09-Security Command Reference

HomeSupportReference GuidesCommand ReferencesH3C S6520X-HI[EI][SI] & S6520-SI & S5560X-HI & S5000-EI & MS4600 Switch Series Command References-R63xx-6W10109-Security Command Reference
17-IP source guard commands
Title Size Download
17-IP source guard commands 151.60 KB

IP source guard commands

display ip source binding

Use display ip source binding to display IPv4SG bindings.

Syntax

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping-vlan | arp-snooping-vsi | dhcp-relay | dhcp-server | dhcp-snooping | dot1x | remote ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

static: Displays static IPv4SG bindings.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display dynamic IPv4SG bindings for the public network, do not specify a VPN instance.

arp-snooping-vlan: Specifies IPv4SG bindings generated based on ARP snooping for VLANs.

arp-snooping-vsi: Specifies IPv4SG bindings generated based on ARP snooping for VSIs.

dhcp-relay: Specifies IPv4SG bindings generated based on DHCP relay agent.

dhcp-server: Specifies IPv4SG bindings generated based on DHCP server.

dhcp-snooping: Specifies IPv4SG bindings generated based on DHCP snooping.

dot1x: Specifies IPv4SG bindings generated based on 802.1X. To display dynamic IPv4SG bindings generated based on the 802.1X module, you must also specify the slot through which 802.1X users access the network.

remote: Specifies remote IPv4SG bindings synchronized by routing protocols.

ip-address ip-address: Specifies an IPv4 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4SG bindings for the master device.

Examples

# Display all IPSG bindings on the public network.

<Sysname> display ip source binding

Total entries found: 5

IP Address      MAC Address    Interface                VLAN Type

10.1.0.5        040a-0000-4000 XGE1/0/1                 1    DHCP snooping

10.1.0.6        040a-0000-3000 XGE1/0/1                 1    DHCP snooping

10.1.0.7        040a-0000-2000 XGE1/0/1                 1    DHCP snooping

10.1.0.8        040a-0000-1000 XGE1/0/2                 N/A  DHCP relay

10.1.0.9        040a-0000-2000 XGE1/0/2                 N/A  Static

Table 1 Command output

Field

Description

Total entries found

Total number of IPv4SG bindings.

IP Address

IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC Address

MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface

Interface of the binding. This field displays N/A for a global IPv4SG binding.

VLAN

VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

IPSG binding type:

·     Static—Manually configured by using the ip source binding command. Static bindings are for packet filtering in IPSG or used by other modules to provide security services.

·     ARP snooping vlan—Dynamically generated based on ARP snooping for the VLAN. The binding is for packet filtering in IPSG.

·     ARP snooping vsi—Dynamically generated based on ARP snooping for the VSI. The binding is for packet filtering in IPSG.

·     802.1X—Dynamically generated based on 802.1X. The binding is for packet filtering in IPSG.

·     DHCP relay—Dynamically generated based on DHCP relay agent. The binding is for packet filtering in IPSG.

·     DHCP server—Dynamically generated based on DHCP server. The binding is used by other modules to provide security services.

·     DHCP snooping—Dynamically generated based on DHCP snooping. The binding is for packet filtering in IPSG.

·     Remote—Synchronized by routing protocols from a remote device. The binding is used by ARP attack protection to provide security services.

 

Related commands

ip source binding

ip verify source

display ip source binding statistics

Use display ip source binding statistics to display statistics about local and remote IPv4SG bindings that routing protocols synchronize.

Syntax

display ip source binding statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

You can use this command to monitor the numbers of local and remote IPv4SG bindings that routing protocols synchronize in realtime. Based on the statistics, you can determine whether the maximum number of IPSG bindings is reached and whether attackers exist on the network.

This command displays the statistics only in the most recent hour.

