Contents
Configuring IP-MAC binding ·········································································· 1 About IP-MAC binding········································································································································ 1 Operating mechanism ································································································································ 1 IP-MAC binding entry creation ··················································································································· 2 Restrictions and guidelines: IP-MAC binding configuration ··············································································· 2 IP-MAC binding tasks at a glance ······················································································································ 2 Enabling the IP-MAC binding feature on an interface ························································································ 3 Manually creating an IP-MAC binding entry ······································································································· 3 Bulk generating IP-MAC binding entries ············································································································ 3 Setting the default action for packets that do not match any IP-MAC binding entries ······································· 4 Display and maintenance commands for IP-MAC binding ················································································· 4 IP-MAC binding configuration examples ············································································································ 4 Example: Configuring IPv4-MAC binding ··································································································· 4 Example: Configuring IPv6-MAC binding ··································································································· 6
i
Configuring IP-MAC binding About IP-MAC binding
The device prevents user spoofing attacks by using an IP-MAC binding table to filter out illegitimate packets with forged source IP addresses or MAC addresses. Operating mechanism
The IP-MAC binding table contains binding entries that bind IP addresses and MAC addresses. The device uses the binding entries to match an incoming packet. As shown in Figure 1, all hosts communicate with the IP network through the device. When the device receives a packet, it compares the source IP address and source MAC address in the packet with the IP-MAC binding entries. Table 1 describes the way the device processes the packet based on the match result. Figure 1 IP-MAC binding application scenario
IP-MAC binding entries 1.1.1.1 0000-0000-0001 Legal host 1.1.1.2 0000-0000-0002 1.1.1.3 0000-0000-0003 … 1.1.1.1 0000-0000-0001
IP network
1.1.1.2 0000-0000-0004
Rogue host
1.1.1.4 0000-0000-0001
Rogue host
Table 1 Processing of a packet based on the match result
Match result Processing of the packet
The packet source IP address and source MAC Permits the packet. address match the same IP-MAC binding entry.
Only the source IP address or source MAC Drops the packet. address matches a binding entry.
The source IP address and source MAC address Drops the packet. match two different binding entries. Processes the packet based on the default action. Both the source IP address and the source MAC By default, the device permits all packets that do not address of a packet match no IP-MAC binding match any binding entries. You can use the ip-mac entry. binding no-match action deny command to set the default action to deny.
1
IP-MAC binding entry creation
An IP-MAC binding entry binds an IP address to a MAC address. You can manually create IP-MAC binding entries one by one or generate them in bulk. All binding entries are globally effective. Manual creation of IP-MAC binding entries This method is applicable only to networks that do not contain many hosts and in which the hosts are statically assigned IP addresses. Bulk generation of IP-MAC binding entries This method is applicable to networks that contain many hosts. This method allows a device to generate IPv4-MAC binding entries based on ARP entries and create IPv6-MAC binding entries based on ND entries on an interface. The device generates an IP-MAC binding entry based on an ARP or ND entry as follows: • If neither the IP address nor the MAC address in the ARP/ND entry exists in the binding table, the device generates a new binding entry. In this situation, the IP address and the MAC address are uniquely bound to each other. • If the MAC address in the ARP/ND entry exists in the binding table but the IP address does not, the device generates a new binding entry. In this situation, the MAC address is bound to multiple IP addresses. • If the IP address in the ARP/ND entry exists in the binding table, the device will not generate a new binding entry. This is because an IP address can be bound to only one MAC address. IP-MAC binding entries generated based on ARP and ND entries are static. Therefore, the binding entries are not updated when the relevant ARP or ND entries change. Restrictions and guidelines: IP-MAC binding configuration
IP-MAC binding entries are static. Therefore, the IP-MAC binding feature is applicable only to networks where all users are statically assigned IP addresses. Using this feature in a network where all users' IP addresses are dynamically assigned through DHCP might cause communication failure. A MAC address can be bound to multiple IP addresses. To bind a MAC address in a binding entry to another IP address, use the MAC address and new IP address to create a new binding entry. You can choose to delete the existing binding entry or retain it. An IP address can be bound to only one MAC address. To bind an IP address in a binding entry to another MAC address, you must delete the existing binding entry and then create the new one. IP-MAC binding tasks at a glance
