Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches


On S series switches excluding the S1700, intranet users can be restricted so that they can access the Internet only with IP addresses obtained through DHCP. The configuration procedure is as follows:
1. Configure a switch as the DHCP server.
For details
2. Configure DHCP snooping.
See the following DHCP snooping configuration.
[HUAWEI] dhcp snooping enable
[HUAWEI] interface GigabitEthernet2/0/0 //Enter the view of the Layer 3 interface that is automatically assigned an IP address.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping trusted //Configure the interface as the trusted interface.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable //Enable DHCP snooping.
[HUAWEI-GigabitEthernet2/0/0] ip source check user-bind enable //To prevent IP packets of unauthorized users from entering the external network through the switch, you can enable the IP packet check function on an interface or in a VLAN. After the IP packet check function is enabled, only the IP packets matching entries in the binding table are forwarded. After DHCP snooping is enabled, a dynamic binding table is generated.
[HUAWEI-GigabitEthernet2/0/0] arp anti-attack check user-bind enable //After ARP packet check is enabled, the switch checks all the ARP packets passing through an interface or a VLAN against the binding table. Only the ARP packets matching the binding table are forwarded.
[HUAWEI-GigabitEthernet2/0/0] quit
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //If users want to configure static IP addresses for Internet access, a static binding table must be configured.

Other related questions:
Types of packets checked by S series switches with IPSG enabled
For S series switches (except S1700 switches), IPSG takes effect only for IP packets (except DHCP packets) but not for packets of other types such as ARP or PPPoE. With IPSG enabled, an S series switch checks only IPv4 packets in versions earlier than V200R001 and checks all IPv4 and IPv6 packets in V200R001 and later versions.
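The binding-table checks described in the configuration above and in this answer, as an added Python model (not Huawei's code and not part of the original page). It shows which frames pass when the IP packet check and the ARP packet check are enabled. The class and function names, the 10.0.0.50 lease, MAC 0002-0002-0002, VLAN 10 and the treatment of unspecified static-entry fields as wildcards are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: Optional[str] = None  # None: field not specified in the entry
    vlan: Optional[int] = None

@dataclass(frozen=True)
class Frame:
    kind: str     # "ip", "dhcp", "arp" or "pppoe"
    src_ip: str   # for ARP, the sender IP carried in the ARP payload
    src_mac: str
    port: str
    vlan: int

class BindingTable:
    def __init__(self):
        self.entries = set()

    def add_static(self, ip, mac):
        # Models: user-bind static ip-address <ip> mac-address <mac>
        self.entries.add(Binding(ip, mac))

    def learn_dhcp_lease(self, ip, mac, port, vlan):
        # Models the dynamic entry DHCP snooping records for a granted lease
        self.entries.add(Binding(ip, mac, port, vlan))

    def matches(self, f):
        return any(b.ip == f.src_ip and b.mac == f.src_mac
                   and b.port in (None, f.port) and b.vlan in (None, f.vlan)
                   for b in self.entries)

def forward(f, table, ip_check=True, arp_check=True):
    """True if the frame passes whichever binding-table checks are enabled."""
    if f.kind == "ip":    # ip source check user-bind enable (DHCP is exempt)
        return table.matches(f) if ip_check else True
    if f.kind == "arp":   # arp anti-attack check user-bind enable
        return table.matches(f) if arp_check else True
    return True           # DHCP, PPPoE and others are not checked against the table

def build_table():
    t = BindingTable()
    t.add_static("10.0.0.1", "0001-0001-0001")                        # entry from the page
    t.learn_dhcp_lease("10.0.0.50", "0002-0002-0002", "GE2/0/0", 10)  # constructed
    return t
```

With only the IP packet check enabled (`arp_check=False`), an ARP frame carrying a mismatched IP/MAC pair is still forwarded, which is why the configuration enables both checks on the interface.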

Can clients connected to S series switches obtain IP addresses through DHCP
DHCP-enabled terminals that are connected to S series switches except S1700 switches can obtain IP addresses from DHCP servers when either of the following conditions is met:
- The DHCP server function has been enabled on the switches. (By default, the DHCP server function is disabled on a switch.)
- A DHCP server is available on the network and reachable to the terminals.

Whether the USG2000 and USG5000 can allow only certain intranet IP addresses to access the Internet
On the web UI, choose Policy > Security Policy > Policy Matching Analysis to check the policy matching information.

Can terminals connected to S series switches obtain IP addresses through DHCP
For S series switches excluding the S1700, terminals connected to switches (enabled to obtain IP addresses through DHCP) can obtain IP addresses through DHCP when either of the following conditions is met:
- The switch is configured with the DHCP server function. (By default, a switch is not configured with the DHCP server function.)
- Another DHCP server is deployed on the network and there is a reachable route from the terminal to the DHCP server.
