Login
- Table of Contents
-
- 03-Security Command Reference
- 00-Preface
- 01-Security zone commands
- 02-Security policy commands
- 03-Object group commands
- 04-Object policy commands
- 05-AAA commands
- 06-IPoE commands
- 07-Portal commands
- 08-User identification commands
- 09-Password control commands
- 10-Public key management commands
- 11-PKI commands
- 12-SSH commands
- 13-SSL commands
- 14-ASPF commands
- 15-APR commands
- 16-Session management commands
- 17-Connection limit commands
- 18-Attack detection and prevention commands
- 19-DDoS protection commands
- 20-uRPF commands
- 21-ARP attack protection commands
- 22-ND attack defense commands
- 23-IP-MAC binding commands
- 24-Keychain commands
- 25-Crypto engine commands
- 26-SMS commands
- 27-Terminal identification commands
- 28-Flow manager commands
- 29-Location identification commands
- 30-Server connection detection commands
- 31-Trusted access control commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 23-IP-MAC binding commands | 85.16 KB |
Contents
display ip-mac binding statistics
ip-mac binding no-match action deny
reset ip-mac binding statistics
IP-MAC binding commands
display ip-mac binding ipv4
Use display ip-mac binding ipv4 to display IPv4-MAC binding entries.
Syntax
display ip-mac binding ipv4 [ ipv4-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be an all 0s, a multicast address, or a loopback address. If you do not specify an IPv4 address, this command displays IPv4-MAC binding entries for all IPv4 addresses.
mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address. If you do not specify a MAC address, this command displays IPv4-MAC binding entries for all MAC addresses.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays IPv4-MAC binding entries for all VLANs.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, this command displays IPv4-MAC binding entries for the public network.
Examples
# Display IPv4-MAC binding entries.
<Sysname> display ip-mac binding ipv4
Total entries: 1
IP address MAC address VPN instance VLAN ID
1.1.1.1 0000-0000-0001 -- N/A
Table 1 Command output
|
Field |
Description |
|
Total entries |
Total number of IPv4-MAC binding entries. |
|
IP address |
IPv4 address in the IPv4-MAC binding entry. |
|
MAC address |
MAC address in the IPv4-MAC binding entry. |
|
VPN instance |
Name of the VPN instance to which the IPv4-MAC binding entry belongs. If the binding entry belongs to the public network, this field displays hyphens (--). |
|
VLAN ID |
VLAN to which the IPv4-MAC binding entry belongs. |
Related commands
ip-mac binding ipv4
display ip-mac binding ipv6
Use display ip-mac binding ipv6 to display IPv6-MAC binding entries.
Syntax
display ip-mac binding ipv6 [ ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id | vpn-instance vpn-instance-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be all 0s, a multicast address, or a loopback address. If you do not specify an IPv6 address, this command displays IPv6-MAC binding entries for all IPv6 addresses.
mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address. If you do not specify a MAC address, this command displays IPv6-MAC binding entries for all MAC addresses.
vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays IPv6-MAC binding entries for all VLANs.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, this command displays IPv6-MAC binding entries for the public network.
Examples
# Display IPv6-MAC binding entries.
<Sysname> display ip-mac binding ipv6
Total entries: 1
IP address MAC address VPN instance VLAN ID
10::10 0000-0000-0001 -- N/A
Table 2 Command output
|
Field |
Description |
|
Total entries |
Total number of IPv6-MAC binding entries. |
|
IP address |
IPv6 address in the IPv6-MAC binding entry. |
|
MAC address |
MAC address in the IPv6-MAC binding entry. |
|
VPN instance |
Name of the VPN instance to which the IPv6-MAC binding entry belongs. If the binding entry belongs to the public network, this field displays hyphens (--). |
|
VLAN ID |
VLAN to which the IPv6-MAC binding entry belongs. |
Related commands
ip-mac binding ipv6
display ip-mac binding statistics
Use display ip-mac binding statistics to display statistics about packets dropped by the IP-MAC binding feature.
Syntax
In standalone mode:
display ip-mac binding statistics [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display ip-mac binding statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about packets dropped by the IP-MAC binding feature for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics about packets dropped by the IP-MAC binding feature for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
When the deny action is set for packets that do not match any IP-MAC binding entries, this command displays statistics about the following packets:
· Packets that do not exactly match any IP-MAC binding entries.
· Packets that do not match any IP-MAC binding entries.
