by cooperating with different DHCP functions:
• On a Layer 2 Ethernet port, IP Source Guard can cooperate with DHCP Snooping and generate dynamic binding entries from the DHCP Snooping entries created when IP addresses are assigned dynamically;
• On a VLAN interface, IP Source Guard can cooperate with DHCP Relay and generate dynamic binding entries from the DHCP Relay entries created when IP addresses are assigned dynamically across network segments.
A dynamic binding entry may contain the MAC address, IP address, VLAN information, ingress port information and entry type (DHCP Snooping or DHCP Relay); whether the MAC address, IP address and VLAN information are included is determined by the dynamic binding configuration. After IP Source Guard delivers these dynamic binding entries to the port, it filters the packets forwarded on the port.
Table 1-2 Configure IPv4 dynamic binding
Step 1: Enter system view.
  Command: system-view
Step 2: Enter interface view.
  Command: interface interface-type interface-number
Step 3: Configure IPv4 dynamic binding.
  Command: ip check source { ip-address | ip-address mac-address | mac-address }
  Remarks: Required. By default, IPv4 dynamic binding is not configured on the port.
• For IPv4 dynamic binding to work, make sure DHCP Snooping or DHCP Relay is configured correctly and working normally in the network; for the configuration details see "DHCP Snooping configuration" and "DHCP relay configuration" in the Layer 3 Configuration Guide.
• The dynamic binding configuration on an interface can be entered more than once; the later configuration overrides the earlier one.
1.3 Configuring the IPv6 binding function
IP Source Guard cannot be configured on a port that has joined an aggregation group, and a port configured with IP Source Guard cannot join an aggregation group.
1.3.1 Configuring IPv6 static binding
Table 1-3 Configure IPv6 static binding
Step 1: Enter system view.
  Command: system-view
Step 2: Enter Layer 2 Ethernet port view or OLT port view.
  Command: interface interface-type interface-number
Step 3: Configure an IPv6 static binding entry.
  Command: user-bind ipv6 { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
  Remarks: Required. By default, no IPv6 static binding entry exists on the port.
• The same entry cannot be bound more than once on one port, but it can be bound on different ports.
• The MAC address in a binding entry cannot be all zeros, all Fs (the broadcast MAC) or a multicast MAC. The IPv6 address in a binding entry must be a unicast address; it cannot be the all-zeros address, a multicast address or the loopback address.
• When working together with ND Detection, the binding entry must specify the VLAN parameter, and that VLAN must be the one with ND Detection enabled; otherwise ND packets cannot pass the IPv6 static binding entry check.
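The address constraints above, together with those for IPv4 static entries in 1.2.1, can be checked before a user-bind or user-bind ipv6 entry is entered. The Python functions below are an added example and are not part of the manual or the device software; they treat "class A, B or C" as a first octet of 1 to 223 (an assumption) and accept MAC addresses in the H-H-H form used by the CLI as well as colon-separated form. The loopback range the IPv4 text omits is not checked, since the manual does not state it.

```python
import ipaddress
import re
from typing import List, Optional

def _mac_octets(mac: str) -> bytes:
    # Accepts H-H-H (0001-0203-0405) as well as colon or dot separated forms
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return bytes.fromhex(digits)

def mac_problems(mac: str) -> List[str]:
    # Table 1-1 / 1-3: not all zeros, not all Fs (broadcast), not multicast
    octets = _mac_octets(mac)
    if octets == b"\x00" * 6:
        return ["MAC is all zeros"]
    if octets == b"\xff" * 6:
        return ["MAC is all Fs (broadcast)"]
    if octets[0] & 0x01:            # I/G bit set: group (multicast) address
        return ["MAC is a multicast address"]
    return []

def ipv4_problems(ip: str) -> List[str]:
    # Class A/B/C taken as first octet 1..223 (assumption); 0.0.0.0 rejected as stated
    addr = ipaddress.IPv4Address(ip)
    if addr.is_unspecified:
        return ["IPv4 address is 0.0.0.0"]
    if not 1 <= int(addr) >> 24 <= 223:
        return ["IPv4 address is not a class A, B or C address"]
    return []

def ipv6_problems(ip: str) -> List[str]:
    # Must be unicast: not all zeros (::), not multicast, not loopback (::1)
    addr = ipaddress.IPv6Address(ip)
    checks = [(addr.is_unspecified, "IPv6 address is all zeros"),
              (addr.is_multicast, "IPv6 address is multicast"),
              (addr.is_loopback, "IPv6 address is loopback")]
    return [msg for bad, msg in checks if bad]

def check_binding(ip: Optional[str] = None, mac: Optional[str] = None) -> List[str]:
    # Mirrors the user-bind syntax: at least one of ip-address / mac-address is required;
    # returns the reasons the entry would be rejected, empty if it is acceptable
    if ip is None and mac is None:
        return ["an IP address or a MAC address is required"]
    problems: List[str] = []
    if mac is not None:
        problems += mac_problems(mac)
    if ip is not None:
        version = ipaddress.ip_address(ip).version
        problems += ipv6_problems(ip) if version == 6 else ipv4_problems(ip)
    return problems
```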
1.3.2 Configuring IPv6 dynamic binding
A port configured with IPv6 dynamic binding generates binding entries dynamically by cooperating with DHCPv6 Snooping or ND Snooping:
• On a Layer 2 Ethernet port, IP Source Guard can cooperate with DHCPv6 Snooping and generate dynamic binding entries from the DHCPv6 Snooping entries created when IPv6 addresses are assigned dynamically;
• On a Layer 2 Ethernet port, IP Source Guard can cooperate with ND Snooping and generate dynamic binding entries from the dynamically created ND Snooping entries.
A dynamic binding entry may contain the MAC address, IPv6 address, VLAN information, ingress port information and entry type (DHCPv6 Snooping or ND Snooping); whether the MAC address, IPv6 address and VLAN information are included is determined by the dynamic binding configuration. After IP Source Guard delivers these dynamic binding entries to the port, it filters the packets forwarded on the port.
Table 1-4 Configure IPv6 dynamic binding
Step 1: Enter system view.
  Command: system-view
Step 2: Enter interface view.
  Command: interface interface-type interface-number
Step 3: Configure IPv6 dynamic binding.
  Command: ip check source ipv6 { ip-address | ip-address mac-address | mac-address }
  Remarks: Required. By default, IPv6 dynamic binding is not configured on the port.
• For IPv6 dynamic binding to work, make sure DHCPv6 Snooping or ND Snooping is configured correctly and working normally in the network; for the configuration details see "DHCPv6 Snooping configuration" and "IPv6 basics configuration" respectively in the Layer 3 Configuration Guide.
• The IPv6 dynamic binding configuration on an interface can be entered more than once; the later configuration overrides the earlier one.
• If both ND Snooping and DHCPv6 Snooping are configured on the device, IP Source Guard uses the DHCPv6 Snooping entries, which are usually generated first, to filter packets on the port.
1.4 Displaying and maintaining IP Source Guard
After completing the configuration above, execute the display command in any view to show the running status of IP Source Guard and verify the effect of the configuration from the output.
Table 1-5 Displaying and maintaining IP Source Guard (IPv4)
Task: Display static binding entry information.
  Command: display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ | { begin | exclude | include } regular-expression ]
