H3C Low-End Ethernet Switches Configuration Guide(V1.01)

39-Access Management Configuration Guide

Configuring Access Management

The access management function controls user access on access switches. It lets you control which hosts can access external networks.

The idea is to bind a range of IP addresses to a port by configuring an access management IP address pool on the port. A host connected to the port can access external networks only when its IP address is contained in the address pool.

Note that hosts connected to a port that has no access management IP address pool can access external networks normally only if their IP addresses are not in the access management IP address pool of any other port (if any) on the switch.

Network Diagram

Figure 1-1 Network diagram for access management configuration

 

Networking and Configuration Requirements

Client PCs access the Internet through Switch A. The IP addresses of PCs belonging to organization 1 are in the range of 202.10.20.1/24 to 202.10.20.20/24, the IP address of PC 2 is 202.10.20.100/24, and the IP address of PC 3 is 202.10.20.101/24.

• Permit all the PCs of organization 1 to access the Internet through Ethernet 1/0/1 on Switch A. Ethernet 1/0/1 carries VLAN 1. The IP address assigned to the interface of VLAN 1 is 202.10.20.200/24.

• PCs that do not belong to organization 1, such as PC 2 and PC 3, are not allowed to access the Internet through Ethernet 1/0/1 on Switch A.

Applicable Product Matrix

Product series | Software version | Hardware version
S3600-SI/EI series Ethernet switches | Release 1510, Release 1602 | All versions
S5600 series Ethernet switches | Release 1510, Release 1602 | All versions

Configuration Procedure

# Enable access management on Switch A.

[SwitchA] am enable

# Configure the IP address of VLAN-interface 1 as 202.10.20.200/24.

[SwitchA] interface Vlan-interface 1

[SwitchA-Vlan-interface1] ip address 202.10.20.200 24

[SwitchA-Vlan-interface1] quit

# Configure an access management IP address pool for Ethernet 1/0/1.

[SwitchA] interface Ethernet 1/0/1

[SwitchA-Ethernet1/0/1] am ip-pool 202.10.20.1 20

Complete Configuration

#

 am enable

#

interface Vlan-interface1

 ip address 202.10.20.200 255.255.255.0

#

interface Ethernet1/0/1

 am ip-pool 202.10.20.1 20

#

Precautions

• The IP addresses in the access management IP address pool configured for a port must be on the same segment as the VLAN-interface IP address of the VLAN to which the port belongs.

• If the access management IP address pool to be configured for a port contains an IP address in a static ARP entry of another port, the system will ask you to delete the ARP entry to ensure that the access management IP address pool can take effect.

• To allow only hosts that are bound to a port and whose IP addresses are in the access management IP address pool of the port to access external networks, configure static ARP entries only for IP addresses in the address pool.

Configuring Access Management with Port Isolation

Network Diagram

Figure 1-2 Network diagram for access management and port isolation configuration

 

Networking and Configuration Requirements

Client PCs are connected to the Internet through Switch A. The IP address range for organization 1 is 202.10.20.1/24 to 202.10.20.20/24, and the IP address ranges for organization 2 are 202.10.20.25/24 to 202.10.20.50/24 and 202.10.20.55/24 to 202.10.20.65/24.

• PCs of organization 1 are allowed to access the Internet through Ethernet 1/0/1 of Switch A.

• PCs of organization 2 are allowed to access the Internet through Ethernet 1/0/2 of Switch A.

• Both Ethernet 1/0/1 and Ethernet 1/0/2 belong to VLAN 1, and the IP address of VLAN-interface 1 is 202.10.20.200/24.

• PCs of organization 1 are isolated from those of organization 2 at Layer 2.

Applicable Product Matrix

Product series | Software version | Hardware version
S3600-SI/EI series Ethernet switches | Release 1510, Release 1602 | All versions
S5600 series Ethernet switches | Release 1510, Release 1602 | All versions

Configuration Procedure

# Enable access management on Switch A.

[SwitchA] am enable

# Configure the IP address of VLAN-interface 1 as 202.10.20.200/24.

[SwitchA] interface Vlan-interface 1

[SwitchA-Vlan-interface1] ip address 202.10.20.200 24

[SwitchA-Vlan-interface1] quit

# Configure an access management IP address pool for Ethernet 1/0/1.

[SwitchA] interface Ethernet 1/0/1

[SwitchA-Ethernet1/0/1] am ip-pool 202.10.20.1 20

# Add Ethernet 1/0/1 to the isolation group.

[SwitchA-Ethernet1/0/1] port isolate

[SwitchA-Ethernet1/0/1] quit

# Configure an access management IP address pool for Ethernet 1/0/2.

[SwitchA] interface Ethernet 1/0/2

[SwitchA-Ethernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11

# Add Ethernet 1/0/2 to the isolation group.

[SwitchA-Ethernet1/0/2] port isolate

[SwitchA-Ethernet1/0/2] quit

Complete Configuration

#

 am enable

#

interface Vlan-interface1

 ip address 202.10.20.200 255.255.255.0

#

interface Ethernet1/0/1

 port isolate

 am ip-pool 202.10.20.1 20

#

interface Ethernet1/0/2

 port isolate

 am ip-pool 202.10.20.25 26 202.10.20.55 11

#

Precautions

Refer to the Precautions section under Configuring Access Management for details.
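The following Python example is added here and is not H3C code. It parses a configuration in the "Complete Configuration" format used on this page, applies the admission rule described in Configuring Access Management (including the rule for ports without a pool), and checks the same-segment precaution. The function names and Ethernet1/0/3 are hypothetical, and all ports are assumed to belong to VLAN 1 as in the examples.

```python
import ipaddress

# Constructed input: the am-related lines of this page's port-isolation
# configuration, plus Ethernet1/0/3, a hypothetical port with no pool.
CONFIG = """\
 am enable
interface Vlan-interface1
 ip address 202.10.20.200 255.255.255.0
interface Ethernet1/0/1
 am ip-pool 202.10.20.1 20
interface Ethernet1/0/2
 am ip-pool 202.10.20.25 26 202.10.20.55 11
interface Ethernet1/0/3
"""

def parse(config):
    """Return (am_enabled, vlan_network, {port: [(first_ip, last_ip), ...]})."""
    enabled, network, pools, current = False, None, {}, ""
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["am", "enable"]:
            enabled = True
        elif words[:1] == ["interface"]:
            current = words[1]
            if current.startswith("Ethernet"):
                pools[current] = []
        elif words[:2] == ["ip", "address"] and current.startswith("Vlan"):
            network = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:2] == ["am", "ip-pool"]:
            # Arguments are (start address, address count) pairs.
            for start, count in zip(words[2::2], words[3::2]):
                first = ipaddress.ip_address(start)
                pools[current].append((first, first + int(count) - 1))
    return enabled, network, pools

def permitted(config, port, host):
    """Pooled port: host must be in its pool; else in no other port's pool."""
    _, _, pools = parse(config)
    ip = ipaddress.ip_address(host)
    hit = lambda ranges: any(lo <= ip <= hi for lo, hi in ranges)
    if pools[port]:
        return hit(pools[port])
    return not any(hit(r) for p, r in pools.items() if p != port)

def audit(config):
    """Check the procedure's first step and the same-segment precaution."""
    enabled, network, pools = parse(config)
    bad = [f"{p}: pool {lo}-{hi} is outside {network}" for p, rs in pools.items()
           for lo, hi in rs if lo not in network or hi not in network]
    return ([] if enabled else ["am enable is missing"]) + bad
```

Running `audit` against a saved configuration before deployment surfaces a pool that the same-segment precaution would reject, and `permitted` shows why a host on a port without a pool loses access once its address is added to another port's pool.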

 
