IP source guard commands
display ip source binding
Use display ip source binding to display IPv4SG bindings.
Syntax
display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
static: Displays static IPv4SG bindings.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display dynamic IPv4SG bindings for the public network, do not specify a VPN instance.
arp-snooping: Specifies IPv4SG bindings generated based on ARP snooping.
dhcp-snooping: Specifies IPv4SG bindings generated based on DHCP snooping.
dot1x: Specifies IPv4SG bindings generated based on 802.1X. To display dynamic IPv4SG bindings generated based on the 802.1X module, you must also specify the slot through which 802.1X users access the network.
ip-address ip-address: Specifies an IPv4 address.
mac-address mac-address: Specifies a MAC address in H-H-H format.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4SG bindings for the active MPU.
Examples
# Display all IPSG bindings on the public network.
<Sysname> display ip source binding
Total entries found: 5
IP Address MAC Address Interface VLAN Type
10.1.0.5 040a-0000-4000 XGE0/0/6 1 DHCP snooping
10.1.0.6 040a-0000-3000 XGE0/0/6 1 DHCP snooping
10.1.0.7 040a-0000-2000 XGE0/0/6 1 DHCP snooping
10.1.0.9 040a-0000-2000 XGE0/0/7 N/A Static
Table 1 Command output
Field | Description |
---|---|
Total entries found | Total number of IPv4SG bindings. |
IP Address | IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A. |
MAC Address | MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A. |
Interface | Interface of the binding. This field displays N/A for a global IPv4SG binding. |
VLAN | VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A. |
Type | IPSG binding type: · Static—Manually configured by using the ip source binding command. Static bindings are for packet filtering in IPSG or used by other modules to provide security services. · ARP snooping—Dynamically generated based on ARP snooping. The binding is for packet filtering in IPSG. · 802.1X—Dynamically generated based on 802.1X. The binding is for packet filtering in IPSG. · DHCP snooping—Dynamically generated based on DHCP snooping. The binding is for packet filtering in IPSG. |
Related commands
ip source binding
ip verify source
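The binding table is also an audit source. The following added example (not part of the vendor documentation) parses text in the column layout shown above and reports entries worth a follow-up: a declared total that differs from the parsed rows, a MAC address bound on more than one interface, and an IP address bound to more than one MAC address. The sample text is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout shown above (not captured from a device).
SAMPLE = """\
<Sysname> display ip source binding
Total entries found: 4
IP Address      MAC Address     Interface   VLAN  Type
10.1.0.5        040a-0000-4000  XGE0/0/6    1     DHCP snooping
10.1.0.6        040a-0000-3000  XGE0/0/6    1     DHCP snooping
10.1.0.7        040a-0000-2000  XGE0/0/6    1     DHCP snooping
10.1.0.9        040a-0000-2000  XGE0/0/7    N/A   Static
"""

TOTAL = re.compile(r"^Total entries found:\s*(\d+)")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S.*)$")  # type may contain a space

def parse_bindings(text):
    """Return (declared_total, rows) parsed from the command output."""
    total, rows = None, []
    for line in (l.strip() for l in text.splitlines()):
        m = TOTAL.match(line)
        if m:
            total = int(m.group(1))
        elif line and not line.startswith(("<", "IP Address")):
            m = ROW.match(line)
            if m:
                rows.append(dict(zip(("ip", "mac", "interface", "vlan", "type"), m.groups())))
    return total, rows

def audit(text):
    """Return findings worth a follow-up; a finding is a lead, not proof of abuse."""
    total, rows = parse_bindings(text)
    findings = []
    if total is not None and total != len(rows):
        findings.append(f"declared {total} entries but parsed {len(rows)}")
    ports_by_mac, macs_by_ip = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["mac"] != "N/A":
            ports_by_mac[r["mac"].lower()].add(r["interface"])
            if r["ip"] != "N/A":
                macs_by_ip[r["ip"]].add(r["mac"].lower())
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(f"MAC {mac} bound on {', '.join(sorted(ports))}")
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append(f"IP {ip} bound to {', '.join(sorted(macs))}")
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports that 040a-0000-2000 is bound on both XGE0/0/6 and XGE0/0/7, once through DHCP snooping and once statically.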
display ipv6 source binding
Use display ipv6 source binding to display IPv6SG address bindings.
Syntax
display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping | dot1x | nd-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
static: Displays static IPv6SG address bindings.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display dynamic IPv6SG address bindings for the public network, do not specify a VPN instance.
dhcpv6-snooping: Specifies IPv6SG bindings generated based on DHCPv6 snooping.
dot1x: Specifies IPv6SG bindings generated based on 802.1X. To display dynamic IPv6SG address bindings generated based on the 802.1X module, you must also specify the slot through which 802.1X users access the network.
nd-snooping: Specifies IPv6SG bindings generated based on ND snooping.
ip-address ipv6-address: Specifies an IPv6 address.
mac-address mac-address: Specifies a MAC address in H-H-H format.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG address bindings for the active MPU.
Examples
# Display all IPv6SG address bindings on the public network.
<Sysname> display ipv6 source binding
Total entries found: 2
IPv6 Address MAC Address Interface VLAN Type
2012:1222:2012:1222: 000f-2202-0435 XGE1/0/1 1 DHCPv6 snooping
2012:1222:2012:1222
2012:1222:2012:1222: 000f-2202-0436 XGE1/0/1 N/A Static
2012:1222:2012:1223
Table 2 Command output
Field | Description |
---|---|
Total entries found | Total number of IPv6SG address bindings. |
IPv6 Address | IPv6 address in the IPv6SG address binding. If no IPv6 address is bound in the binding, this field displays N/A. |
MAC Address | MAC address in the IPv6SG address binding. If no MAC address is bound in the binding, this field displays N/A. |
Interface | Interface of the IPv6SG address binding. This field displays N/A for a global IPv6SG binding. |
VLAN | VLAN information in the IPv6SG address binding. If the binding contains no VLAN information, this field displays N/A. |
Type | Type of the IPv6SG address binding: · Static—Manually configured by using the ipv6 source binding command. Static bindings are for packet filtering in IPv6SG or used by other modules to provide security services. · DHCPv6 snooping—Dynamically generated based on DHCPv6 snooping. The binding is for packet filtering in IPv6SG. · 802.1X—Dynamically generated based on 802.1X. The binding is for packet filtering in IPv6SG. · ND snooping—Dynamically generated based on ND snooping. The binding is for packet filtering in IPv6SG. |
Related commands
ipv6 source binding
ipv6 verify source
display ipv6 source binding pd
Use display ipv6 source binding pd to display IPv6SG prefix bindings.
Syntax
display ipv6 source binding pd [ vpn-instance vpn-instance-name ] [ prefix prefix/prefix-length ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To display IPv6SG prefix bindings for the public network, do not specify a VPN instance.
prefix prefix/prefix-length: Specifies an IPv6 prefix. The value range for the prefix-length argument is 1 to 128. If you do not specify an IPv6 prefix, this command displays all IPv6SG prefix bindings.
mac-address mac-address: Specifies a MAC address in H-H-H format. If you do not specify a MAC address, this command displays IPv6SG prefix bindings for all MAC addresses.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays IPv6SG prefix bindings for all VLANs.
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays IPv6SG prefix bindings for all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG prefix bindings for the active MPU.
Usage guidelines
IPv6SG prefix bindings are dynamically obtained from the DHCPv6 snooping module.
Examples
# Display all IPv6SG prefix bindings.
<Sysname> display ipv6 source binding pd
Total entries found: 3
IPv6 prefix MAC address Interface VLAN Type
2012:1111::/64 000f-2202-0435 XGE1/0/1 1 DHCPv6 snooping
2012:2222::/64 000f-2202-0436 XGE2/0/1 2 DHCPv6 snooping
Table 3 Command output
Field | Description |
---|---|
Total entries found | Total number of IPv6SG prefix bindings. |
IPv6 prefix | IPv6 prefix and prefix length in the IPv6SG prefix binding. |
MAC address | MAC address in the IPv6SG prefix binding. This field displays N/A if the MAC address is invalid. |
Interface | Interface to which the IPv6SG prefix binding belongs. This field displays N/A for a global IPv6SG prefix binding. |
VLAN | VLAN information in the IPv6SG prefix binding. This field displays N/A if the IPv6SG prefix binding does not contain the VLAN information. |
Type | Type of the IPv6SG prefix binding: DHCPv6 snooping—The binding is generated based on a DHCPv6 snooping entry. |
Related commands
ipv6 source binding
ipv6 verify source
ip source binding (interface view)
Use ip source binding to configure a static IPv4SG binding on an interface.
Use undo ip source binding to delete the static IPv4SG bindings configured on an interface.
Syntax
ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
Default
No static IPv4SG bindings exist on an interface.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
all: Removes all static IPv4SG bindings on the interface.
ip-address ip-address: Specifies an IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x or 0.0.0.0.
mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.
vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.
Usage guidelines
Static IPv4SG bindings on an interface implement the following functions:
· Filter incoming IPv4 packets on the interface.
· Check user validity by cooperating with the ARP attack detection feature.
Examples
# Configure a static IPv4SG binding on Ten-GigabitEthernet 0/0/6.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/6
[Sysname-Ten-GigabitEthernet0/0/6] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
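The parameter restrictions listed above can be checked before a static binding is pushed to a device. The following is an added example, not part of the vendor documentation; the function names are this example's own, and it assumes each H in the H-H-H format is one to four hexadecimal digits.

```python
import ipaddress
import re

# Assumption: each H in H-H-H is one to four hex digits; the page shows four.
H_H_H = re.compile(r"[0-9A-Fa-f]{1,4}(?:-[0-9A-Fa-f]{1,4}){2}")

def check_ipv4(text):
    """Return None if usable in a static IPv4SG binding, else the reason."""
    try:
        value = int(ipaddress.IPv4Address(text))
    except ValueError:
        return "not an IPv4 address"
    if value == 0:
        return "0.0.0.0 is not allowed"
    if value >> 24 == 127:
        return "127.x.x.x is not allowed"
    if value >> 24 >= 224:          # 224.0.0.0 and above are class D/E
        return "not a class A, B, or C address"
    return None

def check_mac(text):
    """Return None if usable in a static binding, else the reason."""
    if not H_H_H.fullmatch(text):
        return "not in H-H-H format"
    value = int("".join(group.zfill(4) for group in text.split("-")), 16)
    if value == 0:
        return "all 0s"
    if value == 0xFFFFFFFFFFFF:
        return "all Fs (broadcast)"
    if (value >> 40) & 1:           # group bit of the first octet
        return "multicast MAC address"
    return None

def validate_static_binding(ip=None, mac=None, vlan=None):
    """Return a list of problems; an empty list means the arguments are acceptable."""
    errors = []
    if ip is None and mac is None:
        errors.append("specify ip-address, mac-address, or both")
    if ip is not None and (reason := check_ipv4(ip)):
        errors.append(f"ip-address {ip}: {reason}")
    if mac is not None and (reason := check_mac(mac)):
        errors.append(f"mac-address {mac}: {reason}")
    if vlan is not None and not 1 <= vlan <= 4094:
        errors.append(f"vlan {vlan}: outside 1 to 4094")
    return errors
```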
Related commands
display ip source binding
ip verify source
Use ip verify source to enable IPv4SG on an interface.
Use undo ip verify source to disable IPv4SG on an interface.
Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source
Default
The IPv4SG feature is disabled on an interface.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters incoming packets by source IPv4 addresses.
ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.
mac-address: Filters incoming packets by source MAC addresses.
Usage guidelines
After you enable IPv4SG on an interface, this feature uses static and dynamic IPv4SG bindings to match incoming packets on the interface. Packets that match an IPv4SG binding are forwarded and packets that do not match any IPv4SG binding are discarded.
The matching criterion specified by this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.
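The forwarding decision described above can be modelled to compare the three matching criteria. The following is an added example, not vendor code: it assumes a static binding is matched on exactly the fields it was configured with, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: Optional[str]      # None when the binding carries no IP address
    mac: Optional[str]     # None when the binding carries no MAC address
    static: bool           # True for entries created with "ip source binding"

def binding_permits(b, src_ip, src_mac, criterion):
    """Does binding b permit the packet under the given 'ip verify source' criterion?"""
    if b.static:
        # Assumption: a static binding is matched on the fields it was configured with.
        check_ip, check_mac = b.ip is not None, b.mac is not None
    else:
        # Dynamic bindings are matched on the fields named by the criterion.
        fields = criterion.split()
        check_ip, check_mac = "ip-address" in fields, "mac-address" in fields
    if check_ip and b.ip != src_ip:
        return False
    if check_mac and b.mac != src_mac.lower():
        return False
    return check_ip or check_mac

def forwarded(bindings, src_ip, src_mac, criterion):
    """A packet is forwarded if any binding matches; otherwise it is discarded."""
    return any(binding_permits(b, src_ip, src_mac, criterion) for b in bindings)

# Constructed binding table: one DHCP snooping entry and one static entry,
# using address values that appear in the examples on this page.
TABLE = [
    Binding("10.1.0.5", "040a-0000-4000", static=False),
    Binding("192.168.0.1", "0001-0001-0001", static=True),
]
```

With this table, a packet from 10.1.0.5 carrying a source MAC other than 040a-0000-4000 is forwarded under `ip-address` and discarded under `ip-address mac-address`, which is why the combined criterion is the stricter choice for dynamic bindings.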
Examples
# Enable IPv4SG on Layer 2 Ethernet interface Ten-GigabitEthernet 0/0/6 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/6
[Sysname-Ten-GigabitEthernet0/0/6] ip verify source ip-address mac-address
Related commands
display ip source binding
ipv6 source binding (interface view)
Use ipv6 source binding to configure a static IPv6SG binding.
Use undo ipv6 source binding to delete the static IPv6SG bindings configured on an interface.
Syntax
ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
Default
No static IPv6SG bindings exist on an interface.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
all: Removes all the static IPv6SG bindings on the interface.
ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.
mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.
vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.
Usage guidelines
Static IPv6SG bindings on an interface filter incoming IPv6 packets, and check user validity by cooperating with the ND attack detection feature.
Examples
# Configure a static IPv6SG binding on Ten-GigabitEthernet 0/0/6.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/6
[Sysname-Ten-GigabitEthernet0/0/6] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002
Related commands
display ipv6 source binding
display ipv6 source binding pd
ipv6 verify source
Use ipv6 verify source to enable IPv6SG on an interface.
Use undo ipv6 verify source to disable IPv6SG on an interface.
Syntax
ipv6 verify source { ip-address | ip-address mac-address | mac-address }
undo ipv6 verify source
Default
The IPv6SG feature is disabled on an interface.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters incoming packets by source IPv6 addresses.
ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.
mac-address: Filters incoming packets by source MAC addresses.
Usage guidelines
After you enable IPv6SG on an interface, this feature uses static and dynamic IPv6SG bindings to match incoming packets on the interface. Packets that match an IPv6SG binding are forwarded and packets that do not match any IPv6SG binding are discarded.
The matching criterion specified by this command applies only to dynamic IPv6SG. Static IPv6SG uses static bindings configured by using the ipv6 source binding command.
Examples
# Enable IPv6SG on Layer 2 Ethernet interface Ten-GigabitEthernet 0/0/6 and verify the source IPv6 address and MAC address for dynamic IPv6SG.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 0/0/6
[Sysname-Ten-GigabitEthernet0/0/6] ipv6 verify source ip-address mac-address
Related commands
display ipv6 source binding
display ipv6 source binding pd