01 IP+MAC binding configuration example
Features
IP/MAC address binding means that the router records a fixed pairing of the MAC address and IP address of each host on its directly connected network, so that only the specified MAC address may use the corresponding IP address. This prevents the IP address of a bound host from being spoofed by another host. The mechanism rests on two prerequisites:
1. The MAC address is unique and cannot be forged;
2. Only hosts on a network directly connected to the router can be bound (that is, the host's gateway is on the router).
In addition, a host interface can carry multiple IP addresses, so several IP addresses may be bound to one MAC address, but one IP address cannot be bound to several MAC addresses.
Application Scenario
Enterprises often have strict network security requirements: only computers with specific MAC addresses and specific IP addresses are allowed to access the Internet. The IP+MAC binding function on the router meets this need.
1. Networking requirements:
A network uses RSR series routers as egress routers. The intranet has 10 computers, which are statically assigned the IP addresses 192.168.0.2~192.168.0.11. The following requirements also apply:
1. The IP addresses of these 10 computers must remain fixed and must not be changed without authorization.
2. New users must not be able to access the network on their own using addresses outside 192.168.0.2~192.168.0.11.
2. Network topology:
3. Configuration points:
1. Complete the static IP address configuration of the intranet computer, and collect the MAC address of each computer.
2. Complete the basic configuration of the router to ensure that intranet users can access the external network normally.
3. Configure IP+MAC binding
(1) Configure IP+MAC binding rule list
(2) Apply the IP+MAC binding rule list to the interface
4. Configuration steps
1. Complete the static IP address configuration of the intranet computer, and collect the MAC address of each computer.
The MAC address of each computer can be collected with show arp on the router once step 2 below is complete.
Bindings can also be created automatically with ipmacbind auto.
Note: if you use ipmacbind auto for automatic binding, you cannot restrict access by new users.
2. Complete the basic configuration of the router to ensure that intranet users can access the external network normally.
3. Configure IP+MAC binding
(1) Configure IP+MAC binding rule list
ipmacbind list 1 //Create a new IP+MAC rule list numbered 1
ipmacbind 192.168.0.2 00d0.f86c.1517 //New IP+MAC binding rule entry
ipmacbind 192.168.0.3 0000.0000.0003
ipmacbind 192.168.0.4 0000.0000.0004
ipmacbind 192.168.0.5 0000.0000.0005
ipmacbind 192.168.0.6 0000.0000.0006
ipmacbind 192.168.0.7 0000.0000.0007
ipmacbind 192.168.0.8 0000.0000.0008
ipmacbind 192.168.0.9 0000.0000.0009
ipmacbind 192.168.0.10 0000.0000.0010
ipmacbind 192.168.0.11 0000.0000.0011
(2) Apply the IP+MAC binding rule list to the interface
interface GigabitEthernet 0/0 //Enter the interface connected to the intranet
ipmacbind list 1 default action deny //Apply binding rule list 1 to the interface and set the default action for packets that match no binding rule to discard
Notice:
The deny keyword discards packets that do not match any IP+MAC binding rule, which is what restricts unauthorized access by new users. The default is permit, that is, packets that match no IP+MAC binding rule are allowed through. How packets are forwarded under deny and under permit, depending on whether their IP and MAC match a binding rule, is as follows:
When deny is not configured (permit, the default rule):
When deny is configured:
5. Configuration Verification
1. Use show ipmacbind statistic and show ipmacbind table to view the ipmacbind statistics and binding entries:
Ruijie#show ipmacbind statistic
IPMAC-Bind global dropped 0 packets //Number of packets dropped by the global binding rules
IPMAC-Bind list 1 dropped 19 packets //Number of packets dropped by the binding rules of list 1 (the list must be applied to an interface)
Ruijie#show ipmacbind table
Totol number of IPMAC-Bind rule: 10 //The number of currently bound entries
IPMAC-Bind list 1 rule:
No Type IP Address MAC Address Log
1 <static> 192.168.0.2 00d0.f86c.1517 off //Details of binding entries
2 <static> 192.168.0.3 0000.0000.0003 off
3 <static> 192.168.0.4 0000.0000.0004 off
4 <static> 192.168.0.5 0000.0000.0005 off
5 <static> 192.168.0.6 0000.0000.0006 off
6 <static> 192.168.0.7 0000.0000.0007 off
7 <static> 192.168.0.8 0000.0000.0008 off
8 <static> 192.168.0.9 0000.0000.0009 off
9 <static> 192.168.0.10 0000.0000.0010 off
10 <static> 192.168.0.11 0000.0000.0011 off
2. Configure on the PC the IP address of its binding entry. The PC can now ping the gateway normally:
PC IP address: 192.168.0.2, PC MAC address: 00d0.f86c.1517. This IP+MAC pair is in the binding table and matches one entry one-to-one.
3. Change the PC's IP address to 192.168.0.3. The PC can no longer ping the gateway:
PC IP address: 192.168.0.3, PC MAC address: 00d0.f86c.1517. Both the IP and the MAC appear in the binding table, but not in the same entry.
4. Change the PC's IP address to 192.168.0.20. The PC cannot ping the gateway:
PC IP address: 192.168.0.20, PC MAC address: 00d0.f86c.1517. The MAC address is in the binding table, but the IP address is not.
5. Take a second PC (PC2) whose MAC address is not in the binding table and set its IP address to 192.168.0.3. PC2 cannot ping the gateway:
PC2 IP address: 192.168.0.3, PC2 MAC address: 001a.a938.0e29. The IP address is in the binding table, but the MAC address is not.
6. Set the IP address of PC2 to 192.168.0.20. PC2 cannot ping the gateway:
PC2 IP address: 192.168.0.20, PC2 MAC address: 001a.a938.0e29. Neither the IP address nor the MAC address is in the binding table.
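The filtering decisions exercised in verification steps 2 to 6 above, and the global-mode behavior discussed in the FAQ below, as an added Python model (not Ruijie code and not part of the original page). It parses binding entries from a constructed copy of the show ipmacbind table output; the page fully specifies deny mode (only an exact binding passes), while the permit-mode rule that a packet whose IP or MAC is bound elsewhere is still dropped is an assumption.

```python
import re

# Constructed excerpt of the show ipmacbind table output quoted above.
SHOW_TABLE = """\
Totol number of IPMAC-Bind rule: 10
IPMAC-Bind list 1 rule:
No Type IP Address MAC Address Log
1 <static> 192.168.0.2 00d0.f86c.1517 off
2 <static> 192.168.0.3 0000.0000.0003 off
"""

# One entry line: number, <type>, IPv4, dotted-triplet MAC, log flag.
ENTRY = re.compile(r"^\s*\d+\s+<\w+>\s+(\d+(?:\.\d+){3})\s+"
                   r"([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+\w+", re.I)

def parse_table(text):
    """Return {ip: mac}; one MAC may own several IPs, never the reverse."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def classify(ip, mac, table):
    """Name the case a packet falls into, mirroring verification steps 2-6."""
    mac = mac.lower()
    if table.get(ip) == mac:
        return "match"
    ip_bound, mac_bound = ip in table, mac in table.values()
    if ip_bound and mac_bound:
        return "both bound, not to each other"
    if ip_bound:
        return "ip bound to another mac"
    if mac_bound:
        return "mac bound, ip not"
    return "neither bound"

def filter_packet(ip, mac, table, default_action="permit"):
    """Forwarding decision for a source IP/MAC pair.
    deny: only an exact binding passes (as the page specifies).
    permit: an unknown host also passes; dropping a host whose IP or MAC is
    bound elsewhere is an assumption, not stated by the page."""
    case = classify(ip, mac, table)
    if case == "match":
        return "permit", case
    if case == "neither bound" and default_action == "permit":
        return "permit", case
    return "deny", case
```

Calling filter_packet with the five PC/PC2 pairs from the verification steps and default_action="deny" reproduces the page's outcomes: only the first pair is permitted.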
02 FAQ about IP+MAC binding
1. What is the IP+MAC binding function
IP+MAC address binding means that the router records a fixed pairing of the MAC address and IP address of each host on its directly connected network, so that only the specified MAC address may use the corresponding IP address. This prevents the IP address of a bound host from being spoofed by another host. The mechanism rests on two prerequisites:
1) The MAC address is unique and cannot be forged;
2) Only hosts on a network directly connected to the router can be bound (that is, the host's gateway is on the router).
In addition, a host interface can carry multiple IP addresses, so several IP addresses may be bound to one MAC address, but one IP address cannot be bound to several MAC addresses.
2. Interface filtering process after the ipmacbind function is configured on an RSR20-14/18/24 router
As shown above, when neither the MAC nor the IP of a device is in the binding list, all traffic of that device is allowed to pass. Therefore, to enforce a one-to-one correspondence between user IPs and MACs in the network segment and prevent users from setting other IPs at will, you must configure a MAC binding for every IP in the segment (unused IPs can be bound to a non-existent MAC address).
3. ipmacbind configuration example for RSR20-14/18/24 routers
The configuration steps are as follows:
Configure IP+MAC address binding
Ruijie(config)# ipmacbind 192.168.52.69 032a.33ac.3f11 log
To protect the IP address of a host from being used by other hosts, bind that IP address to the host's MAC address with the ipmacbind command. If the IP address is already bound, the command rebinds it. The command above binds the IP address 192.168.52.69 to the network card whose MAC address is 032a.33ac.3f11; the log keyword enables logging for this IP+MAC binding and can be omitted if no log is needed.
To make sure the remaining addresses cannot be used arbitrarily, bind the unused IP addresses of the segment to a non-existent MAC address, for example:
ipmacbind 192.168.52.254 1111.1111.1111 //Placeholder MAC no real NIC uses; MACs are 48 bits in xxxx.xxxx.xxxx form on this platform
ipmacbind 192.168.52.253 1111.1111.1111
ipmacbind 192.168.52.252 1111.1111.1111
ipmacbind 192.168.52.251 1111.1111.1111
4. After ipmacbind auto is configured on an RSR20-14/18/24 router, it cannot be removed with no ipmacbind auto
Clear all IP+MAC binding information with clear ipmacbind all. Once all binding information has been cleared, ipmacbind auto is removed automatically.
5. Packet forwarding behavior after an IP+MAC binding policy is applied on an interface of RSR10-02E and RSR20-14E/F routers
ipmacbind has two default actions on the interface, permit and deny. The forwarding rules for each are as follows:
Ruijie(config-if-GigabitEthernet 0/0)#ipmacbind list 1 default action ?
deny Deny not match IPMAC-bind table packets to forward
permit Permit not match IPMAC-bind table packets to forward
The deny keyword discards packets that do not match any IP+MAC binding rule, which is what restricts unauthorized access by new users. The default is permit, that is, packets that match no IP+MAC binding rule are allowed through. How packets are forwarded under deny and under permit, depending on whether their IP and MAC match a binding rule, is as follows:
When deny is not configured (permit, the default rule):
When deny is configured:
6. Differences between the IP+MAC binding function of RSR20-14/18/24 routers and that of RSR10-02E and RSR20-14E/F routers
1) On RSR20-14/18/24 routers the function takes effect globally. When the MAC and IP of a device are not in the binding list, all traffic of that device is allowed to pass.
2) On RSR10-02E and RSR20-14E/F routers the function takes effect per interface (VLAN interfaces included). When the MAC and IP of a device are not in the binding list, the default forwarding action can be configured.