24-IP-MAC Binding Configuration

Contents

Configuring IP-MAC binding (page 1)
  About IP-MAC binding (page 1)
    Operating mechanism (page 1)
    IP-MAC binding entry creation (page 2)
  Restrictions and guidelines: IP-MAC binding configuration (page 2)
  IP-MAC binding tasks at a glance (page 2)
  Enabling the IP-MAC binding feature on an interface (page 3)
  Manually creating an IP-MAC binding entry (page 3)
  Bulk generating IP-MAC binding entries (page 3)
  Setting the default action for packets that do not match any IP-MAC binding entries (page 4)
  Display and maintenance commands for IP-MAC binding (page 4)
  IP-MAC binding configuration examples (page 4)
    Example: Configuring IPv4-MAC binding (page 4)
    Example: Configuring IPv6-MAC binding (page 6)
Configuring IP-MAC binding

About IP-MAC binding

The device prevents user spoofing attacks by using an IP-MAC binding table to filter out illegitimate packets with forged source IP addresses or MAC addresses.

Operating mechanism

The IP-MAC binding table contains binding entries that bind IP addresses to MAC addresses. The device uses the binding entries to match each incoming packet.

As shown in Figure 1, all hosts communicate with the IP network through the device. When the device receives a packet, it compares the source IP address and source MAC address in the packet with the IP-MAC binding entries. Table 1 describes how the device processes the packet based on the match result.

Figure 1 IP-MAC binding application scenario (figure not reproduced: the device holds the binding entries 1.1.1.1/0000-0000-0001, 1.1.1.2/0000-0000-0002 and 1.1.1.3/0000-0000-0003; a legal host sends from 1.1.1.1/0000-0000-0001, one rogue host sends from 1.1.1.2/0000-0000-0004 and another rogue host from 1.1.1.4/0000-0000-0001)

Table 1 Processing of a packet based on the match result

Match result: The packet source IP address and source MAC address match the same IP-MAC binding entry.
Processing of the packet: Permits the packet.

Match result: Only the source IP address or the source MAC address matches a binding entry.
Processing of the packet: Drops the packet.

Match result: The source IP address and source MAC address match two different binding entries.
Processing of the packet: Drops the packet.

Match result: Neither the source IP address nor the source MAC address of the packet matches any IP-MAC binding entry.
Processing of the packet: Processes the packet based on the default action. By default, the device permits all packets that do not match any binding entries. You can use the ip-mac binding no-match action deny command to set the default action to deny.

IP-MAC binding entry creation

An IP-MAC binding entry binds an IP address to a MAC address. You can manually create IP-MAC binding entries one by one or generate them in bulk. All binding entries are globally effective.
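The match decisions of Table 1, the default action, and the rules the device applies when it generates entries from ARP/ND entries (described under "Bulk generation of IP-MAC binding entries" below), written out as an added Python model; this is an illustration, not device code, and the entries and host addresses are the constructed values shown in Figure 1.

```python
# Added reference model of IP-MAC binding, not device code.
# Entries and hosts are the constructed values shown in Figure 1.

PERMIT, DENY = "permit", "deny"


class IpMacBindingTable:
    def __init__(self, no_match_action=PERMIT):
        self.ip_to_mac = {}                     # an IP binds to exactly one MAC
        self.no_match_action = no_match_action  # ip-mac binding no-match action

    def add(self, ip, mac):
        """Manual entry creation: an already bound IP must be deleted first."""
        if ip in self.ip_to_mac:
            raise ValueError(f"{ip} is already bound to {self.ip_to_mac[ip]}")
        self.ip_to_mac[ip] = mac

    def generate_from(self, arp_or_nd_entries):
        """Bulk generation: a new entry unless the IP already exists.
        A MAC may end up bound to several IPs; an IP is never rebound."""
        added = 0
        for ip, mac in arp_or_nd_entries:
            if ip not in self.ip_to_mac:
                self.ip_to_mac[ip] = mac
                added += 1
        return added

    def check(self, src_ip, src_mac):
        """Table 1: decide what happens to a packet with this source pair."""
        ip_hit = src_ip in self.ip_to_mac
        mac_hit = src_mac in self.ip_to_mac.values()
        if not ip_hit and not mac_hit:
            return self.no_match_action          # no entry matches: default action
        if ip_hit and self.ip_to_mac[src_ip] == src_mac:
            return PERMIT                        # both match the same entry
        return DENY  # only one side matches, or they match different entries


def figure1_table(no_match_action=PERMIT):
    """Binding table holding the three entries shown in Figure 1."""
    table = IpMacBindingTable(no_match_action)
    table.add("1.1.1.1", "0000-0000-0001")
    table.add("1.1.1.2", "0000-0000-0002")
    table.add("1.1.1.3", "0000-0000-0003")
    return table
```

With the Figure 1 entries, the legal host (1.1.1.1/0000-0000-0001) is permitted, both rogue hosts are denied, and an unknown pair falls through to the default action.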
Manual creation of IP-MAC binding entries

This method is applicable only to networks that do not contain many hosts and in which the hosts are statically assigned IP addresses.

Bulk generation of IP-MAC binding entries

This method is applicable to networks that contain many hosts. It allows the device to generate IPv4-MAC binding entries based on ARP entries and IPv6-MAC binding entries based on ND entries on an interface. The device generates an IP-MAC binding entry from an ARP or ND entry as follows:

• If neither the IP address nor the MAC address in the ARP/ND entry exists in the binding table, the device generates a new binding entry. In this situation, the IP address and the MAC address are uniquely bound to each other.
• If the MAC address in the ARP/ND entry exists in the binding table but the IP address does not, the device generates a new binding entry. In this situation, the MAC address is bound to multiple IP addresses.
• If the IP address in the ARP/ND entry exists in the binding table, the device does not generate a new binding entry, because an IP address can be bound to only one MAC address.

IP-MAC binding entries generated from ARP and ND entries are static. Therefore, the binding entries are not updated when the relevant ARP or ND entries change.

Restrictions and guidelines: IP-MAC binding configuration

IP-MAC binding entries are static. Therefore, the IP-MAC binding feature is applicable only to networks where all users are statically assigned IP addresses. Using this feature in a network where users' IP addresses are dynamically assigned through DHCP might cause communication failure.

A MAC address can be bound to multiple IP addresses. To bind a MAC address in a binding entry to another IP address, use the MAC address and the new IP address to create a new binding entry. You can choose to delete the existing binding entry or retain it.

An IP address can be bound to only one MAC address.
To bind an IP address in a binding entry to another MAC address, you must delete the existing binding entry and then create the new one.

IP-MAC binding tasks at a glance

To configure IP-MAC binding, perform the following tasks:

1. Enabling the IP-MAC binding feature on an interface
2. Configuring IP-MAC binding entries
   Choose the options to configure as needed:
   Manually creating an IP-MAC binding entry
   Bulk generating IP-MAC binding entries
3. Setting the default action for packets that do not match any IP-MAC binding entries

Enabling the IP-MAC binding feature on an interface

About this task

When this feature is enabled on an interface, the device compares the source IP address and source MAC address in incoming packets of the interface with the existing IP-MAC binding entries. Packets that do not exactly match any IP-MAC binding entry are dropped.

Procedure

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Enable the IP-MAC binding feature on the interface.
   ip-mac binding enable
   By default, the IP-MAC binding feature is disabled on an interface.

Manually creating an IP-MAC binding entry

Creating an IP-MAC binding entry

1. Enter system view.
   system-view
2. Create an IP-MAC binding entry.
   IPv4:
   ip-mac binding ipv4 ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]
   IPv6:
   ip-mac binding ipv6 ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]
   By default, no IP-MAC binding entry is configured.

Bulk generating IP-MAC binding entries

About this task

This task allows the device to generate IP-MAC binding entries in bulk based on the existing ARP and ND entries on an interface.

Procedure

1. Enter system view.
   system-view
2. Bulk generate IP-MAC binding entries.
   ip-mac binding interface interface-type interface-number

Setting the default action for packets that do not match any IP-MAC binding entries

About this task

By default, the device permits packets that do not match any IP-MAC binding entries to pass through. This task allows you to set the default action to deny for these packets.

Procedure

1. Enter system view.
   system-view
2. Set the default action to deny for packets that do not match any IP-MAC binding entries.
   ip-mac binding no-match action deny
   By default, the action for packets that do not match any IP-MAC binding entries is permit.

Display and maintenance commands for IP-MAC binding

Execute display commands in any view and reset commands in user view.

Task: Display IPv4-MAC binding entries.
Command: display ip-mac binding ipv4 [ ipv4-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ]

Task: Display IPv6-MAC binding entries.
Command: display ip-mac binding ipv6 [ ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ]

Task: Display statistics about packets dropped by the IP-MAC binding feature.
Command: display ip-mac binding statistics [ chassis chassis-number slot slot-number ]

Task: Display the status of the IP-MAC binding feature.
Command: display ip-mac binding status

Task: Clear statistics about packets dropped by the IP-MAC binding feature.
Command: reset ip-mac binding statistics [ chassis chassis-number slot slot-number ]

IP-MAC binding configuration examples

Example: Configuring IPv4-MAC binding

Network configuration

As shown in Figure 2, Host A, Host B, and the server are statically assigned IPv4 addresses. Host A and Host B communicate with the server through the gateway (the device). Create the following IPv4-MAC binding entries on the device to permit packets only from Host A, Host B, and the server:

• Bind IPv4 address 192.168.0.1 to MAC address 0001-0203-0404 for Host A.
• Bind IPv4 address 192.168.0.2 to MAC address