12-IP source guard commands
Contents
ip source binding (interface view)
ip source binding (system view)
ipv6 source binding (interface view)
ipv6 source binding (system view)
display ip source binding
Use display ip source binding to display IPv4SG bindings.
Syntax
display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
static: Displays static IPv4SG bindings.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPv4SG bindings for the public network, do not specify a VPN instance.
dhcp-relay: Specifies the DHCP relay module.
dhcp-server: Specifies the DHCP server module.
dhcp-snooping: Specifies the DHCP snooping module.
ip-address ip-address: Specifies an IPv4 address.
mac-address mac-address: Specifies a MAC address in H-H-H format.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays all interface-specific and global IPv4SG bindings.
slot slot-number: Specifies the ID of the IRF member device. If you do not specify this option, the command displays matching bindings on all member devices.
Examples
# Display all interface-specific and global IPSG bindings on the public network.
<Sysname> display ip source binding
Total entries found: 5
IP Address      MAC Address    Interface   VLAN Type
10.1.0.5        040a-0000-4000 FGE1/1/1    1    DHCP snooping
10.1.0.6        040a-0000-3000 FGE1/1/1    1    DHCP snooping
10.1.0.7        040a-0000-2000 FGE1/1/1    1    DHCP snooping
10.1.0.8        040a-0000-1000 FGE1/1/2    N/A  DHCP relay
10.1.0.9        040a-0000-2000 FGE1/1/2    N/A  Static
Table 1 Command output
Field | Description |
---|---|
Total entries found | Total number of IPv4SG bindings. |
IP Address | IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A. |
MAC Address | MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A. |
Interface | Interface of the binding. This field displays N/A for a global IPv4SG binding. |
VLAN | VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A. |
Type | IPSG binding type: · Static—Manually configured by using the ip source binding command. Static bindings are for packet filtering in IPSG. · DHCP relay—Dynamically generated based on DHCP relay agent. The binding is for packet filtering in IPSG. · DHCP server—Dynamically generated based on DHCP server. The binding is used by other modules to provide security services. · DHCP snooping—Dynamically generated based on DHCP snooping. The binding is for packet filtering in IPSG. |
Related commands
· ip source binding
· ip verify source
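An added example (not part of the vendor documentation) that parses the IPv4 output shown above and audits it using the Type semantics from Table 1. The function names and the choice of audit checks are assumptions made for this illustration; the sample input is the page's own example output.

```python
import re
from collections import defaultdict

# Sample input: the display output from the example above.
SAMPLE = """\
Total entries found: 5
IP Address      MAC Address    Interface   VLAN Type
10.1.0.5        040a-0000-4000 FGE1/1/1    1    DHCP snooping
10.1.0.6        040a-0000-3000 FGE1/1/1    1    DHCP snooping
10.1.0.7        040a-0000-2000 FGE1/1/1    1    DHCP snooping
10.1.0.8        040a-0000-1000 FGE1/1/2    N/A  DHCP relay
10.1.0.9        040a-0000-2000 FGE1/1/2    N/A  Static
"""

# Table 1: these types filter packets; "DHCP server" bindings do not.
FILTERING_TYPES = {"Static", "DHCP relay", "DHCP snooping"}
MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}", re.I)

def parse_bindings(text):
    """Return (declared_total, rows) parsed from the command output."""
    total, rows = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Total entries found:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        parts = line.split(None, 4)  # the Type column may contain spaces
        if len(parts) == 5 and (parts[1] == "N/A" or MAC_RE.fullmatch(parts[1])):
            ip, mac, iface, vlan, btype = parts
            rows.append({"ip": ip, "mac": mac.lower(), "interface": iface,
                         "vlan": vlan, "type": btype.strip()})
    return total, rows

def audit(total, rows):
    """Return findings: count mismatch, reused MACs, non-filtering entries."""
    findings = []
    if total != len(rows):
        findings.append(f"count mismatch: declared {total}, parsed {len(rows)}")
    seen = defaultdict(list)
    for r in rows:
        if r["mac"] != "n/a":
            seen[r["mac"]].append(f'{r["ip"]}@{r["interface"]}')
        if r["type"] not in FILTERING_TYPES:
            findings.append(f'{r["ip"]}: type {r["type"]!r} does not filter packets')
    for mac, where in seen.items():
        if len(where) > 1:
            findings.append(f"{mac} bound more than once: {', '.join(where)}")
    return findings
```

On the sample, `audit(*parse_bindings(SAMPLE))` reports that 040a-0000-2000 appears in both a DHCP snooping binding on FGE1/1/1 and a static binding on FGE1/1/2, which is worth reviewing but is not necessarily a fault.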
display ipv6 source binding
Use display ipv6 source binding to display IPv6SG bindings.
Syntax
display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
static: Displays static IPv6SG bindings.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPSG bindings for the public network, do not specify a VPN instance.
dhcpv6-snooping: Specifies the DHCPv6 snooping module.
ip-address ipv6-address: Specifies an IPv6 address.
mac-address mac-address: Specifies a MAC address in H-H-H format.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays all interface-specific and global IPv6SG bindings.
slot slot-number: Specifies the ID of the IRF member device. If you do not specify this option, the command displays matching bindings on all member devices.
Examples
# Display all interface-specific and global IPv6SG bindings on the public network.
<Sysname> display ipv6 source binding
Total entries found: 2
IPv6 Address         MAC Address    Interface   VLAN Type
2012:1222:2012:1222: 000f-2202-0435 FGE1/1/1    1    DHCPv6 snooping
2012:1222:2012:1222
2012:1222:2012:1222: 000f-2202-0436 FGE1/1/1    N/A  Static
2012:1222:2012:1223
Table 2 Command output
Field | Description |
---|---|
Total entries found | Total number of IPv6SG bindings. |
IPv6 Address | IPv6 address in the IPv6SG binding. If no IPv6 address is bound in the binding, this field displays N/A. |
MAC Address | MAC address in the IPv6SG binding. If no MAC address is bound in the binding, this field displays N/A. |
Interface | Interface of the IPv6SG binding. This field displays N/A for a global IPv6SG binding. |
VLAN | VLAN information in the IPv6SG binding. If the binding contains no VLAN information, this field displays N/A. |
Type | IPv6SG binding type: · Static—Manually configured by using the ipv6 source binding command. Static bindings are for packet filtering in IPv6SG or used by other modules to provide security services. · DHCPv6 snooping—Dynamically generated based on DHCPv6 snooping. The binding is for packet filtering in IPv6SG. |
Related commands
· ipv6 source binding
· ipv6 verify source
ip source binding (interface view)
Use ip source binding to configure a static IPv4SG binding on an interface.
Use undo ip source binding to delete the static IPv4SG bindings configured on an interface.
Syntax
ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
Default
No static IPv4SG binding exists on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view
Predefined user roles
network-admin
Parameters
all: Removes all static IPv4SG bindings on the interface.
ip-address ip-address: Specifies an IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.
Usage guidelines
IPv4SG bindings on an interface implement the following functions:
· Filter incoming IPv4 packets on the interface.
· Check user validity by cooperating with the ARP detection feature.
You cannot configure static IPv4SG bindings on an interface that is in a service loopback group.
Examples
# Configure a static IPv4SG binding on FortyGigE 1/1/1.
<Sysname> system-view
[Sysname] interface fortygige 1/1/1
[Sysname-FortyGigE1/1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
· display ip source binding
· ip source binding (system view)
ip source binding (system view)
Use ip source binding to configure a global static IPv4SG binding.
Use undo ip source binding to delete one or all global static IPv4SG bindings.
Syntax
ip source binding ip-address ip-address mac-address mac-address
undo ip source binding { all | ip-address ip-address mac-address mac-address }
Default
No global static IPv4SG binding exists.
Views
System view
Predefined user roles
network-admin
Parameters
ip-address ip-address: Specifies the IPv4 address for the static binding. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies the MAC address for the static binding. The MAC address is in the format H-H-H but cannot be all 0s, all Fs (a broadcast address), or a multicast address.
all: Removes all global static IPv4SG bindings.
Usage guidelines
A global static IPv4SG binding takes effect on all interfaces.
Examples
# Configure a global static IPv4SG binding.
<Sysname> system-view
[Sysname] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
· display ip source binding
· ip source binding (interface view)
ip verify source
Use ip verify source to enable both static and dynamic IPv4SG on an interface.
Use undo ip verify source to restore the default.
Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source
Default
The IPv4SG feature is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view, Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters incoming packets by source IPv4 addresses.
ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.
mac-address: Filters incoming packets by source MAC addresses.
Usage guidelines
The matching criterion in this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.
Dynamic bindings generated from different source modules (DHCP relay agent, DHCP snooping, and DHCP server) are for different security services. For more information, see Security Configuration Guide.
You cannot configure dynamic IPv4SG on a service loopback interface.
Examples
# Enable IPv4SG on Layer 2 Ethernet port FortyGigE 1/1/1 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface fortygige 1/1/1
[Sysname-FortyGigE1/1/1] ip verify source ip-address mac-address
# Enable IPv4SG on VLAN-interface 100 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ip verify source ip-address mac-address
# Enable IPv4SG on Layer 3 Ethernet interface FortyGigE 1/1/2 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface fortygige 1/1/2
[Sysname-FortyGigE1/1/2] port link-mode route
[Sysname-FortyGigE1/1/2] ip verify source ip-address mac-address
# Enable IPv4SG on Layer 3 Ethernet interface FortyGigE 1/1/2 and verify the source MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface fortygige 1/1/2
[Sysname-FortyGigE1/1/2] port link-mode route
[Sysname-FortyGigE1/1/2] ip verify source mac-address
Related commands
· display ip source binding
ipv6 source binding (interface view)
Use ipv6 source binding to configure a static IPv6SG binding.
Use undo ipv6 source binding to delete the static IPv6SG bindings configured on the interface.
Syntax
ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
Default
No static IPv6SG binding is configured on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view
Predefined user roles
network-admin
Parameters
all: Removes all the static IPv6SG bindings on the interface.
ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.
mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.
Usage guidelines
IP source guard can use static IPv6 source guard binding entries on an interface to filter incoming IPv6 packets on the interface.
You cannot configure static IPv6SG bindings on an interface that is in a service loopback group.
Examples
# Configure a static IPv6SG binding on FortyGigE 1/1/1.
<Sysname> system-view
[Sysname] interface fortygige 1/1/1
[Sysname-FortyGigE1/1/1] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002
Related commands
· display ipv6 source binding
· ipv6 source binding (system view)
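An added example (not part of the vendor documentation) that applies the address restrictions from the ip source binding and ipv6 source binding (interface view) parameter descriptions before a static binding is generated, for instance from an inventory export. The function names are assumptions, and the MAC input is assumed to carry all 12 hex digits in any common separator style.

```python
import ipaddress
import re

def normalize_mac(mac):
    """Return the MAC in H-H-H form, or raise ValueError if it is not allowed."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    if digits in ("0" * 12, "f" * 12):
        raise ValueError("MAC cannot be all 0s or all Fs")
    if int(digits[:2], 16) & 1:  # I/G bit set marks a group (multicast) address
        raise ValueError("MAC cannot be a multicast address")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def check_ip(addr):
    """Apply the documented address restrictions; return an ipaddress object."""
    ip = ipaddress.ip_address(addr)
    # IPv4: not 0.0.0.0, 127.x.x.x or multicast. IPv6: not ::, ::1 or multicast.
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"{ip} is all-zero, loopback or multicast")
    if ip.version == 4 and int(ip) >> 28 == 0xF:  # 240.0.0.0/4 is class E
        raise ValueError(f"{ip} is not a class A, B, or C address")
    return ip

def static_binding(addr, mac, vlan=None):
    """Build the interface-view command line for one static binding."""
    ip = check_ip(addr)
    cmd = "ip" if ip.version == 4 else "ipv6"
    line = f"{cmd} source binding ip-address {ip} mac-address {normalize_mac(mac)}"
    if vlan is not None:
        # The vlan option is supported only in Layer 2 Ethernet interface view.
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1 to 4094")
        line += f" vlan {vlan}"
    return line
```

Entries that fail a check raise ValueError instead of producing a command the device would reject.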
ipv6 source binding (system view)
Use ipv6 source binding to configure a global static IPv6SG binding.
Use undo ipv6 source binding to delete one or all global static IPv6SG bindings.
Syntax
ipv6 source binding ip-address ipv6-address mac-address mac-address
undo ipv6 source binding { all | ip-address ipv6-address mac-address mac-address }
Default
No global static IPv6SG binding exists.
Views
System view
Predefined user roles
network-admin
Parameters
ip-address ipv6-address: Specifies the IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.
mac-address mac-address: Specifies the MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.
all: Removes all global static IPv6SG bindings.
Usage guidelines
A global static IPv6SG binding takes effect on all interfaces.
Examples
# Configure a global static IPv6SG binding.
<Sysname> system-view
[Sysname] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002
Related commands
· display ipv6 source binding
· ipv6 source binding (interface view)
ipv6 verify source
Use ipv6 verify source to enable both static and dynamic IPv6SG on an interface.
Use undo ipv6 verify source to restore the default.
Syntax
ipv6 verify source { ip-address | ip-address mac-address | mac-address }
undo ipv6 verify source
Default
The IPv6SG feature is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view, Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters incoming packets by source IPv6 addresses.
ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
mac-address: Filters incoming packets by source MAC addresses.
Usage guidelines
The matching criterion in this command applies only to dynamic IPv6SG. Static IPv6SG uses static bindings configured by using the ipv6 source binding command.
You cannot enable dynamic IPv6SG on a service loopback interface.
Examples
# Enable IPv6SG on Layer 2 Ethernet port FortyGigE 1/1/1 and verify the source IPv6 address and MAC address for dynamic IPv6SG.
<Sysname> system-view
[Sysname] interface fortygige 1/1/1
[Sysname-FortyGigE1/1/1] ipv6 verify source ip-address mac-address
Related commands
· display ipv6 source binding