Configuring a policy to guarantee access from a fixed source address to a fixed port


On the web UI, choose Policy > Security Policy, click Add, and configure the source address and service.

Other related questions:
How to assign fixed IP addresses to terminals through the interface address pool on the AR
Reserve fixed IP addresses that will be assigned to terminals and manually assign them to terminals.

Can MAC address bypass authentication be configured on a fixed port on the SRU
No, MAC bypass authentication must be configured on LPUs.

Restricting the administrator to access the USG2000&5000&6000 through a fixed source address
Configure the USG2000&5000&6000 to restrict the administrator to access through a fixed source address as follows: Set the VTY authentication mode to AAA on the USG to allow login of only a certain IP address: system-view [USG6600] [USG6600] acl 3000 [USG6600-acl-adv-3000]rule permit ip source 0 // allowed only. [USG6600-acl-adv-3000]quit [USG6600] user-interface vty 0 4 [USG6600-ui-vty0-4] authentication-mode aaa [USG6600-ui-vty0-4]acl 3000 inbound //The ACL here is deny by default. [USG6600-ui-vty0-4] quit After the preceding configurations, only addresses for which the action is permit in ACL 3000 or specific source addresses can telnet to the firewall.

Static DHCP binding configuration on S series switch
In static DHCP binding mode, fixed IP addresses can be assigned to DHCP clients with specific MAC addresses. For example, you can assign fixed IP address to a client with MAC address dcd2-fc96-e4c0 on an S series switch except an S1700 switch: - For a global address pool: [HUAWEI] ip pool 1 //Enter the view of an IP address pool. [HUAWEI-ip-pool-1] static-bind ip-address mac-address dcd2-fc96-e4c0 - For an interface address pool: [HUAWEI] interface vlanif 10 //Enter the view of the interface for which an IP address has been configured. [HUAWEI-Vlanif10] dhcp server static-bind ip-address mac-address dcd2-fc96-e4c0 Note: The configured IP address cannot be the same as the assigned one. If the configured IP address has been assigned, run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address [ end-ip-address ] | all | conflict | expired | used } command in the user view to manually reclaim the IP address in an address pool.

ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks. Dynamic ARP inspection (DAI) This function applies to the network where DHCP snooping is configured. It is recommended to configure DAI on the access switches.DAI can prevent man-in-the-middle attacks. # Enable DAI on GE 1/0/1. [HUAWEI] interface gigabitethernet 1/0/1 [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable # Enable DAI in VLAN 100. [HUAWEI] vlan 100 [HUAWEI-vlan100] arp anti-attack check user-bind enable - Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway. # Enable fixed ARP in fixed MAC mode. [HUAWEI] arp anti-attack entry-check fixed-mac enable - Configure ARP gateway anti-collision (available on only S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway. # Enable ARP gateway anti-collision. [HUAWEI] arp anti-attack gateway-duplicate enable - Configure the switch to actively discard gratuitous ARP packets (only available on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets. # Enable the switch to actively discard gratuitous ARP packets globally. [HUAWEI] arp anti-attack gratuitous-arp drop

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top