Examples
# (In standalone mode.) Display statistics about packets dropped by the IP-MAC binding feature on the specified slot.
<Sysname> display ip-mac binding statistics slot 1
Slot 1:
Statistics about dropped packets:
IPv4 drop statistics:
IPv4 ip-mac binding dropped packets because partial match ip: 3
IPv4 ip-mac binding dropped packets because partial match mac: 0
IPv4 ip-mac binding dropped packets because no match entry: 12
IPv6 drop statistics:
IPv6 ip-mac binding dropped packets because partial match ip: 0
IPv6 ip-mac binding dropped packets because partial match mac: 0
IPv6 ip-mac binding dropped packets because no match entry: 0
Table 3 Command output
|
Field |
Description |
|
IPv4 drop statistics |
Number of IPv4 packets dropped by the IP-MAC binding feature. |
|
IPv4 ip-mac binding dropped packets because partial match ip |
Number of IPv4 packets that were dropped because no matching IPv4-MAC binding entries were found for the source MAC address. |
|
IPv4 ip-mac binding dropped packets because partial match mac |
Number of IPv4 packets that were dropped because no matching IPv4-MAC binding entry was found for the source IP address. |
|
IPv4 ip-mac binding dropped packets because no match entry |
Number of IPv4 packets that were dropped because no matching IPv4-MAC binding entry was found for the source IP address and source MAC address. |
|
IPv6 drop statistics |
Number of IPv6 packets dropped by the IP-MAC binding feature. |
|
IPv6 ip-mac binding dropped packets because partial match ip |
Number of IPv6 packets that were dropped because no matching IPv6-MAC binding entries were found for the source MAC address. |
|
IPv6 ip-mac binding dropped packets because partial match mac |
Number of IPv6 packets that were dropped because no matching IPv6-MAC binding entry was found for the source IP address. |
|
IPv6 ip-mac binding dropped packets because no match entry |
Number of IPv6 packets that were dropped because no matching IPv6-MAC binding entry was found for the source IP address and source MAC address. |
Related commands
reset ip-mac binding statistics
display ip-mac binding status
Use display ip-mac binding status to display the status of the IP-MAC binding feature.
Syntax
display ip-mac binding status
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
This command displays the status of the IP-MAC binding feature and the default action for packets that do not match any IP-MAC binding entries.
Examples
# Display the status of the IP-MAC binding feature.
<Sysname> display ip-mac binding status
ip-mac binding: Disabled
ip-mac binding no-match action: Deny
Table 4 Command output
|
Field |
Description |
|
ip-mac binding |
Status of the IP-MAC binding feature, Enabled or Disabled. |
|
ip-mac binding no-match action |
The default action for packets that do not match any IP-MAC binding entries: · Permit—Forwards packets. · Deny—Drops packets. |
ip-mac binding enable
Use ip-mac binding enable to enable the IP-MAC binding feature.
Use undo ip-mac binding enable to disable the IP-MAC binding feature.
Syntax
ip-mac binding enable
undo ip-mac binding enable
Default
The IP-MAC binding feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
The IP-MAC binding feature uses IP-MAC binding entries to match the source IP address and source MAC address in incoming packets:
· If both the source IP address and source MAC address match the same binding entry, the feature permits the packet.
· If only the source IP address or source MAC address matches a binding entry, the feature denies the packet.
· If the source IP address and the source MAC address match no binding entries, the feature processes the packet based on the specified action.
The IP-MAC binding entries are static. Therefore, this feature is applicable to only scenario that all users are statically assigned IP addresses. Using this feature in a network where users' IP addresses are dynamically assigned through DHCP might cause communication failure.
Examples
# Enable the IP-MAC binding feature.
<Sysname> system-view
[Sysname] ip-mac binding enable
ip-mac binding interface
Use ip-mac binding interface to generate IP-MAC binding entries based on existing ARP and ND entries on an interface.
Syntax
ip-mac binding interface interface-type interface-number
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
interface-type interface-number: Specifies an interface by its name and type. The interface must be a Layer 3 Ethernet interface or subinterface, Layer 3 aggregate interface or subinterface, Reth interface or subinterface, or VLAN interface.
Usage guidelines
Use this command to generate IP-MAC binding entries based on existing ARP entries and ND entries on an interface. If the newly generated IP-MAC binding entries conflict with the existing IP-MAC binding entries, the device retains the existing entries.
To generate IP-MAC binding entries based on ARP entries and ND entries newly added after the command execution, re-execute this command.