Examples

# Display statistics about local and remote IPv4SG bindings that routing protocols synchronize.

<Sysname> display ip source binding statistics

  Time          Local entry count     Remote entry count

  Current       2000                  5200

  1 min ago     1351                  5135

  2 min ago     711                   5071

  3 min ago     708                   4774

  ...

  59 min ago    656                   1365

  60 min ago    607                   1300

Table 2 Command output

Field

Description

Time

Time when the statistics were collected.

Local entry count

Total number of local IPv4SG bindings that can be synchronized by routing protocols.

Remote entry count

Total number of remote IPv4SG bindings that were synchronized by routing protocols.

 

display ip source binding-local

Use display ip source binding-local to display local IPv4SG bindings that can be synchronized by routing protocols.

Syntax

display ip source binding-local [ interface interface-type interface-number ] [ dhcp-relay ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

dhcp-relay: Specifies dynamic IPv4SG bindings generated based on the DHCP relay module.

ip-address ip-address: Specifies an IP address.

mac-address mac-address: Specifies a MAC address, in the H-H-H format.

vlan vlan-id: Specifies a VLAN by its VLAN ID in the range of 1 to 4094.

slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. If you do not specify a member device or PEX, this command displays local IPv4SG bindings that can be synchronized by routing protocols on the master device.

Usage guidelines

If you do not specify any parameters, this command displays all local IPv4SG bindings that can be synchronized by routing protocols.

Examples

# Display local IPv4SG bindings that can be synchronized by routing protocols.

<Sysname> display ip source binding-local

Total entries found: 1

IP address      MAC address    Interface                VLAN  Type

10.1.0.5        040a-0000-4000 Vlan1                    1     DHCP relay

Table 3 Command output

Field

Description

Total entries found

Number of matching local IPv4SG bindings that can be synchronized by routing protocols.

IP address

IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC address

MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface

Interface in the binding. This field displays N/A for a global IPv4SG binding.

VLAN

VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

Type of the IPv4SG binding.

DHCP relay indicates that this binding was dynamically generated based on DHCP relay agent. This binding can be for packet filtering in IPSG.

 

display ip source binding-remote

Use display ip source binding-remote to display remote IPv4SG bindings synchronized by routing protocols.

Syntax

display ip source binding-remote [ router-id router-id ] [ dhcp-relay ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

router-id router-id: Specifies a remote device from which the device synchronizes IPv4SG bindings. The argument represents the router ID of the remote device, in IP address format.

dhcp-relay: Specifies dynamic IPv4SG bindings generated based on the DHCP relay module.

ip-address ip-address: Specifies an IP address.

mac-address mac-address: Specifies a MAC address, in the H-H-H format.

vlan vlan-id: Specifies a VLAN by its VLAN ID in the range of 1 to 4094.

slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. If you do not specify a member device or PEX, this command displays remote IPv4SG bindings synchronized by routing protocols on the master device.

Usage guidelines

If you do not specify any parameters, this command displays all remote IPv4SG bindings synchronized by routing protocols.

Examples

# Display remote IPv4SG bindings synchronized by routing protocols.

<Sysname> display ip source binding-remote

Total entries found: 1

IP address      MAC address    Router ID                VLAN  Type

10.1.0.5        040a-0000-4000 1.1.1.1                  1     DHCP relay

Table 4 Command output

Field

Description

Total entries found

Number of matching remote IPv4SG bindings that were synchronized by routing protocols.

IP address

IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC address

MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A.

Router ID

Interface in the binding. This field displays N/A for a global IPv4SG binding.

VLAN

VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

Type of the IPv4SG binding.

DHCP relay indicates that this binding was dynamically generated based on DHCP relay agent.

 

display ip verify source excluded

Use display ip verify source excluded to display source items that have been configured to be excluded from IPSG filtering.

Syntax

display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vlan start-vlan-id [ to end-vlan-id ]: Specifies VLANs that have been configured to be excluded from IPSG filtering. Value ranges for both the start-vlan-id and end-vlan-id arguments are 1 to 4094. The value for the end-vlan-id argument must be equal to or greater than the value for the start-vlan-id argument.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices.

