Configure dynamic NAT on S series switches

S7700, S9700, and S9300 series modular switches use SPUs to support dynamic NAT.

Other related questions:
Configure NAT on S series switches
S7700, S9700, and S9300 series modular switches use SPUs to support NAT. NAT includes dynamic NAT, static NAT, and NAT server. Dynamic NAT can be configured to dynamically create mappings between intranet IP addresses and external network IP addresses, so that private network users can access external networks. Static NAT implements fixed one-to-one IP address (one private IP address maps to one public IP address) translation. NAT server can be configured to allow external network users to access an intranet server.

Configure NAT server on S series switches
S7700, S9700, and S9300 series modular switches use SPUs to support the NAT server function.

How to configure dynamic ARP inspection (DAI) on S series switches
For S series switches (except S1700 switches): DAI prevents man-in-the-middle (MITM) attacks on authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, port number, and VLAN ID of the ARP packet with those in a binding table. If the ARP packet matches a binding entry, the device considers that the ARP packet is sent by an authorized user and allows the packet to pass through. If the ARP packet does not match any binding entry, the device considers the ARP packet as an attack packet and discards it.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against the binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on interfaces that belong to the VLAN against the binding entries. This function is available only for DHCP snooping scenarios.

# Configure DHCP snooping on the device and enable DAI on a user-side interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable  //Enable DHCP snooping on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted  //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100  //Configure a static binding entry for a user with a static IP address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable  //Enable DAI on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the VLAN to which users belong.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable  //Enable DHCP snooping in the VLAN to which users belong.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2  //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100  //Configure a static binding entry for a user with a static IP address.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable  //Enable DAI in the VLAN to which users belong.
[HUAWEI-vlan100] quit
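
The binding-table check described above, as a simplified Python model added here for illustration (not Huawei code). The class and function names, the MAC address and the 10.10.10.20 host are constructed, and the model assumes that fields a static entry leaves unspecified are not compared.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding-table entry; None means the field was not specified."""
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None
    port: Optional[str] = None

@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    vlan: int
    port: str  # interface the ARP packet was received on

def matches(entry: Binding, pkt: ArpPacket) -> bool:
    # Assumption of this model: an unspecified (None) field is a wildcard.
    return (entry.ip == pkt.src_ip
            and entry.mac in (None, pkt.src_mac)
            and entry.vlan in (None, pkt.vlan)
            and entry.port in (None, pkt.port))

def dai_verdict(pkt, table, dai_ports=frozenset(), dai_vlans=frozenset()) -> str:
    """Return 'unchecked', 'forward' or 'discard' for one ARP packet."""
    # DAI applies only where it was enabled: interface view or VLAN view.
    if pkt.port not in dai_ports and pkt.vlan not in dai_vlans:
        return "unchecked"
    return "forward" if any(matches(e, pkt) for e in table) else "discard"

# Constructed binding table: one DHCP snooping entry, one static entry
# equivalent to "user-bind static ip-address 10.10.10.1 vlan 100".
TABLE = [
    Binding("10.10.10.20", "00e0-fc12-3456", 100, "GE1/0/1"),
    Binding("10.10.10.1", vlan=100),
]
DAI_VLANS = frozenset({100})  # DAI enabled in VLAN 100 only

def demo():
    pkts = {
        "dhcp client": ArpPacket("10.10.10.20", "00e0-fc12-3456", 100, "GE1/0/1"),
        "spoofed mac": ArpPacket("10.10.10.20", "00e0-fcaa-bbbb", 100, "GE1/0/1"),
        "static host": ArpPacket("10.10.10.1", "00e0-fcaa-bbbb", 100, "GE1/0/3"),
        "other vlan": ArpPacket("10.10.10.20", "00e0-fcaa-bbbb", 200, "GE1/0/2"),
    }
    return {name: dai_verdict(p, TABLE, dai_vlans=DAI_VLANS) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} -> {verdict}")
```

In this model the static entry that names only an IP address and a VLAN accepts any source MAC address and port for that address, and ARP packets in a VLAN without DAI are never compared with the table.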

Does an S series switch support NAT
The fixed switches do not support NAT.
