When configuring access management, refer to these sections for the information you need:
- Access Management Overview
- Configuring Access Management
- Access Management Configuration Examples
1.1 Access Management Overview
Normally, client PCs in a network are connected through Layer 2 switches to switches operating on the network access layer (also referred to as access switches); the access switches provide external network access for the client PCs through their upstream links. In the network shown in Figure 1-1, Switch A is an access switch and Switch B is a Layer 2 switch.

Figure 1-1 Typical Ethernet access networking scenario
The access management function manages user access rights on access switches. It enables you to control the external network access rights of the hosts connected to the ports of an access switch.
To implement the access management function, you configure an IP address pool on a port of an access switch, that is, you bind a specified range of IP addresses to the port.
- A port with an access management IP address pool configured allows only the hosts whose IP addresses are in that pool to access external networks.
- A port without an access management IP address pool configured allows hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch.
Note that the IP addresses in the access management IP address pool configured on a port must be in the same network segment as the IP address of the interface of the VLAN to which the port belongs.
1.2 Configuring Access Management
Follow these steps to configure access management:

| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enable the access management function | am enable | Required. By default, the access management function is disabled. |
| Enable access management traps | am trap enable | Required. By default, access management traps are disabled. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the access management IP address pool of the port | am ip-pool address-list | Required. By default, no access management IP address pool is configured. |
| Display the current access management configuration | display am [ interface-list ] | Available in any view. |
- Before configuring the access management IP address pool of a port, you need to configure the interface IP address of the VLAN to which the port belongs, and the IP addresses in the pool must be in the same network segment as that VLAN interface IP address.
- If an access management address pool being configured contains IP addresses that belong to the static ARP entries of other ports, the system prompts you to delete the corresponding static ARP entries so that the access management IP address pool can take effect.
- To allow only the hosts whose IP addresses are in the access management address pool of a port to access external networks, do not configure static ARP entries for IP addresses outside the pool.
1.3 Access Management Configuration Examples
I. Network requirements
Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP address of PC 2 is 202.10.20.100/24, and that of PC 3 is 202.10.20.101/24.
- Allow the PCs of Organization 1 to access the external network through GigabitEthernet 1/0/1 on Switch A. The port belongs to VLAN 1, and the IP address of VLAN-interface 1 is 202.10.20.200/24.
- Prevent the PCs that do not belong to Organization 1 (PC 2 and PC 3) from accessing the external network through GigabitEthernet 1/0/1 of Switch A.
II. Network diagram

Figure 1-2 Network diagram for access management configuration
III. Configuration procedure
Perform the following configuration on Switch A.
# Enable access management.
<Sysname> system-view
[Sysname] am enable
# Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.10.20.200 24
[Sysname-Vlan-interface1] quit
# Configure the access management IP address pool on GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] am ip-pool 202.10.20.1 20
I. Network requirements
Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24, and those of the PCs of Organization 2 are in the ranges 202.10.20.25/24 to 202.10.20.50/24 and 202.10.20.55 to 202.10.20.65/24.
- Allow the PCs of Organization 1 to access the external network through GigabitEthernet 1/0/1 of Switch A.
- Allow the PCs of Organization 2 to access the external network through GigabitEthernet 1/0/2 of Switch A.
- GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 belong to VLAN 1. The IP address of VLAN-interface 1 is 202.10.20.200/24.
- The PCs of Organization 1 are isolated from those of Organization 2 at Layer 2.
II. Network diagram

Figure 1-3 Network diagram for combining access management and port isolation
III. Configuration procedure
Perform the following configuration on Switch A.
For information about port isolation and the corresponding configuration, refer to the Port Isolation Operation.
# Enable access management.
<Sysname> system-view
[Sysname] am enable
# Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.10.20.200 24
[Sysname-Vlan-interface1] quit
# Configure the access management IP address pool on GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] am ip-pool 202.10.20.1 20
# Add GigabitEthernet 1/0/1 to the port isolation group.
[Sysname-GigabitEthernet1/0/1] port isolate
[Sysname-GigabitEthernet1/0/1] quit
# Configure the access management IP address pool on GigabitEthernet 1/0/2.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11
# Add GigabitEthernet 1/0/2 to the port isolation group.
[Sysname-GigabitEthernet1/0/2] port isolate
[Sysname-GigabitEthernet1/0/2] quit
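The following Python model, added here as an illustration and not H3C code or the switch's actual implementation, applies the access-management rules from the overview (a port with a pool admits only pool members; a port without a pool admits hosts not pooled on any other port; pools must lie in the VLAN interface's segment) to the address lists from the second example above. The `am ip-pool` address-list format (start-address followed by a count, repeated) is taken from the examples; the class and function names are the model's own.

```python
import ipaddress
from typing import Dict, List

def parse_address_list(address_list: str) -> List[ipaddress.IPv4Address]:
    """Expand an 'am ip-pool' address-list of start-address/count pairs,
    e.g. '202.10.20.25 26 202.10.20.55 11', into individual addresses."""
    tokens = address_list.split()
    if len(tokens) % 2:
        raise ValueError("address-list must be start-address count pairs")
    pool: List[ipaddress.IPv4Address] = []
    for start, count in zip(tokens[0::2], tokens[1::2]):
        first = ipaddress.IPv4Address(start)
        pool.extend(first + i for i in range(int(count)))
    return pool

class AccessManagement:
    """Per-port access management pools for one VLAN interface (model only)."""

    def __init__(self, vlan_interface: str):
        # VLAN interface address with prefix length, e.g. '202.10.20.200/24'
        self.vlan_if = ipaddress.ip_interface(vlan_interface)
        self.pools: Dict[str, List[ipaddress.IPv4Address]] = {}

    def am_ip_pool(self, port: str, address_list: str) -> None:
        pool = parse_address_list(address_list)
        # Every pool address must be in the VLAN interface's network segment.
        for addr in pool:
            if addr not in self.vlan_if.network:
                raise ValueError(f"{addr} is not in {self.vlan_if.network}")
        self.pools[port] = pool

    def allows(self, port: str, host_ip: str) -> bool:
        """Decide whether a host on 'port' may reach external networks."""
        ip = ipaddress.IPv4Address(host_ip)
        if port in self.pools:
            # Port with a pool: only pool members are admitted.
            return ip in self.pools[port]
        # Port without a pool: admitted unless pooled on another port.
        return all(ip not in pool for pool in self.pools.values())

def build_example_switch() -> AccessManagement:
    """Switch A as configured in the second example (Figure 1-3)."""
    sw = AccessManagement("202.10.20.200/24")
    sw.am_ip_pool("GigabitEthernet1/0/1", "202.10.20.1 20")
    sw.am_ip_pool("GigabitEthernet1/0/2", "202.10.20.25 26 202.10.20.55 11")
    return sw

if __name__ == "__main__":
    sw = build_example_switch()
    for port, host in [("GigabitEthernet1/0/1", "202.10.20.100"),
                       ("GigabitEthernet1/0/2", "202.10.20.65")]:
        print(port, host, "allowed" if sw.allows(port, host) else "denied")
```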