To delete IPv4-MAC binding entries generated by using this command, use the undo ip-mac binding ipv4 command. To delete IPv6-MAC binding entries generated by using this command, use the undo ip-mac binding ipv6 command.
IP-MAC binding entries are static. Therefore, the binding entries generated by using this command are not updated when the relevant ARP or ND entries change.
Examples
# Generate IP-MAC binding entries based on existing ARP and ND entries on GigabitEthernet 0/0/1.
<Sysname> system-view
[Sysname] ip-mac binding interface gigabitethernet 0/0/1
ip-mac binding ipv4
Use ip-mac binding ipv4 to create an IPv4-MAC binding entry.
Use undo ip-mac binding ipv4 to delete IPv4-MAC binding entries.
Syntax
ip-mac binding ipv4 ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]
undo ip-mac binding ipv4 { all | ipv4-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ] }
Default
No IPv4-MAC binding entries are configured.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be all 0s, a multicast address, or a loopback address.
mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, the IPv4-MAC binding entry belongs to the public network.
all: Specifies all IPv4-MAC binding entries.
Usage guidelines
A MAC address can be bound to multiple IPv4 addresses. However, an IPv4 address can be bound to only one MAC address. To bind an IPv4 address in a binding entry to another MAC address, you must delete the existing binding entry, and then create the new binding entry.
IPv4-MAC binding entries created by using this command are globally effective.
The device supports a maximum of 1024 IPv4-MAC binding entries.
Examples
# Create an IPv4-MAC binding entry to permit packets with source IPv4 address 192.168.0.1 and source MAC address 0001-0001-0001.
<Sysname> system-view
[Sysname] ip-mac binding ipv4 192.168.0.1 mac-address 0001-0001-0001
Related commands
display ip-mac binding ipv4
ip-mac binding ipv6
Use ip-mac binding ipv6 to create an IPv6-MAC binding entry.
Use undo ip-mac binding ipv6 to delete IPv6-MAC binding entries.
Syntax
ip-mac binding ipv6 ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ]
undo ip-mac binding ipv6 { all | ipv6-address mac-address mac-address [ vlan vlan-id | vpn-instance vpn-instance-name ] }
Default
No IPv6-MAC binding entries are configured.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be all 0s, a multicast address, or a loopback address.
mac-address mac-address: Specifies a MAC address in the format of H-H-H. The MAC address cannot be all 0s, all Fs (a broadcast MAC address ), or a multicast address.
vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. The specified VPN must already exist. If you do not specify a VPN instance, the IPv6-MAC binding entry belongs to the public network.
all: Specifies all IPv6-MAC binding entries.
Usage guidelines
A MAC address can be bound to multiple IPv6 addresses. However, an IPv6 address can be bound to only one MAC address. To bind an IPv6 address in a binding entry to another MAC address, you must delete the existing binding entry and then create the new binding entry.
IPv6-MAC binding entries created by using this command are globally effective.
The device supports a maximum of 1024 IPv6-MAC binding entries.
Examples
# Create an IPv6-MAC binding entry to permit packets with source IPv6 address 2012::12:25 and source MAC address 0001-0001-0001.
<Sysname> system-view
[Sysname] ip-mac binding ipv6 2012::12:25 mac-address 0001-0001-0001
Related commands
display ip-mac binding ipv6
ip-mac binding no-match action deny
Use ip-mac binding no-match action deny to set the default action to deny for packets that do not match any IP-MAC binding entries.
Use undo ip-mac binding no-match action deny to restore the default.
Syntax
ip-mac binding no-match action deny
undo ip-mac binding no-match action deny
Default
The default action for packets that do not match any IP-MAC binding entries is permit.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command to permit only packets with both source IP address and source MAC address matching the same binding entry.
Examples
# Set the default action to deny for packets that do not match any IP-MAC binding entries.
<Sysname> system-view
[Sysname] ip-mac binding no-match action deny
reset ip-mac binding statistics
Use reset ip-mac binding statistics to clear statistics about packets dropped by the IP-MAC binding feature.
Syntax
In standalone mode:
reset ip-mac binding statistics [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset ip-mac binding statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics about packets dropped by the IP-MAC binding feature on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics about packets dropped by the IP-MAC binding feature on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Clear statistics about packets dropped by the IP-MAC binding feature on the specified slot.
<Sysname> reset ip-mac binding statistics slot 1
Related commands
display ip-mac binding statistics
