S5510 Series

H3C S5510 Series, S3610 Series Operating instructions

  • Hello! I am an AI chatbot trained to assist you with the H3C S5510 Series Operating instructions. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
  • What is MAC-IP-Port Binding and how does it enhance security?
    How can I configure MAC-IP-Port Binding on my H3C S5510 Series switch?
    Can I bind a MAC address with multiple IP addresses?
    Can I bind a MAC-IP pair to multiple ports?
    What are some restrictions on MAC-IP-Port Binding configuration?
Operation Manual – MAC-IP-Port Binding
H3C S3610&S5510 Series Ethernet Switches Table of Contents
i
Table of Contents
Chapter 1 MAC-IP-Port Binding Configuration ..........................................................................1-1
1.1 MAC-IP-Port Binding Overview .........................................................................................1-1
1.2 Configuring MAC-IP-Port Binding......................................................................................1-1
1.3 Displaying and Maintaining MAC-IP-Port Binding.............................................................1-2
1.4 MAC-IP-Port Binding Configuration Example....................................................................1-2
Operation Manual – MAC-IP-Port Binding
H3C S3610&S5510 Series Ethernet Switches Chapter 1
MAC-IP-Port Binding Configuration
1-1
Chapter 1 MAC-IP-Port Binding Configuration
1.1 MAC-IP-Port Binding Overview
MAC-IP-port binding allows a device to filter packets and thus enhance security. With
MAC-IP-port binding configured, a port checks whether the source MAC and IP
addresses of an inbound packet is identical to the configured MAC-to-IP binding on the
port. If so, it forwards the packet; otherwise, it discards the packet.
1.2 Configuring MAC-IP-Port Binding
Follow these steps to configure MAC-IP-port binding:
To do… Use the command… Remarks
Enter system view
system-view
Bind a MAC-IP
address pair to
multiple ports
user-bind mac-addr mac-address
ip-addr ip-address interface
interface-list
interface interface-type
interface-number
Configu
re
MAC-IP
-port
binding
Bind a MAC-IP
address pair to
the current
port
user-bind mac-addr mac-address
ip-addr ip-address
Required
Use either
approach.
Caution:
z The port in an aggregation group does not support MAC-IP-Port binding
configuration.
z S3610&S5510 Series Ethernet Switches differentiate binding through “MAC
address + IP address + port”. You can bind a MAC address with only one IP address
and vice versa. However, you can bind a MAC-IP pair to multiple ports.
z MAC-IP-port binding is on a per-port basis, that is, a port with MAC-IP-port binding
enabled filters packets independently; it does not affect any other port.
z The MAC address to be bound cannot be all 0s, all Fs, or a multicast address. The
IP address can only be a Class A, Class B, or Class C address and can neither be
127.x.x.x nor 0.0.0.0.
Operation Manual – MAC-IP-Port Binding
H3C S3610&S5510 Series Ethernet Switches Chapter 1
MAC-IP-Port Binding Configuration
1-2
1.3 Displaying and Maintaining MAC-IP-Port Binding
To do… Use the command… Remarks
Display the MAC-IP-port binding
entries configured on all ports
display user-bind
Display the MAC-IP-port binding
entries configured on all ports for a
specified MAC address
display user-bind
mac-addr mac-address
Display the MAC-IP-port binding
entries configured on all ports for a
specified IP address
display user-bind
ip-addr ip-address
Display the MAC-IP-port binding
entries configured on specified ports
display user-bind
interface interface-list
Available in
any view
1.4 MAC-IP-Port Binding Configuration Example
I. Network Requirements
As shown in Figure 1-1, switches LSA and LSB and data terminals DT1, DT2, and DT3
are on an Ethernet. DT1 and DT2 are connected to ports Ethernet 1/0/4 and Ethernet
1/0/5 of LSB respectively, DT3 is connected to port Ethernet 1/0/4 of LSA, while LSB is
connected to port Ethernet 1/0/5 of LSA.