Examples

# Display all source items that have been configured to be excluded from IPSG filtering.

<Sysname> display ip verify source excluded

Slot:

  Start VLAN ID        End VLAN ID    Status

  1                    20             Active

  24                   50             Active

  200                  300            Inactive

# Display VLANs (VLAN 3 and VLAN 5 through VLAN 10) that have been configured to be excluded from IPSG filtering.

<Sysname> display ip verify source excluded vlan 3

Slot:

  VLAN ID: 3

  Status: Active

 

<Sysname> display ip verify source excluded vlan 5 to 10

Slot:

  Start VLAN ID        End VLAN ID    Status

  5                    10             Active

Table 5 Command output

Field

Description

Start VLAN ID

Start VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering.

End VLAN ID

End VLAN ID of the VLAN range that has been configured to be excluded from IPSG filtering.

Status

Whether the excluded VLAN configuration takes effect:

·     Active—The configuration takes effect.

·     Inactive—The configuration does not take effect.

 

Related commands

ip verify source exclude

display ipv6 source binding

Use display ipv6 source binding to display IPv6SG address bindings.

Syntax

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-relay | dhcpv6-server | dhcpv6-snooping | dot1x | nd-snooping-vlan | nd-snooping-vsi | remote ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

static: Displays static IPv6SG address bindings.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display dynamic IPv6SG address bindings for the public network, do not specify a VPN instance.

dhcpv6-relay: Specifies IPv6SG bindings generated based on DHCPv6 relay agent.

dhcpv6-server: Specifies IPv6SG bindings generated based on DHCPv6 server.

dhcpv6-snooping: Specifies IPv6SG bindings generated based on DHCPv6 snooping.

dot1x: Specifies IPv6SG bindings generated based on 802.1X. To display dynamic IPv6SG address bindings generated based on the 802.1X module, you must also specify the slot through which 802.1X users access the network.

nd-snooping-vlan: Specifies IPv6SG bindings generated based on ND snooping for VLANs.

nd-snooping-vsi: Specifies IPv6SG bindings generated based on ND snooping for VSIs.

remote: Specifies remote IPv6SG bindings synchronized by routing protocols.

ip-address ipv6-address: Specifies an IPv6 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6SG address bindings for the master device.

Examples

# Display all IPv6SG address bindings on the public network.

<Sysname> display ipv6 source binding

Total entries found: 2

IPv6 Address         MAC Address    Interface               VLAN Type

2012:1222:2012:1222: 000f-2202-0435 XGE1/0/1                1    DHCPv6 snooping

2012:1222:2012:1222

2012:1222:2012:1222: 000f-2202-0436 XGE1/0/1                N/A  Static

2012:1222:2012:1223

Table 6 Command output

Field

Description

Total entries found

Total number of IPv6SG address bindings.

IPv6 Address

IPv6 address in the IPv6SG address binding. If no IPv6 address is bound in the binding, this field displays N/A.

MAC Address

MAC address in the IPv6SG address binding. If no MAC address is bound in the binding, this field displays N/A.

Interface

Interface of the IPv6SG address binding. This field displays N/A for a global IPv6SG binding.

VLAN

VLAN information in the IPv6SG address binding. If the binding contains no VLAN information, this field displays N/A.

Type

Type of the IPv6SG address binding:

·     Static—Manually configured by using the ipv6 source binding command. Static bindings are for packet filtering in IPv6SG or used by other modules to provide security services.

·     DHCPv6 relay—Dynamically generated based on DHCPv6 relay agent. The binding is for packet filtering in IPv6SG.

·     DHCPv6 sever—Dynamically generated based on DHCPv6 server. The binding is reported to the controller for the controller to understand the information about online and offline users. The binding is not for packet filtering.

·     DHCPv6 snooping—Dynamically generated based on DHCPv6 snooping. The binding is for packet filtering in IPv6SG.

