Ruijie RSR Series Routers_Access Router Switch Module Configuration_IP+MAC Binding

Table of contents

01 IP+MAC binding configuration example

02 FAQ about IP+MAC binding


01 IP+MAC binding configuration example

Features

IP/MAC address binding means that the router binds and records the MAC address and IP address of the host directly connected to it on the network, and only the specified MAC address can use the corresponding IP address. This mechanism can prevent the IP address of the bound host from being spoofed. There are two prerequisites for applying this mechanism:

1. The MAC address is unique and cannot be counterfeited;

2. Only hosts on the network directly connected to the router can be bound (that is, the gateway of the host is on the router). 

In addition, a host interface can carry several IP addresses, so several IP addresses may be bound to the same MAC address; the reverse (one IP address bound to several MAC addresses) is not allowed.

Application Scenario

Enterprises often have relatively strict network security requirements: only computers with specific MAC addresses using specific IP addresses may access the Internet. In that case, the IP+MAC binding function can be enabled on the router.

1. Networking requirements:

A network uses an RSR series router as its egress router. There are 10 computers on the intranet, and the IP addresses 192.168.0.2~192.168.0.11 are statically assigned to them. At the same time, the following requirements must be met:

1. The IP addresses of these 10 computers must be fixed and cannot be changed without permission.

2. New hosts are not allowed to access the network using addresses outside 192.168.0.2~192.168.0.11 without authorization.

2. Network topology:

[Figure: network topology]

3. Configuration points:

1. Complete the static IP address configuration of the intranet computer, and collect the MAC address of each computer.

2. Complete the basic configuration of the router to ensure that intranet users can access the external network normally.

3. Configure IP+MAC binding

(1) Configure IP+MAC binding rule list

(2) Apply the IP+MAC binding rule list to the interface

4. Configuration steps

1. Complete the static IP address configuration of the intranet computer, and collect the MAC address of each computer.

The MAC address of each computer can be collected with show arp on the router once step 2 below is complete.

Automatic binding can also be achieved by using ipmacbind auto.

Note: If you use ipmacbind auto to achieve automatic binding, you cannot restrict new user access.

2. Complete the basic configuration of the router to ensure that intranet users can access the external network normally.

3. Configure IP+MAC binding

(1) Configure IP+MAC binding rule list

ipmacbind list 1                                  //Create a new IP+MAC rule list numbered 1
     ipmacbind 192.168.0.2 00d0.f86c.1517         //Add an IP+MAC binding rule entry (one line per host)
     ipmacbind 192.168.0.3 0000.0000.0003
     ipmacbind 192.168.0.4 0000.0000.0004
     ipmacbind 192.168.0.5 0000.0000.0005
     ipmacbind 192.168.0.6 0000.0000.0006
     ipmacbind 192.168.0.7 0000.0000.0007
     ipmacbind 192.168.0.8 0000.0000.0008
     ipmacbind 192.168.0.9 0000.0000.0009
     ipmacbind 192.168.0.10 0000.0000.0010
     ipmacbind 192.168.0.11 0000.0000.0011

(2) Apply the IP+MAC binding rule list to the interface

interface GigabitEthernet 0/0                     //Enter the interface connected to the intranet
    ipmacbind list 1 default action deny          //Apply binding rule list 1 to the interface; packets that match no binding rule are discarded (the default action)

Note:

The "deny" keyword discards packets that do not match any IP+MAC binding rule, which is what restricts unauthorized access by new hosts. The default is "permit", that is, packets that do not match any IP+MAC binding rule are allowed to pass. The forwarding result for each combination of IP/MAC match state and the "deny" or "permit" action is shown below:

When deny is not configured (permit, default rule):

[Table figure: forwarding results under the default permit action]

When configuring deny:

[Table figure: forwarding results under the deny action]

5. Configuration Verification

1. Use show ipmacbind statistic and show ipmacbind table to view the ipmacbind statistics and the binding entries:

Ruijie#show ipmacbind statistic

IPMAC-Bind global dropped 0 packets          //Number of packets dropped by the global binding rules

IPMAC-Bind list 1 dropped 19 packets         //Number of packets dropped by the binding rules of list 1 (the list must be applied to an interface)

Ruijie#show ipmacbind table

Totol number of IPMAC-Bind rule: 10         //The number of currently bound entries

IPMAC-Bind list 1 rule:

No       Type         IP Address       MAC Address      Log    

1        <static>     192.168.0.2      00d0.f86c.1517   off            //Details of each binding entry

2        <static>     192.168.0.3      0000.0000.0003   off    

3        <static>     192.168.0.4      0000.0000.0004   off    

4        <static>     192.168.0.5      0000.0000.0005   off    

5        <static>     192.168.0.6      0000.0000.0006   off    

6        <static>     192.168.0.7      0000.0000.0007   off    

7        <static>     192.168.0.8      0000.0000.0008   off    

8        <static>     192.168.0.9      0000.0000.0009   off    

9        <static>     192.168.0.10     0000.0000.0010   off    

10       <static>     192.168.0.11     0000.0000.0011   off 

2. Configure the IP address of a binding entry on the PC. The gateway can then be pinged normally from the PC:

PC IP address: 192.168.0.2, PC MAC address: 00d0.f86c.1517. Both the IP address and the MAC address are in the binding table, and they correspond to each other.

3. Change the IP address of the PC to 192.168.0.3. The gateway can no longer be pinged from the PC:

PC IP address: 192.168.0.3, PC MAC address: 00d0.f86c.1517. Both addresses are in the binding table, but the IP address is bound to a different MAC address.

4. Change the IP address of the PC to 192.168.0.20. The gateway cannot be pinged from the PC:

PC IP address: 192.168.0.20, PC MAC address: 00d0.f86c.1517. The MAC address is in the binding table, but the IP address is not.

5. Take a second PC (PC2) whose MAC address is not in the binding table and set its IP address to 192.168.0.3. The gateway cannot be pinged from PC2:

PC2 IP address: 192.168.0.3, PC2 MAC address: 001a.a938.0e29. The IP address is in the binding table, but the MAC address is not.

6. Take the same PC2, whose MAC address is not in the binding table, and set its IP address to 192.168.0.20. The gateway cannot be pinged from PC2:

PC2 IP address: 192.168.0.20, PC2 MAC address: 001a.a938.0e29. Neither the IP address nor the MAC address is in the binding table.
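The six verification steps above can be replayed offline with the following model of a binding list and its per-interface default action. This is an added example, not Ruijie code or output from the router: it parses the ten rules of ipmacbind list 1 and decides permit/deny for each PC / PC2 case. The "deny" branch follows the verification steps exactly (every non-matching pair is dropped). For "permit", the page only states that a bound IP stays protected and that a device with neither address in the table passes; the treatment of a bound MAC using an unbound IP under "permit" is an assumption and is marked as such in the code.

```python
"""Offline model of an IP+MAC binding list with a per-interface default action."""
import re

# Constructed sample: the ten rules of "ipmacbind list 1" from the configuration above.
LIST_1_CONFIG = """\
ipmacbind list 1
 ipmacbind 192.168.0.2 00d0.f86c.1517
 ipmacbind 192.168.0.3 0000.0000.0003
 ipmacbind 192.168.0.4 0000.0000.0004
 ipmacbind 192.168.0.5 0000.0000.0005
 ipmacbind 192.168.0.6 0000.0000.0006
 ipmacbind 192.168.0.7 0000.0000.0007
 ipmacbind 192.168.0.8 0000.0000.0008
 ipmacbind 192.168.0.9 0000.0000.0009
 ipmacbind 192.168.0.10 0000.0000.0010
 ipmacbind 192.168.0.11 0000.0000.0011
"""

# One binding rule: "ipmacbind <ip> <mac> [log]" in the router's xxxx.xxxx.xxxx MAC notation.
RULE_RE = re.compile(
    r"^\s*ipmacbind\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})(?:\s+log)?\s*$"
)


def parse_binding_list(config: str) -> dict:
    """Return {ip: mac} from the rule lines; the 'ipmacbind list N' header is skipped.

    Several IPs may map to one MAC (allowed by the page). An IP that appears
    twice is rebound to the later MAC, so one IP never carries two MACs.
    """
    bindings = {}
    for line in config.splitlines():
        match = RULE_RE.match(line)
        if match:
            ip, mac = match.group(1), match.group(2).lower()
            bindings[ip] = mac
    return bindings


def decide(bindings: dict, src_ip: str, src_mac: str, default_action: str = "permit") -> str:
    """Return 'permit' or 'deny' for a packet whose source is (src_ip, src_mac)."""
    if default_action not in ("permit", "deny"):
        raise ValueError("default action must be 'permit' or 'deny'")
    bound_mac = bindings.get(src_ip)
    if bound_mac == src_mac.lower():
        return "permit"      # exact match with a binding entry
    if default_action == "deny":
        return "deny"        # every non-matching pair is discarded
    if bound_mac is not None:
        return "deny"        # a bound IP used from another MAC: the IP stays protected
    return "permit"          # assumption: an unbound IP passes under 'permit', whatever its MAC


def run_verification_cases(bindings: dict, default_action: str) -> list:
    """Replay the PC / PC2 cases from the verification section, in order."""
    pc1_mac = "00d0.f86c.1517"   # PC with a binding entry
    pc2_mac = "001a.a938.0e29"   # PC2, not in the binding table
    cases = [
        ("192.168.0.2", pc1_mac),    # step 2: IP and MAC both bound and matching
        ("192.168.0.3", pc1_mac),    # step 3: IP bound, but to another MAC
        ("192.168.0.20", pc1_mac),   # step 4: MAC bound, IP not
        ("192.168.0.3", pc2_mac),    # step 5: IP bound, MAC unknown
        ("192.168.0.20", pc2_mac),   # step 6: neither bound
    ]
    return [decide(bindings, ip, mac, default_action) for ip, mac in cases]


if __name__ == "__main__":
    table = parse_binding_list(LIST_1_CONFIG)
    for action in ("deny", "permit"):
        print(action, run_verification_cases(table, action))
```

Running the script prints the five decisions for each default action; with "deny" only the first case (the matching PC) is permitted, which is what the ping results in steps 2 to 6 show.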


02 FAQ about IP+MAC binding


1. What is the IP+MAC binding function

IP+MAC address binding means that the router binds and records the MAC address and IP address of the host on the network directly connected to it, and only the specified MAC address can use the corresponding IP address. This mechanism can prevent the IP address of the bound host from being spoofed. There are two prerequisites for applying this mechanism:

1) The MAC address is unique and cannot be counterfeited;

2) Only hosts on the network directly connected to the router can be bound (that is, the gateway of the host is on the router). 

In addition, a host interface can carry several IP addresses, so several IP addresses may be bound to the same MAC address; the reverse (one IP address bound to several MAC addresses) is not allowed.

2. The interface filtering process after the ipmacbind function is configured on an RSR20-14/18/24 router

[Figure: interface filtering flowchart]

As the flowchart shows, when neither the MAC nor the IP of a device is in the binding list, all traffic from that device is allowed to pass. Therefore, if you want a strict one-to-one correspondence between user IPs and MACs in a network segment and want to prevent users from setting other IPs at will, you must configure a MAC binding for every IP in the segment (unused IPs can be bound to a non-existent MAC address).

3. RSR20-14/18/24 router ipmacbind function configuration example

The configuration steps are as follows:

Configure ip+mac address binding

Ruijie(config)# ipmacbind 192.168.52.69 032a.33ac.3f11 log

To protect the IP address of a host from being counterfeited by other hosts, use the ipmacbind command to bind the host's IP address to its MAC address. If the IP address is already bound, issuing the command again rebinds it. The command above binds the IP address 192.168.52.69 to the network card whose MAC address is 032a.33ac.3f11; log enables logging for this IP+MAC binding and can be omitted if no log is needed.

At the same time, to ensure that the remaining addresses cannot be used arbitrarily, bind the unused IP addresses of the segment to a non-existent MAC address (MAC addresses are written as xxxx.xxxx.xxxx), for example:

ipmacbind 192.168.52.254 1111.1111.1111

ipmacbind 192.168.52.253 1111.1111.1111

ipmacbind 192.168.52.252 1111.1111.1111

ipmacbind 192.168.52.251 1111.1111.1111
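Binding every unused address by hand is error-prone on a /24, so the following added example (not a Ruijie script) generates the full set of ipmacbind lines for a segment: known hosts get their real MAC, every other usable address gets a placeholder MAC that no network card carries, as the FAQ suggests. The host table, the placeholder MAC 1111.1111.1111 and the decision to skip the router's own gateway address are assumptions made for this example.

```python
"""Generate ipmacbind lines that cover every usable address of a subnet."""
import ipaddress

# Constructed placeholder in the router's xxxx.xxxx.xxxx notation; no real NIC carries it.
PLACEHOLDER_MAC = "1111.1111.1111"


def normalize_mac(mac: str) -> str:
    """Convert 00:d0:f8:6c:15:17, 00-d0-f8-6c-15-17 or 00d0.f86c.1517 to the dotted form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def build_ipmacbind(subnet: str, known_hosts: dict, gateway: str, log: bool = False) -> list:
    """Return 'ipmacbind <ip> <mac>[ log]' lines for every usable host address in subnet.

    known_hosts maps IP -> MAC for the machines that really exist; every other
    address is bound to PLACEHOLDER_MAC so a new host cannot claim it. The
    router's own address (gateway) is skipped (assumption: it is not a host entry).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    known = {}
    for ip, mac in known_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {subnet}")
        known[addr] = normalize_mac(mac)
    lines = []
    for host in net.hosts():
        if host == gw:
            continue
        if host in known:
            lines.append(f"ipmacbind {host} {known[host]}{' log' if log else ''}")
        else:
            lines.append(f"ipmacbind {host} {PLACEHOLDER_MAC}")
    return lines


if __name__ == "__main__":
    # Constructed host table; the .69 entry is the one from the FAQ example above.
    hosts = {"192.168.52.69": "03:2a:33:ac:3f:11"}
    for line in build_ipmacbind("192.168.52.0/24", hosts, "192.168.52.1", log=True):
        print(line)
```

The output can be pasted into global configuration mode on an RSR20-14/18/24. Logging is enabled only for real hosts, since a hit on a placeholder entry can never be a legitimate match.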

4. After ipmacbind auto is configured on an RSR20-14/18/24 router, it cannot be removed with no ipmacbind auto

Clear all IP+MAC binding information with clear ipmacbind all. Once all binding information is cleared, ipmacbind auto is removed automatically.

5. How data packets are forwarded after an IP+MAC binding policy is applied on an interface of the RSR10-02E or RSR20-14E/F

ipmacbind has two default behaviors on the interface, permit and deny. The data forwarding rules corresponding to specific behaviors are as follows:

Ruijie(config-if-GigabitEthernet 0/0)#ipmacbind list 1 default action ?

  deny    Deny not match IPMAC-bind table packets to forward

  permit  Permit not match IPMAC-bind table packets to forward

The "deny" keyword discards packets that do not match any IP+MAC binding rule, which is what restricts unauthorized access by new hosts. The default is "permit", that is, packets that do not match any IP+MAC binding rule are allowed to pass. The forwarding result for each combination of IP/MAC match state and the "deny" or "permit" action is shown below:

When deny is not configured (permit, default rule):

[Table figure: forwarding results under the default permit action]

When configuring deny:

[Table figure: forwarding results under the deny action]

6. Differences between the IP+MAC binding function of the RSR20-14/18/24 and that of the RSR10-02E and RSR20-14E/F

1) On the RSR20-14/18/24 router the binding takes effect globally. When neither the MAC nor the IP of a device is in the binding list, all traffic from that device is allowed to pass.

2) On the RSR10-02E and RSR20-14E/F routers the binding takes effect per interface (VLAN interfaces included). When neither the MAC nor the IP of a device is in the binding list, the default forwarding behavior (permit or deny) can be configured.

Origin: blog.csdn.net/weixin_57099902/article/details/132454711