User binds specified address and port

Created: Feb 21, 2020 09:24:00 | Latest reply: Mar 1, 2020 08:46:08
Status: problem resolved

Hello,

Our customer has an S5720-SI and has the following needs:

Different departments of the company are bound to specific addresses and interfaces.

For example:

Department1: 10.0.0.1-10.0.0.20   bind GE0/0/1

Department2: 10.0.0.21-10.0.0.40 bind GE0/0/3

Department1: 10.0.0.41-10.0.0.60 bind GE0/0/3

 …

Each department is required to use only the assigned IP addresses. If a user in department 1 uses an IP address other than 1 to 20, he cannot access the Internet.

Please provide a solution. Thank you.


Featured Answers
Popeye_Wang
Admin Created Feb 21, 2020 09:30:14 Helpful(2)

Hello,

You can configure IPSG based on a static binding table to filter IP packets received by untrusted interfaces. 

The configuration is as follows:

sys
#
user-bind static ip-address 10.0.0.1 to 10.0.0.20 interface GigabitEthernet 0/0/1
user-bind static ip-address 10.0.0.21 to 10.0.0.40 interface GigabitEthernet 0/0/2
user-bind static ip-address 10.0.0.41 to 10.0.0.60 interface GigabitEthernet 0/0/3
#
interface GigabitEthernet0/0/1
 ip source check user-bind enable
#
interface GigabitEthernet0/0/2
 ip source check user-bind enable
#
interface GigabitEthernet0/0/3
 ip source check user-bind enable
#

For details about the configuration, see https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101074&id=EN-US_TASK_0177111121&lang=en

Any further questions, let us know.


lucian2003 Created Feb 21, 2020 18:01:13
Great, thanks  
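
The static binding check from the featured answer above, modeled in Python as an added example (not part of the thread and not Huawei code). The matching rule is a simplified assumption: on a port with the source check enabled, a packet passes only if its source IP and ingress port match a binding entry; the function names are hypothetical.

```python
import ipaddress
import re

# Configuration as posted in the featured answer (blank lines removed).
CONFIG = """\
user-bind static ip-address 10.0.0.1 to 10.0.0.20 interface GigabitEthernet 0/0/1
user-bind static ip-address 10.0.0.21 to 10.0.0.40 interface GigabitEthernet 0/0/2
user-bind static ip-address 10.0.0.41 to 10.0.0.60 interface GigabitEthernet 0/0/3
#
interface GigabitEthernet0/0/1
 ip source check user-bind enable
#
interface GigabitEthernet0/0/2
 ip source check user-bind enable
#
interface GigabitEthernet0/0/3
 ip source check user-bind enable
"""
BIND_RE = re.compile(r"user-bind static ip-address (\S+) to (\S+) interface (.+)")

def parse(config):
    """Return ([(first_ip, last_ip, port)], {ports with the source check enabled})."""
    bindings, checked, port = [], set(), None
    for line in map(str.strip, config.splitlines()):
        m = BIND_RE.fullmatch(line)
        if m:
            lo, hi = (ipaddress.ip_address(x) for x in m.group(1, 2))
            bindings.append((lo, hi, m.group(3).replace(" ", "")))
        elif line.startswith("interface "):
            port = line.split(None, 1)[1].replace(" ", "")
        elif line == "#":
            port = None                      # end of the interface view
        elif line == "ip source check user-bind enable" and port:
            checked.add(port)
    return bindings, checked

def verdict(src_ip, port, bindings, checked):
    """Simplified model (assumption): permit only on an IP + port match."""
    port = port.replace(" ", "")
    if port not in checked:
        return "permit"                      # port is not filtered at all
    ip = ipaddress.ip_address(src_ip)
    hit = any(lo <= ip <= hi and p == port for lo, hi, p in bindings)
    return "permit" if hit else "drop"       # destination is never consulted

def unprotected(bindings, checked):
    """Ports that have bindings but no source check, so the entries filter nothing."""
    return sorted({p for _, _, p in bindings} - checked)
```

`verdict` takes no destination argument, so in this model a packet from an unbound address is dropped regardless of where it is going. `unprotected` is a quick audit for ports whose binding entries exist but are never enforced.
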
All Answers
ViktorG Created Mar 1, 2020 08:46:08 Helpful(0)

Hello @Steelblue !

As mentioned in the question:
- the device should not reach the Internet - it means devices can talk inside the LAN/Campus but not outside the location where these devices are connected - so if you use IPSG you solve one problem but create the other ONE - break the reachability inside LAN/Campus.
- if devices are assigned to different departments - it is also suggested to use different VLANs for each Department.
As a suggestion:
- Assign different VLANs per each Department (it means a separate /24 or whatever mask you choose per Department)
- Create traffic classifiers with ACL to define the address ranges connected to the port
- Create traffic behaviors (Permit to allow all hosts in the VLAN to reach the LAN/campus networks and then Deny everything else)
- Combine classifiers and behaviors under a traffic policy and apply it to the interface in the inbound direction.

Take care and have a great day!
Viktor