·     802.1X—Dynamically generated based on 802.1X. The binding is for packet filtering in IPv6SG.

·     ND snooping vlan—Dynamically generated based on ND snooping for the VLAN. The binding is for packet filtering in IPv6SG.

·     ND snooping vsi—Dynamically generated based on ND snooping for the VSI. The binding is for packet filtering in IPv6SG.

·     Remote—Synchronized by routing protocols from a remote device. The binding is used by ND attack defense to provide security services.

 

Related commands

ipv6 source binding

ipv6 verify source

display ipv6 source binding pd

Use display ipv6 source binding pd to display IPv6SG prefix bindings.

Syntax

display ipv6 source binding pd [ vpn-instance vpn-instance-name ] [ prefix prefix/prefix-length ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any views

Predefined user roles

network-admin

network-operator

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display IPv6SG prefix bindings for the public network, do not specify a VPN instance.

prefix prefix/prefix-length: Specifies an IPv6 prefix. The value range for the prefix-length argument is 1 to 128. If you do not specify an IPv6 prefix, this command displays all IPv6SG prefix bindings.

mac-address mac-address: Specifies a MAC address in H-H-H format. If you do not specify a MAC address, this command displays IPv6SG prefix bindings for all MAC addresses.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays IPv6SG prefix bindings for all VLANs.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays IPv6SG prefix bindings for all interfaces.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6SG prefix bindings for the master device.

Usage guidelines

IPv6SG prefix bindings are dynamically obtained from the DHCPv6 snooping module.

Examples

# Display all IPv6SG prefix bindings.

<Sysname> display ipv6 source binding pd

Total entries found: 3

IPv6 prefix          MAC address     Interface      VLAN  Type

2012:1111::/64       000f-2202-0435  XGE1/0/1       1     DHCPv6 snooping

2012:2222::/64       000f-2202-0436  XGE2/0/1       2     DHCPv6 snooping

Table 7 Command output

Field

Description

Total entries found

Total number of IPv6SG prefix bindings.

IPv6 prefix

IPv6 prefix and prefix length in the IPv6SG prefix binding.

MAC address

MAC address in the IPv6SG prefix binding.

This field displays N/A if the MAC address is invalid.

Interface

Interface to which the IPv6SG prefix binding belongs.

This field displays N/A for a global IPv6SG prefix binding.

VLAN

VLAN information in the IPv6SG prefix binding.

This field displays N/A if the IPv6SG prefix binding does not contain the VLAN information.

Type

Type of the IPv6SG prefix binding:

DHCPv6 snooping—The binding is generated based on a DHCPv6 snooping entry.

 

Related commands

ipv6 source binding

ipv6 verify source

display ipv6 source binding statistics

Use display ipv6 source binding statistics to display statistics about local and remote IPv6SG bindings that routing protocols synchronize.

Syntax

display ipv6 source binding statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

You can use this command to monitor the numbers of local and remote IPv6SG bindings that routing protocols synchronize in realtime. Based on these statistics, you can determine whether the maximum number of IPSG bindings is reached and whether attackers exist on the network.

This command displays the statistics only in the most recent hour.

Examples

# Display statistics about local and remote IPv6SG bindings that routing protocols synchronize.

<Sysname> display ipv6 source binding statistics

  Time          Local entry count     Remote entry count

  Current       2000                  5200

  1 min ago     1351                  5135

  2 min ago     711                   5071

  3 min ago     708                   4774

  …

  59 min ago    656                   1365

  60 min ago    607                   1300

Table 8 Command output

Field

Description

Time

Time when the statistics were collected.

Local entry count

Total number of local IPv6SG bindings that can be synchronized by routing protocols.

Remote entry count

Total number of remote IPv6SG bindings that were synchronized by routing protocols.

 

display ipv6 source binding-local

Use ipv6 source binding-local to display local IPv6SG bindings that can be synchronized by routing protocols.

