10-IP Source Guard Commands
Syntax
display ip check source [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ]
View
Any view
Default Level
1: Monitor level
Parameters
interface interface-type interface-number: Displays the dynamic binding entries of the interface specified by its type and number.
ip-address ip-address: Displays the dynamic binding entries of an IP address.
mac-address mac-address: Displays the dynamic binding entries of a MAC address (in the format of H-H-H).
slot slot-number: Displays the dynamic binding entries on the specified member device of the IRF virtual device. slot-number is the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.
Description
Use the display ip check source command to display dynamic IP source guard binding entries.
Note that:
- For non-IRF devices, with no parameters specified, the command displays the dynamic IP source guard binding entries of all interfaces.
- For IRF virtual devices, with no interface number or slot number specified, the command displays the dynamic IP source guard binding entries of all interfaces on all IRF virtual devices (including Layer 2 Ethernet ports and VLAN interfaces).
Related commands: ip check source.
Examples
# Display all dynamic IP source guard binding entries.
<Sysname> display ip check source
Total entries found: 2
MAC IP Vlan Port Status
040a-0000-4000 10.1.0.9 2 GigabitEthernet1/0/1 DHCP-SNP
040a-0000-2000 10.1.0.7 2 GigabitEthernet1/0/1 DHCP-SNP
Table 1-1 display ip check source command output description
| Field | Description |
| --- | --- |
| Total entries found | Total number of entries found |
| MAC | MAC address of the dynamic binding entry. N/A means that no MAC address is bound in the entry. |
| IP | IP address of the dynamic binding entry. N/A means that no IP address is bound in the entry. |
| Vlan | VLAN to which the obtained binding entry belongs. N/A means that no VLAN is bound in the entry. |
| Port | Port to which the dynamic binding entry is applied |
| Status | How the dynamic binding entry was obtained |
Syntax
display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ]
View
Any view
Default Level
1: Monitor level
Parameters
interface interface-type interface-number: Displays the static binding entries of the interface specified by its type and number.
ip-address ip-address: Displays the static binding entries of an IP address.
mac-address mac-address: Displays the static binding entries of a MAC address (in the format of H-H-H).
Description
Use the display user-bind command to display static IP source guard binding entries.
With no options specified, the command displays static IP source guard binding entries of all interfaces.
Related commands: user-bind.
Examples
# Display all static IP source guard binding entries.
<Sysname> display user-bind
Total entries found: 4
MAC IP Vlan Port Status
N/A 1.1.1.1 N/A GigabitEthernet1/0/1 Static
0001-0001-0001 2.2.2.2 200 GigabitEthernet1/0/1 Static
0003-0003-0003 N/A N/A GigabitEthernet1/0/1 Static
0004-0004-0004 4.4.4.4 N/A GigabitEthernet1/0/1 Static
Table 1-2 display user-bind command output description
| Field | Description |
| --- | --- |
| Total entries found | Total number of found entries |
| MAC | MAC address of the binding entry. N/A means that no MAC address is bound in the entry. |
| IP | IP address of the binding entry. N/A means that no IP address is bound in the entry. |
| Vlan | VLAN of the binding entry. N/A means that no VLAN is bound in the entry. |
| Port | Port of the binding entry |
| Status | Type of the binding entry. Static means that the binding entry is manually configured. |
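The output of display user-bind and display ip check source shares one column layout, so a saved capture can be audited mechanically. The Python below is an added example, not part of the original command reference: it checks the row count against the Total entries found line and lists entries that do not bind both an IP and a MAC address. The function names are hypothetical, and the sample is the display user-bind example above with its columns re-spaced.

```python
import re

# Sample: the display user-bind example output from this page, re-spaced.
SAMPLE = """\
Total entries found: 4
MAC             IP        Vlan  Port                  Status
N/A             1.1.1.1   N/A   GigabitEthernet1/0/1  Static
0001-0001-0001  2.2.2.2   200   GigabitEthernet1/0/1  Static
0003-0003-0003  N/A       N/A   GigabitEthernet1/0/1  Static
0004-0004-0004  4.4.4.4   N/A   GigabitEthernet1/0/1  Static
"""

MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{1,4}-){2}[0-9a-fA-F]{1,4}$")
FIELDS = ("mac", "ip", "vlan", "port", "status")


def parse_bindings(text):
    """Return (declared_total, entries); N/A fields become None."""
    declared, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Total entries found:\s*(\d+)$", line)
        if m:
            declared = int(m.group(1))
            continue
        cols = line.split()
        # Data rows have five columns and start with a MAC address or N/A;
        # this skips the header row and any CLI prompt lines in the capture.
        if len(cols) != 5 or not (cols[0] == "N/A" or MAC_RE.match(cols[0])):
            continue
        entries.append({k: (None if v == "N/A" else v) for k, v in zip(FIELDS, cols)})
    return declared, entries


def audit(text):
    """Report a row-count mismatch and entries lacking an IP or a MAC."""
    declared, entries = parse_bindings(text)
    findings = []
    if declared is not None and declared != len(entries):
        findings.append(f"capture incomplete: header says {declared}, parsed {len(entries)}")
    for e in entries:
        missing = [f for f in ("ip", "mac") if e[f] is None]
        if missing:
            bound = e["ip"] or e["mac"]
            findings.append(f"{e['port']}: entry {bound} has no {'/'.join(missing)} bound")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```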
Syntax
ip check source { ip-address | ip-address mac-address | mac-address }
undo ip check source
View
Ethernet interface view, VLAN interface view
Default Level
2: System level
Parameters
ip-address: Binds the source IP address to the port.
ip-address mac-address: Binds the source IP address and MAC address to the port.
mac-address: Binds the source MAC address to the port.
Description
Use the ip check source command to configure the dynamic IP source guard binding function on a port.
Use the undo ip check source command to restore the default.
By default, the dynamic IP source guard binding function is disabled.
Note that you cannot configure the dynamic binding function on a port that is in an aggregation group.
Related commands: display ip check source.
Examples
# Configure dynamic IP source guard binding of packet source IP address and MAC address on Layer 2 Ethernet port GigabitEthernet 1/0/1 to filter packets based on the dynamically generated DHCP snooping entries.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ip check source ip-address mac-address
# Configure dynamic IP source guard binding of packet source IP address and MAC address on VLAN-interface 100 to filter packets based on the dynamically generated DHCP relay entries.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ip check source ip-address mac-address
Syntax
user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
View
Layer-2 Ethernet interface view
Default Level
2: System level
Parameters
ip-address ip-address: Specifies the IP address for the static binding entry. The IP address can only be a Class A, Class B, or Class C address and can be neither 127.x.x.x nor 0.0.0.0.
mac-address mac-address: Specifies the MAC address for the static binding entry in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies the VLAN for the static binding entry. vlan-id is the ID of the VLAN to be bound, in the range 1 to 4094.
Description
Use the user-bind command to configure a static IP source guard binding entry.
Use the undo user-bind command to delete a static IP source guard binding entry.
By default, no static IP source guard binding entry exists on a port.
Note that:
- You cannot configure the same static binding entry on a port multiple times, but you can configure the same static entry on different ports.
- You cannot configure a static binding entry on a port that is in an aggregation group or a service loopback group.
Related commands: display user-bind.
Examples
# Configure a static IP source guard binding entry on port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0001-0001
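When static entries are generated from an inventory, the parameter rules above can be enforced before anything is pushed to a device. The Python below is an added example, not part of the original command reference: it validates the IP address, MAC address and VLAN ID against the stated constraints and emits a user-bind line. The function names are hypothetical, the IP rule is a literal reading of the parameter description, and each H in H-H-H is assumed to be one to four hex digits.

```python
import ipaddress
import re


def check_ip(ip):
    """Class A, B or C only; neither 127.x.x.x nor 0.0.0.0."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError if malformed
    first = int(addr) >> 24
    if first > 223:
        raise ValueError(f"{ip}: not a Class A, B or C address")
    if first == 127 or int(addr) == 0:
        raise ValueError(f"{ip}: 127.x.x.x and 0.0.0.0 are not allowed")
    return str(addr)


def check_mac(mac):
    """H-H-H format; not all 0s, all Fs or multicast. Returns padded form."""
    # Assumption: each H is one to four hex digits.
    if not re.fullmatch(r"(?:[0-9a-fA-F]{1,4}-){2}[0-9a-fA-F]{1,4}", mac):
        raise ValueError(f"{mac}: not in H-H-H format")
    value = int("".join(h.zfill(4) for h in mac.split("-")), 16)
    if value == 0:
        raise ValueError(f"{mac}: all-zero MAC address")
    if (value >> 40) & 1:   # group bit set: multicast, including all Fs
        raise ValueError(f"{mac}: multicast or broadcast MAC address")
    return "-".join(f"{(value >> s) & 0xFFFF:04x}" for s in (32, 16, 0))


def build_user_bind(ip=None, mac=None, vlan=None):
    """Return a user-bind command line, or raise ValueError."""
    if ip is None and mac is None:
        raise ValueError("an IP address, a MAC address, or both are required")
    parts = ["user-bind"]
    if ip is not None:
        parts += ["ip-address", check_ip(ip)]
    if mac is not None:
        parts += ["mac-address", check_mac(mac)]
    if vlan is not None:
        if not 1 <= int(vlan) <= 4094:
            raise ValueError(f"{vlan}: VLAN ID must be in the range 1 to 4094")
        parts += ["vlan", str(int(vlan))]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_user_bind(ip="192.168.0.1", mac="0001-0001-0001"))
```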