Allow specified IP addresses to access the Internet through an interface on an S series switch


You can configure an ACL-based traffic policy and apply it to an interface on an S series switch so that only specified IP addresses can access the Internet through that interface. For example, configure GE0/0/1 to allow only the user with the IP address 1.1.1.2 and to prevent all other users from accessing the Internet. The classifier/behavior pairs in a traffic policy are evaluated in configuration order and the first matching pair decides, so the pair that permits the authorized host must be configured before the pair that denies everything else. Because both ACLs are advanced (IP) ACLs, the policy acts only on IP packets; non-IP frames such as ARP are not matched and are forwarded normally.
[HUAWEI] acl number 3030 //Advanced ACL that matches only the permitted host.
[HUAWEI-acl-adv-3030] rule permit ip source 1.1.1.2 0 //Wildcard 0 means an exact match on 1.1.1.2.
[HUAWEI-acl-adv-3030] quit
[HUAWEI] acl number 3031 //Advanced ACL that matches all other IP traffic.
[HUAWEI-acl-adv-3031] rule permit ip //"permit" here is only a match criterion; the deny is applied by the behavior.
[HUAWEI-acl-adv-3031] quit
[HUAWEI] traffic classifier test1
[HUAWEI-classifier-test1] if-match acl 3030
[HUAWEI-classifier-test1] quit
[HUAWEI] traffic classifier test2
[HUAWEI-classifier-test2] if-match acl 3031
[HUAWEI-classifier-test2] quit
[HUAWEI] traffic behavior test1
[HUAWEI-behavior-test1] permit
[HUAWEI-behavior-test1] quit
[HUAWEI] traffic behavior test2
[HUAWEI-behavior-test2] deny
[HUAWEI-behavior-test2] quit
[HUAWEI] traffic policy test
[HUAWEI-trafficpolicy-test] classifier test1 behavior test1 //Permitted host: must come first.
[HUAWEI-trafficpolicy-test] classifier test2 behavior test2 //Everything else: denied.
[HUAWEI-trafficpolicy-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy test inbound //Apply in the inbound direction on the user-facing interface.
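The following Python script is an added example, not configuration or code from this page or from Huawei. It models the two things a practitioner should verify before applying the policy above: how an advanced-ACL wildcard mask selects addresses, and that the order of classifier/behavior pairs in the traffic policy decides the outcome (the same pairs in the reverse order deny the authorized host too). It also generalises the page's single-host case to an allow-list of several hosts; the ACL and policy names it emits (allow, any, block, allowlist) are assumptions, and the match semantics are a simplified model in which a classifier matches when a permit rule of its ACL hits.

```python
import ipaddress


def wildcard_match(pkt_ip, rule_ip, wildcard):
    """Huawei ACL wildcard mask: 0 bits must match, 1 bits are ignored."""
    p = int(ipaddress.IPv4Address(pkt_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (p & ~w) == (r & ~w)


# Constructed ACL data mirroring the page: 3030 = the one permitted host, 3031 = any IP.
# Each rule is (action, source address or None for "any", wildcard).
ACLS = {
    3030: [("permit", "1.1.1.2", "0.0.0.0")],   # rule permit ip source 1.1.1.2 0
    3031: [("permit", None, None)],             # rule permit ip
}


def acl_matches(acls, number, src_ip):
    """Model of 'if-match acl N': rules are tried in order; the classifier
    matches when the first rule that hits is a permit rule."""
    for action, rule_ip, wildcard in acls[number]:
        if rule_ip is None or wildcard_match(src_ip, rule_ip, wildcard):
            return action == "permit"
    return False


def evaluate_policy(policy, src_ip, acls=ACLS):
    """Traffic policy: classifier/behavior pairs are tried in configuration
    order and the first matching pair decides the packet's fate."""
    for acl_number, behavior in policy:
        if acl_matches(acls, acl_number, src_ip):
            return behavior
    return "forward"  # no pair matched: the policy does not act on the packet


# Policy exactly as on the page, and the same pairs misordered.
PAGE_POLICY = [(3030, "permit"), (3031, "deny")]
SWAPPED_POLICY = [(3031, "deny"), (3030, "permit")]  # deny-all catches everything first


def render_allow_list(interface, hosts, acl_allow=3030, acl_any=3031):
    """Generalisation of the page's CLI to several permitted hosts (one rule per host).
    Object names (allow, any, block, allowlist) are assumed, not from the page."""
    lines = [f"acl number {acl_allow}"]
    lines += [f" rule permit ip source {h} 0" for h in hosts]
    lines += [
        "quit",
        f"acl number {acl_any}", " rule permit ip", "quit",
        "traffic classifier allow", f" if-match acl {acl_allow}", "quit",
        "traffic classifier any", f" if-match acl {acl_any}", "quit",
        "traffic behavior allow", " permit", "quit",
        "traffic behavior block", " deny", "quit",
        "traffic policy allowlist",
        " classifier allow behavior allow",   # the permit pair must precede the deny pair
        " classifier any behavior block",
        "quit",
        f"interface {interface}", " traffic-policy allowlist inbound", "quit",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip in ("1.1.1.2", "1.1.1.3"):
        print(ip, "page order:", evaluate_policy(PAGE_POLICY, ip),
              "| swapped order:", evaluate_policy(SWAPPED_POLICY, ip))
    print(render_allow_list("gigabitethernet 0/0/1", ["1.1.1.2", "1.1.1.3"]))
```

Running the script shows 1.1.1.2 permitted and 1.1.1.3 denied with the page's ordering, and both denied once the pairs are swapped, which is the mistake to look for when "nobody can get out" after applying such a policy.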

Other related questions:
Differences between IPSG and port security of S series switches
For S series switches (except S1700 switches), both IPSG and port security support bindings between MAC addresses and interfaces. Their differences are as follows:
• IPSG: Binds MAC addresses to interfaces in a binding table so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the binding table cannot go online through the switch. IPSG prevents IP address spoofing attacks; for example, it prevents a malicious host from stealing an authorized host's IP address to access or attack the network.
• Port security: Converts a limited number of dynamic MAC entries learned by interfaces into secure MAC entries, so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the MAC address table cannot go online through the switch. Port security prevents access by unauthorized hosts and limits the number of access hosts. It is applicable to networks with a large number of hosts. If you only want to prevent hosts with unauthorized MAC addresses from communicating and a large number of hosts reside on the network, port security is recommended.

Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches
Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches excluding the S1700. The configuration procedure is as follows:
1. Configure a switch as the DHCP server. For details
2. Configure DHCP snooping. See the following DHCP snooping configuration.
[HUAWEI] dhcp snooping enable //Enable DHCP snooping globally.
[HUAWEI] interface GigabitEthernet2/0/0 //Enter the view of the interface that faces the legitimate DHCP server.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping trusted //Configure the interface as the trusted interface; DHCP server replies arriving on untrusted interfaces are discarded.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable //Enable DHCP snooping on the interface.
[HUAWEI-GigabitEthernet2/0/0] ip source check user-bind enable //To prevent IP packets of unauthorized users from entering the external network through the switch, enable the IP packet check function on an interface or in a VLAN. After it is enabled, only IP packets matching entries in the binding table are forwarded. After DHCP snooping is enabled, a dynamic binding table is generated from the DHCP exchanges the switch sees.
[HUAWEI-GigabitEthernet2/0/0] arp anti-attack check user-bind enable //After ARP packet check is enabled, the switch checks all ARP packets passing through the interface or VLAN against the binding table. Only ARP packets matching the binding table are forwarded.
[HUAWEI-GigabitEthernet2/0/0] quit
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //If a user must use a static IP address for Internet access, a static binding entry is required; otherwise its packets fail the check.
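The following Python script is an added example, not code from this page or from Huawei. It is a simplified model of the mechanism the procedure above relies on: DHCP snooping drops server messages (OFFER/ACK) that arrive on untrusted interfaces and builds a dynamic binding entry from each DHCPACK seen on the trusted interface; the IP packet check and ARP check then forward only packets whose source IP/MAC, VLAN and interface match a dynamic or static binding entry. The interface and VLAN fields of the static entry, the interface names, and the constructed DHCP messages and packets are assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One binding-table entry: IP, MAC, VLAN and the interface the host sits behind."""
    ip: str
    mac: str
    vlan: int
    interface: str


def norm_mac(mac):
    """Accept Huawei notation (0001-0001-0001) or colon notation; return 12 lowercase hex digits."""
    return mac.replace("-", "").replace(":", "").lower()


class SnoopingSwitch:
    """Toy model of DHCP snooping + IP source check + ARP check (assumed behaviour, not vendor code)."""

    def __init__(self, trusted):
        self.trusted = set(trusted)   # interfaces configured 'dhcp snooping trusted'
        self.bindings = set()         # binding table: dynamic (from DHCP) and static entries
        self.pending = {}             # client MAC -> (vlan, interface) of its last DHCP request

    def add_static(self, ip, mac, vlan, interface):
        """Model of 'user-bind static ip-address ... mac-address ...' (vlan/interface assumed)."""
        self.bindings.add(Binding(ip, norm_mac(mac), vlan, interface))

    def process_dhcp(self, msg):
        """Snoop a DHCP message; returns 'forward' or 'drop'."""
        kind = msg["kind"]
        if kind in ("DISCOVER", "REQUEST"):
            # Client messages: remember which port/VLAN the client asked from.
            self.pending[norm_mac(msg["chaddr"])] = (msg["vlan"], msg["interface"])
            return "forward"
        # OFFER/ACK are server messages and are only accepted from trusted interfaces.
        if msg["interface"] not in self.trusted:
            return "drop"  # rogue DHCP server answering on a user port
        if kind == "ACK":
            mac = norm_mac(msg["chaddr"])
            if mac in self.pending:
                vlan, iface = self.pending.pop(mac)
                # Dynamic entry: the leased address is bound to the client's own port, not the uplink.
                self.bindings.add(Binding(msg["yiaddr"], mac, vlan, iface))
        return "forward"

    def check(self, pkt):
        """IP source check for IP packets, ARP check for ARP packets; other traffic is untouched."""
        if pkt["type"] == "ip":
            ip, mac = pkt["src_ip"], pkt["src_mac"]
        elif pkt["type"] == "arp":
            ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        else:
            return "forward"
        entry = Binding(ip, norm_mac(mac), pkt["vlan"], pkt["interface"])
        return "forward" if entry in self.bindings else "drop"


def build_demo_switch():
    """Constructed scenario: trusted uplink GE2/0/0, static host on GE1/0/1, DHCP client on GE1/0/2."""
    sw = SnoopingSwitch(trusted=["GigabitEthernet2/0/0"])
    sw.add_static("10.0.0.1", "0001-0001-0001", 10, "GigabitEthernet1/0/1")
    sw.process_dhcp({"kind": "DISCOVER", "chaddr": "00:11:22:33:44:55",
                     "vlan": 10, "interface": "GigabitEthernet1/0/2"})
    # Legitimate server on the trusted port leases 10.0.0.50 to the client.
    sw.process_dhcp({"kind": "ACK", "chaddr": "00:11:22:33:44:55", "yiaddr": "10.0.0.50",
                     "vlan": 10, "interface": "GigabitEthernet2/0/0"})
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print("legit client:", sw.check({"type": "ip", "src_ip": "10.0.0.50", "src_mac": "00:11:22:33:44:55",
                                     "vlan": 10, "interface": "GigabitEthernet1/0/2"}))
    print("spoofed IP:  ", sw.check({"type": "ip", "src_ip": "10.0.0.50", "src_mac": "de:ad:be:ef:00:01",
                                     "vlan": 10, "interface": "GigabitEthernet1/0/3"}))
```

The script illustrates both halves of the page's point: a host that simply configures a static address without a matching static entry, or that borrows another host's leased address, fails the check, while a rogue DHCP server on a user port never gets to hand out addresses in the first place.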

Configuring the USG6000 to access the Internet through a static IP address
To enable the USG6000 to access the Internet through a static IP address, search for "CLI: Example for Accessing the Internet Using a Static IPv4 Address" in the USG6000 Product Documentation and follow that example.

Configuring a policy to allow port access through the CLI of the USG2000&5000
On the CLI of the USG2000&5000 series, configure a security policy whose matching condition is the source port and whose action is permit.

Configuring a policy to allow port access through the CLI of the USG6000
On the CLI of the USG6000 series, configure a security policy whose matching condition is the source port and whose action is permit.
