03-Security Command Reference


IP-MAC binding commands

display ip-mac binding ipv4

Use display ip-mac binding ipv4 to display IPv4-MAC binding entries.

Syntax

display ip-mac binding ipv4 [ ipv4-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be all 0s, a multicast address, or a loopback address. If you do not specify an IPv4 address, this command displays IPv4-MAC binding entries for all IPv4 addresses.

mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address. If you do not specify a MAC address, this command displays IPv4-MAC binding entries for all MAC addresses.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays IPv4-MAC binding entries for all VLANs.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, this command displays IPv4-MAC binding entries for the public network.

Examples

# Display IPv4-MAC binding entries.

<Sysname> display ip-mac binding ipv4

Total entries: 1

IP address      MAC address            VPN instance      VLAN ID

1.1.1.1         0000-0000-0001         --                  N/A

Table 1 Command output

Field: Description

Total entries: Total number of IPv4-MAC binding entries.

IP address: IPv4 address in the IPv4-MAC binding entry.

MAC address: MAC address in the IPv4-MAC binding entry.

VPN instance: Name of the VPN instance to which the IPv4-MAC binding entry belongs. If the binding entry belongs to the public network, this field displays hyphens (--).

VLAN ID: VLAN to which the IPv4-MAC binding entry belongs.

Related commands

ip-mac binding ipv4

display ip-mac binding ipv6

Use display ip-mac binding ipv6 to display IPv6-MAC binding entries.

Syntax

display ip-mac binding ipv6 [ ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be all 0s, a multicast address, or a loopback address. If you do not specify an IPv6 address, this command displays IPv6-MAC binding entries for all IPv6 addresses.

mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address. If you do not specify a MAC address, this command displays IPv6-MAC binding entries for all MAC addresses.

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays IPv6-MAC binding entries for all VLANs.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, this command displays IPv6-MAC binding entries for the public network.

Examples

# Display IPv6-MAC binding entries.

<Sysname> display ip-mac binding ipv6

Total entries: 1

IP address      MAC address            VPN instance      VLAN ID

10::10          0000-0000-0001         --                   N/A

Table 2 Command output

Field: Description

Total entries: Total number of IPv6-MAC binding entries.

IP address: IPv6 address in the IPv6-MAC binding entry.

MAC address: MAC address in the IPv6-MAC binding entry.

VPN instance: Name of the VPN instance to which the IPv6-MAC binding entry belongs. If the binding entry belongs to the public network, this field displays hyphens (--).

VLAN ID: VLAN to which the IPv6-MAC binding entry belongs.

 

Related commands

ip-mac binding ipv6

display ip-mac binding statistics

Use display ip-mac binding statistics to display statistics about packets dropped by the IP-MAC binding feature.

Syntax

display ip-mac binding statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics about packets dropped by the IP-MAC binding feature for all member devices.

Usage guidelines

When the deny action is set for packets that do not match any IP-MAC binding entries, this command displays statistics about the following packets:

·     Packets that do not exactly match any IP-MAC binding entries.

·     Packets that do not match any IP-MAC binding entries.

Examples

# Display statistics about packets dropped by the IP-MAC binding feature on the specified slot.

<Sysname> display ip-mac binding statistics slot 1

Slot 1:

Statistics about dropped packets:

IPv4 drop statistics:

  IPv4 ip-mac binding dropped packets because partial match ip: 3

  IPv4 ip-mac binding dropped packets because partial match mac: 0

  IPv4 ip-mac binding dropped packets because no match entry: 12

IPv6 drop statistics:

  IPv6 ip-mac binding dropped packets because partial match ip: 0

  IPv6 ip-mac binding dropped packets because partial match mac: 0

  IPv6 ip-mac binding dropped packets because no match entry: 0

Table 3 Command output

Field: Description

IPv4 drop statistics: Number of IPv4 packets dropped by the IP-MAC binding feature.

IPv4 ip-mac binding dropped packets because partial match ip: Number of IPv4 packets that were dropped because no matching IPv4-MAC binding entries were found for the source MAC address.

IPv4 ip-mac binding dropped packets because partial match mac: Number of IPv4 packets that were dropped because no matching IPv4-MAC binding entry was found for the source IP address.

IPv4 ip-mac binding dropped packets because no match entry: Number of IPv4 packets that were dropped because no matching IPv4-MAC binding entry was found for the source IP address and source MAC address.

IPv6 drop statistics: Number of IPv6 packets dropped by the IP-MAC binding feature.

IPv6 ip-mac binding dropped packets because partial match ip: Number of IPv6 packets that were dropped because no matching IPv6-MAC binding entries were found for the source MAC address.

IPv6 ip-mac binding dropped packets because partial match mac: Number of IPv6 packets that were dropped because no matching IPv6-MAC binding entry was found for the source IP address.

IPv6 ip-mac binding dropped packets because no match entry: Number of IPv6 packets that were dropped because no matching IPv6-MAC binding entry was found for the source IP address and source MAC address.
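
The following Python sketch is an added example, not part of the H3C documentation. It parses the display ip-mac binding statistics output shown above and reports which drop counters grew between two polls, so that a rise in a partial-match counter can be tied to a slot and address family. The function names and the second poll are constructed for illustration.

```python
import re

# Output copied from the display ip-mac binding statistics example on this page.
POLL_1 = """\
Slot 1:
Statistics about dropped packets:
IPv4 drop statistics:
  IPv4 ip-mac binding dropped packets because partial match ip: 3
  IPv4 ip-mac binding dropped packets because partial match mac: 0
  IPv4 ip-mac binding dropped packets because no match entry: 12
IPv6 drop statistics:
  IPv6 ip-mac binding dropped packets because partial match ip: 0
  IPv6 ip-mac binding dropped packets because partial match mac: 0
  IPv6 ip-mac binding dropped packets because no match entry: 0
"""
# Constructed second poll: only the IPv4 "partial match ip" counter has moved.
POLL_2 = POLL_1.replace("partial match ip: 3", "partial match ip: 45")

SLOT_RE = re.compile(r"^\s*Slot\s+(\d+):\s*$")
COUNTER_RE = re.compile(
    r"^\s*(IPv[46]) ip-mac binding dropped packets because "
    r"(partial match ip|partial match mac|no match entry):\s*(\d+)\s*$")

def parse_drop_statistics(text):
    """Return {slot: {(family, reason): count}} from the command output."""
    stats, slot = {}, None
    for line in text.splitlines():
        if m := SLOT_RE.match(line):
            slot = int(m.group(1))
            stats[slot] = {}
        elif m := COUNTER_RE.match(line):
            if slot is None:
                raise ValueError("counter line before any 'Slot N:' header")
            stats[slot][m.group(1), m.group(2)] = int(m.group(3))
    return stats

def drop_deltas(before, after):
    """List (slot, family, reason, increase) for counters that grew between polls."""
    grown = []
    for slot, counters in after.items():
        for (family, reason), now in counters.items():
            prev = before.get(slot, {}).get((family, reason), 0)
            # A lower value means reset ip-mac binding statistics ran in between.
            delta = now - prev if now >= prev else now
            if delta:
                grown.append((slot, family, reason, delta))
    return sorted(grown)
```
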

 

Related commands

reset ip-mac binding statistics

display ip-mac binding status

Use display ip-mac binding status to display the status of the IP-MAC binding feature.

Syntax

display ip-mac binding status

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

This command displays the status of the IP-MAC binding feature and the default action for packets that do not match any IP-MAC binding entries.

Examples

# Display the status of the IP-MAC binding feature.

<Sysname> display ip-mac binding status

ip-mac binding: Disabled

ip-mac binding no-match action: Deny

Table 4 Command output

Field: Description

ip-mac binding: Status of the IP-MAC binding feature, Enabled or Disabled.

ip-mac binding no-match action: The default action for packets that do not match any IP-MAC binding entries:

·     Permit—Forwards packets.

·     Deny—Drops packets.

 

ip-mac binding enable (interface view)

Use ip-mac binding enable to enable the IP-MAC binding feature on an interface.

Use undo ip-mac binding enable to disable the IP-MAC binding feature on an interface.

Syntax

ip-mac binding enable

undo ip-mac binding enable

Default

The IP-MAC binding feature is disabled on an interface.

Views

Layer 3 Ethernet interface

Layer 3 Ethernet subinterface

VLAN interface

Layer 3 aggregate interface

Layer 3 aggregate subinterface

Predefined user roles

network-admin

context-admin

Usage guidelines

The IP-MAC binding feature on an interface takes effect only on incoming packets on the interface.

Examples

# Enable the IP-MAC binding feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip-mac binding enable

ip-mac binding interface

Use ip-mac binding interface to generate IP-MAC binding entries based on existing ARP and ND entries on an interface.

Syntax

ip-mac binding interface interface-type interface-number

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number. The interface must be a Layer 3 Ethernet interface or subinterface, Layer 3 aggregate interface or subinterface, Reth interface or subinterface, or VLAN interface.

Usage guidelines

Use this command to generate IP-MAC binding entries based on existing ARP entries and ND entries on an interface. If the newly generated IP-MAC binding entries conflict with the existing IP-MAC binding entries, the device retains the existing entries.

To generate IP-MAC binding entries based on ARP entries and ND entries newly added after the command execution, re-execute this command.

To delete IPv4-MAC binding entries generated by using this command, use the undo ip-mac binding ipv4 command. To delete IPv6-MAC binding entries generated by using this command, use the undo ip-mac binding ipv6 command.

IP-MAC binding entries are static. Therefore, the binding entries generated by using this command are not updated when the relevant ARP or ND entries change.

Examples

# Generate IP-MAC binding entries based on existing ARP and ND entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] ip-mac binding interface gigabitethernet 1/0/1
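
Because generated entries are static, they can drift from what the interface currently learns. The following Python sketch is an added example, not part of the H3C documentation: it parses output in the display ip-mac binding ipv4 format and compares the public-network entries with an ARP snapshot. The addresses, the ARP_NOW mapping, and the function names are constructed, and the snapshot is assumed to use the same zero-padded H-H-H MAC format.

```python
import ipaddress

# Rows in the format of the display ip-mac binding ipv4 example on this page;
# the addresses are constructed.
BINDINGS = """\
Total entries: 3
IP address      MAC address            VPN instance      VLAN ID
192.168.0.1     0001-0001-0001         --                N/A
192.168.0.2     0001-0001-0002         --                N/A
192.168.0.3     0001-0001-0003         --                N/A
"""
# Constructed ARP snapshot (IP -> MAC); collecting it is outside this page.
ARP_NOW = {"192.168.0.1": "0001-0001-0001",
           "192.168.0.2": "0001-0001-00AA",   # MAC differs from the binding
           "192.168.0.4": "0001-0001-0004"}   # learned after the bindings were generated

def parse_bindings(text):
    """Return {(ip, vpn, vlan): mac}; vpn is "--" for the public network."""
    total, table = None, {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Total entries:"):
            total = int(fields[-1])
        elif len(fields) == 4:
            try:
                ip = str(ipaddress.ip_address(fields[0]))
            except ValueError:
                continue  # not an entry row
            table[ip, fields[2], fields[3]] = fields[1].lower()
    if total is not None and total != len(table):
        raise ValueError(f"parsed {len(table)} rows, device reported {total}")
    return table

def binding_drift(bindings, arp):
    """Compare public-network bindings with an ARP snapshot."""
    public = {ip: mac for (ip, vpn, _), mac in bindings.items() if vpn == "--"}
    arp = {ip: mac.lower() for ip, mac in arp.items()}
    return {
        # Static binding no longer equals the learned MAC: delete and re-create it.
        "stale": sorted(ip for ip in public if ip in arp and arp[ip] != public[ip]),
        # ARP entry without a binding: re-execute ip-mac binding interface.
        "unbound": sorted(ip for ip in arp if ip not in public),
        # Binding with no ARP entry right now: the host may simply be silent.
        "no_arp": sorted(ip for ip in public if ip not in arp),
    }
```

A "stale" result only says that the binding and the ARP entry disagree; confirm which of the two MAC addresses is the legitimate one before re-creating the binding.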

ip-mac binding ipv4

Use ip-mac binding ipv4 to create an IPv4-MAC binding entry.

Use undo ip-mac binding ipv4 to delete IPv4-MAC binding entries.

Syntax

ip-mac binding ipv4 ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]

undo ip-mac binding ipv4 { all | ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ] }

Default

No IPv4-MAC binding entries are configured.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be all 0s, a multicast address, or a loopback address.

mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, the IPv4-MAC binding entry belongs to the public network.

all: Specifies all IPv4-MAC binding entries.

Usage guidelines

A MAC address can be bound to multiple IPv4 addresses. However, an IPv4 address can be bound to only one MAC address. To bind an IPv4 address in a binding entry to another MAC address, you must delete the existing binding entry, and then create the new binding entry.

IPv4-MAC binding entries created by using this command are globally effective.

The device supports a maximum of 1024 IPv4-MAC binding entries.

Examples

# Create an IPv4-MAC binding entry to permit packets with source IPv4 address 192.168.0.1 and source MAC address 0001-0001-0001.

<Sysname> system-view

[Sysname] ip-mac binding ipv4 192.168.0.1 mac-address 0001-0001-0001

Related commands

display ip-mac binding ipv4

ip-mac binding ipv6

Use ip-mac binding ipv6 to create an IPv6-MAC binding entry.

Use undo ip-mac binding ipv6 to delete IPv6-MAC binding entries.

Syntax

ip-mac binding ipv6 ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]

undo ip-mac binding ipv6 { all | ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ] }

Default

No IPv6-MAC binding entries are configured.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be all 0s, a multicast address, or a loopback address.

mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address.

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, the IPv6-MAC binding entry belongs to the public network.

all: Specifies all IPv6-MAC binding entries.

Usage guidelines

A MAC address can be bound to multiple IPv6 addresses. However, an IPv6 address can be bound to only one MAC address. To bind an IPv6 address in a binding entry to another MAC address, you must delete the existing binding entry and then create the new binding entry.

IPv6-MAC binding entries created by using this command are globally effective.

The device supports a maximum of 1024 IPv6-MAC binding entries.

Examples

# Create an IPv6-MAC binding entry to permit packets with source IPv6 address 2012::12:25 and source MAC address 0001-0001-0001.

<Sysname> system-view

[Sysname] ip-mac binding ipv6 2012::12:25 mac-address 0001-0001-0001
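
The parameter rules and usage guidelines for ip-mac binding ipv4 and ip-mac binding ipv6 can be checked before any command reaches the device. The following Python sketch is an added example, not part of the H3C documentation: it validates an inventory against those rules and renders the commands for the entries that pass. The inventory layout (ip, mac, vlan, vpn keys) and function names are constructed, and accepting H-H-H groups with omitted leading zeros is an assumption.

```python
import ipaddress
import re

MAX_ENTRIES = 1024  # per address family, from the usage guidelines on this page
MAC_RE = re.compile(r"^[0-9a-f]{1,4}(-[0-9a-f]{1,4}){2}$", re.I)
# Constructed inventory; the first two rows reuse the example addresses on this page.
SAMPLE = [{"ip": "192.168.0.1", "mac": "1-1-1"},
          {"ip": "2012::12:25", "mac": "0001-0001-0001", "vlan": 10},
          {"ip": "192.168.0.1", "mac": "0002-0002-0002"},   # second MAC for one IP
          {"ip": "10.0.0.5", "mac": "0100-5e00-0001"}]      # multicast MAC

def normalize_mac(mac):
    """Validate an H-H-H MAC address and return it zero-padded in lower case."""
    if not MAC_RE.match(mac):
        raise ValueError(f"{mac}: not in H-H-H format")
    groups = [g.lower().zfill(4) for g in mac.split("-")]  # assumes leading zeros may be omitted
    value = int("".join(groups), 16)
    if value in (0, 0xFFFFFFFFFFFF) or (value >> 40) & 1:  # group bit of the first octet
        raise ValueError(f"{mac}: all 0s, all Fs or multicast MAC address")
    return "-".join(groups)

def render_bindings(entries):
    """Return (commands, errors) for dicts with ip, mac and optional vlan or vpn."""
    commands, errors, bound, count = [], [], {}, {4: 0, 6: 0}
    for e in entries:
        try:
            ip = ipaddress.ip_address(e["ip"])
            if ip.is_unspecified or ip.is_multicast or ip.is_loopback:
                raise ValueError(f"{ip}: all 0s, multicast or loopback address")
            mac = normalize_mac(e["mac"])
            if "vlan" in e and ("vpn" in e or not 1 <= e["vlan"] <= 4094):
                raise ValueError(f"{ip}: vlan must be 1 to 4094 and excludes vpn-instance")
            if "vpn" in e and not 1 <= len(e["vpn"]) <= 31:
                raise ValueError(f"{ip}: VPN instance name must be 1 to 31 characters")
            if ip in bound:  # an IP address can be bound to only one MAC address
                raise ValueError(f"{ip}: already bound to {bound[ip]}")
            if count[ip.version] >= MAX_ENTRIES:
                raise ValueError(f"{ip}: exceeds {MAX_ENTRIES} IPv{ip.version} entries")
        except ValueError as exc:
            errors.append(str(exc))
            continue
        bound[ip] = mac
        count[ip.version] += 1
        scope = f" vlan {e['vlan']}" if "vlan" in e else (
            f" vpn-instance {e['vpn']}" if "vpn" in e else "")
        commands.append(f"ip-mac binding ipv{ip.version} {ip} mac-address {mac}{scope}")
    return commands, errors
```
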

Related commands

display ip-mac binding ipv6

ip-mac binding no-match action deny

Use ip-mac binding no-match action deny to set the default action to deny for packets that do not match any IP-MAC binding entries.

Use undo ip-mac binding no-match action deny to restore the default.

Syntax

ip-mac binding no-match action deny

undo ip-mac binding no-match action deny

Default

The default action for packets that do not match any IP-MAC binding entries is permit.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use this command to permit only packets with both source IP address and source MAC address matching the same binding entry.

Examples

# Set the default action to deny for packets that do not match any IP-MAC binding entries.

<Sysname> system-view

[Sysname] ip-mac binding no-match action deny

reset ip-mac binding statistics

Use reset ip-mac binding statistics to clear statistics about packets dropped by the IP-MAC binding feature.

Syntax

reset ip-mac binding statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears statistics about packets dropped by the IP-MAC binding feature on all member devices.

Examples

# Clear statistics about packets dropped by the IP-MAC binding feature.

<Sysname> reset ip-mac binding statistics

Related commands

display ip-mac binding statistics
