Table of Contents

Chapter 1 Access Management Configuration Commands. 1-1

1.1 Access Management Configuration Commands. 1-1

1.1.1 am enable. 1-1

1.1.2 am ip-pool 1-1

1.1.3 am trap enable. 1-3

1.1.4 display am.. 1-3

1.1.5 display isolate port 1-4

1.1.6 port isolate. 1-5

 

Chapter 1  Access Management Configuration Commands

1.1  Access Management Configuration Commands

1.1.1  am enable

Syntax

am enable

undo am enable

View

System view

Parameter

None

Description

Using am enable command, you can enable the access management function.

Using undo am enable command, you can disable the function.

By default, Access management function disabled.

When using the access management function, It is recommended to cancel the static ARP configuration to ensure that the binding of IP address and Ethernet switch take effect. If you have configured the static ARP for an IP address in the current port IP address pool from some other port, the system will prompt to cancel the static ARP setting.

Example

# Enable the access management function.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] am enable

1.1.2  am ip-pool

Syntax

am ip-pool address-list

undo am ip-pool { all | address-list }

View

Ethernet port view

Parameter

all: Configures to operate on all the IP addresses (or IP address pools).

ip-pool: Configures IP address pool for access management.

address-list: Specifies IP address list in the start-ip-address [ ip-address-number ] & < 1-10 > format. start-ip-address is the start address of an IP address range in the pool. ip-address-number specifies how many IP addresses following start-ip-address in the range. & < 1-10 > means you can specify ten IP address ranges at most.

Description

Using am ip-pool command, you can configure the IP address pool for access management on a port. The packet whose source IP address is in the specified pool is allowed to be forwarded on Layer 3 via the port of the switch.

Using undo am ip-pool command, you can cancel the access management IP pool of the port.

By default, All the IP address pools for access control on the port are null and all the packets are permitted through.

Note that

l           The access control IP address pool of a port and the IP address of the Layer 3 interface to which the port belongs must be on the same network segment.

l           If the IP address pool to be configured contains the IP addresses configured in the static ARP at other ports, then the system prompts you to delete the static ARP to make the later binding effective.

Example

# Configure the access management IP address pool on Ethernet1/0/1 and permits the addresses from 202.112.66.2 through 202.112.66.20 and the specified 202.112.65.1 to access the port.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] am ip-pool 202.112.66.2 19 202.112.65.1

1.1.3  am trap enable

Syntax

am trap enable

undo am trap enable

View

System view

Parameter

None

Description

Using am trap enable command, you can enable the access management trap function.

Using undo am trap enable command, you can disable the access management trap function.

By default, The access management trap disabled.

Example

# Enable the access management trap.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] am trap enable

1.1.4  display am

Syntax

display am [ interface-list ]

View

Any view

Parameter

interface-list: Specifies a list of ports isolated from the specified port in the { interface-type interface-number [ to interface-type interface-number ] } &<1-10> format. interface-type is port type and interface-number is port number. For details about interface-type, interface-number, refer to the Port Command Manual. &<1-10> indicates the preceding parameter can be input up to 10 times.

Description

Using display am command, you can view the current access management configurations on part or all of the ports.

Example

# Display the access management configurations on Ethernet1/0/1 and Ethernet1/0/2.

<H3C> display am ethernet1/0/1 ethernet1/0/2

Ethernet1/0/1

 Status       : enabled

 IP Pools     : (NULL)

Ethernet1/0/2

 Status       : enabled

 IP Pools     : (NULL)

Table 1-1  Description of information generated by the command display am

Field	Description
Ethernet	Port to be displayed
Status	AM state on the port: enabled or disabled
IP Pools	IP pools. NULL represents no configuration. Each IP address section is represented in X.X.X.X (number), of these, “X.X.X.X” represents the first address, and “number” represents that “number” consecutive IP addresses from the beginning of this address are within the IP pools

 

1.1.5  display isolate port

Syntax

display isolate port

View

Any View

Parameter

None

Description

Use the display isolate port command to display information about the Ethernet ports added to the isolation group.

Example

# Display information about the Ethernet ports added to the isolation group.

<H3C> display isolate port

 Isolated port(s) on UNIT 1:

 Ethernet1/0/1

1.1.6  port isolate

Syntax

port isolate

undo port isolate

View

Ethernet port view

Parameter

None

Description

Use the port isolate command to add an Ethernet port to the isolation group.

Use the undo port isolate command to remove an Ethernet port from the isolation group.

By default, the isolation group contains no port.

Example

# Add Ethernet1/0/1, Ethernet1/0/2 to the isolation group.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet1/0/1

[H3C-Ethernet1/0/1] port isolate

[H3C-Ethernet1/0/1] quit

[H3C] interface ethernet1/0/2

[H3C-Ethernet1/0/2] port isolate