12-Security Command Reference

H3C MSR810[830][2600][3600] Routers Command Reference(V7)-R0821-6W502
25-IP source guard commands

IP source guard commands

The following matrix shows the compatibility of hardware and static IPv4SG:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-LMS, MSR810-LUS, MSR810-LMS-EA, MSR810-LME

¡     MSR2600-6-X1, MSR2600-10-X1

¡     MSR3600-28, MSR3600-51, MSR3600-28-SI, MSR3600-51-SI, MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

¡     MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR3610-I-IG, MSR3610-IE-IG

¡     MSR810-W-WiNet, MSR810-LM-WiNet

¡     MSR830-4LM-WiNet, MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet, MSR830-6BHI-WiNet, MSR830-10BHI-WiNet

¡     MSR2600-6-WiNet, MSR2600-10-X1-WiNet

¡     MSR3600-28-WiNet, MSR2630-XS, MSR3600-28-XS

¡     MSR3610-I-XS, MSR3610-IE-XS, MSR810-LM-GL

¡     MSR810-W-LM-GL

¡     MSR830-6EI-GL, MSR830-10EI-GL, MSR830-6HI-GL, MSR830-10HI-GL

¡     MSR2600-6-X1-GL, MSR3600-28-SI-GL

·     The following Layer 2 interface modules installed on routers:

¡     HMIM-24GSW

¡     HMIM-24GSWP

¡     HMIM-8GSW

¡     HMIM-8GSWF

¡     SIC-4GSW

¡     SIC-4GSWF

¡     SIC-4GSWP

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

The following matrix shows the compatibility of hardware and static IPv6SG:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-LMS, MSR810-LUS, MSR810-LMS-EA, MSR810-LME

¡     MSR2600-6-X1, MSR2600-10-X1

¡     MSR3600-28, MSR3600-51, MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

¡     MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR3610-I-IG, MSR3610-IE-IG

¡     MSR810-W-WiNet, MSR810-LM-WiNet

¡     MSR830-4LM-WiNet, MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet, MSR830-6BHI-WiNet, MSR830-10BHI-WiNet

¡     MSR2600-6-WiNet, MSR2600-10-X1-WiNet

¡     MSR2630-WiNet, MSR2630-XS

¡     MSR3600-28-WiNet, MSR3600-28-XS

¡     MSR3610-I-XS, MSR3610-IE-XS

¡     MSR810-LM-GL, MSR810-W-LM-GL, MSR830-6EI-GL, MSR830-10EI-GL

¡     MSR830-6HI-GL, MSR830-10HI-GL, MSR2600-6-X1-GL

·     The following Layer 2 interface modules installed on routers:

¡     HMIM-24GSW

¡     HMIM-24GSWP

¡     HMIM-8GSW

¡     HMIM-8GSWF

¡     SIC-4GSW

¡     SIC-4GSWF

¡     SIC-4GSWP

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

The following matrix shows the compatibility of hardware and dynamic IPv4SG:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR3600-28, MSR3600-51, MSR3600-28-SI, MSR3600-51-SI, MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP, MSR3600-28-WiNet, MSR3600-28-XS, MSR3600-28-SI-GL

·     The following Layer 2 interface modules installed on routers:

¡     HMIM-24GSW

¡     HMIM-24GSWP

¡     HMIM-8GSW

¡     HMIM-8GSWF

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

The following matrix shows the compatibility of hardware and dynamic IPv6SG:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR3600-28, MSR3600-51, MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP, MSR3600-28-WiNet, MSR3600-28-XS

·     The following Layer 2 interface modules installed on routers:

¡     HMIM-24GSW

¡     HMIM-24GSWP

¡     HMIM-8GSW

¡     HMIM-8GSWF

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

display ip source binding

Use display ip source binding to display IPv4SG bindings.

Syntax

In standalone mode:

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping | dot1x | wlan-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ]

In IRF mode:

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping | dot1x | wlan-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

static: Displays static IPv4SG bindings.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display dynamic IPv4SG bindings for the public network, do not specify a VPN instance.

dhcp-relay: Specifies the DHCP relay agent module.

dhcp-server: Specifies the DHCP server module.

dhcp-snooping: Specifies the DHCP snooping module.

dot1x: Specifies the 802.1X module. To display dynamic IPv4SG bindings generated based on the 802.1X module, you must also specify the slot through which 802.1X users access the network.

wlan-snooping: Specifies the WLAN snooping module.

ip-address ip-address: Specifies an IPv4 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4SG bindings for the master device. (In IRF mode.)

Examples

# Display all IPSG bindings on the public network.

<Sysname> display ip source binding

Total entries found: 5

IP Address      MAC Address    Interface                VLAN Type

10.1.0.5        040a-0000-4000 GE1/0/1                  1    DHCP snooping

10.1.0.6        040a-0000-3000 GE1/0/1                  1    DHCP snooping

10.1.0.7        040a-0000-2000 GE1/0/1                  1    DHCP snooping

10.1.0.8        040a-0000-1000 GE1/0/2                  N/A  DHCP relay

10.1.0.9        040a-0000-2000 GE1/0/2                  N/A  Static

Table 1 Command output

Field: Description

Total entries found: Total number of IPv4SG bindings.

IP Address: IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC Address: MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface: Interface of the binding. This field displays N/A for a global IPv4SG binding.

VLAN: VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A.

Type: IPSG binding type:

·     Static—Manually configured by using the ip source binding command. Static bindings are for packet filtering in IPSG or used by other modules to provide security services.

·     802.1X—Dynamically generated based on 802.1X. The binding is for packet filtering in IPSG.

·     DHCP relay—Dynamically generated based on DHCP relay agent. The binding is for packet filtering in IPSG.

·     DHCP server—Dynamically generated based on DHCP server. The binding is used by other modules to provide security services.

·     DHCP snooping—Dynamically generated based on DHCP snooping. The binding is for packet filtering in IPSG.

·     WLAN snooping—Dynamically generated based on WLAN snooping. The binding is used by other modules to provide security services.

 

Related commands

ip source binding

ip verify source
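The following Python script is an added example, not part of the H3C reference. It parses captured display ip source binding output into records and flags two things worth a manual look: a capture whose row count disagrees with the Total entries found line, and a MAC address that appears in more than one binding. The function names are hypothetical, the capture is the sample output above embedded as constructed input, and only the single-line IPv4 table layout is handled.

```python
import re
from collections import defaultdict

# Constructed capture: the sample output from the Examples above.
SAMPLE = """\
<Sysname> display ip source binding
Total entries found: 5
IP Address      MAC Address    Interface                VLAN Type
10.1.0.5        040a-0000-4000 GE1/0/1                  1    DHCP snooping
10.1.0.6        040a-0000-3000 GE1/0/1                  1    DHCP snooping
10.1.0.7        040a-0000-2000 GE1/0/1                  1    DHCP snooping
10.1.0.8        040a-0000-1000 GE1/0/2                  N/A  DHCP relay
10.1.0.9        040a-0000-2000 GE1/0/2                  N/A  Static
"""

# One table row: IP, MAC (H-H-H), interface, VLAN, then the type (may contain spaces).
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|N/A)\s+"
    r"(?P<mac>[0-9a-fA-F]{1,4}(?:-[0-9a-fA-F]{1,4}){2}|N/A)\s+"
    r"(?P<interface>\S+)\s+(?P<vlan>\d+|N/A)\s+(?P<type>.+?)\s*$"
)

def parse_bindings(text):
    """Return (declared_total, rows); a field displayed as N/A becomes None."""
    declared, rows = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Total entries found:\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW.match(line.strip())
        if m:
            row = {k: (None if v == "N/A" else v) for k, v in m.groupdict().items()}
            if row["mac"]:
                row["mac"] = row["mac"].lower()
            rows.append(row)
    return declared, rows

def audit(text):
    """Return a list of findings that deserve a manual review."""
    declared, rows = parse_bindings(text)
    findings = []
    if declared is not None and declared != len(rows):
        findings.append(f"capture incomplete: header says {declared}, parsed {len(rows)}")
    by_mac = defaultdict(list)
    for r in rows:
        if r["mac"]:
            by_mac[r["mac"]].append(r)
    for mac, group in sorted(by_mac.items()):
        if len({(r["ip"], r["interface"]) for r in group}) > 1:
            where = ", ".join(f'{r["ip"]}@{r["interface"]} ({r["type"]})' for r in group)
            findings.append(f"MAC {mac} appears in {len(group)} bindings: {where}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample output, the only finding is MAC 040a-0000-2000, which is bound both by DHCP snooping on GE1/0/1 and statically on GE1/0/2.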

display ipv6 source binding

Use display ipv6 source binding to display IPv6SG bindings.

Syntax

In standalone mode:

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping | wlan-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ]

In IRF mode:

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping | wlan-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

static: Displays static IPv6SG bindings.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display dynamic IPv6SG bindings for the public network, do not specify a VPN instance.

dhcpv6-snooping: Specifies the DHCPv6 snooping module.

wlan-snooping: Specifies the WLAN snooping module.

ip-address ipv6-address: Specifies an IPv6 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6SG bindings for the master device. (In IRF mode.)

Examples

# Display all IPv6SG bindings on the public network.

<Sysname> display ipv6 source binding

Total entries found: 2

IPv6 Address         MAC Address    Interface               VLAN Type

2012:1222:2012:1222: 000f-2202-0435 GE1/0/1                 1    DHCPv6 snooping

2012:1222:2012:1222

2012:1222:2012:1222: 000f-2202-0436 GE1/0/1                 N/A  Static

2012:1222:2012:1223

Table 2 Command output

Field: Description

Total entries found: Total number of IPv6SG bindings.

IPv6 Address: IPv6 address in the IPv6SG binding. If no IPv6 address is bound in the binding, this field displays N/A.

MAC Address: MAC address in the IPv6SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface: Interface of the IPv6SG binding. This field displays N/A for a global IPv6SG binding.

VLAN: VLAN information in the IPv6SG binding. If the binding contains no VLAN information, this field displays N/A.

Type: Type of the IPv6SG binding:

·     Static—Manually configured by using the ipv6 source binding command. Static bindings are for packet filtering in IPv6SG or used by other modules to provide security services.

·     DHCPv6 snooping—Dynamically generated based on DHCPv6 snooping. The binding is for packet filtering in IPv6SG.

·     WLAN snooping—Dynamically generated based on WLAN snooping. The binding is used by other modules to provide security services.

 

Related commands

ipv6 source binding

ipv6 verify source

ip source binding (interface view)

Use ip source binding to configure a static IPv4SG binding on an interface.

Use undo ip source binding to delete the static IPv4SG bindings configured on an interface.

Syntax

ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address }

undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address }

Default

No static IPv4SG bindings are configured on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

all: Removes all static IPv4SG bindings on the interface.

ip-address ip-address: Specifies an IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x or 0.0.0.0.

The following matrix shows the compatibility of hardware and this option:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR3600-28, MSR3600-28-SI, MSR3600-28-SI-GL, MSR3600-28-XS, MSR3600-28-WiNet, MSR3600-28-X1, MSR3600-28-X1-DP

¡     MSR3600-51, MSR3600-51-SI, MSR3600-51-X1, MSR3600-51-X1-DP

·     The following Layer 2 interface modules installed on routers:

¡     HMIM-24GSW

¡     HMIM-24GSWP

¡     HMIM-8GSW

¡     HMIM-8GSWF

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

Usage guidelines

Static IPv4SG bindings on an interface implement the following functions:

·     Filter incoming IPv4 packets on the interface.

·     Check user validity by cooperating with the ARP attack detection feature.

Examples

# Configure a static IPv4SG binding on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001

Related commands

display ip source binding

ip source binding (system view)

ip verify source

Use ip verify source to enable IPv4SG on an interface.

Use undo ip verify source to disable IPv4SG on an interface.

Syntax

ip verify source { ip-address | ip-address mac-address | mac-address }

undo ip verify source

Default

The IPv4SG feature is disabled on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ip-address: Filters incoming packets by source IPv4 addresses.

ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.

mac-address: Filters incoming packets by source MAC addresses.

Usage guidelines

After you enable IPv4SG on an interface, this feature uses static and dynamic IPv4SG bindings to match incoming packets on the interface. Packets that match an IPv4SG binding are forwarded and packets that do not match any IPv4SG binding are discarded.

The matching criterion specified by this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.

Examples

# Enable IPv4SG on Layer 2 Ethernet interface GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip verify source ip-address mac-address

Related commands

display ip source binding
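The following Python model is an added example, not Comware code or part of the H3C reference. It illustrates the usage guidelines above: a packet is forwarded only if it matches a binding, the ip verify source keyword selects which fields are compared for dynamic bindings, and static bindings are unaffected by that keyword. It assumes that a static binding is compared on exactly the fields it was configured with; all names, bindings and packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: Optional[str]    # None if the binding carries no IP (displayed as N/A)
    mac: Optional[str]   # None if the binding carries no MAC (displayed as N/A)
    static: bool         # True: ip source binding; False: dynamic (e.g. DHCP snooping)

# Fields compared against dynamic bindings for each ip verify source keyword.
CRITERIA = {
    "ip-address": ("ip",),
    "ip-address mac-address": ("ip", "mac"),
    "mac-address": ("mac",),
}

def compared_fields(binding, criterion):
    if binding.static:
        # Assumption: a static binding is matched on the fields it was configured with.
        return tuple(f for f in ("ip", "mac") if getattr(binding, f) is not None)
    return CRITERIA[criterion]

def permits(bindings, criterion, src_ip, src_mac):
    """True if the packet matches any binding (forwarded), False if discarded."""
    packet = {"ip": src_ip, "mac": src_mac.lower()}
    for b in bindings:
        fields = compared_fields(b, criterion)
        if fields and all(getattr(b, f) == packet[f] for f in fields):
            return True
    return False

# Constructed binding table for one interface.
BINDINGS = [
    Binding("10.1.0.5", "040a-0000-4000", static=False),    # DHCP snooping entry
    Binding("192.168.0.1", "0001-0001-0001", static=True),  # ip + mac static binding
    Binding("192.168.0.2", None, static=True),              # ip-only static binding
]

# Constructed packets: (label, source IP, source MAC).
PACKETS = [
    ("dynamic host, correct IP and MAC", "10.1.0.5", "040a-0000-4000"),
    ("dynamic host MAC, different IP", "10.1.0.99", "040a-0000-4000"),
    ("static IP, different MAC", "192.168.0.1", "0009-0009-0009"),
    ("ip-only static IP, any MAC", "192.168.0.2", "0009-0009-0009"),
]

def decisions(criterion):
    """Map each sample packet label to 'forward' or 'discard'."""
    return {label: "forward" if permits(BINDINGS, criterion, ip, mac) else "discard"
            for label, ip, mac in PACKETS}

if __name__ == "__main__":
    for criterion in CRITERIA:
        print(criterion, decisions(criterion))
```

Only the second packet changes outcome between keywords: it is forwarded under mac-address and discarded under the other two, while both static-binding outcomes stay the same under every keyword.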

ipv6 source binding (interface view)

Use ipv6 source binding to configure a static IPv6SG binding.

Use undo ipv6 source binding to delete the static IPv6SG bindings configured on an interface.

Syntax

ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address }

undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address }

Default

No static IPv6SG bindings exist on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

all: Removes all the static IPv6SG bindings on the interface.

ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.

The following matrix shows the compatibility of hardware and this option:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR3600-28, MSR3600-51, MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP, MSR3600-28-SI, MSR3600-51-SI, MSR3600-28-WiNet, MSR3600-28-XS, MSR3600-28-SI-GL

·     The following Layer 2 interface modules installed on routers:

¡     HMIM-24GSW

¡     HMIM-24GSWP

¡     HMIM-8GSW

¡     HMIM-8GSWF

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

The following matrix shows the compatibility of hardware and this option:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-LMS, MSR810-LUS, MSR810-LMS-EA, MSR810-LME

¡     MSR2600-6-X1, MSR2600-10-X1

¡     MSR3600-28, MSR3600-51, MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

¡     MSR810-W-WiNet, MSR810-LM-WiNet, MSR830-4LM-WiNet, MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet, MSR830-6BHI-WiNet, MSR830-10BHI-WiNet, MSR3600-28-WiNet, MSR2600-6-WiNet, MSR2600-10-X1-WiNet

¡     MSR2630-XS, MSR3600-28-XS

¡     MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR3610-I-XS, MSR3610-IE-XS

¡     MSR810-LM-GL, MSR810-W-LM-GL

¡     MSR830-6EI-GL, MSR830-10EI-GL, MSR830-6HI-GL, MSR830-10HI-GL, MSR2600-6-X1-GL

·     The following Layer 2 interface modules installed on routers:

¡     SIC-4GSW

¡     SIC-4GSWF

¡     SIC-4GSWP

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

Usage guidelines

Static IPv6SG bindings on an interface filter incoming IPv6 packets, and check user validity by cooperating with the ND attack detection feature.

Examples

# Configure a static IPv6SG binding on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002

Related commands

display ipv6 source binding

ipv6 source binding (system view)

ipv6 verify source

Use ipv6 verify source to enable IPv6SG on an interface.

Use undo ipv6 verify source to disable IPv6SG on an interface.

Syntax

ipv6 verify source { ip-address | ip-address mac-address | mac-address }

undo ipv6 verify source

Default

The IPv6SG feature is disabled on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ip-address: Filters incoming packets by source IPv6 addresses.

ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.

mac-address: Filters incoming packets by source MAC addresses.

Usage guidelines

After you enable IPv6SG on an interface, this feature uses static and dynamic IPv6SG bindings to match incoming packets on the interface. Packets that match an IPv6SG binding are forwarded and packets that do not match any IPv6SG binding are discarded.

The matching criterion specified by this command applies only to dynamic IPv6SG. Static IPv6SG uses static bindings configured by using the ipv6 source binding command.

Examples

# Enable IPv6SG on Layer 2 Ethernet interface GigabitEthernet 1/0/1 and verify the source IPv6 address and MAC address for dynamic IPv6SG.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address

Related commands

display ipv6 source binding

 

 

 