Syntax

display ipv6 source binding-local [ interface interface-type interface-number ] [ dhcpv6-relay | nd-snooping-vlan ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

dhcpv6-relay: Specifies dynamic IPv6SG bindings generated based on the DHCPv6 relay module.

nd-snooping-vlan: Specifies dynamic IPv6SG bindings generated based on the ND snooping module for VLANs.

ip-address ipv6-address: Specifies an IPv6 address.

mac-address mac-address: Specifies a MAC address, in the H-H-H format.

vlan vlan-id: Specifies a VLAN by its VLAN ID in the range of 1 to 4094.

slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. If you do not specify a member device or PEX, this command displays local IPv6SG bindings that can be synchronized by routing protocols on the master device.

Usage guidelines

If you do not specify any parameters, this command displays all local IPv6SG bindings that can be synchronized by routing protocols.

Examples

# Display local IPv6SG bindings that can be synchronized by routing protocols.

<Sysname> display ipv6 source binding-local

Total entries found: 2

IPv6 address      MAC address    Interface                VLAN  Type

10::1             040a-0000-1000 GE1/0/1                  2     ND snooping vlan

100::1            04ef-7010-1000 Vlan10                   10    DHCPv6 relay

Table 9 Command output

Field

Description

Total entries found

Number of matching local IPv6SG bindings that can be synchronized by routing protocols.

IPv6 address

IPv6 address in the IPv6SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC address

MAC address in the IPv6SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface

Interface in the binding. This field displays N/A for a global IPv6SG binding.

VLAN

VLAN information in the IPv6SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

Type of the IPv6SG binding.

·     ND snooping vlan—Dynamically generated based on the ND snooping module for the VLAN. This binding is for packet filtering in IPSG.

·     DHCP relay—Dynamically generated based on DHCP relay agent. This binding is for packet filtering in IPSG.

 

display ipv6 source binding-remote

Use display ipv6 source binding-remote to display remote IPv6SG bindings synchronized by routing protocols.

Syntax

display ipv6 source binding-remote [ router-id router-id ] [ dhcpv6-relay | nd-snooping-vlan] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

router-id router-id: Specifies a remote device from which the device synchronizes IPv6SG bindings. The router-id argument represents the router ID of the remote device, in IP address format.

dhcpv6-relay: Specifies dynamic IPv6SG bindings generated based on the DHCPv6 relay module.

nd-snooping-vlan: Specifies dynamic IPv6SG bindings generated based on the ND snooping module for VLANs.

ip-address ipv6-address: Specifies an IPv6 address.

mac-address mac-address: Specifies a MAC address, in the H-H-H format.

vlan vlan-id: Specifies a VLAN by its VLAN ID in the range of 1 to 4094.

slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. If you do not specify a member device or PEX, this command displays remote IPv6SG bindings synchronized by routing protocols on the master device.

Usage guidelines

If you do not specify any parameters, this command displays all remote IPv6SG bindings synchronized by routing protocols.

Examples

# Display remote IPv6SG bindings synchronized by routing protocols.

<Sysname> display ipv6 source binding-remote

Total entries found: 2

IPv6 address    MAC address    Router ID                VLAN  Type

10::1           040a-0000-1000 4.4.4.4                  2     ND snooping vlan

100::1          04ef-7010-1000 5.5.5.5                  10    DHCPv6 relay

Table 10 Command output

Field

Description

Total entries found

Number of matching remote IPv6SG bindings that were synchronized by routing protocols.

IPv6 address

IPv6 address in the IPv6SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC address

MAC address in the IPv6SG binding. If no MAC address is bound in the binding, this field displays N/A.

Router ID

Interface in the binding. This field displays N/A for a global IPv6SG binding.

VLAN

VLAN information in the IPv6SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

Type of the IPv6SG binding.

·     ND snooping vlan—Dynamically generated based on the ND snooping module for the VLAN.

