Contents

IP source guard commands· 1

display ip source binding· 1

display ipv6 source binding· 2

ip verify source· 3

ipv6 verify source· 4

 

IP source guard commands

display ip source binding

Use display ip source binding to display IPv4SG bindings.

Syntax

In standalone mode:

display ip source binding [ wlan-snooping ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ]

In IRF mode:

display ip source binding [ wlan-snooping ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

wlan-snooping: Specifies the WLAN snooping module.

ip-address ip-address: Specifies an IPv4 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4SG bindings for the master device. (In IRF mode.)

Examples

# Display all IPSG bindings on the public network.

<Sysname> display ip source binding

Total entries found: 2

IP Address      MAC Address    Interface                VLAN Type

10.1.0.5        040a-0000-4000 WLAN-BSS1/0/1            1    WLAN snooping

10.1.0.6        040a-0000-3000 WLAN-BSS1/0/2            1    WLAN snooping

Table 1 Command output

Field	Description
Total entries found	Total number of IPv4SG bindings.
IP Address	IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A.
MAC Address	MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A.
Interface	Interface of the binding. This field displays N/A for a global IPv4SG binding.
VLAN	VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A.
Type	Type of the IPv4SG binding. WLAN snooping indicates that the IPv4SG binding is dynamically generated based on WLAN snooping. The binding is used by other modules to provide security services.

 

Related commands

ip verify source

display ipv6 source binding

Use display ipv6 source binding to display IPv6SG bindings.

Syntax

In standalone mode:

display ipv6 source binding [ wlan-snooping ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ]

In IRF mode:

display ipv6 source binding [ wlan-snooping ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

wlan-snooping: Specifies the WLAN snooping module.

ip-address ipv6-address: Specifies an IPv6 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6SG bindings for the master device. (In IRF mode.)

Examples

# Display all IPv6SG bindings on the public network.

<Sysname> display ipv6 source binding

Total entries found: 1

IPv6 Address         MAC Address    Interface               VLAN Type

2012:1222:2012:1222: 000f-2202-0435 WLAN-BSS1/0/1           1    DHCPv6 snooping

2012:1222:2012:1222

Table 2 Command output

Field	Description
Total entries found	Total number of IPv6SG bindings.
IPv6 Address	IPv6 address in the IPv6SG binding. If no IPv6 address is bound in the binding, this field displays N/A.
MAC Address	MAC address in the IPv6SG binding. If no MAC address is bound in the binding, this field displays N/A.
Interface	Interface of the IPv6SG binding. This field displays N/A for a global IPv6SG binding.
VLAN	VLAN information in the IPv6SG binding. If the binding contains no VLAN information, this field displays N/A.
Type	Type of the IPv6SG binding. WLAN snooping indicates that the IPv6SG binding is dynamically generated based on WLAN snooping. The binding is used by other modules to provide security services.

 

Related commands

ipv6 verify source

ip verify source

Use ip verify source to enable the IPSG feature for IPv4.

Use undo ip verify source to disable the IPSG feature for IPv4.

Syntax

ip verify source [ alarm-only ]

undo ip verify source

Default

The IPSG feature is disabled for IPv4.

Views

Service template view

Predefined user roles

network-admin

Parameters

alarm-only: Represents that the IPSG feature for IPv4 only generates alarms but does not block traffic.

Usage guidelines

This feature uses WLAN snooping entries to filter IPv4 packets received by an AP. It drops packets that do not match the entries. A WLAN snooping entry is an IP-MAC binding.

In an IPv4 network, IPSG uses only the WLAN snooping entries obtained through DHCP packets.

Examples

# Enable the IPSG feature for IPv4.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ip verify source

ipv6 verify source

Use ipv6 verify source to enable the IPSG feature for IPv6.

Use undo ipv6 verify source to disable the IPSG feature for IPv6.

Syntax

ipv6 verify source [ alarm-only ]

undo ipv6 verify source

Default

The IPSG feature is disabled for IPv6.

Views

Service template view

Predefined user roles

network-admin

Parameters

alarm-only: Represents that the IPSG feature for IPv6 only generates alarms but does not block traffic.

Usage guidelines

This feature uses WLAN snooping entries to filter IPv6 packets received by an AP. It drops packets that do not match the entries. A WLAN snooping entry is an IP-MAC binding.

Examples

# Enable the IPSG feature for IPv6.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ipv6 verify source