Configuring IPv4 IMPB
CHAPTERS
2. IP-MAC Binding Configuration
3. ARP Detection Configuration
4. IPv4 Source Guard Configuration
6. Appendix: Default Parameters
This guide applies to: T1500G-8T v2 or above, T1500G-10PS v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above, T1600G-18TS v2 or above, T1600G-28PS v3 or above, T1600G-28TS v3 or above, T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1700X-16TS v3 or above, T1700G-28TQ v3 or above, T2500G-10TS v2 or above, T2600G-18TS v2 or above, T2600G-28TS v3 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above, T2600G-52TS v3 or above.
1.1 Overview
IPv4 IMPB (IP-MAC-Port Binding) binds the IP address, MAC address, VLAN ID and connected port number of a specified host. Based on the binding table, the switch can prevent ARP cheating attacks with the ARP Detection feature and, with the IP Source Guard feature, filter packets that do not match the binding entries.
1.2 Supported Features
IP-MAC Binding
This feature is used to add binding entries. The binding entries can be manually configured, or learned by ARP scanning or DHCP snooping. The features ARP Detection and IPv4 Source Guard are based on the IP-MAC Binding entries.
ARP Detection
In a real, complex network, the ARP procedure carries high security risks. ARP cheating attacks, such as imitating the gateway, cheating the gateway, cheating terminal hosts and ARP flooding, frequently occur. ARP Detection can protect the network from these ARP attacks.
Prevent ARP Cheating Attacks
Based on the IP-MAC Binding entries, the ARP Detection can be configured to detect the ARP packets and filter the illegal ones so as to prevent the network from ARP cheating attacks.
Prevent ARP Flooding Attack
You can limit the rate at which legal ARP packets are received on a port to avoid an ARP flooding attack.
IPv4 Source Guard
IPv4 Source Guard is used to filter the IPv4 packets based on the IP-MAC Binding table. Only the packets that match the binding rules are forwarded.
2 IP-MAC Binding Configuration
You can add IP-MAC Binding entries in three ways:
Manual Binding
Via ARP Scanning
Via DHCP Snooping
Additionally, you can view, search and edit the entries in the Binding Table.
2.1 Using the GUI
2.1.1 Binding Entries Manually
You can manually bind the IP address, MAC address, VLAN ID and port number together, provided you know the details of the hosts.
Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Manual Binding and click to load the following page.
Figure 2-1 Manual Binding
Follow these steps to manually create an IP-MAC Binding entry:
1) Enter the following information to specify a host.
Host Name | Enter the host name for identification.
IP Address | Enter the IP address.
MAC Address | Enter the MAC address.
VLAN ID | Enter the VLAN ID.
2) Select the protect type for the entry.
Protect Type | Select the protect type for the entry. The entry will be applied to the selected feature. The following options are provided: None: This entry will not be applied to any feature. ARP Detection: This entry will be applied to the ARP Detection feature. IP Source Guard: This entry will be applied to the IPv4 Source Guard feature. Both: This entry will be applied to both features.
3) Enter or select the port that is connected to this host.
4) Click Apply.
2.1.2 Binding Entries via ARP Scanning
With ARP Scanning, the switch sends ARP request packets for the specified IP address range to the hosts. From the ARP reply packets it receives, the switch obtains the IP address, MAC address, VLAN ID and connected port number of each host, and you can then bind these entries conveniently.
Note: Before using this feature, make sure that your network is safe and the hosts are not currently suffering from ARP attacks; otherwise, you may obtain incorrect IP-MAC Binding entries. If your network is being attacked, it is recommended to bind the entries manually.
Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > ARP Scanning to load the following page.
Figure 2-2 ARP Scanning
Follow these steps to configure IP-MAC Binding via ARP scanning:
1) In the Scanning Option section, specify an IP address range and a VLAN ID. Then click Scan to scan the entries in the specified IP address range and VLAN.
Starting IP Address/Ending IP Address | Specify an IP range by entering a start and end IP address.
VLAN ID | Specify a VLAN ID.
2) In the Scanning Result section, select one or more entries and configure the relevant parameters. Then click Bind.
Host Name | Enter a host name for identification.
IP Address | Displays the IP address.
MAC Address | Displays the MAC address.
VLAN ID | Displays the VLAN ID.
Port | Displays the port number.
Protect Type | Select the protect type for the entry. The entry will be applied to the selected feature. The following options are provided: None: This entry will not be applied to any feature. ARP Detection: This entry will be applied to the ARP Detection feature. IP Source Guard: This entry will be applied to the IP Source Guard feature. Both: This entry will be applied to both features.
2.1.3 Binding Entries via DHCP Snooping
With DHCP Snooping enabled, the switch can monitor the IP address obtaining process of the host, and record the IP address, MAC address, VLAN ID and the connected port number of the host.
Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > DHCP Snooping to load the following page.
Figure 2-3 DHCP Snooping
Follow these steps to configure IP-MAC Binding via DHCP Snooping:
1) In the Global Config section, globally enable DHCP Snooping. Click Apply.
2) In the VLAN Config section, enable DHCP Snooping on a VLAN or range of VLANs. Click Apply.
VLAN ID | Displays the VLAN ID.
Status | Enable or disable DHCP Snooping on the VLAN.
3) In the Port Config section, configure the maximum number of binding entries a port can learn via DHCP snooping. Click Apply.
Port | Displays the port number.
Maximum Entries | Configure the maximum number of binding entries a port can learn via DHCP snooping.
LAG | Displays the LAG that the port is in.
4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv4 IMPB > IP-MAC Binding > Binding Table to view or edit the entries.
2.1.4 Viewing the Binding Entries
In the Binding Table, you can view, search and edit the specified binding entries.
Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Binding Table to load the following page.
Figure 2-4 Binding Table
You can specify the search criteria to search for your desired entries.
Source | Select the source of the entry and click Search. All: Displays the entries from all sources. Manual Binding: Displays the manually bound entries. ARP Scanning: Displays the binding entries learned from ARP Scanning. DHCP Snooping: Displays the binding entries learned from DHCP Snooping.
IP | Enter an IP address and click Search to search for the specific entry.
Additionally, you can select one or more entries, edit the host name and protect type, and click Apply.
Host Name | Enter a host name for identification.
IP Address | Displays the IP address.
MAC Address | Displays the MAC address.
VLAN ID | Displays the VLAN ID.
Port | Displays the port number.
Protect Type | Select the protect type for the entry. The entry will be applied to the selected feature. The following options are provided: None: This entry will not be applied to any feature. ARP Detection: This entry will be applied to the ARP Detection feature. IP Source Guard: This entry will be applied to the IP Source Guard feature. Both: This entry will be applied to both features.
Source | Displays the source of the entry.
2.2 Using the CLI
Binding entries via ARP scanning is not supported by the CLI. The following sections introduce how to bind entries manually and via DHCP Snooping and view the binding entries.
2.2.1 Binding Entries Manually
You can manually bind the IP address, MAC address, VLAN ID and port number together, provided you know the details of the hosts.
Follow these steps to manually bind entries:
Step 1 | configure | Enter global configuration mode.
Step 2 | ip source binding hostname ip-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | arp-detection | ip-verify-source | both } | Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host. hostname: Specify a name for the host, of at most 20 characters. ip-addr: Enter the IP address of the host. mac-addr: Enter the MAC address of the host, in the format xx:xx:xx:xx:xx:xx. vlan-id: Enter the VLAN ID of the host. port: Enter the number of the port to which the host is connected. none | arp-detection | ip-verify-source | both: Specify the protect type for the entry. none indicates this entry will not be applied to any feature; arp-detection indicates this entry will be applied to ARP Detection; ip-verify-source indicates this entry will be applied to IPv4 Source Guard; both indicates this entry will be applied to both features.
Step 3 | show ip source binding | Verify the binding entry.
Step 4 | end | Return to privileged EXEC mode.
Step 5 | copy running-config startup-config | Save the settings in the configuration file.
The following example shows how to bind an entry with the hostname host1, IP address 192.168.0.55, MAC address 74:d4:35:76:a4:d8, VLAN ID 10, port number 1/0/5, and enable this entry for the ARP detection feature.
Switch#configure
Switch(config)#ip source binding host1 192.168.0.55 74:d4:35:76:a4:d8 vlan 10 interface gigabitEthernet 1/0/5 arp-detection
Switch(config)#show ip source binding
U Host IP-Addr MAC-Addr VID Port ACL SOURCE
- ---- ------- -------- --- ---- --- ------
1 host1 192.168.0.55 74:d4:35:76:a4:d8 10 Gi1/0/5 ARP-D Manual
Notice:
1.Here, ‘ARP-D’ for ‘ARP-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’.
Switch(config)#end
Switch#copy running-config startup-config
2.2.2 Binding Entries via DHCP Snooping
Follow these steps to bind entries via DHCP Snooping:
Step 1 | configure | Enter global configuration mode.
Step 2 | ip dhcp snooping | Globally enable DHCP Snooping.
Step 3 | ip dhcp snooping vlan vlan-range | Enable DHCP Snooping on the specified VLANs. vlan-range: Enter the VLAN range in the format 1-3, 5.
Step 4 | interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list } | Enter interface configuration mode.
Step 5 | ip dhcp snooping max-entries value | Configure the maximum number of binding entries the port can learn via DHCP snooping. value: Enter the maximum number of entries. The valid values are from 0 to 512.
Step 6 | show ip dhcp snooping | Verify the global configuration of DHCP Snooping.
Step 7 | end | Return to privileged EXEC mode.
Step 8 | copy running-config startup-config | Save the settings in the configuration file.
The following example shows how to enable DHCP Snooping globally and on VLAN 5, and set the maximum number of binding entries port 1/0/1 can learn via DHCP snooping as 100:
Switch#configure
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 5
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#ip dhcp snooping max-entries 100
Switch(config-if)#show ip dhcp snooping
Global Status: Enable
VLAN ID: 5
Switch(config-if)#show ip dhcp snooping interface gigabitEthernet 1/0/1
Interface max-entries LAG
--------- ----------- ---
Gi1/0/1 100 N/A
Switch(config-if)#end
Switch#copy running-config startup-config
2.2.3 Viewing Binding Entries
In privileged EXEC mode or any configuration mode, you can use the following command to view binding entries:
show ip source binding | View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port number and protect type.
3 ARP Detection Configuration
To complete ARP Detection configuration, follow these steps:
1) Add IP-MAC Binding entries.
2) Enable ARP Detection.
3) Configure ARP Detection on ports.
4) View ARP statistics.
3.1 Using the GUI
3.1.1 Adding IP-MAC Binding Entries
In ARP Detection, the switch detects the ARP packets based on the binding entries in the IP-MAC Binding Table. So before configuring ARP Detection, you need to complete IP-MAC Binding configuration.
3.1.2 Enabling ARP Detection
Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Global Config to load the following page.
Figure 3-1 ARP Detection Global Config
Follow these steps to enable ARP Detection:
1) In the Global Config section, enable ARP Detection and configure the related parameters. Click Apply.
ARP Detect | Enable or disable ARP Detection globally.
Validate Source MAC | Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
Validate Destination MAC | Enable or disable the switch to check whether the destination MAC address and the target MAC address are the same when receiving an ARP reply packet. If not, the ARP packet will be discarded.
Validate IP | Enable or disable the switch to check whether the sender IP address of all ARP packets and the target IP address of ARP reply packets are legal. Illegal ARP packets will be discarded; illegal addresses include broadcast addresses, multicast addresses, Class E addresses, loopback addresses (127.0.0.0/8) and 0.0.0.0.
2) In the VLAN Config section, enable ARP Detection on the selected VLANs. Click Apply.
VLAN ID | Displays the VLAN ID.
Status | Enable or disable ARP Detection on the VLAN.
Log Status | Enable or disable the Log feature on the VLAN. With this feature enabled, the switch generates a log when an illegal ARP packet is discarded.
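The following is an added illustration, not TP-Link code: a Python model of the three validation checks above followed by the IP-MAC Binding check, run over constructed ARP frames. The packet field names, the gateway IP 192.168.0.1 and the limitation to the limited broadcast address 255.255.255.255 are this example's own assumptions; the binding entries are the ones used in the ARP Detection example in chapter 5.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IP-MAC Binding entry as the switch stores it."""
    ip: str
    mac: str
    vlan: int
    port: str
    protect: str  # "none" | "arp-detection" | "ip-verify-source" | "both"


@dataclass(frozen=True)
class ArpPacket:
    """Ethernet header plus ARP body of one frame (field names are this example's own)."""
    port: str        # ingress port, e.g. "Gi1/0/1"
    vlan: int
    eth_src: str     # Ethernet source / destination MAC
    eth_dst: str
    op: str          # "request" or "reply"
    sender_mac: str  # ARP sender / target hardware and protocol addresses
    sender_ip: str
    target_mac: str
    target_ip: str


def ip_is_illegal(ip: str) -> bool:
    """Addresses the Validate IP check rejects. Only the limited broadcast
    255.255.255.255 is modelled; a directed broadcast would need the subnet mask."""
    a = ipaddress.IPv4Address(ip)
    return (a == ipaddress.IPv4Address("0.0.0.0")
            or a == ipaddress.IPv4Address("255.255.255.255")
            or a.is_multicast                               # 224.0.0.0/4
            or a.is_loopback                                # 127.0.0.0/8
            or a in ipaddress.IPv4Network("240.0.0.0/4"))   # Class E


def inspect_arp(pkt, bindings, *, enabled_vlans, trusted_ports,
                validate_src_mac=True, validate_dst_mac=True, validate_ip=True):
    """Return 'forward' or 'drop: <reason>' for one ARP packet. The three validate
    checks run first, then the sender must match an entry bound for ARP Detection."""
    if pkt.vlan not in enabled_vlans:
        return "forward"          # ARP Detection is enabled per VLAN
    if pkt.port in trusted_ports:
        return "forward"          # trusted ports are not inspected at all
    if validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop: source MAC differs from sender MAC"
    if validate_dst_mac and pkt.op == "reply" and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop: destination MAC differs from target MAC"
    if validate_ip:
        if ip_is_illegal(pkt.sender_ip):
            return "drop: illegal sender IP"
        if pkt.op == "reply" and ip_is_illegal(pkt.target_ip):
            return "drop: illegal target IP"
    for b in bindings:   # IP, MAC, VLAN and ingress port must all match one entry
        if (b.protect in ("arp-detection", "both") and b.port == pkt.port
                and b.vlan == pkt.vlan and b.ip == pkt.sender_ip
                and b.mac.lower() == pkt.sender_mac.lower()):
            return "forward"
    return "drop: sender does not match an IP-MAC Binding entry"


# Binding table from the ARP Detection example in chapter 5 (User 1 and User 2).
BINDINGS = [
    Binding("192.168.0.31", "74:d3:45:32:b6:8d", 1, "Gi1/0/1", "arp-detection"),
    Binding("192.168.0.33", "88:a9:d4:54:fd:c3", 1, "Gi1/0/2", "arp-detection"),
]
ENABLED_VLANS = {1}
TRUSTED_PORTS = {"Gi1/0/3"}   # the port facing the gateway router
GATEWAY_IP = "192.168.0.1"    # constructed: the example does not give the router's address
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"

# Constructed frames. User 1 asking for the gateway's MAC:
USER1_REQUEST = ArpPacket("Gi1/0/1", 1, "74:d3:45:32:b6:8d", BCAST, "request",
                          "74:d3:45:32:b6:8d", "192.168.0.31", ZERO, GATEWAY_IP)
# A reply from User 2's port claiming the gateway's IP (the "imitating gateway" case):
GATEWAY_IMITATION = ArpPacket("Gi1/0/2", 1, "88:a9:d4:54:fd:c3", BCAST, "reply",
                              "88:a9:d4:54:fd:c3", GATEWAY_IP, BCAST, GATEWAY_IP)
# Ethernet source MAC and ARP sender MAC disagree:
SMAC_MISMATCH = ArpPacket("Gi1/0/1", 1, "74:d3:45:32:b6:8d", BCAST, "request",
                          "00:11:22:33:44:55", "192.168.0.31", ZERO, GATEWAY_IP)
# A reply whose target IP is multicast:
MCAST_TARGET = ArpPacket("Gi1/0/1", 1, "74:d3:45:32:b6:8d", "01:00:5e:00:00:01", "reply",
                         "74:d3:45:32:b6:8d", "192.168.0.31", "01:00:5e:00:00:01", "224.0.0.1")
# The gateway-imitation frame seen on the trusted uplink instead:
FROM_UPLINK = ArpPacket("Gi1/0/3", 1, "88:a9:d4:54:fd:c3", BCAST, "reply",
                        "88:a9:d4:54:fd:c3", GATEWAY_IP, BCAST, GATEWAY_IP)


def verdicts():
    """Run every constructed frame through the model with all three validations on."""
    cases = [("user1_request", USER1_REQUEST), ("gateway_imitation", GATEWAY_IMITATION),
             ("smac_mismatch", SMAC_MISMATCH), ("mcast_target", MCAST_TARGET),
             ("from_uplink", FROM_UPLINK)]
    return {name: inspect_arp(p, BINDINGS, enabled_vlans=ENABLED_VLANS,
                              trusted_ports=TRUSTED_PORTS) for name, p in cases}
```

Note that the trusted uplink forwards the same frame the user port drops, which is why only ports facing the gateway or other switches should be marked trusted.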
3.1.3 Configuring ARP Detection on Ports
Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Port Config to load the following page.
Figure 3-2 ARP Detection on Port
Follow these steps to configure ARP Detection on ports:
1) Select one or more ports and configure the parameters.
Trust Status | Enable or disable the trusted status of the port. On a trusted port, ARP packets are forwarded directly without being checked. Specific ports, such as uplink ports and routing ports, should be set as trusted.
Limit Rate | Specify the maximum number of ARP packets that can be received on the port per second.
Current Speed | Displays the current rate at which ARP packets are received on the port.
Burst Interval | Specify a time range. If the average rate of received ARP packets over this time range reaches the limit, the port will be shut down.
Status | Displays the ARP attack status of the port. Normal: ARP packets are forwarded normally on the port. Down: The rate of legal ARP packets exceeded the defined limit. The port will be shut down for 300 seconds. You can also click the Recover button to restore it.
Operation | If Status changes to Down, a Recover button appears. Click it to restore the port to the normal status.
LAG | Displays the LAG that the port is in.
2) Click Apply.
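As an added example that is not part of the guide, the Limit Rate and Burst Interval behaviour described above modelled in Python for one port: the average receive rate over the burst interval is compared with the limit, the port goes Down for 300 seconds when the limit is reached, and it can be recovered manually. Class and function names are this example's own; the traffic is constructed.

```python
from collections import deque

SHUTDOWN_SECONDS = 300   # how long a port stays Down, per the Status description above


class ArpRateGuard:
    """Per-port model of Limit Rate and Burst Interval. Timestamps are in seconds."""

    def __init__(self, limit_rate=100, burst_interval=1):   # appendix defaults
        self.limit_rate = limit_rate            # pps
        self.burst_interval = burst_interval    # seconds
        self.arrivals = deque()                 # timestamps inside the current interval
        self.down_until = None                  # None while the port is Normal

    def status(self, now):
        if self.down_until is not None and now < self.down_until:
            return "Down"
        return "Normal"      # either never shut down or the 300 s have elapsed

    def recover(self):
        """Manual recovery (the Recover button, or `ip arp inspection recover`)."""
        self.down_until = None
        self.arrivals.clear()

    def current_speed(self, now):
        """Average receive rate over the burst interval ending at `now`, in pps."""
        while self.arrivals and now - self.arrivals[0] >= self.burst_interval:
            self.arrivals.popleft()
        return len(self.arrivals) / self.burst_interval

    def receive(self, now):
        """Record one legal ARP packet arriving at `now`; return the port status afterwards."""
        if self.status(now) == "Down":
            return "Down"                        # nothing is accepted while shut down
        self.arrivals.append(now)
        if self.current_speed(now) >= self.limit_rate:
            self.down_until = now + SHUTDOWN_SECONDS
            self.arrivals.clear()
            return "Down"
        return "Normal"


def flood_demo(limit_rate=20, burst_interval=2, pps=20, count=40):
    """Constructed traffic: `count` packets at a steady `pps`. Returns the index of the
    packet that shut the port down, or None if the port stayed Normal throughout."""
    guard = ArpRateGuard(limit_rate, burst_interval)
    for i in range(count):
        if guard.receive(i / pps) == "Down":
            return i
    return None
```

With the CLI example's settings (20 pps, 2 s), a steady 20 pps stream trips the port on the 40th packet, while 10 pps never does.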
3.1.4 Viewing ARP Statistics
You can view the number of illegal ARP packets received on each port, which helps you locate the network malfunction and take the related protection measures.
Choose the menu SECURITY > IPv4 IMPB > ARP Detection > ARP Statistics to load the following page.
Figure 3-3 View ARP Statistics
In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, so that the web page refreshes automatically.
In the Illegal ARP Packet section, you can view the number of illegal ARP packets in each VLAN.
VLAN ID | Displays the VLAN ID.
Forwarded | Displays the number of forwarded ARP packets in this VLAN.
Dropped | Displays the number of dropped ARP packets in this VLAN.
3.2 Using the CLI
3.2.1 Adding IP-MAC Binding Entries
In ARP Detection, the switch detects the ARP packets based on the binding entries in the IP-MAC Binding Table. So before configuring ARP Detection, you need to complete IP-MAC Binding configuration.
3.2.2 Enabling ARP Detection
Follow these steps to enable ARP Detection:
Step 1 | configure | Enter global configuration mode.
Step 2 | ip arp inspection | Globally enable the ARP Detection feature.
Step 3 | ip arp inspection validate { src-mac | dst-mac | ip } | Configure the switch to check the MAC addresses or IP addresses of received ARP packets. src-mac: Enable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded. dst-mac: Enable the switch to check whether the destination MAC address and the target MAC address are the same when receiving an ARP reply packet. If not, the ARP packet will be discarded. ip: Enable the switch to check whether the sender IP address of all ARP packets and the target IP address of ARP reply packets are legal. Illegal ARP packets will be discarded; illegal addresses include broadcast addresses, multicast addresses, Class E addresses, loopback addresses (127.0.0.0/8) and 0.0.0.0.
Step 4 | ip arp inspection vlan vlan-list [ logging ] | Enable ARP Detection on one or more existing 802.1Q VLANs. vlan-list: Enter the VLAN IDs, in the format 1,5-9. logging: Enable the Log feature so that the switch generates a log when an ARP packet is discarded.
Step 5 | show ip arp inspection | Verify the ARP Detection configuration.
Step 6 | end | Return to privileged EXEC mode.
Step 7 | copy running-config startup-config | Save the settings in the configuration file.
The following example shows how to enable ARP Detection globally and on VLAN 2, and enable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet:
Switch#configure
Switch(config)#ip arp inspection
Switch(config)#ip arp inspection validate src-mac
Switch(config)#ip arp inspection vlan 2
Switch(config)#show ip arp inspection
Global Status: Enable
Verify SMAC: Enable
Verify DMAC: Disable
Verify IP: Disable
Switch(config)#show ip arp inspection vlan
VID Enable status Log Status
---- ------------- ----------
1 Disable Disable
2 Enable Disable
Switch(config)#end
Switch#copy running-config startup-config
3.2.3 Configuring ARP Detection on Ports
Follow these steps to configure ARP Detection on ports:
Step 1 | configure | Enter global configuration mode.
Step 2 | interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } | Enter interface configuration mode.
Step 3 | ip arp inspection trust | Configure the port as a trusted port, on which ARP Detection does not take effect. Specific ports, such as uplink ports and routing ports, should be set as trusted ports.
Step 4 | ip arp inspection limit-rate value | Specify the maximum number of ARP packets that can be received on the port per second. value: Specify the limit rate. The valid values are from 0 to 300 pps (packets/second), and the default value is 100.
Step 5 | ip arp inspection burst-interval value | Specify a time range. If the average rate of received ARP packets over this time range reaches the limit, the port will be shut down. value: Specify the time range. The valid values are from 1 to 15 seconds, and the default value is 1 second.
Step 6 | show ip arp inspection interface | View the configuration and status of the ports.
Step 7 | ip arp inspection recover | (Optional) For ports on which the rate of received ARP packets has exceeded the limit, use this command to restore the port from Down status to Normal status.
Step 8 | end | Return to privileged EXEC mode.
Step 9 | copy running-config startup-config | Save the settings in the configuration file.
The following example shows how to set port 1/0/2 as a trusted port, and set the limit rate to 20 pps and the burst interval to 2 seconds on port 1/0/2:
Switch#configure
Switch(config)#interface gigabitEthernet 1/0/2
Switch(config-if)#ip arp inspection trust
Switch(config-if)#ip arp inspection limit-rate 20
Switch(config-if)#ip arp inspection burst-interval 2
Switch(config-if)#show ip arp inspection interface gigabitEthernet 1/0/2
Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG
--------- ----------- --------------- ------------------ -------------- -------- ---
Gi1/0/2 Enable 20 0 2 --- N/A
Switch(config-if)#end
Switch#copy running-config startup-config
The following example shows how to restore the port 1/0/1 that is in Down status to Normal status:
Switch#configure
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#ip arp inspection recover
Switch(config-if)#end
Switch#copy running-config startup-config
3.2.4 Viewing ARP Statistics
In privileged EXEC mode or any configuration mode, you can use the following command to view ARP statistics:
show ip arp inspection statistics | View the ARP statistics on each port, including the number of forwarded ARP packets and the number of dropped ARP packets.
4 IPv4 Source Guard Configuration
To complete IPv4 Source Guard configuration, follow these steps:
1) Add IP-MAC Binding entries.
2) Configure IPv4 Source Guard.
4.1 Using the GUI
4.1.1 Adding IP-MAC Binding Entries
In IPv4 Source Guard, the switch filters the packets that do not match the entries of the IP-MAC Binding Table. So before configuring IPv4 Source Guard, you need to complete IP-MAC Binding configuration.
4.1.2 Configuring IPv4 Source Guard
Choose the menu SECURITY > IPv4 IMPB > IPv4 Source Guard to load the following page.
Figure 4-1 IPv4 Source Guard Config
Follow these steps to configure IPv4 Source Guard:
1) In the Global Config section, choose whether to enable the Log feature. Click Apply.
IPv4 Source Guard Log | Enable or disable the IPv4 Source Guard Log feature. With this feature enabled, the switch generates a log when illegal packets are received.
2) In the Port Config section, configure the security type for ports and click Apply.
Port | Displays the port number.
Security Type | Select the Security Type on the port for IPv4 packets. The following options are provided: Disable: The IP Source Guard feature is disabled on the port. SIP+MAC: Only packets whose source IP address, source MAC address and port number match the IP-MAC binding rules are processed; otherwise the packet will be discarded. SIP: Only packets whose source IP address and port number match the IP-MAC binding rules are processed; otherwise the packet will be discarded.
LAG | Displays the LAG that the port is in.
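The following added example (not TP-Link code) applies the SIP and SIP+MAC rules above in Python to constructed IPv4 packets against a binding table, and also shows the effect of the protect type from the IP-MAC Binding chapter: an entry bound only for ARP Detection is not used by IPv4 Source Guard. The packet fields, the second binding entry and the log line format are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IP-MAC Binding entry; VLAN is stored, but the match rule above names IP, MAC and port."""
    ip: str
    mac: str
    vlan: int
    port: str
    protect: str  # "none" | "arp-detection" | "ip-verify-source" | "both"


@dataclass(frozen=True)
class Ipv4Packet:
    port: str      # ingress port
    src_mac: str
    src_ip: str


def verify_source(pkt, bindings, security_type, log=None):
    """Return True if the packet is forwarded under the port's Security Type
    ("disable", "sip" or "sip+mac"). When `log` is a list and the packet is dropped,
    one line is appended to it, standing in for the IPv4 Source Guard Log feature."""
    if security_type == "disable":
        return True
    for b in bindings:
        if b.protect not in ("ip-verify-source", "both"):
            continue      # an entry bound only for ARP Detection authorises no IPv4 traffic
        if b.port != pkt.port or b.ip != pkt.src_ip:
            continue
        if security_type == "sip+mac" and b.mac.lower() != pkt.src_mac.lower():
            continue      # SIP alone would have accepted this packet
        return True
    if log is not None:
        log.append(f"IPv4 Source Guard: dropped {pkt.src_ip} {pkt.src_mac} on {pkt.port}")
    return False


# The binding from the IP Source Guard example in chapter 5, plus a constructed
# entry that is bound for ARP Detection only.
BINDINGS = [
    Binding("192.168.0.100", "74:d3:45:32:b5:6d", 1, "Gi1/0/1", "ip-verify-source"),
    Binding("192.168.0.31", "74:d3:45:32:b6:8d", 1, "Gi1/0/2", "arp-detection"),
]

# Constructed packets.
LEGAL = Ipv4Packet("Gi1/0/1", "74:d3:45:32:b5:6d", "192.168.0.100")
IP_ONLY_MATCH = Ipv4Packet("Gi1/0/1", "00:11:22:33:44:55", "192.168.0.100")  # right IP, other MAC
UNKNOWN_HOST = Ipv4Packet("Gi1/0/3", "00:11:22:33:44:55", "192.168.0.200")
ARP_ONLY_ENTRY = Ipv4Packet("Gi1/0/2", "74:d3:45:32:b6:8d", "192.168.0.31")


def compare_security_types():
    """Show how SIP and SIP+MAC treat the same packets; returns {name: (sip, sip+mac)}."""
    cases = {"legal": LEGAL, "ip_only_match": IP_ONLY_MATCH,
             "unknown_host": UNKNOWN_HOST, "arp_only_entry": ARP_ONLY_ENTRY}
    return {name: (verify_source(p, BINDINGS, "sip"), verify_source(p, BINDINGS, "sip+mac"))
            for name, p in cases.items()}
```

The ip_only_match case is the practical difference between the two types: SIP accepts a host that borrowed the bound IP address from another MAC, SIP+MAC does not.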
4.2 Using the CLI
4.2.1 Adding IP-MAC Binding Entries
In IPv4 Source Guard, the switch filters the packets that do not match the entries of the IP-MAC Binding Table. So before configuring IPv4 Source Guard, you need to complete IP-MAC Binding configuration.
4.2.2 Configuring IPv4 Source Guard
Follow these steps to configure IPv4 Source Guard:
Step 1 | configure | Enter global configuration mode.
Step 2 | interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } | Enter interface configuration mode.
Step 3 | ip verify source { sip+mac | sip } | Enable IP Source Guard for IPv4 packets. sip+mac: Only packets whose source IP address, source MAC address and port number match the IP-MAC binding rules are processed; otherwise the packet will be discarded. sip: Only packets whose source IP address and port number match the IP-MAC binding rules are processed; otherwise the packet will be discarded.
Step 4 | show ip verify source [ interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } ] | Verify the IP Source Guard configuration for IPv4 packets.
Step 5 | end | Return to privileged EXEC mode.
Step 6 | copy running-config startup-config | Save the settings in the configuration file.
The following example shows how to enable IPv4 Source Guard on port 1/0/1:
Switch#configure
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#ip verify source sip+mac
Switch(config-if)#show ip verify source interface gigabitEthernet 1/0/1
Port Security-Type LAG
---- ------------- ----
Gi1/0/1 SIP+MAC N/A
Switch(config-if)#end
Switch#copy running-config startup-config
5.1 Example for ARP Detection
5.1.1 Network Requirements
As shown below, User 1 and User 2 are legal users in the LAN, connected to port 1/0/1 and port 1/0/2. Both are in the default VLAN 1. The router has been configured with security features to prevent attacks from the WAN. Now the network administrator wants to configure Switch A to prevent ARP attacks from the LAN.
Figure 5-1 Network Topology
5.1.2 Configuration Scheme
To meet the requirement, you can configure ARP Detection to protect the network from ARP attacks in the LAN.
The overview of the configuration on the switch is as follows:
1) Configure IP-MAC Binding. The binding entries for User 1 and User 2 should be bound manually.
2) Configure ARP Detection globally.
3) Configure ARP Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as a trusted port. To prevent ARP flooding attacks, limit the rate at which legal ARP packets are received on all ports.
Demonstrated with the T2600G-28TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.
5.1.3 Using the GUI
1) Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Manual Binding and click to load the following page. Enter the host name, IP address, MAC address and VLAN ID of User 1, select the protect type as ARP Detection, and select port 1/0/1 on the panel. Click Apply.
Figure 5-2 Binding Entry for User 1
2) On the same page, add a binding entry for User 2. Enter the host name, IP address, MAC address and VLAN ID of User 2, select the protect type as ARP Detection, and select port 1/0/2 on the panel. Click Apply.
Figure 5-3 Binding Entry for User 2
3) Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Global Config to load the following page. Enable ARP Detect, Validate Source MAC, Validate Destination MAC and Validate IP, and click Apply. Select VLAN 1, set Status to Enabled and click Apply.
Figure 5-4 Enable ARP Detection
4) Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Port Config to load the following page. By default, ARP Detection and ARP flooding defence are enabled on all ports. Configure port 1/0/3 as a trusted port and keep the other defence parameters at their defaults. Click Apply.
Figure 5-5 Port Config
5) Click to save the settings.
5.1.4 Using the CLI
1) Manually bind the entries for User 1 and User 2.
Switch_A#configure
Switch_A(config)#ip source binding User1 192.168.0.31 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 arp-detection
Switch_A(config)#ip source binding User2 192.168.0.32 88:a9:d4:54:fd:c3 vlan 1 interface gigabitEthernet 1/0/2 arp-detection
2) Enable ARP Detection globally and on VLAN 1.
Switch_A(config)#ip arp inspection
Switch_A(config)#ip arp inspection vlan 1
3) Configure port 1/0/3 as a trusted port.
Switch_A(config)#interface gigabitEthernet 1/0/3
Switch_A(config-if)#ip arp inspection trust
Switch_A(config-if)#end
Switch_A#copy running-config startup-config
Verify the Configuration
Verify the IP-MAC Binding entries:
Switch_A#show ip source binding
U Host IP-Addr MAC-Addr VID Port ACL SOURCE
- ---- ------- -------- --- ---- --- ------
1 User1 192.168.0.31 74:d3:45:32:b6:8d 1 Gi1/0/1 ARP-D Manual
1 User2 192.168.0.33 88:a9:d4:54:fd:c3 1 Gi1/0/2 ARP-D Manual
Notice:
1.Here, ‘ARP-D’ for ‘ARP-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’.
Verify the global configuration of ARP Detection:
Switch_A#show ip arp inspection
Global Status: Enable
Verify SMAC: Enable
Verify DMAC: Enable
Verify IP: Enable
Verify the ARP Detection configuration on VLAN:
Switch_A#show ip arp inspection vlan
VID Enable status Log Status
---- ------------- ----------
1 Enable Disable
Verify the ARP Detection configuration on ports:
Switch_A#show ip arp inspection interface
Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG
--------- ----------- --------------- ------------------ -------------- ------- ---
Gi1/0/1 Disable 100 0 1 --- N/A
Gi1/0/2 Disable 100 0 1 --- N/A
Gi1/0/3 Enable 100 0 1 --- N/A
...
5.2 Example for IP Source Guard
5.2.1 Network Requirements
As shown below, the legal host connects to the switch via port 1/0/1 and belongs to the default VLAN 1. It is required that only the legal host can access the network via port 1/0/1, and that other, unknown hosts are blocked when they try to access the network via ports 1/0/1-3.
Figure 5-6 Network Topology
5.2.2 Configuration Scheme
To implement this requirement, you can use IP-MAC Binding and IP Source Guard to filter out the packets received from unknown hosts. The overview of the configuration on the switch is as follows:
1) Bind the MAC address, IP address, connected port number and VLAN ID of the legal host with IP-MAC Binding.
2) Enable IP Source Guard on ports 1/0/1-3.
Demonstrated with the T2600G-28TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.
5.2.3 Using the GUI
1) Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Manual Binding and click to load the following page. Enter the host name, IP address, MAC address and VLAN ID of the legal host, select the protect type as IP Source Guard, and select port 1/0/1 on the panel. Click Apply.
Figure 5-7 Manual Binding
2) Choose the menu SECURITY > IPv4 IMPB > IPv4 Source Guard to load the following page. Enable IPv4 Source Guard Logging to make the switch generate logs when receiving illegal packets, and click Apply. Select ports 1/0/1-3, configure the Security Type as SIP+MAC, and click Apply.
Figure 5-8 IPv4 Source Guard
3) Click to save the settings.
5.2.4 Using the CLI
1) Manually bind the IP address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IP Source Guard feature.
Switch#configure
Switch(config)#ip source binding legal-host 192.168.0.100 74:d3:45:32:b5:6d vlan 1 interface gigabitEthernet 1/0/1 ip-verify-source
2) Enable the log feature and IP Source Guard on ports 1/0/1-3.
Switch(config)# ip verify source logging
Switch(config)# interface range gigabitEthernet 1/0/1-3
Switch(config-if-range)#ip verify source sip+mac
Switch(config-if-range)#end
Switch#copy running-config startup-config
Verify the Configuration
Verify the binding entry:
Switch#show ip source binding
U Host IP-Addr MAC-Addr VID Port ACL SOURCE
- ---- ------- -------- --- ---- --- ------
1 User1 192.168.0.100 74:d3:45:32:b5:6d 1 Gi1/0/1 IP-V-S Manual
Notice:
1.Here, ‘ARP-D’ for ‘ARP-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’.
Verify the configuration of IP Source Guard:
Switch#show ip verify source
IP Source Guard log: Enabled
Port Security-Type LAG
Gi1/0/1 SIP+MAC N/A
Gi1/0/2 SIP+MAC N/A
Gi1/0/3 SIP+MAC N/A
...
6 Appendix: Default Parameters
Default settings of DHCP Snooping are listed in the following table:
Table 6-1 DHCP Snooping
Parameter | Default Setting
Global Config |
DHCP Snooping | Disable
VLAN Config |
Status | Disable
Port Config |
Maximum Entry | 512
Default settings of ARP Detection are listed in the following table:
Table 6-2 ARP Detection
Parameter | Default Setting
Global Config |
ARP Detect | Disable
Validate Source MAC | Disable
Validate Destination MAC | Disable
Validate IP | Disable
VLAN Config |
Status | Disable
Log Status | Disable
Port Config |
Trust Status | Disable
Limit Rate | 100 pps
Burst Interval | 1 second
Default settings of IPv4 Source Guard are listed in the following table:
Table 6-3 IPv4 Source Guard
Parameter | Default Setting
Global Config |
IPv4 Source Guard Log | Disable
Port Config |
Security Type | Disable