·     DHCP relay—Dynamically generated based on DHCP relay agent.

 

ip source binding (interface view)

Use ip source binding to configure a static IPv4SG binding on an interface.

Use undo ip source binding to delete the static IPv4SG bindings configured on an interface.

Syntax

ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

Default

No static IPv4SG bindings exist on an interface.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

all: Removes all static IPv4SG bindings on the interface.

ip-address ip-address: Specifies an IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x or 0.0.0.0.

mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.

Usage guidelines

Static IPv4SG bindings on an interface implement the following functions:

·     Filter incoming IPv4 packets on the interface.

·     Check user validity by cooperating with the ARP attack detection feature.

Examples

# Configure a static IPv4SG binding on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001

Related commands

display ip source binding

ip source binding (system view)

ip source binding (system view)

Use ip source binding to configure a global static IPv4SG binding.

Use undo ip source binding to delete one or all global static IPv4SG bindings.

Syntax

ip source binding ip-address ip-address mac-address mac-address

undo ip source binding { all | ip-address ip-address mac-address mac-address }

Default

No global static IPv4SG bindings exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address ip-address: Specifies the IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x or 0.0.0.0.

mac-address mac-address: Specifies the MAC address for the static binding. The MAC address is in the format H-H-H but cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

all: Removes all global static IPv4SG bindings.

Usage guidelines

A global static IPv4SG binding takes effect on all interfaces.

Examples

# Configure a global static IPv4SG binding.

<Sysname> system-view

[Sysname] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001

Related commands

display ip source binding

ip source binding (interface view)

ip verify source

Use ip verify source to enable IPv4SG on an interface.

Use undo ip verify source to disable IPv4SG on an interface.

Syntax

ip verify source { ip-address | ip-address mac-address | mac-address }

undo ip verify source

Default

The IPv4SG feature is disabled on an interface.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

VLAN view

Predefined user roles

network-admin

Parameters

ip-address: Filters incoming packets by source IPv4 addresses.

ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.

mac-address: Filters incoming packets by source MAC addresses.

Usage guidelines

After you enable IPv4SG on an interface, this feature uses static and dynamic IPv4SG bindings to match incoming packets on the interface. Packets that match an IPv4SG binding are forwarded and packets that do not match any IPv4SG binding are discarded.

The matching criterion specified by this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.

If you enable IPv4SG in a VLAN, IPv4SG is enabled on all Layer 2 Ethernet interfaces that belong to the VLAN.

Do not configure IPv4SG both in a VLAN and on an Ethernet interface that belongs to the VLAN. Before you perform one of the configurations, make sure the other configuration does not exist.

If you re-execute this command to modify the matching criterion, the new criterion applies only to packets of the access users that come online after the command execution.

You can configure IPv4SG on an interface or in a VLAN multiple times, the most recent configuration takes effect.

Examples

# Enable IPv4SG on Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address

# Enable IPv4SG on VLAN-interface 100 and verify the source IPv4 address and MAC address for dynamic IPSG.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ip verify source ip-address mac-address

# Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/2

[Sysname-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address

# Enable IPv4SG on Layer 3 Ethernet interface Ten-GigabitEthernet 1/0/2 and verify the source MAC address for dynamic IPSG.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/2

[Sysname-Ten-GigabitEthernet1/0/2] ip verify source mac-address

# Enable IPv4SG in VLAN 10 and verify the source IPv4 address and MAC address for dynamic IPv4SG.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] ip verify source ip-address mac-address

Related commands

display ip source binding

ip verify source alarm

Use ip verify source alarm to enable IPv4SG alarming on an interface.

Use undo ipv6 verify source alarm to disable IPv4SG alarming on an interface.

Syntax

ip verify source alarm [ alarm-threshold ]

undo ip verify source alarm

Default

IPv4SG alarming is disabled on an interface.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

alarm-threshold: Specifies the IPv4SG alarm threshold in pps. The value range for this argument is 1 to 1000, and the default is 50.

