- H3C Low-End Ethernet Switches Configuration Guide(V1.01)
1 Access Management Configuration Guide
Configuring Access Management
The access management function is designed to control user access on access switches. It allows you to control the access of hosts to external networks.
The idea is to bind a range of IP addresses to a port by configuring an access management IP address pool on the port. A host connected to the port can access external networks only when its IP address is contained in the address pool.
Note that hosts connected to a port that has no access management IP address pool can access external networks normally only if their IP addresses are not in the access management IP address pool of any other port (if any) on the switch.
Network Diagram
Figure 1-1 Network diagram for access management configuration
Networking and Configuration Requirements
Client PCs access the Internet through Switch A. The IP addresses of PCs belonging to organization 1 are in the range of 202.10.20.1/24 to 202.10.20.20/24, the IP address of PC 2 is 202.10.20.100/24, and the IP address of PC 3 is 202.10.20.101/24.
- Permit all the PCs of organization 1 to access the Internet through Ethernet 1/0/1 on Switch A. Ethernet 1/0/1 carries VLAN 1. The IP address assigned to the interface of VLAN 1 is 202.10.20.200/24.
Applicable Product Matrix
Product series | Software version | Hardware version |
---|---|---|
S3600-SI/EI series Ethernet switches | Release 1510, Release 1602 | All versions |
S5600 series Ethernet switches | Release 1510, Release 1602 | All versions |
Configuration Procedure
# Enable access management on Switch A.
[SwitchA] am enable
# Configure the IP address of VLAN-interface 1 as 202.10.20.200/24.
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address 202.10.20.200 24
[SwitchA-Vlan-interface1] quit
# Configure an access management IP address pool for Ethernet 1/0/1.
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] am ip-pool 202.10.20.1 20
Complete Configuration
#
am enable
#
interface Vlan-interface1
ip address 202.10.20.200 255.255.255.0
#
interface Ethernet1/0/1
am ip-pool 202.10.20.1 20
#
Precautions
- The IP addresses in the access management IP address pool configured for a port must be on the same segment as the VLAN-interface IP address of the VLAN to which the port belongs.
- If the access management IP address pool to be configured for a port contains an IP address in a static ARP entry of another port, the system will ask you to delete the ARP entry to ensure that the access management IP address pool can take effect.
- To allow only the hosts bound with a port and with their IP addresses in the access management IP address pool of the port to access external networks, configure static ARP entries only for IP addresses in the address pool.
Configuring Access Management with Port Isolation
Network Diagram
Figure 1-2 Network diagram for access management and port isolation configuration
Networking and Configuration Requirements
Client PCs are connected to the Internet through Switch A. The IP address range for organization 1 is 202.10.20.1/24 to 202.10.20.20/24, and the IP address ranges for organization 2 are 202.10.20.25/24 to 202.10.20.50/24 and 202.10.20.55/24 to 202.10.20.65/24.
- PCs of organization 1 are allowed to access the Internet through Ethernet 1/0/1 of Switch A.
- PCs of organization 2 are allowed to access the Internet through Ethernet 1/0/2 of Switch A.
- Both Ethernet 1/0/1 and Ethernet 1/0/2 belong to VLAN 1, and the IP address of VLAN-interface 1 is 202.10.20.200/24.
- PCs of organization 1 are isolated from those of organization 2 at Layer 2.
Applicable Product Matrix
Product series | Software version | Hardware version |
---|---|---|
S3600-SI/EI series Ethernet switches | Release 1510, Release 1602 | All versions |
S5600 series Ethernet switches | Release 1510, Release 1602 | All versions |
Configuration Procedure
# Enable access management on Switch A.
[SwitchA] am enable
# Configure the IP address of VLAN-interface 1 as 202.10.20.200/24.
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address 202.10.20.200 24
[SwitchA-Vlan-interface1] quit
# Configure an access management IP address pool for Ethernet 1/0/1.
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] am ip-pool 202.10.20.1 20
# Add Ethernet 1/0/1 to the isolation group.
[SwitchA-Ethernet1/0/1] port isolate
[SwitchA-Ethernet1/0/1] quit
# Configure an access management IP address pool for Ethernet 1/0/2.
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11
# Add Ethernet 1/0/2 to the isolation group.
[SwitchA-Ethernet1/0/2] port isolate
[SwitchA-Ethernet1/0/2] quit
Complete Configuration
#
am enable
#
interface Vlan-interface1
ip address 202.10.20.200 255.255.255.0
#
interface Ethernet1/0/1
port isolate
am ip-pool 202.10.20.1 20
#
interface Ethernet1/0/2
port isolate
am ip-pool 202.10.20.25 26 202.10.20.55 11
#
Precautions
Refer to the Precautions under Configuring Access Management for details.
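The pool rules described in this guide can be checked offline against a saved configuration before it is applied. The following Python example is added here and is not H3C code: it parses the Complete Configuration of the port isolation example, checks the first precaution (every pool lies on the VLAN-interface segment), and applies the access rule, including the note about ports that have no pool. It assumes am enable is present and that each pool is written as a start address followed by a count, as on this page; the function names and the port Ethernet1/0/3 used in testing are hypothetical.

```python
import ipaddress

# Complete Configuration of the port isolation example, copied from this page.
CONFIG = """#
am enable
#
interface Vlan-interface1
ip address 202.10.20.200 255.255.255.0
#
interface Ethernet1/0/1
port isolate
am ip-pool 202.10.20.1 20
#
interface Ethernet1/0/2
port isolate
am ip-pool 202.10.20.25 26 202.10.20.55 11
#"""

def parse(config):
    """Return (vlan_subnet, {port: [(first_ip, last_ip), ...]})."""
    subnet, pools, iface = None, {}, ""
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if line.startswith("interface "):
            iface = words[1]
        elif line.startswith("ip address ") and iface.startswith("Vlan-interface"):
            subnet = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif line.startswith("am ip-pool "):
            # Assumed syntax, as on the page: <start address> <count> pairs.
            for start, count in zip(words[2::2], words[3::2]):
                first = ipaddress.ip_address(start)
                pools.setdefault(iface, []).append((first, first + int(count) - 1))
    return subnet, pools

def segment_issues(config):
    """Precaution 1: every pool must lie in the VLAN-interface segment."""
    subnet, pools = parse(config)
    return [f"{port}: {lo}-{hi} outside {subnet}" for port, rs in pools.items()
            for lo, hi in rs if lo not in subnet or hi not in subnet]

def permitted(config, port, host):
    """Can `host`, attached to `port`, reach external networks?"""
    _, pools = parse(config)
    ip = ipaddress.ip_address(host)
    if port in pools:
        return any(lo <= ip <= hi for lo, hi in pools[port])
    # Port with no pool: blocked if the address is in any other port's pool.
    return not any(lo <= ip <= hi for rs in pools.values() for lo, hi in rs)
```

Running segment_issues on a candidate configuration catches a pool typed onto the wrong segment, and permitted shows which addresses a port will actually pass, including the gaps between organization 2's two ranges.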