Method used to avoid the intranet IP address conflict on USG firewalls


You can avoid the intranet IP address conflict on the USG2000, USG5000, and USG6000 as follows:
1. Configure IP and MAC address binding. With the binding in place, packets from a user whose MAC address does not match the binding cannot pass through the interface even if the user has the same IP address, which avoids the IP address conflict.
The key configuration is as follows:
[USG] firewall mac-binding 202.38.169.2 0001-0002-0003
[USG] firewall mac-binding enable
2. Enable DHCP snooping. DHCP snooping prevents terminals from obtaining addresses from DHCP servers other than the intended one. If such a server hands out an address that is already in use, an address conflict occurs. DHCP snooping is commonly used for attack defense rather than for avoiding intranet IP address conflicts.
The key configuration is as follows:
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] dhcp snooping trusted
[DHCP-Relay-GigabitEthernet0/0/2] quit
For specific configurations, click USG Firewalls Limiting IP Address Conflict.

Other related questions:
Whether USG firewalls can avoid intranet IP address conflict
USG firewalls can avoid intranet IP address conflicts. Generally, a firewall is deployed at the top layer of a network, and intranet traffic that does not pass through the firewall cannot be limited by it. It is therefore recommended that the traffic limitation function be configured on a lower-layer switch. With IP and MAC address binding configured, a user with the same IP address cannot transmit traffic over the interface, which prevents the IP address conflict.

Method used to check the IP address conflict on the USG2000, USG5000, and USG6000
You can check the IP address conflict on the USG2000, USG5000, and USG6000 as follows:
On the CLI, enter the display logbuffer command. For example:
[USG5500]display logbuffer
Logging buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 1024
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 1200
Current messages : 514
%2015-04-24 10:56:26 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897! //The conflicted address is 192.168.101.207.//
%2015-04-24 10:56:21 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
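The DUP_IPADDR records in that output can be summarized per conflicting address so the source MAC and ingress interface to trace are obvious. The script below is an added example, not Huawei tooling; the function names are hypothetical, and the sample reuses the two log lines shown above plus one constructed line.

```python
import re

# Pattern for the ARP/4/DUP_IPADDR message format shown in the logbuffer output.
DUP_RE = re.compile(
    r"%(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01ARP/4/DUP_IPADDR\(l\): Receive an ARP packet with duplicate ip address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from (?P<ifname>[^,\s]+), "
    r"source MAC is (?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"
)

def parse_conflicts(text):
    """Return one dict per DUP_IPADDR record; every other line is ignored."""
    return [m.groupdict() for m in map(DUP_RE.search, text.splitlines()) if m]

def summarize(records):
    """Group records by conflicting IP: hit count, MACs, interfaces, first/last seen."""
    out = {}
    for r in records:
        s = out.setdefault(r["ip"], {"count": 0, "macs": set(), "interfaces": set(),
                                     "first": r["ts"], "last": r["ts"]})
        s["count"] += 1
        s["macs"].add(r["mac"].lower())
        s["interfaces"].add(r["ifname"])
        # Timestamps are YYYY-MM-DD HH:MM:SS, so string order equals time order.
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
    return out

# First two records are from the page; the third is constructed for illustration.
SAMPLE = """\
Current messages : 514
%2015-04-24 10:56:26 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
%2015-04-24 10:56:21 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
%2015-04-24 10:57:02 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.50 from GigabitEthernet0/0/1, source MAC is 0011-2233-4455!
"""

if __name__ == "__main__":
    for ip, s in sorted(summarize(parse_conflicts(SAMPLE)).items()):
        print(f"{ip}: {s['count']} hits, MACs {sorted(s['macs'])}, "
              f"interfaces {sorted(s['interfaces'])}, {s['first']} to {s['last']}")
```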

Method used to view the IP address of an interface on USG firewalls
The commands used to view the IP address of an interface on the USG2000, USG5000, and USG6000 are as follows:
1. Run the display ip interface brief command to view configuration information of an interface IP address.
2. Run the following commands to view the interface configuration:
[Huawei] interface g0/0/1
[Huawei-GigabitEthernet0/0/1] display this

How to resolve DHCP IP address conflict on S series switch
For S series switches (except S1700 switches), if IP addresses in a DHCP address pool have been configured for clients but have not been excluded from the address pool, the IP addresses may be allocated to other clients, resulting in IP address conflicts. For details about how to locate and rectify the IP address conflict problem, see "The IP Address Obtained by a Client Conflicts with the IP Address of Another Client" in Configuration Guide - IP Service.

Method used to configure the reserved IP address of DHCP on USG firewalls
On the USG2000, USG5000, and USG6000, you can configure the reserved IP address of DHCP as follows:
1. Run the system-view command to enter the system view.
2. Run the dhcp server forbidden-ip start-ip-address [ end-ip-address ] command to configure a reserved IP address.
By default, except for the interface IP address of the DHCP server, all IP addresses in the DHCP address pool are used for automatic allocation.
To reserve an IP address, set start-ip-address. For example, IP address 10.1.1.3 is used as the DNS server address and needs to be reserved.
[USG] dhcp server forbidden-ip 10.1.1.3
To reserve an IP address segment, set start-ip-address and end-ip-address. Ensure that start-ip-address is not equal to or larger than end-ip-address and they are in the same network segment. For example, IP addresses from 10.1.1.4 to 10.1.1.9 are used as fixed IP addresses and need to be reserved.
[USG] dhcp server forbidden-ip 10.1.1.4 10.1.1.9
