Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Example for Configuring LDRA to Detect Client Locations


Networking Requirements

As shown in Figure 9-15, the R&D department and marketing department of a company connect to the Internet through the Switch and obtain IPv6 addresses using DHCPv6. The company requires that the DHCPv6 server assign different IP addresses, access control policies, and QoS policies to the clients in different departments.

Figure 9-15  Networking diagram for configuring LDRA

Configuration Roadmap

The configuration roadmap is as follows:
  1. Enable DHCP snooping.
  2. Enable LDRA. After LDRA is enabled on the Switch, the Switch can forward the client location information to the DHCPv6 server, and the DHCPv6 server can assign corresponding policies to the clients.
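
How the location information reaches the server, as an added example that is not part of the Huawei guide: following RFC 6221, an LDRA wraps each client message in a Relay-Forward that carries an Interface-ID option, drops message types a client must not send on an untrusted port, and the server keys its policy on that option. The Interface-ID strings, policy names and function names are assumptions; the page does not show the value the Switch inserts.

```python
import ipaddress
import struct

RELAY_FORW, RELAY_REPL = 12, 13          # DHCPv6 relay message types
SERVER_ONLY = {2, 7, 10, RELAY_REPL}     # Advertise, Reply, Reconfigure, Relay-Reply
OPT_RELAY_MSG, OPT_INTERFACE_ID = 9, 18  # DHCPv6 option codes

def _option(code, data):
    return struct.pack("!HH", code, len(data)) + data

def ldra_encapsulate(client_msg, client_src, interface_id):
    """Wrap a message from an untrusted client port as RFC 6221 describes."""
    if not client_msg or client_msg[0] in SERVER_ONLY | {RELAY_FORW}:
        return None  # dropped: clients may not send server or relay messages
    header = struct.pack("!BB", RELAY_FORW, 0)            # hop-count 0
    header += ipaddress.IPv6Address("::").packed          # link-address unspecified
    header += ipaddress.IPv6Address(client_src).packed    # peer-address = client
    return (header + _option(OPT_INTERFACE_ID, interface_id)
            + _option(OPT_RELAY_MSG, client_msg))

def parse_relay_forward(packet):
    """Server side: return (peer address, {option code: value})."""
    if len(packet) < 34 or packet[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    peer, opts, pos = ipaddress.IPv6Address(packet[18:34]), {}, 34
    while pos < len(packet):
        if pos + 4 > len(packet):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", packet, pos)
        if pos + 4 + length > len(packet):
            raise ValueError("option length exceeds packet")
        opts[code] = packet[pos + 4:pos + 4 + length]
        pos += 4 + length
    return peer, opts

def select_policy(packet, policy_by_port, default="default"):
    """Choose a policy from the Interface-ID the LDRA inserted."""
    _, opts = parse_relay_forward(packet)
    return policy_by_port.get(opts.get(OPT_INTERFACE_ID), default)

# Constructed sample data: the Interface-ID strings and policy names are
# assumptions; the page does not show the value the Switch inserts.
POLICIES = {b"GE1/0/1": "rnd", b"GE1/0/2": "marketing"}
SOLICIT = bytes([1]) + b"\xab\xcd\xef"   # msg-type 1 (Solicit) + transaction id

if __name__ == "__main__":
    pkt = ldra_encapsulate(SOLICIT, "fe80::1", b"GE1/0/1")
    print(select_policy(pkt, POLICIES))
```

Because the Interface-ID is written by the switch and a client-sent Relay-Forward is dropped, the server can treat the option as the port the request really arrived on.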

Procedure

  1. Create a VLAN and configure interfaces.

    # Create VLAN 10 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10
    

    # Add interfaces GE1/0/1, GE1/0/2, and GE2/0/1 to VLAN 10.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type access
    [Switch-GigabitEthernet1/0/1] port default vlan 10
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] port link-type access
    [Switch-GigabitEthernet1/0/2] port default vlan 10
    [Switch-GigabitEthernet1/0/2] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet2/0/1] quit

  2. Enable DHCP snooping.

    # Enable DHCP snooping globally.

    [Switch] dhcp enable
    [Switch] dhcp snooping enable

    # Enable DHCP snooping on the user-side interfaces.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] dhcp snooping enable
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] dhcp snooping enable
    [Switch-GigabitEthernet1/0/2] quit

    # Set the status of the interface connecting to the DHCPv6 server to Trusted.

    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] dhcp snooping trusted
    [Switch-GigabitEthernet2/0/1] quit

  3. Enable the LDRA.

    # Enable the LDRA in VLAN 10.

    [Switch] vlan 10
    [Switch-vlan10] dhcpv6 snooping relay-information enable

    # Prevent the interfaces in VLAN 10 from generating DHCP snooping binding entries. With this setting, the interfaces do not restrict the number of online users after DHCP snooping is enabled.

    [Switch-vlan10] dhcp snooping enable no-user-binding
    Warning: To execute no-user-binding will delete all dynamic binding table with the same vlan. Continue? [Y/N]y   
    [Switch-vlan10] quit
    

  4. Verify the configuration.

    # Run the display dhcp snooping configuration command to verify the LDRA configuration.

    [Switch] display dhcp snooping configuration
    #                                                                               
    dhcp snooping enable                                                            
    #                                                                               
    vlan 10                                                                         
     dhcp snooping enable no-user-binding
     dhcpv6 snooping relay-information enable
    #                                                                               
    interface GigabitEthernet1/0/1                                                  
     dhcp snooping enable                                                           
    #                                                                               
    interface GigabitEthernet1/0/2                                                  
     dhcp snooping enable                                                           
    #                                                                              
    interface GigabitEthernet2/0/1                
     dhcp snooping trusted                                                          
    #   
    

Configuration Files

Switch configuration file

#                                                                               
sysname Switch   
#
vlan batch 10
#                                                                               
dhcp enable                                                                     
#                                                                               
dhcp snooping enable                                                            
#
vlan 10
 dhcp snooping enable no-user-binding
 dhcpv6 snooping relay-information enable
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable  
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10 
 dhcp snooping enable  
#
interface GigabitEthernet2/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10  
 dhcp snooping trusted
#
return
Updated: 2019-04-01

Document ID: EDOC1000178319