Detailed requirements are as follows:
z On port Ethernet 1/0/4 of LSA, only IP packets with the source MAC address of
00-01-02-03-04-05 and the source IP address of 192.168.0.3 can pass.
z On port Ethernet 1/0/5 of LSA, only IP packets with the source MAC address of
00-01-02-03-04-06 and the source IP address of 192.168.0.1 can pass.
z On port Ethernet 1/0/4 of LSB, only IP packets with the source MAC address of
00-01-02-03-04-06 and the source IP address of 192.168.0.1 can pass.
z On port Ethernet 1/0/5 of LSB, only IP packets with the source MAC address of
00-01-02-03-04-07 and the source IP address of 192.168.0.2 can pass.
Operation Manual – MAC-IP-Port Binding
H3C S3610&S5510 Series Ethernet Switches Chapter 1
MAC-IP-Port Binding Configuration
1-3
II. Network Diagram
PC
PC
PC
LSA
LSB
DT3
MAC 0
IP 192
to inte
DT2
MAC 00-01-02- 03-04-
IP 192.168.0.2
to interface Ethernet
DT1
MAC 00-01-02-03-04-06
IP 192.168.0.1
to interface Ethernet1/0/4
Ethernet1/0/4
Ethernet1/0/5
Ethernet1/0/5 Ethernet1/0/4
0-01-0 2-03-04-0 5
.168.0.3
rface Ethernet1/0/4
0 7
1/0/5
PC
PC
PC
LSA
LSB
DT3
MAC 0
IP 192
to inte
DT2
MAC 00-01-02-03-04-
IP 192.168.0.2
to interface Ethernet
DT1
MAC 00-01-02-03-04-06
IP 192.168.0.1
to interface Ethernet1/0/4
Ethernet1/0/4
Ethernet1/0/5
Ethernet1/0/5 Ethernet1/0/4
0-01-0 2-03-04-0 5
.168.0.3
rface Ethernet1/0/4
0 7
1/0/5
PC
PC
PC
LSA
LSB
DT3
MAC 0
IP 192
to inte
DT2
MAC 00-01-02-03-04-
IP 192.168.0.2
to interface Ethernet
DT1
MAC 00-01-02-03-04-06
IP 192.168.0.1
to interface Ethernet1/0/4
Ethernet1/0/4
Ethernet1/0/5
Ethernet1/0/5 Ethernet1/0/4
0-01-0 2-03-04-0 5
.168.0.3
rface Ethernet1/0/4
0 7
1/0/5
g
Figure 1-1
Network diagram for MAC-IP-port bindin
III. Configuration Procedure
1) Configure LSA
# Configure port Ethernet 1/0/4 of LSA to allow only IP packets with the source MAC
address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 to pass.
<Sysname> system-view
[Sysname] interface ethernet 1/0/4
[Sysname-Ethernet1/0/4] user-bind mac-addr 0001-0203-0405 ip-addr
192.168.0.3
[Sysname-Ethernet1/0/4] quit
# Configure port Ethernet 1/0/5 of LSA to allow only IP packets with the source MAC
address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
[Sysname] interface ethernet 1/0/5
[Sysname-Ethernet1/0/5] user-bind mac-addr 0001-0203-0406 ip-addr
192.168.0.1
2) Configure LSB
# Configure port Ethernet 1/0/4 of LSB to allow only IP packets with the source MAC
address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
<Sysname> system-view
[Sysname] user-bind mac-addr 0001-0203-0406 ip-addr 192.168.0.1 interface
ethernet 1/0/4
# Configure port Ethernet1/0/5 of LSB to allow only IP packets with the source MAC
address of 00-01-02-03-04-07 and the source IP address of 192.168.0.2 to pass.
Operation Manual – MAC-IP-Port Binding
H3C S3610&S5510 Series Ethernet Switches Chapter 1
MAC-IP-Port Binding Configuration
1-4
[Sysname] user-bind mac-addr 0001-0203-0407 ip-addr 192.168.0.2 interface
ethernet 1/0/5
/