Usage guidelines

This feature monitors the number of packets dropped by IPv4SG per second. When the packet dropping rate reaches or exceeds the alarm threshold, the device generates an alarm log. When the packet dropping rate drops below the alarm threshold, the device generates an alarm-cleared log.

Examples

# Enable IPv4SG alarming on Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 and set the alarm threshold to 100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ip verify source alarm 100

# Enable IPv4SG alarming on VLAN-interface 10 and set the alarm threshold to 100.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ip verify source alarm 100

Related commands

ip verify source

ip verify source trust

ip verify source exclude

Use ip verify source exclude to exclude IPv4 packets with the specified source items from IPSG filtering.

Use undo ip verify source exclude to remove the specified excluded source items.

Syntax

ip verify source exclude vlan start-vlan-id [ to end-vlan-id ]

undo ip verify source exclude vlan start-vlan-id [ to end-vlan-id ]

Default

No excluded source items are configured.

Views

System view

Predefined user roles

network-admin

Parameters

vlan start-vlan-id [ to end-vlan-id ]: Specifies excluded VLANs. Value ranges for both the start-vlan-id and end-vlan-id arguments are 1 to 4094. The value for the end-vlan-id argument must be equal to or greater than the value for the start-vlan-id argument. A single excluded VLAN is specified if you specify only the start-vlan-id argument or specify the same VLAN ID for the start-vlan-id and end-vlan-id arguments.

Usage guidelines

This command allows all IPv4 packets with the specified source items to be forwarded without being processed by IPSG.

You can execute this command multiple times to specify multiple excluded VLANs. The specified excluded VLANs cannot overlap.

To successfully delete excluded VLANs, make sure the VLANs specified in the undo form of this command are the same as the VLANs specified when you configure excluded VLANs.

Examples

# Exclude IPv4 packets from VLAN 3 and VLAN 5 through VLAN 10 from IPSG filtering.

<Sysname> system-view

[Sysname] ip verify source exclude vlan 3

[Sysname] ip verify source exclude vlan 5 to 10

Related commands

display ip verify source excluded

ip verify source trust

Use ip verify source trust to configure an IPv4SG trusted port.

Use undo ip verify source trust to delete an IPv4SG trusted port.

Syntax

ip verify source trust

undo ip verify source trust

Default

No IPv4SG trusted ports are configured.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

IPv4SG does not take effect on an IPv4SG trusted port, and all incoming packets on the port are allowed to pass through.

If a Layer 2 Ethernet interface in a VLAN is configured as an IPv4SG trusted port, IPv4SG does not take effect on the interface even though this VLAN is enabled with IPv4SG.

Examples

# Configure Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 as an IPv4SG trusted port.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ip verify source trust

Related commands

ip verify source

ipv6 source binding (interface view)

Use ipv6 source binding to configure a static IPv6SG binding.

Use undo ipv6 source binding to delete the static IPv6SG bindings configured on an interface.

Syntax

ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

Default

No static IPv6SG bindings exist on an interface.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

all: Removes all the static IPv6SG bindings on the interface.

ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.

mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.

Usage guidelines

Static IPv6SG bindings on an interface filter incoming IPv6 packets, and check user validity by cooperating with the ND attack detection feature.

Examples

# Configure a static IPv6SG binding on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002

Related commands

display ipv6 source binding

display ipv6 source binding pd

ipv6 source binding (system view)

ipv6 source binding (system view)

Use ipv6 source binding to configure a global static IPv6SG binding.

Use undo ipv6 source binding to delete one or all global static IPv6SG bindings.

Syntax

ipv6 source binding ip-address ipv6-address mac-address mac-address

undo ipv6 source binding { all | ip-address ipv6-address mac-address mac-address }

Default

No global static IPv6SG bindings exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address ipv6-address: Specifies the IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.

mac-address mac-address: Specifies the MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

all: Removes all global static IPv6SG bindings.

