FAQ: How does an AR2220 restrict user Internet access by MAC address?

Published: 2016-06-20  Views: 258  Downloads: 0
Problem description

AR2200-S3900-PC

An S3900 switch hangs off the AR2200 and users connect below the S3900. The users obtain their addresses from the AR2200, and the AR2200 must be configured to restrict which users can reach the Internet, keyed on MAC address.

Because the AR2200 needs an additional Layer 2 line card before it can support IPSG and MAC authentication, a different MAC-based restriction is used: a Layer 2 ACL that filters on the source MAC of frames arriving on the LAN interface.

Solution


Example: interface GigabitEthernet0/0/2 of the AR2200 connects to the internal network. Only the internal host with MAC address 0c82-6833-353f is allowed through; all other MAC addresses are denied.


Configuration:

acl number 4000
rule 1 permit source-mac 0c82-6833-353f
rule 1000 deny

[GigabitEthernet0/0/2]      (apply the ACL to the interface)

traffic-filter inbound acl 4000


Test results:

display arp   (use the ARP table to find the IP address that corresponds to each MAC; two entries are picked for the tests below)

172.16.30.11    0c82-6833-353f  20        D-0         GE0/0/2

172.16.30.229   f48e-92e4-29a5  20        D-0         GE0/0/2

[LuYouQu]ping 172.16.30.11     (the MAC permitted in the ACL; the host can be pinged from the AR2200)
  PING 172.16.30.11: 56  data bytes, press CTRL_C to break
    Reply from 172.16.30.11: bytes=56 Sequence=1 ttl=64 time=3 ms
    Reply from 172.16.30.11: bytes=56 Sequence=2 ttl=64 time=2 ms
    Reply from 172.16.30.11: bytes=56 Sequence=3 ttl=64 time=3 ms
    Reply from 172.16.30.11: bytes=56 Sequence=4 ttl=64 time=3 ms
    Reply from 172.16.30.11: bytes=56 Sequence=5 ttl=64 time=3 ms

  --- 172.16.30.11 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms


[LuYouQu-acl-L2-4000] ping 172.16.30.229   (a MAC not permitted by the ACL matches the deny action; the ping from the AR2200 fails)

  PING 172.16.30.229: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.30.229 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[LuYouQu-acl-L2-4000]display acl 4000     (check the ACL match counters; non-zero match counts also confirm that the configuration has taken effect)
L2 ACL 4000, 3 rules
Acl's step is 5
rule 1 permit source-mac 0c82-6833-353f(38 matches)
rule 1000 deny(2717 matches)
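To audit the result without pinging every host by hand, the `display arp` and `display acl` output above can be parsed and each ARP entry evaluated against the Layer 2 ACL the way the router does (lowest rule ID first, first match wins). This is an added example, not code from the FAQ or from Huawei; the sample output is constructed from the page, and the fallback of permitting frames that match no rule is an assumption consistent with the page adding an explicit `rule 1000 deny`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output, modelled on the "display arp" / "display acl 4000" results in the FAQ.
ARP_OUTPUT = """\
172.16.30.11    0c82-6833-353f  20        D-0         GE0/0/2
172.16.30.229   f48e-92e4-29a5  20        D-0         GE0/0/2
"""
ACL_OUTPUT = """\
L2 ACL 4000, 3 rules
Acl's step is 5
rule 1 permit source-mac 0c82-6833-353f(38 matches)
rule 1000 deny(2717 matches)
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
RULE_RE = re.compile(rf"rule (\d+) (permit|deny)(?: source-mac ({MAC}))?\((\d+) matches\)")
ARP_RE = re.compile(rf"^(\d+\.\d+\.\d+\.\d+)\s+({MAC})\s+\S+\s+\S+\s+(\S+)", re.M)

@dataclass
class Rule:
    rule_id: int
    action: str
    source_mac: Optional[str]   # None = rule has no source-mac condition, matches any frame
    matches: int

def parse_acl(text: str) -> list:
    """Parse the rule lines of a Layer 2 ACL and order them by rule ID, as VRP evaluates them."""
    rules = [Rule(int(i), act, mac or None, int(cnt)) for i, act, mac, cnt in RULE_RE.findall(text)]
    return sorted(rules, key=lambda r: r.rule_id)

def parse_arp(text: str) -> list:
    """Return (ip, mac, interface) tuples from the ARP table listing."""
    return ARP_RE.findall(text)

def evaluate(rules: list, mac: str):
    """First matching rule decides; with no match the filter forwards the frame (assumed implicit permit)."""
    for r in rules:
        if r.source_mac is None or r.source_mac == mac:
            return r.action, r.rule_id
    return "permit", None

def audit(arp_text: str, acl_text: str):
    """Map every ARP entry to the ACL verdict it would receive, plus the total deny-rule hit count."""
    rules = parse_acl(acl_text)
    report = {ip: (mac, *evaluate(rules, mac)) for ip, mac, _iface in parse_arp(arp_text)}
    deny_hits = sum(r.matches for r in rules if r.action == "deny")
    return report, deny_hits
```

The filter acts only on the source MAC presented in each frame, so it is an allowlist for known adapters rather than an identity check; a steadily growing deny counter is the signal to watch for unexpected hosts on the segment.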
