03-IP source guard commands
display ip source binding
Use display ip source binding to display IPv4 source guard entries.
Syntax
In standalone mode:
display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
static: Displays static IPv4 source guard entries.
vpn-instance vpn-instance-name: Displays dynamic IPv4 source guard entries for a VPN. The vpn-instance-name argument is the VPN instance name of an MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN, the command displays dynamic IPv4 source guard entries for the public network.
dhcp-relay: Displays dynamic IPv4 source guard entries created by DHCP relay.
dhcp-server: Displays dynamic IPv4 source guard entries created by DHCP server. This keyword is not supported in the current software version. This keyword is reserved for future support.
dhcp-snooping: Displays dynamic IPv4 source guard entries created by DHCP snooping. This keyword is not supported in the current software version. This keyword is reserved for future support.
dot1x: Displays dynamic IPv4 source guard entries created by 802.1X.
ip-address ip-address: Displays IP source guard entries for an IPv4 address.
mac-address mac-address: Displays IP source guard entries for a MAC address. The MAC address must be specified in H-H-H format.
vlan vlan-id: Displays IPv4 source guard entries for a VLAN. The vlan-id argument is the bound VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Displays IPv4 source guard entries on an interface. The interface-type interface-number argument is the interface type and the interface number.
slot slot-number: Displays IPv4 source guard entries on a card. The slot-number argument is the number of the slot that holds the card. (In standalone mode.)
chassis chassis-number slot slot-number: Displays IPv4 source guard entries of a card on an IRF member device. The chassis-number argument refers to the ID of the IRF member device and the slot-number argument refers to the number of the slot that holds the card. (In IRF mode.)
Usage guidelines
· If you do not specify any parameter, the command displays IPv4 source guard entries on all interfaces on the public network.
· In standalone mode, if you specify neither an interface nor a card, the command displays IPv4 source guard entries that the MPU obtained from all interfaces.
· In IRF mode, if you specify neither an interface nor an IRF member, the command displays IPv4 source guard entries that the MPU obtained from all interfaces on the current IRF member device.
Examples
# Display IPv4 source guard entries on all interfaces on the public network.
<Sysname> display ip source binding
Total entries found: 5
IP Address  MAC Address  Interface  VLAN  Type
10.1.0.5    N/A          GE3/0/1    N/A   DHCP relay
10.1.0.6    N/A          GE3/0/1    N/A   DHCP relay
10.1.0.7    N/A          GE3/0/1    N/A   DHCP relay
10.1.0.8    N/A          Vlan3      N/A   DHCP relay
10.1.0.9    N/A          Vlan3      N/A   Static
Table 1 Command output
| Field | Description |
|---|---|
| Total entries found | Total number of IPv4 source guard entries. |
| IP Address | IPv4 address in the IPv4 source guard entry. |
| MAC Address | MAC address in the IPv4 source guard entry. N/A means that no MAC address is bound in the entry. |
| Interface | Interface of the binding entry. |
| VLAN | VLAN information in the IPv4 source guard entry. N/A means that the entry contains no VLAN information. |
| Type | Type of the IPv4 source guard entry: · Static—Manually configured entry. · DHCP relay—Entry dynamically created by DHCP relay. · DHCP server—Entry dynamically created by DHCP server. · DHCP snooping—Entry dynamically created by DHCP snooping. |
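The following parser is an added example, not part of the original command reference or of the device software. It reads output in the layout described in Table 1, checks the declared total against the rows actually parsed, and lists entries whose MAC Address field is N/A, which bind an IP address without a MAC address. The sample text, function names, and report keys are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout shown above (not captured from a device).
SAMPLE = """\
Total entries found: 4
IP Address      MAC Address     Interface   VLAN  Type
10.1.0.5        0001-0001-0001  GE3/0/1     10    DHCP relay
10.1.0.6        N/A             GE3/0/1     N/A   DHCP relay
10.1.0.9        N/A             Vlan3       N/A   Static
192.168.0.1     0002-0002-0002  GE3/0/2     N/A   Static
"""

MAC_RE = re.compile(r"^[0-9a-fA-F]{1,4}(-[0-9a-fA-F]{1,4}){2}$")  # H-H-H format


def parse_bindings(text):
    """Return (declared_total, entries) from display ip/ipv6 source binding output."""
    total, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Total entries found:\s*(\d+)$", line)
        if m:
            total = int(m.group(1))
            continue
        # Type may contain spaces ("DHCP relay"), so split off only four columns.
        cols = line.split(None, 4)
        if len(cols) != 5:
            continue
        ip, mac, iface, vlan, etype = cols
        try:
            ipaddress.ip_address(ip)  # rejects the header row and the CLI prompt line
        except ValueError:
            continue
        if mac != "N/A" and not MAC_RE.match(mac):
            continue
        entries.append({
            "ip": ip,
            "mac": None if mac == "N/A" else mac.lower(),
            "interface": iface,
            "vlan": int(vlan) if vlan.isdigit() else None,
            "type": etype,
        })
    return total, entries


def audit(text):
    """Flag incomplete output and entries that bind an IP address without a MAC."""
    total, entries = parse_bindings(text)
    return {
        "count_mismatch": total is not None and total != len(entries),
        "no_mac": [e["ip"] for e in entries if e["mac"] is None],
        "static": [e["ip"] for e in entries if e["type"] == "Static"],
    }
```

A count mismatch usually means the capture was paged or cut off, so the report should not be trusted until the output is collected again in full.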
Related commands
· ip source binding
· ip verify source
display ipv6 source binding
Use display ipv6 source binding to display IPv6 source guard entries.
Syntax
In standalone mode:
display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
static: Displays static IPv6 source guard entries.
vpn-instance vpn-instance-name: Displays dynamic IPv6 source guard entries for a VPN. The vpn-instance-name argument is the VPN instance name of an MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN, the command displays dynamic IPv6 source guard entries for the public network.
dhcpv6-snooping: Displays dynamic IPv6 source guard entries created by DHCPv6 snooping. This keyword is not supported in the current software version. This keyword is reserved for future support.
ip-address ipv6-address: Displays IPv6 source guard entries for an IPv6 address.
mac-address mac-address: Displays IPv6 source guard entries for a MAC address. The MAC address must be specified in H-H-H format.
vlan vlan-id: Displays IPv6 source guard entries for a VLAN. The vlan-id argument is the bound VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Displays IPv6 source guard entries on an interface. The interface-type interface-number argument is the interface type and the interface number.
slot slot-number: Displays IPv6 source guard entries on a card. The slot-number argument is the number of the slot that holds the card. (In standalone mode.)
chassis chassis-number slot slot-number: Displays IPv6 source guard entries of a card on an IRF member device. The chassis-number argument refers to the ID of the IRF member device and the slot-number argument refers to the number of the slot that holds the card. (In IRF mode.)
Usage guidelines
· If you do not specify any parameter, the command displays IPv6 source guard entries on all interfaces on the public network.
· In standalone mode, if you specify neither an interface nor a card, the command displays IPv6 source guard entries that the MPU obtained from all interfaces.
· In IRF mode, if you specify neither an interface nor an IRF member, the command displays IPv6 source guard entries that the MPU obtained from all interfaces on the current IRF member device.
Examples
# Display IPv6 source guard entries on all interfaces on the public network.
<Sysname> display ipv6 source binding
Total entries found: 1
IPv6 Address          MAC Address  Interface  VLAN  Type
2012:1222:2012:1222:  N/A          GE3/0/1    2     Static
Table 2 Command output
| Field | Description |
|---|---|
| Total entries found | Total number of IPv6 source guard entries. |
| IPv6 Address | IPv6 address in the IPv6 source guard entry. |
| MAC Address | MAC address in the IPv6 source guard entry. N/A means that no MAC address is bound in the entry. |
| Interface | Interface of the IPv6 source guard entry. |
| VLAN | VLAN information in the IPv6 source guard entry. N/A means that the entry contains no VLAN information. |
| Type | Type of the IPv6 source guard entry: Static—Manually configured entry. |
Related commands
· ipv6 source binding
· ipv6 verify source
ip source binding
Use ip source binding to configure a static IPv4 source binding entry.
Use undo ip source binding to delete the static IPv4 source guard entries configured on the interface.
Syntax
ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ]
undo ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ]
Default
No static IPv4 source binding entry is configured on an interface.
Views
Layer 2 Ethernet port view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address ip-address: Specifies an IPv4 address for the static binding entry. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies a MAC address for the static binding entry. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID for the static binding entry, in the range of 1 to 4094. This option is supported only on Layer 2 Ethernet ports.
Usage guidelines
Static IPv4 source guard entries on an interface filter IPv4 packets received by the interface or check user validity by cooperating with the ARP detection feature.
Examples
# On interface GigabitEthernet 3/0/1, configure a static IPv4 source binding entry to allow only the packets whose source IP address is 192.168.0.1 and source MAC address is 0001-0001-0001 to pass.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
display ip source binding
ip verify source
Use ip verify source to enable the IPv4 source guard function.
Use undo ip verify source to restore the default.
Syntax
ip verify source ip-address [ mac-address ]
undo ip verify source
Default
The IPv4 source guard function is disabled on an interface.
Views
Layer 2 Ethernet port view, Layer 3 Ethernet interface view, VLAN interface view, Layer 3 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Binds source IPv4 addresses to the interface. With this keyword specified, IP source guard filters packets received on the interface according to the source IPv4 addresses of the packets.
mac-address: Binds source MAC addresses to the interface. With this keyword specified, IP source guard also checks the source MAC address of each packet received on the interface, and permits the packet only when both the source IPv4 and MAC addresses of the packet match a dynamic binding entry.
Usage guidelines
After you enable IPv4 source guard on an interface, IP source guard can dynamically obtain IPv4 binding entries from other modules and use static and dynamic IPv4 source guard entries to filter IPv4 packets on the interface. If a packet matches a binding entry, IP source guard forwards the packet. Otherwise, it drops the packet.
The modules that provide dynamic binding information for IP source guard include DHCP relay, DHCP snooping, and DHCP server. IP source guard uses the dynamic binding entries created by DHCP relay and DHCP snooping to filter packets. The dynamic binding entries that IP source guard learns from the DHCP server module are not used to filter packets; other modules use them to provide security services.
The keywords specified in the ip verify source command take effect only on dynamic IPv4 source guard entries. They determine the information according to which the interface uses the dynamic IPv4 source guard entries to filter packets. For static IPv4 source guard entries, this command only enables packet filtering on an interface. The interface filters packets according to the static IPv4 source guard entries configured by the user-bind command, instead of the keywords specified in the ip verify source command.
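The following model of the forwarding decision described in these usage guidelines is an added example, not vendor code or device behavior captured from a switch. It assumes that a static entry matches on exactly the fields it binds, with unbound fields acting as wildcards, and it models only the dynamic sources these guidelines name. All class names, function names, and table contents are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Dynamic entry sources that the usage guidelines say are used for filtering.
FILTERING_SOURCES = {"DHCP relay", "DHCP snooping"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: Optional[str] = None   # None = no MAC bound (displayed as N/A)
    vlan: Optional[int] = None  # None = no VLAN bound (displayed as N/A)
    type: str = "Static"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: Optional[int] = None


def static_match(b, p):
    # A static entry is matched on the fields it binds; the keywords of
    # ip verify source do not change this (modelling assumption: unbound
    # fields act as wildcards).
    return (b.ip == p.src_ip
            and (b.mac is None or b.mac == p.src_mac)
            and (b.vlan is None or b.vlan == p.vlan))


def dynamic_match(b, p, check_mac):
    # DHCP server entries are learned but are not used to filter packets.
    if b.type not in FILTERING_SOURCES:
        return False
    if b.ip != p.src_ip:
        return False
    return (not check_mac) or b.mac == p.src_mac


def decide(p, bindings, enabled=True, check_mac=False):
    """enabled: ip verify source is set; check_mac: mac-address keyword given."""
    if not enabled:  # default state: source guard disabled, nothing is filtered
        return "forward"
    for b in bindings:
        hit = static_match(b, p) if b.type == "Static" else dynamic_match(b, p, check_mac)
        if hit:
            return "forward"
    return "drop"


# Constructed binding table for one interface.
TABLE = [
    Binding("10.1.0.5", "0001-0001-0001", type="DHCP relay"),
    Binding("10.1.0.9", type="Static"),  # IP-only static entry
    Binding("192.168.0.1", "0002-0002-0002", type="Static"),
    Binding("10.1.0.7", "0003-0003-0003", type="DHCP server"),
]
```

In this model an IP-only static entry admits any source MAC address even when the mac-address keyword is configured, so static entries intended to pin a host should bind the MAC address as well.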
Examples
# Enable IPv4 source guard on Layer 2 Ethernet port GigabitEthernet 3/0/1 to filter packets received on the port based on the source IPv4 and MAC addresses.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ip verify source ip-address mac-address
# Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface based on the source IPv4 and MAC addresses.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ip verify source ip-address mac-address
# Enable IPv4 source guard on Layer 3 Ethernet interface GigabitEthernet 3/0/2 to filter packets received on the interface based on the source IPv4 and MAC addresses.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/2
[Sysname-GigabitEthernet3/0/2] port link-mode route
[Sysname-GigabitEthernet3/0/2] ip verify source ip-address mac-address
Related commands
display ip source binding
ipv6 source binding
Use ipv6 source binding to configure a static IPv6 source binding entry.
Use undo ipv6 source binding to delete the static IPv6 source guard entries configured on the interface.
Syntax
ipv6 source binding ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ]
undo ipv6 source binding ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ]
Default
No static IPv6 source binding entry is configured on an interface.
Views
Layer 2 Ethernet port view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address ipv6-address: Specifies an IPv6 address for the static binding entry. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.
mac-address mac-address: Specifies a MAC address for the static binding entry.
vlan vlan-id: Specifies a VLAN ID for the static binding entry, in the range of 1 to 4094. This option is supported only on Layer 2 Ethernet ports.
Usage guidelines
Static IPv6 source guard entries on an interface filter IPv6 packets received by the interface or check user validity by cooperating with the ND detection feature.
Examples
# On interface GigabitEthernet 3/0/1, configure a static IPv6 source binding entry to allow only the packets whose source IPv6 address is 2001::1 and source MAC address is 0002-0002-0002 to pass.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002
Related commands
display ipv6 source binding
ipv6 verify source
Use ipv6 verify source to enable the IPv6 source guard function.
Use undo ipv6 verify source to restore the default.
Syntax
ipv6 verify source ip-address [ mac-address ]
undo ipv6 verify source
Default
The IPv6 source guard function is disabled on an interface.
Views
Layer 2 Ethernet port view, Layer 3 Ethernet interface view, VLAN interface view, Layer 3 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Binds source IPv6 addresses to the interface. With this keyword specified, IP source guard filters packets received on the interface according to the source IPv6 addresses of the packets.
mac-address: Binds source MAC addresses to the interface. With this keyword specified, IP source guard also checks the source MAC address of each packet received on the interface, and permits the packet only when both the source IPv6 and MAC addresses of the packet match a dynamic binding entry.
Usage guidelines
After you enable IPv6 source guard on an interface, IP source guard uses static and dynamic IPv6 source guard entries to filter IPv6 packets received on the interface. If a packet matches an IP source guard entry, IP source guard forwards the packet. Otherwise, it drops the packet.
The parameters configured in this command are effective when dynamic binding entries are used to filter the received IPv6 packets. If static binding entries are used, this command only enables packet filtering on the interface and the interface filters packets according to the static binding entries, regardless of the criteria configured in this command.
Examples
# Enable IPv6 source guard on Layer 2 Ethernet port GigabitEthernet 3/0/1 to filter packets received on the port based on the source IPv6 and MAC addresses.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ipv6 verify source ip-address mac-address
Related commands
display ipv6 source binding
reset ip source binding
Use reset ip source binding to clear IPv4 source guard entries.
Syntax
reset ip source binding [ static [ ip-address ip-address ] | [ vpn-instance vpn-instance-name ] [ { dhcp-relay | dhcp-server | dhcp-snooping | dot1x } [ ip-address ip-address ] ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
static: Clears static IPv4 source guard entries.
vpn-instance vpn-instance-name: Clears dynamic IPv4 source guard entries for a VPN. The vpn-instance-name argument is the VPN instance name of an MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN, the command clears dynamic IPv4 source guard entries for the public network.
dhcp-relay: Clears dynamic IPv4 source guard entries created by DHCP relay.
dhcp-server: Clears dynamic IPv4 source guard entries created by DHCP server.
dhcp-snooping: Clears dynamic IPv4 source guard entries created by DHCP snooping. This keyword is not supported in the current software version. This keyword is reserved for future support.
dot1x: Clears dynamic IPv4 source guard entries created by 802.1X. This keyword is not supported in the current software version. This keyword is reserved for future support.
ip-address ip-address: Clears IPv4 source guard entries for an IPv4 address.
Usage guidelines
If you do not specify any parameter, the command clears IPv4 source guard entries on all interfaces on the public network.
Examples
# Clear all IPv4 source guard entries on the public network.
<Sysname> reset ip source binding
# Clear static IPv4 source guard entries with source IPv4 address 2.2.2.2.
<Sysname> reset ip source binding static ip-address 2.2.2.2
# Clear all dynamic IPv4 source guard entries in VPN 1.
<Sysname> reset ip source binding vpn-instance 1
# Clear all dynamic IPv4 source guard entries created by DHCP relay in VPN 1.
<Sysname> reset ip source binding vpn-instance 1 dhcp-relay
# Clear the dynamic IPv4 source guard entries created by DHCP relay for source IPv4 address 1.1.1.1.
<Sysname> reset ip source binding dhcp-relay ip-address 1.1.1.1
Related commands
· display ip source binding
· ip source binding
· ip verify source
reset ipv6 source binding
Use reset ipv6 source binding to clear IPv6 source guard entries.
Syntax
reset ipv6 source binding [ static [ ip-address ipv6-address ] | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping [ ip-address ipv6-address ] ] ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
static: Clears static IPv6 source guard entries.
vpn-instance vpn-instance-name: Clears dynamic IPv6 source guard entries for a VPN. The vpn-instance-name argument is the VPN instance name of an MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN, the command clears dynamic IPv6 source guard entries for the public network.
dhcpv6-snooping: Clears dynamic IPv6 source guard entries created by DHCPv6 snooping. This keyword is not supported in the current software version. This keyword is reserved for future support.
ip-address ipv6-address: Clears IPv6 source guard entries for an IPv6 address.
Usage guidelines
If you do not specify any parameter, the command clears IPv6 source guard entries on all interfaces on the public network.
Examples
# Clear all IPv6 source guard entries on the public network.
<Sysname> reset ipv6 source binding
# Clear static IPv6 source guard entries with source IPv6 address 2000::1.
<Sysname> reset ipv6 source binding static ip-address 2000::1
# Clear all dynamic IPv6 source guard entries in VPN 1.
<Sysname> reset ipv6 source binding vpn-instance 1
Related commands
· display ipv6 source binding
· ipv6 source binding
· ipv6 verify source

