H3C S9500E Switch Series Command Reference (Release 1728-6W170)
11-Security Command Reference

11-IP Source Guard Commands

IP source guard configuration commands
NOTE:

·       The switch operates in IRF or standalone (the default) mode. For more information about the IRF mode, see IRF Configuration Guide.

·       You cannot enable IP source guard on a link aggregation member port or a service loopback port. If IP source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.

display ip source binding

Syntax

In standalone mode:

display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

In IRF mode:

display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

static: Displays static IPv4 source guard binding entries, including global static IPv4 binding entries and port-based static IPv4 binding entries. If you do not specify this keyword, the command displays all static and dynamic IPv4 source guard binding entries.

interface interface-type interface-number: Displays IPv4 source guard binding entries of the interface specified by its type and number.

ip-address ip-address: Displays IPv4 source guard binding entries of an IP address.

mac-address mac-address: Displays IPv4 source guard binding entries of a MAC address (in the format H-H-H).

slot slot-number: Displays IPv4 source guard binding entries on a card. The slot-number argument specifies the number of the slot that holds the card. (In standalone mode)

chassis chassis-number slot slot-number: Displays IPv4 source guard binding entries of a card on an IRF member device. The chassis-number argument refers to the ID of the IRF member device and the slot-number argument refers to the number of the slot that holds the card. You can use the display device command to view the IRF member ID and the slot number. (In IRF mode)

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ip source binding command to display IPv4 source guard binding entries.

To use the command without the static keyword, follow these guidelines:

·           If you specify no other parameters, the command displays static and dynamic IPv4 binding entries on all ports and the global static IPv4 binding entries on the MPU.

·           In standalone mode, if you specify neither a port nor an interface card, the command displays static and dynamic IPv4 binding entries on all ports and the global static IPv4 binding entries on the MPU. For IPv4 binding entries dynamically generated for a global interface (for example, a VLAN interface), the command displays only those on the MPU.

·           In IRF mode, if you specify neither a port nor an IRF member, the command displays static and dynamic IPv4 binding entries on all ports and the global static IPv4 binding entries on the MPU on the current IRF member device. For IPv4 binding entries dynamically generated for a global interface (for example, a VLAN interface), the command displays only those on the MPU on the current IRF member device.

To use the command with the static keyword, follow these guidelines:

·           If you do not specify any other parameters, the command displays all global and port-based static IPv4 binding entries.

·           In standalone mode, if you specify neither a port nor an interface card, the command displays static IPv4 binding entries on all ports and global static IPv4 binding entries on the MPU.

·           In IRF mode, if you specify neither a port nor an IRF member, the command displays static IPv4 binding entries on all ports and global static IPv4 binding entries on the MPU on the current IRF member device.

Related commands: ip verify source and ip source binding.

Examples

# Display all IPv4 source guard binding entries.

<Sysname> display ip source binding

 Total entries found: 5

 MAC Address         IP Address          VLAN       Interface      Type

 N/A                 10.1.0.9            2          GE3/0/1         Static

 N/A                 10.1.0.8            2          GE3/0/1         DHCP-SNP

 N/A                 10.1.0.7            2          GE3/0/1         DHCP-SNP

 N/A                 10.1.0.6            N/A        GE3/0/2         DHCP-RLY

 N/A                 N/A                 N/A        GE3/0/2         DHCP-RLY

# Display all static IPv4 source guard binding entries.

<Sysname> display ip source binding static

 Total entries found: 3

 MAC Address          IP Address         VLAN       Interface      Type

 N/A                  10.1.1.11          N/A        N/A            Static

 N/A                  10.1.0.12          6          GE3/0/3        Static

 N/A                  10.1.0.12          6          GE3/0/3        Static

Table 1 Output description

Field                  Description
Total entries found    Total number of entries found.
MAC Address            MAC address bound in the entry. N/A means that no MAC address is bound in the entry.
IP Address             IPv4 address bound in the entry. N/A means that no IP address is bound in the entry.
VLAN                   VLAN bound in the entry. N/A means that no VLAN information exists in the entry.
Interface              Interface of the entry. N/A means that the entry is a global static binding entry.
Type                   Type of the IPv4 source guard binding entry:
                       ·  Static—Static IPv4 binding entry.
                       ·  DHCP-SNP—Entry generated from a DHCP snooping entry.
                       ·  DHCP-RLY—Entry generated from a DHCP relay entry.

display ipv6 source binding

Syntax

In standalone mode:

display ipv6 source binding [ static ] [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

In IRF mode:

display ipv6 source binding [ static ] [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

static: Displays static IPv6 source guard binding entries, including global static IPv6 binding entries and port-based static IPv6 binding entries. If you do not specify this keyword, the command displays all static and dynamic IPv6 source guard binding entries.

interface interface-type interface-number: Displays the IPv6 source guard binding entries of an interface.

ipv6-address ipv6-address: Displays the IPv6 source guard binding entries of an IPv6 address.

mac-address mac-address: Displays the IPv6 source guard binding entries of a MAC address. The MAC address must be in the format H-H-H.

slot slot-number: Displays the IPv6 source guard binding entries on a card. The slot-number argument specifies the number of the slot that holds the card. (In standalone mode)

chassis chassis-number slot slot-number: Displays the IPv6 source guard binding entries of a card on an IRF member device. The chassis-number argument refers to the ID of the IRF member device and the slot-number argument refers to the number of the slot that holds the card. (In IRF mode)

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ipv6 source binding command to display IPv6 source guard binding entries.

To use the command without the static keyword, follow these guidelines:

·           If you specify no other parameters, the command displays static and dynamic IPv6 binding entries on all ports and the global static IPv6 binding entries on the MPU.

·           In standalone mode, if you specify neither a port nor an interface card, the command displays static and dynamic IPv6 binding entries on all ports and the global static IPv6 binding entries on the MPU. For IPv6 binding entries dynamically generated for a global interface (for example, a VLAN interface), the command displays only those on the MPU.

·           In IRF mode, if you specify neither a port nor an IRF member, the command displays static and dynamic IPv6 binding entries on all ports and the global static IPv6 binding entries on the MPU on the current IRF member device. For IPv6 binding entries dynamically generated for a global interface (for example, a VLAN interface), the command displays only those on the MPU on the current IRF member device.

To use the command with the static keyword, follow these guidelines:

·           If you do not specify any other parameters, the command displays all global and port-based static IPv6 binding entries.

·           In standalone mode, if you specify neither a port nor an interface card, the command displays static IPv6 binding entries on all ports and global static IPv6 binding entries on the MPU.

·           In IRF mode, if you specify neither a port nor an IRF member, the command displays static IPv6 binding entries on all ports and global static IPv6 binding entries on the MPU on the current IRF member device.

Related commands: ipv6 verify source and ipv6 source binding.

Examples

# Display all IPv6 source guard binding entries.

<Sysname> display ipv6 source binding

Total entries found: 3

 MAC Address          IP Address         VLAN       Interface       Type

 N/A                  2001::1            2          GE3/0/1         Static-IPv6

 N/A                  2001::3            2          GE3/0/1         DHCPv6-SNP

 N/A                  2001::4            6          GE3/0/2         ND-SNP

# Display all static IPv6 source guard binding entries.

<Sysname> display ipv6 source binding static

Total entries found: 2

 MAC Address          IP Address         VLAN       Interface      Type

 N/A                  2001::4            6          GE3/0/3        Static-IPv6

 N/A                  2001::4            6          GE3/0/3        Static-IPv6

Table 2 Output description

Field                  Description
Total entries found    Total number of entries found.
MAC Address            MAC address bound in the entry. N/A means that no MAC address is bound in the entry.
IP Address             IPv6 address bound in the entry. N/A means that no IPv6 address is bound in the entry.
VLAN                   VLAN bound in the entry. N/A means that no VLAN information exists in the entry.
Interface              Interface of the entry. N/A means that the entry is a global static binding entry.
Type                   Type of the IPv6 source guard binding entry:
                       ·  Static-IPv6—Static IPv6 binding entry.
                       ·  DHCPv6-SNP—Entry generated from a DHCPv6 snooping entry.
                       ·  ND-SNP—Entry generated from an ND snooping entry.

ip source binding (interface view)

Syntax

ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

undo ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

View

Layer 2 Ethernet port view

Default level

2: System level

Parameters

ip-address ip-address: Specifies the IPv4 address for the static binding entry. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.

mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address. This option is not available on EB cards (cards whose silkscreen suffix is EB).

vlan vlan-id: Specifies the VLAN for the static binding. vlan-id is the ID of the VLAN to be bound, in the range of 1 to 4094.

Description

Use the ip source binding command to configure a static IPv4 source guard binding entry on a port.

Use the undo ip source binding command to delete a static IPv4 source guard binding entry from a port.

By default, no static IPv4 binding entry exists on a port.

You cannot configure the same static binding entry repeatedly on one port, but you can configure the same static entry on different ports.

You cannot configure a static binding entry on a port that is in an aggregation group or a service loopback group.

Related commands: display ip source binding static.

Examples

# Configure a static IPv4 binding entry (IP binding) on port GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.1

ip verify source

Syntax

ip verify source { ip-address | ip-address mac-address | mac-address }

undo ip verify source

View

Ethernet interface view, VLAN interface view, port group view

Default level

2: System level

Parameters

ip-address: Binds source IPv4 addresses to the port.

ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port. This option is not available on EB cards (cards whose silkscreen suffix is EB).

mac-address: Binds source MAC addresses to the port. This option is not available on EB cards (cards whose silkscreen suffix is EB).

Description

Use the ip verify source command to enable the IPv4 source guard function on a port and specify the elements to be included in the port’s dynamic binding entries.

Use the undo ip verify source command to restore the default.

By default, the IPv4 source guard binding function is disabled on a port.

After you configure the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard binding entries based on the DHCP snooping entries (on a Layer 2 Ethernet port) or the DHCP-relay entries (on a Layer 3 Ethernet port), and all static IPv4 source guard binding entries on the port become effective.

You cannot configure the IPv4 source guard binding function on a port that is in an aggregation group or a service loopback group.

Related commands: display ip source binding.

Examples

# Configure IPv4 source guard binding on Layer 2 Ethernet port GigabitEthernet 3/0/1 to filter packets based on the source IPv4 address.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ip verify source ip-address

# Configure IPv4 source guard binding on VLAN-interface 100 to filter packets based on the source IPv4 address.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ip verify source ip-address

# Configure IPv4 source guard binding on Layer 3 Ethernet port GigabitEthernet 3/0/2 to filter packets based on the source IPv4 address.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/2

[Sysname-GigabitEthernet3/0/2] ip verify source ip-address

ip verify source max-entries

Syntax

ip verify source max-entries number

undo ip verify source max-entries

View

Layer 2 Ethernet port view

Default level

2: System level

Parameters

number: Maximum number of IPv4 source guard binding entries allowed on a port, in the range of 0 to the maximum number of entries allowed by the system.

Description

Use the ip verify source max-entries command to set the maximum number of static and dynamic IPv4 source guard binding entries allowed on a port. When the number of IPv4 binding entries on the port reaches the maximum, the port accepts no more IPv4 binding entries.

Use the undo ip verify source max-entries command to restore the default.

By default, the maximum number of IPv4 source guard binding entries allowed on a port is the maximum allowed by the system. The system-allowed maximum varies by system working mode. For more information about system working modes, see Fundamentals Configuration Guide.

If you set a maximum that is smaller than the number of IPv4 binding entries already on the port, the setting succeeds and the existing entries are not affected. However, no new IPv4 binding entries can be added until the number of entries on the port drops below the configured maximum.

Examples

# Set the maximum number of IPv4 source guard binding entries to 100 on port GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ip verify source max-entries 100
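The following Python is an added example, not part of the H3C reference. It parses the table format produced by display ip source binding and display ipv6 source binding (both use the same columns) and audits the result in two ways that matter operationally: which ports are close to their max-entries limit (once a port reaches it, no further binding entries are accepted, so hosts that obtain an address afterwards have no binding on that port), and which ports carry entries that bind an IP address without a MAC address, meaning the port checks only the source IP for those entries. SAMPLE_OUTPUT is a constructed dump in the column layout of the examples above, the MAC value in it is made up, the per-port limits passed to ports_near_limit are assumed values you would take from your own configuration, and all function names are mine.

```python
"""Parse 'display ip source binding' / 'display ipv6 source binding' output and
audit the binding table. Added example; SAMPLE_OUTPUT is a constructed dump in
the column layout shown in this reference, not captured from a device."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
 Total entries found: 6
 MAC Address         IP Address          VLAN       Interface      Type
 N/A                 10.1.0.9            2          GE3/0/1        Static
 000f-e200-0001      10.1.0.8            2          GE3/0/1        DHCP-SNP
 N/A                 10.1.0.7            2          GE3/0/1        DHCP-SNP
 N/A                 10.1.0.6            N/A        GE3/0/2        DHCP-RLY
 N/A                 N/A                 N/A        GE3/0/2        DHCP-RLY
 N/A                 10.1.1.11           N/A        N/A            Static
"""


@dataclass(frozen=True)
class Binding:
    mac: Optional[str]
    ip: Optional[str]
    vlan: Optional[int]
    interface: Optional[str]   # None (N/A) marks a global static entry
    kind: str                  # Static, DHCP-SNP, DHCP-RLY, Static-IPv6, DHCPv6-SNP, ND-SNP


def _na(field: str) -> Optional[str]:
    return None if field == "N/A" else field


def parse_source_bindings(text: str) -> List[Binding]:
    """Turn a display [ipv6] source binding dump into Binding records.
    Raises ValueError if a row is malformed or the row count disagrees with
    the 'Total entries found' line."""
    declared: Optional[int] = None
    rows: List[Binding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Total entries found:"):
            declared = int(line.split(":", 1)[1])
            continue
        if line.startswith("MAC Address"):
            continue                                 # column header
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected row: {raw!r}")
        mac, ip, vlan, iface, kind = fields
        rows.append(Binding(_na(mac), _na(ip),
                            int(vlan) if vlan != "N/A" else None,
                            _na(iface), kind))
    if declared is not None and declared != len(rows):
        raise ValueError(f"header says {declared} entries, parsed {len(rows)}")
    return rows


def entries_per_port(bindings: List[Binding]) -> Dict[str, int]:
    """Count port-based entries; global static entries (Interface N/A) do not
    count against any port's max-entries."""
    return Counter(b.interface for b in bindings if b.interface)


def ports_near_limit(bindings: List[Binding], limits: Dict[str, int],
                     default_limit: int, headroom: int = 1) -> List[Tuple[str, int, int]]:
    """Ports within `headroom` entries of their max-entries setting. `limits`
    holds per-port values from your configuration (assumed input); ports not
    listed there use default_limit."""
    flagged = []
    for iface, count in entries_per_port(bindings).items():
        limit = limits.get(iface, default_limit)
        if count + headroom >= limit:
            flagged.append((iface, count, limit))
    return sorted(flagged)


def ip_only_ports(bindings: List[Binding]) -> List[str]:
    """Ports holding at least one entry that binds an IP address without a MAC.
    For such entries the port checks the source IP only, not the source MAC."""
    return sorted({b.interface for b in bindings if b.interface and b.ip and not b.mac})


if __name__ == "__main__":
    table = parse_source_bindings(SAMPLE_OUTPUT)
    print(entries_per_port(table))
    print(ports_near_limit(table, {"GE3/0/1": 4}, default_limit=100))
    print(ip_only_ports(table))
```

Feed it the pasted output of the display command for one card (or one IRF member, since in IRF mode the command shows the current member only) and keep the limits dictionary in step with the ip verify source max-entries values in the running configuration.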

ipv6 source binding (interface view)

Syntax

ipv6 source binding { ipv6-address ipv6-address | ipv6-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

undo ipv6 source binding { ipv6-address ipv6-address | ipv6-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

View

Layer 2 Ethernet port view

Default level

2: System level

Parameters

ipv6-address ipv6-address: Specifies the IPv6 address for the static binding entry. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.

mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address. This option is not available on EB cards (cards whose silkscreen suffix is EB).

vlan vlan-id: Specifies the VLAN for the static binding. vlan-id is the ID of the VLAN to be bound, in the range of 1 to 4094.

Description

Use the ipv6 source binding command to configure a static IPv6 source guard binding entry on a port.

Use the undo ipv6 source binding command to delete a static IPv6 source guard binding entry from a port.

By default, no static IPv6 binding entry exists on a port.

You cannot configure the same static binding entry repeatedly on one port, but you can configure the same static entry on different ports.

You cannot configure a static binding entry on a port that is in an aggregation group or a service loopback group.

Related commands: display ipv6 source binding static.

Examples

# Configure a static IPv6 binding entry (IP binding) on port GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ipv6 source binding ipv6-address 2001::1
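Because a rejected static binding is only reported once the command is typed on the device, a pre-flight check of the parameters is useful when bindings are generated from an inventory. The following Python is an added example, not part of the H3C reference: it applies the constraints stated above for ip source binding and ipv6 source binding (no 127.x.x.x, 0.0.0.0 or multicast IPv4 address; no all-zero, loopback or multicast IPv6 address; MAC in H-H-H format and not all 0s, all Fs or multicast; vlan-id 1 to 4094) and emits the interface-view command line. The function names are mine; the MAC multicast test uses the I/G bit of the first octet, which is the standard definition and not something the reference spells out.

```python
"""Pre-flight validation of static IP source guard binding parameters, following
the constraints stated for ip source binding and ipv6 source binding. Added
example; function names are the author's, not Comware commands."""
import ipaddress
import re
from typing import Optional

# Comware H-H-H form: three groups of 1 to 4 hex digits.
_MAC_HHH = re.compile(r"^[0-9a-fA-F]{1,4}-[0-9a-fA-F]{1,4}-[0-9a-fA-F]{1,4}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC zero-padded to hhhh-hhhh-hhhh, or raise ValueError."""
    if not _MAC_HHH.match(mac):
        raise ValueError(f"MAC address must be in H-H-H format: {mac!r}")
    return "-".join(part.lower().zfill(4) for part in mac.split("-"))


def check_mac(mac: str) -> str:
    """Reject all-zero, broadcast (all F) and multicast MAC addresses."""
    norm = normalize_mac(mac)
    octets = bytes.fromhex(norm.replace("-", ""))
    if not any(octets):
        raise ValueError("MAC address cannot be all 0s")
    if all(b == 0xFF for b in octets):
        raise ValueError("MAC address cannot be the broadcast address")
    if octets[0] & 0x01:                    # I/G bit set: group (multicast) address
        raise ValueError("MAC address cannot be a multicast address")
    return norm


def check_ip(ip: str) -> str:
    """Reject the addresses the reference excludes for each address family."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        if addr.is_loopback:                # 127.x.x.x
            raise ValueError("IPv4 address cannot be 127.x.x.x")
        if addr == ipaddress.IPv4Address("0.0.0.0"):
            raise ValueError("IPv4 address cannot be 0.0.0.0")
    else:
        if addr == ipaddress.IPv6Address("::"):
            raise ValueError("IPv6 address cannot be the all-zero address")
        if addr.is_loopback:                # ::1
            raise ValueError("IPv6 address cannot be the loopback address")
    if addr.is_multicast:
        raise ValueError("address cannot be a multicast address")
    return str(addr)


def static_binding_command(family: str, ip: Optional[str] = None,
                           mac: Optional[str] = None, vlan: Optional[int] = None) -> str:
    """Validate the parameters and return the Layer 2 Ethernet port view
    command line. family is 'ip' for IPv4 or 'ipv6' for IPv6."""
    if family not in ("ip", "ipv6"):
        raise ValueError("family must be 'ip' or 'ipv6'")
    if ip is None and mac is None:
        raise ValueError("specify an address, a MAC address, or both")
    parts = [family, "source", "binding"]
    if ip is not None:
        addr = check_ip(ip)
        if (ipaddress.ip_address(addr).version == 6) != (family == "ipv6"):
            raise ValueError("address family does not match the command")
        parts += [f"{family}-address", addr]      # ip-address or ipv6-address keyword
    if mac is not None:
        parts += ["mac-address", check_mac(mac)]
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("vlan-id must be in the range 1 to 4094")
        parts += ["vlan", str(vlan)]
    return " ".join(parts)


if __name__ == "__main__":
    print(static_binding_command("ip", ip="192.168.0.1"))
    print(static_binding_command("ip", ip="10.1.0.12", mac="f-e2-3", vlan=6))
    print(static_binding_command("ipv6", ip="2001::1"))
```

The validator knows nothing about the card type: the mac-address forms are documented above as unavailable on EB cards, so a binding that passes these checks can still be rejected on such a card, and the reference's rule that the same entry cannot be configured twice on one port is a device-side check as well.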

ipv6 verify source

Syntax

ipv6 verify source { ipv6-address | ipv6-address mac-address | mac-address }

undo ipv6 verify source

View

Ethernet interface view, port group view

Default level

2: System level

Parameters

ipv6-address: Binds source IPv6 addresses to the port.

ipv6-address mac-address: Binds source IPv6 addresses and MAC addresses to the port. This option is not available on EB cards (cards whose silkscreen suffix is EB).

mac-address: Binds source MAC addresses to the port. This option is not available on EB cards (cards whose silkscreen suffix is EB).

Description

Use the ipv6 verify source command to enable the IPv6 source guard function on a port and specify the elements to be included in the port’s dynamic binding entries.

Use the undo ipv6 verify source command to restore the default.

By default, the IPv6 source guard binding function is disabled on a port.

After you configure the IPv6 source guard function on a port, IPv6 source guard dynamically generates IPv6 source guard binding entries based on the DHCPv6 snooping entries or ND snooping entries, and all static IPv6 source guard binding entries on the port become effective.

You cannot configure the IPv6 source guard binding function on a port that is in an aggregation group or a service loopback group.

Related commands: display ipv6 source binding.

Examples

# Configure IPv6 source guard binding on Layer 2 Ethernet port GigabitEthernet 3/0/1 to filter IPv6 packets based on the source IPv6 address.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ipv6 verify source ipv6-address

ipv6 verify source max-entries

Syntax

ipv6 verify source max-entries number

undo ipv6 verify source max-entries

View

Layer 2 Ethernet port view

Default level

2: System level

Parameters

number: Maximum number of IPv6 source guard binding entries allowed on a port, in the range of 0 to the maximum number of entries allowed by the system.

Description

Use the ipv6 verify source max-entries command to set the maximum number of static and dynamic IPv6 source guard binding entries allowed on a port. When the number of IPv6 binding entries on the port reaches the maximum, the port accepts no more IPv6 binding entries.

Use the undo ipv6 verify source max-entries command to restore the default.

By default, the maximum number of IPv6 source guard binding entries allowed on a port is the maximum allowed by the system. The system-allowed maximum varies by system working mode. For more information about system working modes, see Fundamentals Configuration Guide.

If you set a maximum that is smaller than the number of IPv6 binding entries already on the port, the setting succeeds and the existing entries are not affected. However, no new IPv6 binding entries can be added until the number of entries on the port drops below the configured maximum.

Examples

# Set the maximum number of IPv6 source guard binding entries to 100 on port GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] ipv6 verify source max-entries 100
