Whether USG firewalls support IP addresses in the same network segment configured for different interfaces

23

The USG2000, USG5000, and USG6000 do not support IP addresses in the same network segment configured for different interfaces.
However, primary and secondary IP addresses of the same interface can be in the same network segment.

Other related questions:
Whether the firewall supports the VRRP group virtual IP address and interface address that are on different network segments
Can actual interface IP addresses reside on the same network segment as virtual IP addresses in hot standby? 1. You must assign IP addresses to a physical interface before you set the virtual IP address of the VRRP group on the interface. 2. When you configure VRRP groups, ensure that the virtual IP addresses is not the IP address of any physical interface. 3. Invalid address, such as broadcast address, multicast address, or loopback address, cannot be used as the VRRP virtual IP address. 4. If the virtual IP address and the IP address of the physical interface reside on different subnets, you need to specify the subnet mask of the virtual IP address. 5. The VRID of the VRRP group cannot be the same as that configured on any other device in the same VLAN. 6. The VRIDs and virtual IP addresses of VRRP groups configured for the same interfaces on the active and standby USGs shall be the same. Configuration on the USG6000 [USG6600-1]int vlani2 [USG6600-1-Vlanif2]ip add 172.16.1.1 24 [USG6600-1-Vlanif2]vrrp vrid 1 virtual-ip 10.1.1.1 24 active [USG6600-1-Vlanif2]dis thi interface Vlanif2 ip address 172.16.1.1 255.255.255.0 vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 active Configuration on the USG2000&5000 [USG5500]int vlanif10 [USG5500-Vlanif10]ip add 172.16.1.1 24 [USG5500-Vlanif10]vrrp vrid 1 virtual-ip 10.10.1.1 24 master [USG5500-Vlanif10]dis this interface Vlanif10 alias vlanif 10 ip address 172.16.1.1 255.255.255.0 vrrp vrid 1 virtual-ip 10.10.1.1 255.255.255.0 master #

Can addresses on the same network segment be configured on different interfaces of an AR
Addresses on the same network segment cannot be allocated to interfaces on an AR. Interfaces on an AR can be configured with IP addresses on network segments that overlap. For example, an interface is assigned IP address 20.1.1.1/16. When you configure IP address 20.1.1.2/24 for the other interface, the system displays a message. However, the configuration is successful. When you configure IP address 20.1.1.2/16 for the other interface, the system displays a message indicating that the address conflicts. The configuration fails. The primary and secondary addresses of an interface can be on network segments that overlap, but must be different. For example, an interface is configured with the primary IP address 20.1.1.1/24. When you configure the secondary IP address 20.1.1.2/16, the system displays a message. However, the configuration is successful. The primary and secondary addresses of interfaces can be on network segments that overlap, but must be different. For example, an interface is configured with IP address 20.1.1.1/16. When you configure IP address 20.1.1.2/24, the system displays a message. However, the configuration is successful.

Does the AR support difference of network segments between an interface IP address and a virtual IP address of VRRP
The AR does not support difference of network segments between an interface IP address and a virtual IP address of VRRP. The IP addresses must be set to the same network segment.

Method used to configure two network segments on the USG firewall among which one network segment contains IP addresses dynamically allocated by the DHCP server and another network segment contains static IP addresses
You can configure two network segments on the USG firewall among which one network segment contains IP addresses dynamically allocated by the DHCP server and another network segment contains static IP addresses as follows: Two methods are available: 1. If the switch interconnected to the firewall has only one interface, configure two IP addresses for the interface, set the primary IP address as the dynamic IP address and the secondary IP address (sub address) as the static IP address. The key configuration is as follows: [USG] interface GigabitEthernet0/0/1 [USG-GigabitEthernet0/0/1] ip address 192.168.2.1 255.255.255.0 [USG-GigabitEthernet0/0/1] ip address 192.168.1.1 255.255.255.0 sub [USG-GigabitEthernet0/0/1] quit [USG] dhcp server ip-pool 0 [USG-dhcp-0] network 192.168.2.0 mask 255.255.255.0 [USG-dhcp-0] dns-list 192.168.2.3 [USG-dhcp-0] quit IP addresses in network segment 192.168.2.0 can be dynamically allocated. IP addresses in network segment 192.168.1.0 are static IP addresses set on the PC. 2. If the switch is interconnected with the firewall over interfaces in different network segments, the addresses can be configured flexibly. a. Configure the DHCP address pool by configuring the L3 interface. [USG] interface GigabitEthernet0/0/1 [USG-GigabitEthernet0/0/1] ip address 192.168.2.1 255.255.255.0 [USG-GigabitEthernet0/0/1] quit [USG]interface GigabitEthernet0/0/2 [USG-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0 [USG-GigabitEthernet0/0/2] quit [USG] dhcp server ip-pool 0 Configure an address pool for network segment 192.168.2.0 instead of network segment 192.168.1.0, and configure static IP addresses on the PC. [USG-dhcp-0] network 192.168.2.0 mask 255.255.255.0 [USG-dhcp-0] dns-list 192.168.2.2 [USG-dhcp-0] quit b. Configure the DHCP address pool based on interfaces. [USG] interface GigabitEthernet1/0/1 [USG-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0 Configure the interface IP address. [USG-GigabitEthernet1/0/1] dhcp select interface //Configure the interface-based DHCP. [USG-GigabitEthernet1/0/1] dhcp server ip-range 192.168.0.1 192.168.0.254 //Configure the range of IP addresses that can be allocated. [USG-GigabitEthernet1/0/1] dhcp server gateway-list 192.168.0.1 [USG-GigabitEthernet1/0/1] dhcp server dns-list 192.168.0.253 [USG-GigabitEthernet1/0/1] quit [USG] interface GigabitEthernet0/0/2 [USG-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0 Configure the interface IP address and configure static IP addresses in this network segment instead of DHCP.

Whether USG firewalls support the check of a source IP address
The USG firewalls support the check of a source IP address.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top