To configure IP-MAC binding, perform the following tasks: 1. Enabling the IP-MAC binding feature on an interface 2. Configuring IP-MAC binding entries Choose the options to configure as needed:
Manually creating an IP-MAC binding entry
Bulk generating IP-MAC binding entries 3. Setting the default action for packets that do not match any IP-MAC binding entries
2
Enabling the IP-MAC binding feature on an interface
About this task When this feature is enabled on an interface, the device compares the source IP address and source MAC address in incoming packets of the interface with existing IP-MAC binding entries. The packets that do not exactly match any IP-MAC binding entries are dropped. Procedure 1. Enter system view. system-view 2. Enter interface view. interface interface-type interface-number 3. Enable the IP-MAC binding feature on the interface. ip-mac binding enable By default, the IP-MAC binding feature is disabled on an interface. Manually creating an IP-MAC binding entry
Creating an IP-MAC binding entry 1. Enter system view. system-view 2. Create an IP-MAC binding entry. IPv4: ip-mac binding ipv4 ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ] IPv6: ip-mac binding ipv6 ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ] By default, no IP-MAC binding entry is configured. Bulk generating IP-MAC binding entries
About this task This task allows the device to generate IP-MAC binding entries in bulk based on existing ARP and ND entries on an interface. Procedure 1. Enter system view. system-view 2. Bulk generate IP-MAC binding entries. ip-mac binding interface interface-type interface-number
3
Setting the default action for packets that do not match any IP-MAC binding entries
About this task By default, the device permits packets that do not match any IP-MAC binding entries to pass through. This task allows you to set the default action to deny for these packets. Procedure 1. Enter system view. system-view 2. Set the default action to deny for packets that do not match any IP-MAC binding entries. ip-mac binding no-match action deny By default, the action for packets that do not match any IP-MAC binding entries is permit. Display and maintenance commands for IP-MAC binding
Execute commands in any view and commands in user view. display reset
Task Command
display ip-mac binding ipv4 [ ipv4-address ] Display IPv4-MAC binding entries. [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ] display ip-mac binding ipv6 [ ipv6-address ] Display IPv6-MAC binding entries. [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ] Display statistics about packets display ip-mac binding statistics [ chassis dropped by the IP-MAC binding chassis-number slot-number feature. slot ]
Display the status of the IP-MAC
binding feature. display ip-mac binding status
Clear statistics about packets reset ip-mac binding statistics [ chassis dropped by the IP-MAC binding chassis-number slot-number feature. slot ]
IP-MAC binding configuration examples Example: Configuring IPv4-MAC binding
Network configuration As shown in Figure 2, Host A, Host B, and the server are statically assigned IPv4 addresses. Host A and Host B communicate with the server through the gateway (the device). Create the following IPv4-MAC binding entries on the device to permit packets only from Host A, Host B, and the server:
4
• Bind IPv4 address 192.168.0.1 to MAC address 0001-0203-0404 for Host A. • Bind IPv4 address 192.168.0.2 to MAC address 0001-0203-0405 for Host B. • Bind IPv4 address 192.168.1.3 to MAC address 0001-0203-0407 for the server. Figure 2 Network diagram
Host A IP: 192.168.0.1/24 MAC: 0001-0203-0404
Switch Device GE1/2/5/2 GE1/2/5/1
Host B Server IP: 192.168.0.2/24 IP: 192.168.1.3/24 MAC: 0001-0203-0405 MAC : 0001-0203-0407
Host C IP: 192.168.0.3/24 MAC: 0001-0203-0406
Procedure # Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.) # Enable the IP-MAC binding feature on GigabitEthernet 1/2/5/1 and GigabitEthernet 1/2/5/2.
5
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out. Request timed out. Request timed out. Request timed out.
Ping statistics for 192.168.1.3: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The ping requests timed out, which indicates that the requests are blocked by the device. Example: Configuring IPv6-MAC binding
Network configuration As shown in Figure 3, Host A, Host B, and the server are statically assigned IPv6 addresses. Host A and Host B communicate with the server through the gateway (the device). Create the following IPv6-MAC binding entries on the device to permit packets only from Host A, Host B, and the server: • Bind IPv6 address 2000::1/64 to MAC address 0001-0203-0404 for Host A. • Bind IPv6 address 2000::2/64 to MAC address 0001-0203-0405 for Host B. • Bind IPv6 address 2001::3/64 to MAC address 0001-0203-0407 for the server. Figure 3 Network diagram
Host A IP: 2000::1/64 MAC: 0001-0203-0404
Switch Device GE1/2/5/2 GE1/2/5/1
Host B Sever IP: 2000::2/64 IP: 2001::3/64 MAC: 0001-0203-0405 MAC : 0001-0203-0407
Host C IP: 2000::3/64 MAC: 0001-0203-0406
Procedure # Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.) # Enable the IP-MAC binding feature on GigabitEthernet 1/2/5/1 and GigabitEthernet 1/2/5/2.
6
[Device-GigabitEthernet1/2/5/2] ip-mac binding enable [Device-GigabitEthernet1/2/5/2] quit # Create IPv6-MAC binding entries to permit packets only from Host A, Host B, and the server. [Device] ip-mac binding ipv6 2000::1 mac-address 0001-0203-0404 [Device] ip-mac binding ipv6 2000::2 mac-address 0001-0203-0405 [Device] ip-mac binding ipv6 2001::3 mac-address 0001-0203-0407 # Set the default action to deny for packets that do not match any IP-MAC binding entries. [Device] ip-mac binding no-match action deny Verifying the configuration # Display IPv6-MAC binding entries.
Pinging 2001::3 with 32 bytes of data:
Request timed out. Request timed out. Request timed out. Request timed out.
Ping statistics for 2001::3: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The ping requests timed out, which indicates that the requests are blocked by the device.
7