Huawei switches implement binding between an interface and an IP address through a traffic policy combined with DHCP snooping. The interface then allows only packets carrying the bound IP address, plus packets matching the DHCP snooping binding table, to pass through. Switches such as the Huawei 48-port 10GE SFP+ switch S6720-54C-EI-48S-DC also support binding of IP address + MAC address + interface.
For example, to configure GigabitEthernet 0/0/8 to allow packets with the source IP address 192.168.130.50, in addition to packets matching the DHCP snooping binding table, and to discard all other packets, do as follows:
# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable
# Configure an advanced ACL that matches source IP address 192.168.130.50.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 permit ip source 192.168.130.50 0
[HUAWEI-acl-adv-3000] rule 10 deny ip source any
[HUAWEI-acl-adv-3000] rule 15 deny ip destination any
[HUAWEI-acl-adv-3000] quit
# Create a traffic classifier that matches the advanced ACL.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
# Create a traffic behavior and a traffic policy.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
# Apply the traffic policy to GigabitEthernet 0/0/8 so that the interface allows only packets with the source IP address 192.168.130.50, in addition to packets matching the DHCP snooping binding table, to pass through.
In V100R005 and later versions, the configuration is as follows:
[HUAWEI] interface GigabitEthernet 0/0/8
[HUAWEI-GigabitEthernet0/0/8] port default vlan 4094
[HUAWEI-GigabitEthernet0/0/8] ip source check user-bind enable
[HUAWEI-GigabitEthernet0/0/8] traffic-policy p1 inbound
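The following Python model is an added example, not code from the original page or from Huawei; it shows what the configuration above is meant to enforce. It parses the page's three ACL rules with VRP wildcard-mask semantics (first match in rule-id order; a wildcard of 0 means an exact match, and "any" matches everything), then combines the ACL verdict with a lookup in a constructed DHCP snooping binding table. The assumption, taken from the page's description of the combined effect, is that a packet is forwarded when either the traffic policy permits it or its IP/MAC/VLAN/interface tuple is in the binding table; the real switch's internal ordering of the two checks is not modelled. The binding entries, MAC addresses and helper names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample data (not from a real switch): the ACL rules the page configures,
# written exactly as they appear in the VRP CLI.
ACL_3000 = [
    "rule 5 permit ip source 192.168.130.50 0",
    "rule 10 deny ip source any",
    "rule 15 deny ip destination any",
]

# Constructed DHCP snooping binding table: (IP, MAC, VLAN, interface).
# A real table is learned from DHCP exchanges; these entries are assumed for the example.
DHCP_SNOOPING_BINDINGS: Set[Tuple[str, str, int, str]] = {
    ("192.168.130.77", "00e0-fc12-3456", 4094, "GigabitEthernet0/0/8"),
}


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    field: str       # "source" or "destination"
    network: int     # address as a 32-bit integer
    wildcard: int    # VRP wildcard mask: 1 bits are "don't care"


def _to_int(token: str) -> int:
    # VRP accepts both the dotted ("0.0.0.0") and the plain ("0") wildcard form.
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def parse_rule(line: str) -> Rule:
    # Handles: rule <id> <permit|deny> ip <source|destination> (<addr> <wildcard> | any)
    parts = line.split()
    rule_id, action, field = int(parts[1]), parts[2], parts[4]
    if parts[5] == "any":
        return Rule(rule_id, action, field, 0, 0xFFFFFFFF)
    return Rule(rule_id, action, field, _to_int(parts[5]), _to_int(parts[6]))


RULES: List[Rule] = [parse_rule(line) for line in ACL_3000]


def acl_action(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation in rule-id order; returns (action, matching rule id)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        addr = int(ipaddress.IPv4Address(src_ip if r.field == "source" else dst_ip))
        care = ~r.wildcard & 0xFFFFFFFF          # bits that must match exactly
        if addr & care == r.network & care:
            return r.action, r.rule_id
    return "deny", None   # model assumption: traffic matching no rule is not permitted


def interface_allows(src_ip: str, src_mac: str, vlan: int, iface: str,
                     dst_ip: str = "10.0.0.1") -> Optional[str]:
    """Return which check admitted the packet ('acl' or 'dhcp-snooping'), or None if dropped.

    Models the combined effect the page describes: the statically bound IP passes through
    the traffic policy, and DHCP-learned hosts pass through ip source check user-bind.
    """
    action, _ = acl_action(RULES, src_ip, dst_ip)
    if action == "permit":
        return "acl"
    if (src_ip, src_mac.lower(), vlan, iface) in DHCP_SNOOPING_BINDINGS:
        return "dhcp-snooping"
    return None


if __name__ == "__main__":
    port = "GigabitEthernet0/0/8"
    print(interface_allows("192.168.130.50", "0000-0000-0001", 4094, port))  # acl
    print(interface_allows("192.168.130.77", "00e0-fc12-3456", 4094, port))  # dhcp-snooping
    print(interface_allows("192.168.130.77", "00e0-fc12-9999", 4094, port))  # None (IP/MAC mismatch)
    print(interface_allows("192.168.130.99", "00e0-fc12-3456", 4094, port))  # None (unknown host)
```

The third case is the one the IP+MAC+interface binding is there to catch: a host presenting a legitimate DHCP-assigned address from the wrong MAC is dropped because the binding table entry is keyed on the whole tuple, not on the IP alone. Rule 15 never fires in this model, since rule 10 already denies every remaining packet; the same is true on the switch, where it is harmless but redundant.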