
IPSG (IP and MAC Address Binding)

Application Scenario & Implementation


IPSG refers to IP source guard. It prevents malicious hosts from using the IP address of an authorized host to access or attack a network. IPSG matches the packets from hosts against the configured binding table, and discards the packets from unauthorized hosts to protect the network.

Binding tables are classified into static binding tables and DHCP snooping binding tables.

Static binding table: manually configured by running the user-bind command. The static binding table is applicable to a local area network where a small number of hosts reside and the hosts use static IP addresses.

DHCP snooping binding table: dynamically generated by the switch. When DHCP clients request IP addresses from the DHCP server, the switch with the DHCP snooping function configured generates DHCP snooping binding entries according to the DHCP reply packets returned by the DHCP server. The DHCP snooping binding table is applicable to the local area network where a large number of hosts reside and the hosts obtain IP addresses through DHCP.

Configuring IPSG Static Binding Table
Networking Requirements
The hosts of an enterprise access the enterprise intranet through a switch. Host_1 with IP
address 10.0.0.1 belongs to an R&D engineer, and host_2 with IP address 10.0.0.11 belongs
to a human resource employee. An ACL rule is configured on the switch to allow only human
resource employees to access the Internet.
The R&D engineer is not allowed to change the host's IP address to 10.0.0.11 to access the
Internet when the human resource employee powers off her own host.

Configuration Roadmap
1. Create binding entries for the R&D engineer and human resource employee on the switch.
2. Enable IPSG on GE0/0/1 and GE0/0/2 of the switch.

Procedure
<HUAWEI> system-view //Enter the system view.
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //Create a binding entry for the R&D engineer.
[HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 //Create a binding entry for the human resource employee.
[HUAWEI] interface gigabitethernet 0/0/1 //Enter the GE0/0/1 interface view.
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable //Enable IPSG on GE0/0/1.
[HUAWEI-GigabitEthernet0/0/1] quit //Quit from the GE0/0/1 interface view.
[HUAWEI] interface gigabitethernet 0/0/2 //Enter the GE0/0/2 interface view.
[HUAWEI-GigabitEthernet0/0/2] ip source check user-bind enable //Enable IPSG on GE0/0/2.
[HUAWEI-GigabitEthernet0/0/2] quit //Quit from the GE0/0/2 interface view.
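
The check IPSG performs in this scenario, modeled in Python as an added example (not Huawei code and not part of the original document). It assumes entries are matched on source IP and MAC only, that a packet matching no entry on an IPSG-enabled interface is discarded, and that interfaces without IPSG are not checked; the sample packets, the host-to-port mapping and the port GE0/0/5 are constructed.

```python
import re
from typing import NamedTuple

# Commands copied from the static-binding procedure above.
CONFIG = """\
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002
"""
# Interfaces on which the procedure enables IPSG.
IPSG_INTERFACES = {"GE0/0/1", "GE0/0/2"}

class Packet(NamedTuple):
    interface: str
    src_ip: str
    src_mac: str

BIND_RE = re.compile(r"user-bind static ip-address (\S+) mac-address (\S+)")

def norm_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def load_bindings(config: str) -> set:
    """Build the (IP, MAC) binding table from user-bind static lines."""
    return {(ip, norm_mac(mac)) for ip, mac in BIND_RE.findall(config)}

def ipsg_verdict(pkt: Packet, bindings: set, enabled: set) -> str:
    """Simplified IPSG decision for one IP packet (assumed model)."""
    if pkt.interface not in enabled:
        return "forward (unchecked)"  # IPSG is not enabled on the ingress port
    if (pkt.src_ip, norm_mac(pkt.src_mac)) in bindings:
        return "forward"
    return "discard"

if __name__ == "__main__":
    table = load_bindings(CONFIG)
    # Constructed packets; which host sits on which port is an assumption.
    samples = [
        Packet("GE0/0/1", "10.0.0.1", "0001-0001-0001"),   # R&D host, own IP
        Packet("GE0/0/2", "10.0.0.11", "0002-0002-0002"),  # HR host, own IP
        Packet("GE0/0/1", "10.0.0.11", "0001-0001-0001"),  # R&D host with HR's IP
        Packet("GE0/0/5", "10.0.0.11", "0001-0001-0001"),  # hypothetical port, no IPSG
    ]
    for p in samples:
        print(p, "->", ipsg_verdict(p, table, IPSG_INTERFACES))
```

The last sample shows why step 2 of the roadmap matters: a binding entry alone filters nothing on a port where IPSG has not been enabled.
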
Configuring DHCP Snooping Binding Table
Networking Requirements
All hosts in an enterprise obtain IP addresses through DHCP. Employees can use only
the IP addresses allocated by the DHCP server to access the network, but cannot
change their IP addresses to statically configured ones.

Configuration Roadmap
1. Configure DHCP snooping on switch_1 so that switch_1 can generate DHCP snooping
binding entries.
2. Enable IPSG in VLAN 10 of switch_1 connected to employees' hosts.
Note: The DHCP-related configurations are not provided here. It is required that DHCP
configurations have been completed and hosts have obtained IP addresses through DHCP.

Procedure
<HUAWEI> system-view //Enter the system view.
[HUAWEI] dhcp enable //Enable DHCP globally.
[HUAWEI] dhcp snooping enable //Enable DHCP Snooping globally.
[HUAWEI] vlan 10 //Enter the VLAN10 view.
[HUAWEI-vlan10] dhcp snooping enable //Enable DHCP snooping in the VLAN view.
[HUAWEI-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/3 //Configure GE0/0/3 connected to the DHCP server as a trusted interface.
[HUAWEI-vlan10] ip source check user-bind enable //Enable IPSG based on VLAN.
[HUAWEI-vlan10] quit //Quit from the VLAN view.