Usage guidelines

A global static IPv6SG binding takes effect on all interfaces.

Examples

# Configure a global static IPv6SG binding.

<Sysname> system-view

[Sysname] ipv6 source binding ipv6-address 2001::1 mac-address 0002-0002-0002

Related commands

display ipv6 source binding

display ipv6 source binding pd

ipv6 source binding (interface view)

ipv6 verify source

Use ipv6 verify source to enable IPv6SG on an interface.

Use undo ipv6 verify source to disable IPv6SG on an interface.

Syntax

ipv6 verify source { ip-address | ip-address mac-address | mac-address }

undo ipv6 verify source

Default

The IPv6SG feature is disabled on an interface.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

VLAN view

Predefined user roles

network-admin

Parameters

ip-address: Filters incoming packets by source IPv6 addresses.

ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.

mac-address: Filters incoming packets by source MAC addresses.

Usage guidelines

After you enable IPv6SG on an interface, this feature uses static and dynamic IPv6SG bindings to match incoming packets on the interface. Packets that match an IPv6SG binding are forwarded and packets that do not match any IPv6SG binding are discarded.

The matching criterion specified by this command applies only to dynamic IPv6SG. Static IPv6SG uses static bindings configured by using the ipv6 source binding command.

If you enable IPv6SG in a VLAN, IPv6SG is enabled on all Layer 2 Ethernet interfaces that belong to the VLAN.

Do not configure IPv6SG both in a VLAN and on an Ethernet interface that belongs to the VLAN. Before you perform one of the configurations, make sure the other configuration does not exist.

If you re-execute this command to modify the matching criterion, the new criterion applies only to packets of the access users that come online after the command execution.

You can configure IPv6SG on an interface or in a VLAN multiple times, the most recent configuration takes effect.

Examples

# Enable IPv6SG on Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 and verify the source IPv6 address and MAC address for dynamic IPv6SG.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address

# Enable IPv6SG in VLAN 10 and verify the source IPv6 address and MAC address for dynamic IPv6SG.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] ipv6 verify source ip-address mac-address

Related commands

display ipv6 source binding

display ipv6 source binding pd

ipv6 verify source alarm

Use ipv6 verify source alarm to enable IPv6SG alarming on an interface.

Use undo ipv6 verify source alarm to disable IPv6SG alarming on an interface.

Syntax

ipv6 verify source alarm [ alarm-threshold ]

undo ipv6 verify source alarm

Default

IPv6SG alarming is disabled on an interface.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

alarm-threshold: Specifies the IPv6SG alarm threshold, in pps. The value range for this argument is 1 to 1000, and the default is 50.

Usage guidelines

This feature monitors the number of packets dropped by IPv6SG per second. When the packet dropping rate reaches or exceeds the alarm threshold, the device generates an alarm log. When the packet dropping rate drops below the alarm threshold, the device generates an alarm-cleared log.

Examples

# Enable IPv6SG alarming on Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 and set the alarm threshold to 100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ipv6 verify source alarm 100

# Enable IPv6SG alarming on VLAN-interface 10 and set the alarm threshold to 100.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 verify source alarm 100

Related commands

ipv6 verify source

ipv6 verify source trust

Use ipv6 verify source trust to configure an IPv6SG trusted port.

Use undo ipv6 verify source trust to delete an IPv6SG trusted port.

Syntax

ipv6 verify source trust

undo ipv6 verify source trust

Default

No IPv6SG trusted ports are configured.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

IPv6SG does not take effect on an IPv6SG trusted port, and all incoming packets on the port are allowed to pass through.

If a Layer 2 Ethernet interface in a VLAN is configured as an IPv6SG trusted port, IPv6SG does not take effect on the interface even though this VLAN is enabled with IPv6SG.

Examples

# Configure Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/1 as an IPv6SG trusted port.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ipv6 verify source trust

Related commands

ipv6 verify source

 

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网