Typical IPSG Configuration
- Example for Configuring IPSG to Prevent Hosts with Static IP Addresses from Changing Their Own IP Addresses
- Example for Configuring IPSG to Prevent Hosts with Dynamic IP Addresses from Changing Their Own IP Addresses
- Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the Intranet
Example for Configuring IPSG to Prevent Hosts with Static IP Addresses from Changing Their Own IP Addresses
IPSG Overview
As shown in Figure 3-247, a hacker (Host_2) uses the IP and MAC addresses of Host_1, which belongs to an R&D engineer, to construct IP packets to attack the intranet. The network administrator thinks the R&D engineer is the attacker. Such attacks can be prevented by configuring IPSG. On the access switch, after a static binding table is configured and IP packet check is enabled on the interfaces connected to terminals, only the packets matching the static binding entries can access the intranet and the Internet, and the packets not matching the entries are discarded.
Configuration Notes
- S2700-SI of V100R006C05 does not support IPSG.
- After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the following versions, the switches do not support IPSG:
- V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
- V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
Networking Requirements
As shown in Figure 3-247, the user gateway is configured on the core switch (Core). An ACL is configured on the Core to allow fixed hosts to access the Internet. The hosts connected to the access switch (ACC) use statically configured IP addresses. The administrator requires that the hosts can only use fixed IP addresses to access the Internet. Users are not allowed to change their own IP addresses to access the Internet.
Data Plan
To perform the configuration, you need the following data.
Item | Data | Description |
---|---|---|
VLAN | | None |
Gateway IP address of hosts | VLANIF10: 10.0.0.1/24 | None |
IP addresses of the hosts allowed to access the network | 10.0.0.2, 10.0.0.3 | None |
Configuration Roadmap
The configuration roadmap is as follows:
- Configure an ACL on the user gateway (Core) to allow the hosts with IP addresses 10.0.0.2 and 10.0.0.3 to access the Internet.
- Create static binding entries for the hosts on the ACC to fix the mappings between IP addresses and MAC addresses.
- Enable IPSG on the ACC's interfaces connected to user hosts so that the hosts can only use the fixed IP addresses to access the network. Host_1 can access the Internet, and Host_2 cannot access the Internet, even if it changes its IP address.
Procedure
- Configure an ACL.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 10
[Core] interface gigabitethernet 0/0/1
[Core-GigabitEthernet0/0/1] port link-type trunk
[Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-GigabitEthernet0/0/1] quit
[Core] interface vlanif 10 //Configure the gateway address.
[Core-Vlanif10] ip address 10.0.0.1 255.255.255.0
[Core-Vlanif10] quit
[Core] acl number 3001 //Configure an ACL.
[Core-acl-adv-3001] rule permit ip source 10.0.0.2 0
[Core-acl-adv-3001] rule permit ip source 10.0.0.3 0
[Core-acl-adv-3001] rule deny ip source 10.0.0.0 0.0.0.255
[Core-acl-adv-3001] quit
[Core] traffic classifier c1 //Configure an ACL-based traffic classifier.
[Core-classifier-c1] if-match acl 3001
[Core-classifier-c1] quit
[Core] traffic behavior b1 //Configure a traffic behavior.
[Core-behavior-b1] permit
[Core-behavior-b1] quit
[Core] traffic policy p1 //Configure a traffic policy.
[Core-trafficpolicy-p1] classifier c1 behavior b1
[Core-trafficpolicy-p1] quit
[Core] interface gigabitethernet 0/0/2
[Core-GigabitEthernet0/0/2] traffic-policy p1 outbound //Apply the traffic policy.
[Core-GigabitEthernet0/0/2] quit
- Create static binding entries for the hosts.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan batch 10 //Configure a VLAN to connect to hosts.
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type access
[ACC-GigabitEthernet0/0/2] port default vlan 10
[ACC-GigabitEthernet0/0/2] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/1 //Create a static binding entry for Host_1.
[ACC] user-bind static ip-address 10.0.0.5 mac-address 0005-0005-0005 interface gigabitethernet 0/0/2 //Create a static binding entry for Host_2.
- Enable IPSG.
# Enable IPSG on GE0/0/1 connected to Host_1.
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] ip source check user-bind enable
[ACC-GigabitEthernet0/0/1] quit
# Enable IPSG on GE0/0/2 connected to Host_2.
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] ip source check user-bind enable
[ACC-GigabitEthernet0/0/2] quit
- Verify the configuration.
Run the display dhcp static user-bind all command on the ACC to view static binding entries.
[ACC] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.2         0002-0002-0002  -- /-- /--       GE0/0/1
10.0.0.5         0005-0005-0005  -- /-- /--       GE0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
Run the display dhcp static user-bind all verbose command on the ACC to view IPSG status. If the status is effective, the static entry has taken effect.
[ACC] display dhcp static user-bind all verbose
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
IP Address       : 10.0.0.2
MAC Address      : 0002-0002-0002
VSI              : --
VLAN(O/I/P)      : -- /-- /--
Interface        : GE0/0/1
IPSG Status      : effective  slot: <0>
--------------------------------------------------------------------------------
IP Address       : 10.0.0.5
MAC Address      : 0005-0005-0005
VSI              : --
VLAN(O/I/P)      : -- /-- /--
Interface        : GE0/0/2
IPSG Status      : effective  slot: <0>
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
Host_1 can access the Internet, and Host_2 cannot access the Internet. After the IP address of Host_2 is changed to 10.0.0.3, Host_2 cannot access the Internet and the intranet.
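The verification step above relies on reading the verbose output by eye. The following added example (written for this page, not a Huawei tool) parses that layout and checks that every entry configured with user-bind static is present, bound to the expected MAC address and interface, and reported as effective; the sample output is a constructed copy of the page's layout in which the second entry's status was changed to a non-effective value so the check has something to report, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of 'display dhcp static user-bind all verbose';
# the second entry's status is deliberately not 'effective' to exercise the check.
SAMPLE_OUTPUT = """\
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
IP Address       : 10.0.0.2
MAC Address      : 0002-0002-0002
VSI              : --
VLAN(O/I/P)      : -- /-- /--
Interface        : GE0/0/1
IPSG Status      : effective  slot: <0>
--------------------------------------------------------------------------------
IP Address       : 10.0.0.5
MAC Address      : 0005-0005-0005
VSI              : --
VLAN(O/I/P)      : -- /-- /--
Interface        : GE0/0/2
IPSG Status      : ineffective  slot: <0>
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
"""

# "Key : value" lines; the key may contain parentheses and slashes (VLAN(O/I/P)).
FIELD = re.compile(r"^\s*([A-Za-z()/ ]+?)\s*:\s*(.*)$")


def parse_verbose(output):
    """Split the verbose output into one dict per binding entry (dashed lines separate entries)."""
    entries, current = [], {}
    for line in output.splitlines():
        if line.startswith("-----"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        entries.append(current)
    # Header and count chunks carry no 'IP Address' field and are dropped here.
    return [e for e in entries if "IP Address" in e]


def status_of(entry):
    words = entry.get("IPSG Status", "").split()  # the value may carry 'slot: <0>'
    return words[0] if words else ""


def audit(output, expected):
    """expected maps IP -> (MAC, interface), taken from the user-bind static commands.
    Returns a list of problem strings; an empty list means every binding is in place."""
    entries = parse_verbose(output)
    by_ip = {e["IP Address"]: e for e in entries}
    problems = []
    total = re.search(r"Total count:\s*(\d+)", output)
    if total and int(total.group(1)) != len(entries):
        problems.append(f"parsed {len(entries)} entries, device reports {total.group(1)}")
    for ip, (mac, intf) in expected.items():
        e = by_ip.get(ip)
        if e is None:
            problems.append(f"{ip}: no static binding entry")
            continue
        if e.get("MAC Address") != mac or e.get("Interface") != intf:
            problems.append(f"{ip}: bound to {e.get('MAC Address')} on {e.get('Interface')}, "
                            f"expected {mac} on {intf}")
        if status_of(e) != "effective":
            problems.append(f"{ip}: IPSG status is '{status_of(e)}', not effective")
    for ip in sorted(by_ip.keys() - expected.keys()):
        problems.append(f"{ip}: static binding entry not in the expected set")
    return problems
```

Feed it the captured output of the command and the same IP-to-MAC/interface pairs you configured; any entry that is missing, bound differently, or not effective is listed.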
Configuration Files
Configuration file of the Core
#
sysname Core
#
vlan batch 10
#
acl number 3001
 rule 5 permit ip source 10.0.0.2 0
 rule 10 permit ip source 10.0.0.3 0
 rule 15 deny ip source 10.0.0.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
 if-match acl 3001
#
traffic behavior b1
 permit
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface Vlanif10
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 traffic-policy p1 outbound
#
return
Configuration file of the ACC
#
sysname ACC
#
vlan batch 10
#
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.5 mac-address 0005-0005-0005 interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 ip source check user-bind enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 ip source check user-bind enable
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
Example for Configuring IPSG to Prevent Hosts with Dynamic IP Addresses from Changing Their Own IP Addresses
IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It filters IP packets based on the binding table on a switch. An entry in the binding table contains the IP address, MAC address, VLAN ID, and interface. Binding entries include static entries and dynamic entries: a static binding table is created manually, and a dynamic binding table is the DHCP snooping binding table. When hosts obtain dynamic IP addresses, the switch automatically generates the dynamic binding entries from the DHCP Reply packets. After a binding table is built, the switch matches the packets received on IPSG-enabled interfaces against the binding entries. Packets that match a binding entry are forwarded; packets that match none are discarded. The packet matching options can be any combination of IP address, MAC address, VLAN ID, and interface. For example, the switch can match only IP addresses, both IP addresses and MAC addresses, or a combination of IP addresses, MAC addresses, VLAN IDs, and interfaces of the packets.
IPSG provides the following protection:
- Prevents malicious hosts from stealing authorized hosts' IP addresses to pose as the authorized hosts.
- Prevents unauthorized hosts from changing their own IP addresses to static IP addresses to access or attack the network.
For example, on a network where the hosts obtain IP addresses from a DHCP server, the hosts can access the network by using only the dynamic IP addresses, and cannot use static IP addresses to access the network, unless the administrator creates static binding entries for them.
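To make the matching rule concrete, here is an added model of the check (illustrative code written for this page, not Huawei's implementation): entries carry the four fields named above, static entries come from user-bind static, dynamic entries from DHCP snooping, and a trusted interface is never checked, as in the third example on this page. The class and function names, the constructed topology and the sample packets are this example's own and appear nowhere in the original documentation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One binding-table entry with the four fields the overview names."""
    ip: str
    mac: str
    vlan: Optional[int]   # None = no VLAN bound (shown as '--' in display output)
    interface: str
    source: str           # "static" (user-bind static) or "dynamic" (DHCP snooping)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    in_interface: str


class IpsgSwitch:
    """Minimal model of the binding-table check; not a VRP implementation."""

    def __init__(self):
        self.bindings = []
        self.ipsg_vlans = set()        # VLANs with 'ip source check user-bind enable'
        self.ipsg_interfaces = set()   # interfaces with the same command
        self.trusted = set()           # 'dhcp snooping trusted' interfaces: never checked

    def user_bind_static(self, ip, mac, interface, vlan=None):
        self.bindings.append(Binding(ip, mac, vlan, interface, "static"))

    def dhcp_snooping_learn(self, ip, mac, vlan, interface):
        """A DHCP Reply seen by DHCP snooping yields a dynamic entry for the client port."""
        self.bindings.append(Binding(ip, mac, vlan, interface, "dynamic"))

    def check_required(self, pkt):
        if pkt.in_interface in self.trusted:
            return False
        return pkt.vlan in self.ipsg_vlans or pkt.in_interface in self.ipsg_interfaces

    def forward(self, pkt):
        """True if the packet is forwarded, False if the IPSG check discards it."""
        if not self.check_required(pkt):
            return True
        return any(b.ip == pkt.src_ip and b.mac == pkt.src_mac
                   and b.interface == pkt.in_interface
                   and (b.vlan is None or b.vlan == pkt.vlan)
                   for b in self.bindings)


def scenario_results():
    """Constructed topology: IPSG in VLAN 10, static entries for Host_1/Host_2 on
    GE0/0/1 and GE0/0/2, a DHCP client on GE0/0/5, GE0/0/4 trusted towards the gateway."""
    sw = IpsgSwitch()
    sw.user_bind_static("10.0.0.1", "0001-0001-0001", "GE0/0/1")
    sw.user_bind_static("10.0.0.2", "0002-0002-0002", "GE0/0/2")
    sw.dhcp_snooping_learn("10.0.0.100", "0005-0005-0005", 10, "GE0/0/5")
    sw.ipsg_vlans.add(10)
    sw.trusted.add("GE0/0/4")
    cases = {
        "host1_own_ip":            Packet("10.0.0.1", "0001-0001-0001", 10, "GE0/0/1"),
        "host2_uses_host1_ip_mac": Packet("10.0.0.1", "0001-0001-0001", 10, "GE0/0/2"),
        "host1_changed_ip":        Packet("10.0.0.3", "0001-0001-0001", 10, "GE0/0/1"),
        "host1_moved_port":        Packet("10.0.0.1", "0001-0001-0001", 10, "GE0/0/3"),
        "unknown_host3":           Packet("10.0.0.3", "0003-0003-0003", 10, "GE0/0/3"),
        "upstream_reply_trusted":  Packet("192.0.2.10", "00aa-00aa-00aa", 10, "GE0/0/4"),
        "dhcp_client_lease_ip":    Packet("10.0.0.100", "0005-0005-0005", 10, "GE0/0/5"),
        "dhcp_client_static_ip":   Packet("10.0.0.200", "0005-0005-0005", 10, "GE0/0/5"),
        "vlan20_not_ipsg":         Packet("10.0.20.7", "0007-0007-0007", 20, "GE0/0/6"),
    }
    return {name: sw.forward(pkt) for name, pkt in cases.items()}
```

The cases mirror the outcomes the page describes: a spoofed IP/MAC pair on the wrong port, a changed address, a moved cable and an unknown host are all dropped, while the trusted upstream port and a VLAN without IPSG are not checked at all.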
Configuration Notes
- S2700-SI of V100R006C05 does not support IPSG.
- After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the following versions, the switches do not support IPSG:
- V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
- V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
Networking Requirements
As shown in Figure 3-248, hosts access the intranet through ACC, and the Core functions as a DHCP server to allocate IP addresses to the hosts. The printer uses a static IP address. The gateway is the egress device of the intranet. The administrator does not want the hosts to access the intranet by using the IP addresses statically configured by themselves.
Data Plan
To perform the configuration, you need the following data.
Item | Data | Description |
---|---|---|
VLAN | | None |
Address pool | 10.1.1.0/24 | None |
Gateway IP address of hosts | VLANIF10: 10.1.1.1/24 | None |
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the DHCP server on the Core to allocate IP addresses to hosts.
- Configure DHCP snooping on the ACC so that the hosts obtain IP addresses only from the valid DHCP server and the ACC generates DHCP snooping dynamic binding entries, which record the bindings between the IP addresses, MAC addresses, VLANs, and interfaces of the hosts.
- Create a static binding entry for the printer on the ACC to ensure secure access of the printer.
- Enable IPSG in the VLAN to which the hosts belong on the ACC to prevent the hosts from accessing the intranet with changed IP addresses.
Procedure
- Configure the DHCP server on the Core.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 10
[Core] interface gigabitethernet 0/0/1
[Core-GigabitEthernet0/0/1] port link-type trunk
[Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-GigabitEthernet0/0/1] quit
[Core] dhcp enable
[Core] ip pool 10
[Core-ip-pool-10] network 10.1.1.0 mask 24
[Core-ip-pool-10] gateway-list 10.1.1.1
[Core-ip-pool-10] quit
[Core] interface vlanif 10
[Core-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Core-Vlanif10] dhcp select global
[Core-Vlanif10] quit
- Configure DHCP snooping on the ACC.
# Specify the VLAN to which the interfaces belong.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan batch 10
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type access
[ACC-GigabitEthernet0/0/2] port default vlan 10
[ACC-GigabitEthernet0/0/2] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type access
[ACC-GigabitEthernet0/0/3] port default vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/4
[ACC-GigabitEthernet0/0/4] port link-type trunk
[ACC-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/4] quit
# Enable DHCP snooping and configure GE0/0/4 connected to the DHCP server as a trusted interface.
[ACC] dhcp enable //Enable DHCP.
[ACC] dhcp snooping enable //Enable DHCP snooping globally.
[ACC] vlan 10
[ACC-vlan10] dhcp snooping enable //Enable DHCP snooping in VLAN 10.
[ACC-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/4 //Configure a trusted interface.
[ACC-vlan10] quit
- Create a static binding entry for the printer.
[ACC] user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface gigabitethernet 0/0/3 vlan 10
- Enable IPSG in VLAN 10 on the ACC.
[ACC] vlan 10
[ACC-vlan10] ip source check user-bind enable //Enable IPSG.
[ACC-vlan10] quit
- Verify the configuration.
After the hosts go online, run the display dhcp snooping user-bind all command on the ACC to view the dynamic binding entries of the hosts.
[ACC] display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface   Lease
--------------------------------------------------------------------------------
10.1.1.254       0001-0001-0001  10  /-- /--      GE0/0/1     2014.08.17-07:31
10.1.1.253       0002-0002-0002  10  /-- /--      GE0/0/2     2014.08.17-07:34
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
Run the display dhcp static user-bind all command on the ACC to view the static binding entry of the printer.
[ACC] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.1.1.2         0003-0003-0003  10  /-- /--      GE0/0/3
--------------------------------------------------------------------------------
Print count:           1          Total count:           1
The hosts can access the intranet using the IP addresses dynamically allocated by the DHCP server. After the dynamic IP addresses of the hosts are changed to statically configured IP addresses that are different from the dynamic ones, the hosts cannot access the intranet.
Configuration Files
Configuration file of the Core
#
sysname Core
#
vlan batch 10
#
dhcp enable
#
ip pool 10
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
Configuration file of the ACC
#
sysname ACC
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface GigabitEthernet0/0/3 vlan 10
#
vlan 10
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/4
 ip source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
Example for Configuring IPSG Based on the Static Binding Table to Prevent Unauthorized Hosts from Accessing the Intranet
IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It filters IP packets based on the binding table on a switch. An entry in the binding table contains the IP address, MAC address, VLAN ID, and interface. Binding entries include static entries and dynamic entries: a static binding table is created manually, and a dynamic binding table is the DHCP snooping binding table. When hosts obtain dynamic IP addresses, the switch automatically generates the dynamic binding entries from the DHCP Reply packets. After a binding table is built, the switch matches the packets received on IPSG-enabled interfaces against the binding entries. Packets that match a binding entry are forwarded; packets that match none are discarded. The packet matching options can be any combination of IP address, MAC address, VLAN ID, and interface. For example, the switch can match only IP addresses, both IP addresses and MAC addresses, or a combination of IP addresses, MAC addresses, VLAN IDs, and interfaces of the packets.
IPSG provides the following protection:
- Prevents malicious hosts from stealing authorized hosts' IP addresses to pose as the authorized hosts.
- Prevents unauthorized hosts from changing their own IP addresses to static IP addresses to access or attack the network.
For example, when all the hosts on an intranet use static IP addresses, they must use the fixed IP addresses allocated by the network administrator and access the intranet through fixed interfaces. To ensure intranet security, external hosts cannot access the intranet without permission.
Configuration Notes
- S2700-SI of V100R006C05 does not support IPSG.
- After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the following versions, the switches do not support IPSG:
- V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
- V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
Networking Requirements
As shown in Figure 3-249, hosts access the enterprise intranet through the switch. The gateway is the egress device of the enterprise intranet. The hosts use static IP addresses. The administrator has configured interface rate limiting on the switch, and requires that the hosts use fixed IP addresses to access the intranet through fixed ports. To ensure network security, the administrator does not allow external hosts to access the intranet without permission.
Data Plan
To perform the configuration, you need the following data.
Item | Data | Description |
---|---|---|
VLAN | | None |
IP addresses of the hosts allowed to access the network | 10.0.0.1, 10.0.0.2 | None |
Configuration Roadmap
The requirement of the administrator can be met by configuring IPSG on the Switch. The configuration roadmap is as follows:
- Specify the VLAN to which the interfaces belong.
- Configure static binding entries for Host_1 and Host_2 to fix the bindings between IP addresses, MAC addresses, and interfaces.
- Configure GE0/0/4 as a trusted interface. The Switch does not perform the IPSG check on packets received on this trusted interface, so the packets returned by the gateway are not discarded.
- Enable IPSG in the VLAN connected to user hosts so that Host_1 and Host_2 access the intranet using fixed IP addresses through fixed ports. In addition, external host Host_3 cannot access the intranet.
Procedure
- Specify the VLAN to which the interfaces belong.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/4] quit
- Create static binding entries for Host_1 and Host_2.
[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1 //Create a static binding entry for Host_1.
[Switch] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/2 //Create a static binding entry for Host_2.
- Configure the upstream interface GE0/0/4 as a trusted interface.
[Switch] dhcp enable //Enable DHCP.
[Switch] dhcp snooping enable //Enable DHCP snooping globally.
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] dhcp snooping trusted //Configure a trusted interface.
[Switch-GigabitEthernet0/0/4] quit
- Enable IPSG in VLAN 10 connected to hosts.
[Switch] vlan 10
[Switch-vlan10] ip source check user-bind enable
[Switch-vlan10] quit
- Verify the configuration.
Run the display dhcp static user-bind all command on the Switch to view binding entries of Host_1 and Host_2.
[Switch] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface
--------------------------------------------------------------------------------
10.0.0.1         0001-0001-0001  -- /-- /--       GE0/0/1
10.0.0.2         0002-0002-0002  -- /-- /--       GE0/0/2
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
Host_1 and Host_2 can access the intranet. After the IP addresses of the hosts are changed or the hosts connect to other interfaces, they cannot access the intranet.
When Host_3 with IP address 10.0.0.3 connects to GE0/0/3, Host_3 cannot access the intranet, indicating that external hosts cannot access the intranet without permission. If Host_3 needs to access the intranet, add the entry of Host_3 to the static binding table.
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/2
#
vlan 10
 ip source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return