H3C S5600 Series Operation Manual page 726

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter Ethernet port view | interface interface-type interface-number | |
| Create a static binding | ip source static binding ip-address ip-address [ mac-address mac-address ] | Optional. By default, no IP static binding entry is created. |
| Enable IP filtering: based on the DHCP-snooping table and the IP static binding table | ip check source ip-address [ mac-address ] | Either command is required. By default, this function is disabled. |
| Enable IP filtering: based on authenticated 802.1x clients | ip check dot1x enable | Either command is required. By default, this function is disabled. |

For details about 802.1x authentication, refer to 802.1x and System Guard Operation.

Configuring IP filtering on the ports of an aggregation group is not recommended.

Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering based on the DHCP-snooping table.

To implement IP filtering based on IP-to-MAC bindings of authenticated 802.1x clients, the device assigns an ACL to each such binding. If an ACL fails to be assigned to a binding, the corresponding authenticated 802.1x client is forced to go offline.

IP filtering based on IP-to-MAC bindings of authenticated 802.1x clients must be associated with 802.1x based on MAC address authentication, and requires 802.1x clients to provide IP addresses; otherwise, the IP addresses of 802.1x clients cannot be obtained. To ensure that the IP addresses of DHCP clients can be updated in the corresponding IP-to-MAC entries, you are recommended to enable the 802.1x authentication handshake function; otherwise, you need to disable 802.1x authentication triggered by DHCP, ensuring normal receiving and forwarding of multicast authentication packets.

When you create a static binding on a port where IP filtering is enabled with the mac-address keyword specified, you must specify the mac-address argument; otherwise, packets sent from this IP address cannot pass IP filtering.

A static entry has a higher priority than a dynamic DHCP snooping entry that has the same IP address. That is, if the static entry is configured after the dynamic entry is recorded, the static entry overwrites the dynamic entry; if the static entry is configured before DHCP snooping is enabled, no DHCP client can obtain the IP address of the static entry, so the dynamic DHCP snooping entry cannot be generated.

The VLAN ID of an IP static binding configured on a port is the VLAN ID of the port.
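
The note about static bindings on ports that filter on both IP and MAC address can be checked offline against a saved configuration. The Python below is an added example, not code from the H3C manual; the configuration layout (`interface` headers, `#` separators), the sample ports and addresses, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of a saved configuration (assumed layout:
# "interface <name>" headers, one command per line, "#" between sections).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 ip check source ip-address mac-address
 ip source static binding ip-address 192.0.2.10 mac-address 0000-5e00-5301
 ip source static binding ip-address 192.0.2.11
#
interface GigabitEthernet1/0/2
 ip check source ip-address
 ip source static binding ip-address 192.0.2.20
#
"""

BINDING_RE = re.compile(
    r"^ip source static binding ip-address (\S+)(?: mac-address (\S+))?$")
CHECK_RE = re.compile(r"^ip check source ip-address( mac-address)?$")

def parse_ports(config_text):
    """Return {port: {"check_mac": bool or None, "bindings": [(ip, mac or None)]}}."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = ports.setdefault(
                line.split(None, 1)[1], {"check_mac": None, "bindings": []})
        elif line == "#" or not line:
            current = None  # section ended; following lines are not port commands
        elif current is not None:
            if (m := CHECK_RE.match(line)):
                current["check_mac"] = m.group(1) is not None
            elif (m := BINDING_RE.match(line)):
                current["bindings"].append((m.group(1), m.group(2)))
    return ports

def find_unusable_bindings(config_text):
    """List (port, ip) static bindings that lack a MAC on ports filtering on IP and MAC."""
    return [(port, ip)
            for port, cfg in parse_ports(config_text).items()
            if cfg["check_mac"]
            for ip, mac in cfg["bindings"] if mac is None]

if __name__ == "__main__":
    for port, ip in find_unusable_bindings(SAMPLE_CONFIG):
        print(f"{port}: static binding {ip} has no mac-address; "
              "packets from it cannot pass IP filtering on this port")
```

A binding without a MAC address is only reported on ports where the filter was enabled with the mac-address keyword; the same binding on a port that filters on IP address alone is left unflagged.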


This manual is also suitable for:

S5600-26c, S5600-26c-pwr, S5600-26f, S5600-50c, S5600-50c-pwr
