How to prevent users from configuring static IP addresses without permission

Created: Aug 26, 2019 12:18:22 | Latest reply: Aug 26, 2019 12:22:16
  Rewarded Hi-coins: 0 (problem resolved)

If I do not use NAC and allocate IP addresses using DHCP, how can I prevent users from configuring static IP addresses without permission?



Featured Answers
Popeye_Wang
Admin | Created Aug 26, 2019 12:22:16 | Helpful(1)

Hi Hobbit,
The DHCP Snooping function can generate dynamic binding entries. For users with static IP addresses, you can manually configure static binding entries. By checking the matching of the IP+MAC+port in the binding table, the switch can prevent the user from setting the IP address without permission.
For example, all static IP users on the port Ethernet0/0/1 except the user with the static IP address of 10.10.10.2 and the MAC address of 0010-0010-0010 are not allowed to access the Internet. The configuration is as follows:

1. Enable the DHCP Snooping function in the user VLAN.
[huawei]dhcp snooping enable
[huawei]vlan 100
[huawei-vlan100]dhcp snooping enable

2. Configure static binding entries.
[huawei]user-bind static ip-address 10.10.10.2 mac-address 0010-0010-0010 interface ethernet 0/0/1

3. Configure the packet check on the user-side interface.
[huawei]interface ethernet 0/0/1
[huawei-Ethernet0/0/1]port link-type access
[huawei-Ethernet0/0/1]port default vlan 100
[huawei-Ethernet0/0/1]arp anti-attack check user-bind enable // Enable ARP check to prevent IP address conflicts caused by incorrect IP address configuration.
[huawei-Ethernet0/0/1]ip source check user-bind enable // Enable IP packet check to prevent unauthorized users from accessing the network.
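
The IP+MAC+port matching described in the answer above, modeled as an added Python example (not part of the original answer and not Huawei code). The `BindingTable` class, its methods and the `00e0-fc12-...` addresses are constructed for illustration; the VLAN is left out of the lookup key for brevity, and the check is assumed to be enabled on every user port. Calling `demo()` returns one verdict per sample packet.

```python
# Added illustration of a binding-table check; all names and sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    source: str  # "static" (user-bind static) or "dhcp" (learned by DHCP snooping)

class BindingTable:
    def __init__(self):
        self._by_ip = {}  # (port, ip) -> Binding

    def add_static(self, ip, mac, port):
        self._by_ip[(port, ip)] = Binding(ip, mac.lower(), port, "static")

    def learn_from_dhcp_ack(self, ip, mac, port):
        # DHCP snooping records the lease the server granted to this client.
        self._by_ip[(port, ip)] = Binding(ip, mac.lower(), port, "dhcp")

    def release(self, ip, port):
        # Lease expiry or DHCP release removes only dynamic entries.
        entry = self._by_ip.get((port, ip))
        if entry and entry.source == "dhcp":
            del self._by_ip[(port, ip)]

    def check(self, src_ip, src_mac, in_port):
        """Return 'forward' only if IP, MAC and ingress port all match one entry."""
        entry = self._by_ip.get((in_port, src_ip))
        if entry is None:
            return "drop: no binding for this IP on this port"
        if entry.mac != src_mac.lower():
            return "drop: MAC does not match binding"
        return "forward"

def demo():
    table = BindingTable()
    table.add_static("10.10.10.2", "0010-0010-0010", "Ethernet0/0/1")
    table.learn_from_dhcp_ack("10.10.10.20", "00e0-fc12-3456", "Ethernet0/0/1")
    packets = [  # constructed samples: (src_ip, src_mac, ingress_port)
        ("10.10.10.2", "0010-0010-0010", "Ethernet0/0/1"),   # permitted static user
        ("10.10.10.20", "00e0-fc12-3456", "Ethernet0/0/1"),  # DHCP client with a lease
        ("10.10.10.50", "00e0-fc12-9999", "Ethernet0/0/1"),  # self-assigned static IP
        ("10.10.10.2", "00e0-fc12-9999", "Ethernet0/0/1"),   # conflicts with static user
        ("10.10.10.2", "0010-0010-0010", "Ethernet0/0/2"),   # right IP+MAC, wrong port
    ]
    return [table.check(*p) for p in packets]
```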