Whether USG firewalls can avoid intranet IP address conflict


USG firewalls can avoid intranet IP address conflicts. A firewall is generally deployed at the top layer of a network, and it cannot limit intranet traffic that does not pass through it. It is therefore recommended that the traffic limitation function be configured on a lower-layer switch. When IP and MAC address binding is configured, even a user with the same IP address cannot transmit traffic over the interface, which prevents the IP address conflict.

Other related questions:
Method used to avoid the intranet IP address conflict on USG firewalls
You can avoid the intranet IP address conflict on the USG2000, USG5000, and USG6000 as follows:

1. Configure IP and MAC address binding. Packets of a user, even one with the same IP address, then cannot pass through the interface, which avoids the IP address conflict. The key configuration is as follows:

    [USG] firewall mac-binding 202.38.169.2 0001-0002-0003
    [USG] firewall mac-binding enable

2. Configure DHCP snooping. The DHCP snooping function can prevent terminals from obtaining addresses from other servers; if such addresses are the same, an address conflict occurs. DHCP snooping is commonly used for anti-attack rather than for avoiding intranet IP address conflicts. The key configuration is as follows:

    [DHCP-Relay] interface GigabitEthernet 0/0/1
    [DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping enable
    [DHCP-Relay-GigabitEthernet0/0/1] quit
    [DHCP-Relay] interface GigabitEthernet 0/0/2
    [DHCP-Relay-GigabitEthernet0/0/2] dhcp snooping trusted
    [DHCP-Relay-GigabitEthernet0/0/2] quit

For specific configurations, see USG Firewalls Limiting IP Address Conflict.

How to resolve DHCP IP address conflict on S series switch
For S series switches (except S1700 switches), if IP addresses in a DHCP address pool have been configured for clients but have not been excluded from the address pool, the IP addresses may be allocated to other clients, resulting in IP address conflicts. For details about how to locate and rectify the IP address conflict problem, see "The IP Address Obtained by a Client Conflicts with the IP Address of Another Client" in Configuration Guide - IP Service.

Method used to check the IP address conflict on the USG2000, USG5000, and USG6000
You can check the IP address conflict on the USG2000, USG5000, and USG6000 as follows: On the CLI, enter the display logbuffer command. For example:

    [USG5500]display logbuffer
    Logging buffer configuration and contents:enabled
    Allowed max buffer size : 1024
    Actual buffer size : 1024
    Channel number : 4 , Channel name : logbuffer
    Dropped messages : 0
    Overwritten messages : 1200
    Current messages : 514

    %2015-04-24 10:56:26 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
    //The conflicted address is 192.168.101.207.//
    %2015-04-24 10:56:21 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
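
An added example, not part of the original page or the vendor's documentation: a Python script that extracts ARP/4/DUP_IPADDR events from saved display logbuffer output, groups them by conflicted IP address, and flags source MACs that differ from an IP/MAC binding list. The function names, the third log line and the binding table are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format taken from the display logbuffer output above.
DUP_RE = re.compile(
    r"%(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01ARP/4/DUP_IPADDR\(l\): Receive an ARP packet with duplicate ip "
    r"address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from (?P<ifname>[^,\s]+), "
    r"source MAC is (?P<mac>[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})"
)

def parse_conflicts(log_text):
    """Group DUP_IPADDR events by conflicted IP address."""
    # Collapse whitespace so messages wrapped by the terminal still match.
    text = " ".join(log_text.split())
    conflicts = defaultdict(lambda: {"count": 0, "sources": set(),
                                     "first": None, "last": None})
    for m in DUP_RE.finditer(text):
        c = conflicts[m["ip"]]
        c["count"] += 1
        c["sources"].add((m["ifname"], m["mac"].lower()))
        # Timestamps are zero-padded, so string comparison orders them.
        c["first"] = min(filter(None, (c["first"], m["ts"])))
        c["last"] = max(filter(None, (c["last"], m["ts"])))
    return dict(conflicts)

def unbound_sources(conflicts, bindings):
    """Return (ip, interface, mac) where the MAC differs from the bound MAC."""
    return sorted(
        (ip, ifname, mac)
        for ip, c in conflicts.items() if ip in bindings
        for ifname, mac in c["sources"] if mac != bindings[ip].lower()
    )

# First two lines are from the page; the third is constructed.
SAMPLE_LOG = """\
%2015-04-24 10:56:26 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
%2015-04-24 10:56:21 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
%2015-04-24 10:55:02 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.50 from GigabitEthernet0/0/1, source MAC is 0011-2233-4455!
"""
# Constructed IP-to-MAC binding list (what firewall mac-binding would hold).
SAMPLE_BINDINGS = {"192.168.101.207": "3400-a3d9-0001"}

if __name__ == "__main__":
    found = parse_conflicts(SAMPLE_LOG)
    for ip, c in sorted(found.items()):
        print(ip, c["count"], c["first"], c["last"], sorted(c["sources"]))
    print(unbound_sources(found, SAMPLE_BINDINGS))
```

A MAC reported here that is absent from the binding list identifies the host to trace on the named interface; addresses without a binding entry are reported by parse_conflicts only.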

Whether USG firewalls support the check of a source IP address
The USG firewalls support the check of a source IP address.
