S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
IP Source Guard Configuration Commands

Command Support

The XGE interfaces connected to the ACU2, ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, and ET1D2FW00S02 cards do not support IPSG.

If an interface on the ACU2 is added to an Eth-Trunk, IPSG cannot be enabled on the Eth-Trunk. If IPSG is enabled on an Eth-Trunk, the interfaces on the ACU2 cannot be added to this Eth-Trunk.

display dhcp static user-bind

Function

The display dhcp static user-bind command displays information about a static binding table.

Format

display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays the binding entry mapping a specified interface.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

ip-address ip-address

Displays the binding entry mapping a specified IP address.

The value is in dotted decimal notation.

mac-address mac-address

Displays the binding entry mapping a specified MAC address.

The value is in hexadecimal notation, in the format H-H-H (for example, 0001-0002-0003).

vlan vlan-id

Displays the binding entry mapping a specified VLAN ID.

The value is an integer that ranges from 1 to 4094.

all

Displays all entries in the binding table.

-

verbose

Displays detailed information about the binding table.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command is used to view information about a configured static binding table. The information includes the IP address, MAC address, VLAN information, and interface information.

Example

# Display information about the static binding table.

<HUAWEI> display dhcp static user-bind all
DHCP static Bind-table:                                  
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address           MAC Address   VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.1.1.1            0001-0002-0003 10 /-- /--      GE1/0/1 
--------------------------------------------------------------------------------
Print count:      1     Total count:      1

# Display detailed information about the static binding table.

<HUAWEI> display dhcp static user-bind all verbose
DHCP static Bind-table:                                  
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
 IP Address  : 10.21.21.254                                                     
 MAC Address : --                                                               
 VSI         : --                                                               
 VLAN(O/I/P) : 10  /--  /--                                                     
 Interface   : GE1/0/1                                                         
 IPSG Status : IPv4 effective slot: <1>
--------------------------------------------------------------------------------
Print count:           1          Total count:           1                      
Table 14-84  Description of the display dhcp static user-bind command output

Item

Description

DHCP static Bind-table

Static DHCP binding entries.

To configure a static DHCP binding table, run the user-bind static command.

Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping

VLAN ID.
  • O: Outer VLAN
  • I: Inner VLAN
  • P: Vlan-mapping

IP Address

User IP address.

MAC Address

User MAC address.

VSI

Name of the VSI that the online user belongs to.

VLAN(O/I/P)

Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user, in the O/I/P order of the flags.

Interface

User access interface.

IPSG Status

Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be:
  • IPv4 effective slot: <1> indicates that the binding table is effective for IPv4 packet checking in slot 1.
  • Ineffective

This field is invalid if IP packet checking is not enabled.

display dhcpv6 static user-bind

Function

The display dhcpv6 static user-bind command displays the IPv6 binding table.

Format

display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

display dhcpv6 static user-bind ipv6-prefix { prefix/prefix-length | all } [ verbose ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays the binding entry mapping a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

ipv6-address ipv6-address

Displays the binding entry mapping a specified IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X::X:X.

mac-address mac-address

Displays the binding entry mapping a specified MAC address.

The value is in hexadecimal notation, in the format H-H-H (for example, 0001-0002-0003).

vlan vlan-id

Displays the binding entry mapping a specified VLAN ID.

The value is an integer that ranges from 1 to 4094.

ipv6-prefix

Displays IPv6 prefix binding entries.

-

prefix/prefix-length

Displays the binding entry mapping a specified IPv6 prefix.

prefix is a 32-digit hexadecimal number, in the format of X:X::X:X.

prefix-length is an integer that ranges from 1 to 128.

all

Displays all entries in the binding table.

-

verbose

Displays detailed information about the binding table.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command is used to view information about a configured DHCPv6 static binding table. The information includes the IPv6 address, MAC address, VLAN information, and interface information. If prefix delegation (PD) users exist on the network, the device generates an IPv6 prefix binding entry. The display dhcpv6 static user-bind ipv6-prefix command displays the static IPv6 prefix binding entries.

Example

# Display the DHCPv6 static binding table.

<HUAWEI> display dhcpv6 static user-bind all
DHCPV6 static Bind-table:                                                       
Flags:O - outer vlan ,I - inner vlan ,P - map vlan                              
IP Address                      MAC Address     VSI/VLAN(O/I/P) Interface       
--------------------------------------------------------------------------------
fc00:1::1                       0001-0002-0003  10  /--  /--    --              
--------------------------------------------------------------------------------
Print count:           1          Total count:           1                      
# Display detailed information about the DHCPv6 static binding table.
<HUAWEI> display dhcpv6 static user-bind all verbose
DHCPV6 static Bind-table:                                  
--------------------------------------------------------------------------------
 IP Address  : fc00:1::1                                                     
 MAC Address : 0001-0002-0003                                                   
 VSI         : --                                                               
 VLAN(O/I/P) : 10  /--  /--                                                     
 Interface   : --                                                         
 IPSG Status : IPv6 effective slot: <1>
--------------------------------------------------------------------------------
Print count:           1          Total count:           1                      
# Display the IPv6 prefix static binding table.
<HUAWEI> display dhcpv6 static user-bind ipv6-prefix all
PD static Bind-table:                                                           
Flags:O - outer vlan ,I - inner vlan ,P - map vlan                              
IPv6 Prefix                     MAC Address     VSI/VLAN(O/I/P) Interface       
--------------------------------------------------------------------------------
fc00:1000::12/32                0001-0002-0003  10  /--  /--    --              
--------------------------------------------------------------------------------
Print count:           1          Total count:           1                      
Table 14-85  Description of the display dhcpv6 static user-bind command output

Item

Description

DHCPV6 static Bind-table

Static DHCPv6 binding entries.

To configure a static DHCPv6 binding table, run the user-bind static command.

Flags:O - outer vlan ,I - inner vlan ,P - map vlan

VLAN ID.
  • O: Outer VLAN
  • I: Inner VLAN
  • P: Map VLAN

IPv6 Prefix

User IPv6 prefix.

IP Address

User IPv6 address.

MAC Address

User MAC address.

VSI

Name of the VSI that the online user belongs to.

VLAN(O/I/P)

Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user.

Interface

User access interface.

IPSG Status

Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be:
  • IPv6 effective slot: <1> indicates that the binding table is effective for IPv6 packet checking in slot 1.
  • ineffective

This field is invalid if IP packet checking is not enabled.

display ip source check user-bind

Function

The display ip source check user-bind command displays the IPSG configurations.

Format

display ip source check user-bind interface interface-type interface-number

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays the IP packet check configuration on a specified interface. The interface is specified by the interface type and number.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display ip source check user-bind command displays the IP packet check configuration on an interface, including IP packet check items and the alarm function of IP packet check.

Example

# Display the IP packet check configuration on GE1/0/1.
<HUAWEI> display ip source check user-bind interface gigabitethernet 1/0/1
 ipv4 source check user-bind enable                                                                                                 
 ipv6 source check user-bind enable 
 ip source check user-bind check-item ip-address                                
 ip source check user-bind alarm enable                                         
 ip source check user-bind alarm threshold 200       
Table 14-86  Description of the display ip source check user-bind command output

Item

Description

ipv4 source check user-bind enable

IPv4 packet check is enabled.

ipv6 source check user-bind enable

IPv6 packet check is enabled.

ip source check user-bind check-item ip-address

IP packet check items.

An IP packet check item can contain the IP address, MAC address, VLAN ID, and interface number.

To specify check items, run the ip source check user-bind check-item (interface view) or ip source check user-bind check-item (VLAN view) commands.

ip source check user-bind alarm enable

Alarm function of IP packet check is enabled.

To enable the alarm function of IP packet check, run the ip source check user-bind alarm enable command.

ip source check user-bind alarm threshold 200

Alarm threshold for IP packet check.

To set the alarm threshold for IP packet check, run the ip source check user-bind alarm threshold command.
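The per-interface output above is the state a reviewer checks when auditing IPSG on access ports. The following Python is an added example, not Huawei code: it reduces the output of display ip source check user-bind interface to a small state record and flags settings that weaken the check (only one address family checked, check items reduced from the default, drop alarm disabled). The three sample outputs are constructed; the first is the one shown on this page, the other two are invented to trigger findings. It assumes that a check-item or threshold line is absent from the output when the documented default is in effect.

```python
"""Audit `display ip source check user-bind interface ...` output for weak IPSG settings."""
import re
from typing import Dict, List

# Documented defaults: all four items are checked; alarm threshold is 100.
DEFAULT_CHECK_ITEMS = frozenset({"ip-address", "mac-address", "vlan", "interface"})
DEFAULT_ALARM_THRESHOLD = 100

# Constructed sample outputs keyed by interface. GigabitEthernet1/0/1 is the
# output on this page; the other two interfaces are made up for illustration.
SAMPLE_OUTPUTS = {
    "GigabitEthernet1/0/1": """\
 ipv4 source check user-bind enable
 ipv6 source check user-bind enable
 ip source check user-bind check-item ip-address
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 200
""",
    "GigabitEthernet1/0/2": """\
 ipv4 source check user-bind enable
""",
    "GigabitEthernet1/0/3": "",
}


def parse_ipsg_state(text: str) -> dict:
    """Reduce the display output to a state record. A line that is absent is
    taken to mean the documented default (assumption about the output format)."""
    state = {"ipv4": False, "ipv6": False, "check_items": set(DEFAULT_CHECK_ITEMS),
             "alarm": False, "threshold": DEFAULT_ALARM_THRESHOLD}
    for line in text.splitlines():
        line = line.strip()
        if line == "ipv4 source check user-bind enable":
            state["ipv4"] = True
        elif line == "ipv6 source check user-bind enable":
            state["ipv6"] = True
        elif line.startswith("ip source check user-bind check-item"):
            # Everything after "check-item" is the configured item list; the
            # interface is always checked in the interface view.
            state["check_items"] = set(line.split()[5:]) | {"interface"}
        elif line == "ip source check user-bind alarm enable":
            state["alarm"] = True
        else:
            m = re.fullmatch(r"ip source check user-bind alarm threshold (\d+)", line)
            if m:
                state["threshold"] = int(m.group(1))
    return state


def audit_interface(text: str) -> List[str]:
    """Findings a reviewer would raise for one access interface."""
    s = parse_ipsg_state(text)
    findings = []
    if not s["ipv4"] and not s["ipv6"]:
        findings.append("IPSG disabled: spoofed source addresses are forwarded")
        return findings
    if s["ipv4"] != s["ipv6"]:
        missing = "IPv6" if s["ipv4"] else "IPv4"
        findings.append(f"{missing} packets are not checked against the binding table")
    dropped = DEFAULT_CHECK_ITEMS - s["check_items"]
    if dropped:
        findings.append("check items reduced; not verified: " + ", ".join(sorted(dropped)))
    if not s["alarm"]:
        findings.append("drop alarm disabled; IPSG violations will not reach the NMS")
    return findings


def audit_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the audit over a mapping of interface name to display output."""
    return {name: audit_interface(text) for name, text in outputs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_OUTPUTS).items():
        print(name, findings or ["ok"])
```

In practice the outputs would be collected from each access interface over the management channel; the parser is deliberately strict about the exact line text so that a changed output format surfaces as a missing finding rather than a silent pass.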

display ip source-trail

Function

The display ip source-trail command displays the result of IP source trail.

Format

display ip source-trail [ ip-address ip-address [ slot slot-id | verbose ] ]

Parameters

Parameter

Description

Value

ip-address ip-address

Specifies the destination IP address.

The value is in dotted decimal notation.

slot slot-id

Specifies the slot ID. If the slot ID is specified, the IP source trail result of the board in this slot is displayed.

Set the value according to the device configuration.

verbose

Displays detailed information about the result of IP source trail. If this parameter is not specified, brief information about the result of IP source trail is displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Results of IP source trail become available about 10 minutes after the ip source-trail command is run. Run the display ip source-trail command after that interval to view them.

If no IP address is specified, brief information about all the results of IP source trail is displayed.

You can specify a slot ID to view the result of IP source trail on a specified board. The format of the display ip source-trail command output with slot slot-id specified is the same as the format of the display ip source-trail command.

In the views except diagnostic view, the IP source trail information of 8 flows with the highest traffic volume is displayed for each destination IP address. In the diagnostic view, the IP source trail information of 128 flows with the highest traffic volume is displayed for each destination IP address.

Example

# Display all the results of IP source trail.

<HUAWEI> display ip source-trail
 Destination Address: 10.0.0.1       
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   10.0.0.2        GE2/0/1    2.211G     49.250M    41.252M    114.791K
   10.0.0.7        GE2/0/1    5.392M     120.057K   3.183M     8.859K
   10.0.0.8        GE2/0/1    4.862M     108.259K   3.263M     9.082K
   10.0.0.4        GE2/0/1    4.291M     95.554K    3.263M     9.083K
   10.0.0.6        GE2/0/1    3.313M     73.773K    3.264M     9.084K
   10.0.0.3        GE2/0/1    2.253M     50.178K    3.266M     9.089K
   10.0.0.9        GE2/0/1    1.560M     34.750K    3.268M     9.096K
   10.0.0.5        GE2/0/1    1.153M     25.675K    3.271M     9.104K
 Destination Address: 10.1.1.2        
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   10.1.1.100      GE2/0/1    5.433M     120.964K   3.184M     8.861K
   10.1.1.104      GE2/0/1    5.025M     111.889K   3.263M     9.081K
   10.1.1.107      GE2/0/1    4.659M     103.721K   3.263M     9.082K
   10.1.1.103      GE2/0/1    4.577M     101.907K   3.263M     9.082K
   10.1.1.101      GE2/0/1    3.598M     80.126K    3.264M     9.083K
   10.1.1.105      GE2/0/1    3.028M     67.420K    3.264M     9.085K
   10.1.1.106      GE2/0/1    1.438M     32.027K    3.269M     9.098K
   10.1.1.102      GE2/0/1    1.193M     26.583K    3.271M     9.103K
 Destination Address: 10.1.1.3        
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   -               -          -          -          -          -
 Destination Address: 10.1.1.4        
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   -               -          -          -          -          -             

# Display detailed information of the result of IP source trail on IP address 10.0.0.1.

<HUAWEI> display ip source-trail ip-address 10.0.0.1 verbose
 Destination Address: 10.0.0.1       
 -------------------------------------------------------------
   Source address       : 10.0.0.3
   Source interface     : GE2/0/1
   Bytes                : 14.691M
   Pkts                 : 327.050K
   Average rate(Bits/s) : 297.062K
   Average rate(Pkts/s) : 826
   Realtime rate(Pkts/s): 929
   Maximal rate(Pkts/s) : 930
   Start time           : 2008-11-19  16:28:16
   End time             : 2008-11-19  16:34:53
   -----------------------------------------------------------
   Source address       : 10.0.0.9
   Source interface     : GE2/0/1
   Bytes                : 14.622M
   Pkts                 : 325.505K
   Average rate(Bits/s) : 296.921K
   Average rate(Pkts/s) : 826
   Realtime rate(Pkts/s): 929
   Maximal rate(Pkts/s) : 930
   Start time           : 2008-11-19  16:28:14
   End time             : 2008-11-19  16:34:51
   -----------------------------------------------------------    
Table 14-87  Description of the display ip source-trail command output

Item

Description

SrcAddr

Source address

Source IP address of a packet.

SrcIF

Source interface

Source interface.

Bytes

Number of bytes received from the source IP address.

Pkts

Number of packets received from the source IP address.

Bits/s

Average rate(Bits/s)

Average rate of data received from the source IP address, in bit/s.

Pkts/s

Average rate(Pkts/s)

Average rate of data received from the source IP address, in pps.

Realtime rate(Pkts/s)

Real-time rate of data received from the source IP address, in pps.

Maximal rate(Pkts/s)

Maximum real-time rate of data received from the source IP address, in pps.

Start time

Time when the first packet from the source IP address was recorded.

End time

Time when the last packet from the source IP address was recorded. If the flow is still active, the value is the query time.
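The brief output lists, per traced destination, the heaviest sources sending to it. When the trace is used to locate a flood, the source that dominates the byte count and packet rate is the one to act on. The following Python is an added example, not Huawei code: it parses the brief output format shown above (the page's own output, abridged to two destinations, is embedded as the sample) and flags sources that exceed a packet rate and carry most of the bytes to their destination. The thresholds are assumptions to tune per network.

```python
"""Parse brief `display ip source-trail` output and rank sources per destination."""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the brief output on this page, abridged to two destinations.
SOURCE_TRAIL_OUTPUT = """\
 Destination Address: 10.0.0.1
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   10.0.0.2        GE2/0/1    2.211G     49.250M    41.252M    114.791K
   10.0.0.7        GE2/0/1    5.392M     120.057K   3.183M     8.859K
   10.0.0.8        GE2/0/1    4.862M     108.259K   3.263M     9.082K
   10.0.0.4        GE2/0/1    4.291M     95.554K    3.263M     9.083K
   10.0.0.6        GE2/0/1    3.313M     73.773K    3.264M     9.084K
   10.0.0.3        GE2/0/1    2.253M     50.178K    3.266M     9.089K
   10.0.0.9        GE2/0/1    1.560M     34.750K    3.268M     9.096K
   10.0.0.5        GE2/0/1    1.153M     25.675K    3.271M     9.104K
 Destination Address: 10.1.1.3
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   -               -          -          -          -          -
"""

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
DST_RE = re.compile(r"Destination Address:\s*(\d+\.\d+\.\d+\.\d+)")
IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_quantity(text: str) -> Optional[int]:
    """Convert a value such as '2.211G' or '114.791K' to an integer; '-' is None."""
    if text == "-":
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"unexpected quantity: {text!r}")
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))


def parse_source_trail(text: str) -> Dict[str, List[dict]]:
    """Map each traced destination address to its list of source rows."""
    result: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        m = DST_RE.search(raw)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        cols = raw.split()
        # Skip the column header, the separator and the all-dash placeholder row.
        if current is None or len(cols) != 6 or not IP_RE.match(cols[0]):
            continue
        result[current].append({
            "src": cols[0], "ifname": cols[1],
            "bytes": parse_quantity(cols[2]), "pkts": parse_quantity(cols[3]),
            "bps": parse_quantity(cols[4]), "pps": parse_quantity(cols[5]),
        })
    return result


def dominant_sources(trail: Dict[str, List[dict]], min_pps: int = 50_000,
                     min_share: float = 0.5) -> List[Tuple[str, str, int, float]]:
    """Return (destination, source, pps, byte share) for each source above the
    packet-rate threshold that also carries at least min_share of the bytes."""
    flagged = []
    for dst, rows in trail.items():
        total = sum(r["bytes"] for r in rows) or 1
        for r in rows:
            share = r["bytes"] / total
            if r["pps"] >= min_pps and share >= min_share:
                flagged.append((dst, r["src"], r["pps"], round(share, 3)))
    return flagged


if __name__ == "__main__":
    for dst, src, pps, share in dominant_sources(parse_source_trail(SOURCE_TRAIL_OUTPUT)):
        print(f"{dst}: {src} sends {pps} pps, {share:.1%} of bytes")
```

Because the brief view shows at most 8 flows per destination outside the diagnostic view, a flood spread across more than 8 sources will not be fully visible here; compare the per-source rows with the interface counters before concluding that the listed sources account for all of the traffic.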

display mac-address snooping

Function

The display mac-address snooping command displays snooping MAC address entries generated based on the snooping binding table.

Format

display mac-address snooping [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

interface-type interface-number

Displays the snooping MAC address entries on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

vlan vlan-id

Displays the snooping MAC address entries on all the interfaces in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

verbose

Displays detailed information about snooping MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you run the user-bind ip sticky-mac command in the interface view, the device generates snooping MAC address entries based on the snooping binding table. A snooping MAC address entry includes the user MAC address and VLAN ID. The display mac-address snooping command displays snooping MAC address entries generated based on the snooping binding table. If no interface or VLAN is specified, all the snooping MAC address entries generated based on the snooping binding table are displayed.

Example

# Display the snooping MAC address entries generated based on the snooping binding table on the device.

<HUAWEI> display mac-address snooping
------------------------------------------------------------------------------- 
MAC Address    VLAN/VSI/BD                          Learned-From        Type       
------------------------------------------------------------------------------- 
0000-c102-0602 10/-/-                             GE1/0/1             snooping     
------------------------------------------------------------------------------- 
Total items displayed = 1
Table 14-88  Description of the display mac-address snooping command output

Item

Description

MAC Address

User MAC address.

VLAN/VSI/BD

ID of the VLAN, name of the VSI, or ID of the BD that the user belongs to.

Learned-From

Interface from which the MAC address entry was learned.

Type

Type of a MAC address entry, including:
  • static: indicates a static MAC address entry.
  • blackhole: indicates a blackhole MAC address entry.
  • dynamic: indicates a dynamic MAC address entry.
  • security: indicates a security MAC address entry.
  • sticky: indicates a sticky MAC address entry.
  • snooping: indicates a MAC address entry generated based on the snooping binding table.

ip anti-attack source-ip equals destination-ip drop

Function

The ip anti-attack source-ip equals destination-ip drop command enables the device to discard IP packets with the same source and destination IP addresses.

The undo ip anti-attack source-ip equals destination-ip drop command disables the device from discarding IP packets with the same source and destination IP addresses.

By default, the device does not discard IP packets with the same source and destination IP addresses.

Format

ip anti-attack source-ip equals destination-ip drop { all | slot slot-id }

undo ip anti-attack source-ip equals destination-ip drop { all | slot slot-id }

Parameters

Parameter

Description

Value

all

Indicates all boards, including MPUs and LPUs.

-

slot slot-id

Specifies the slot ID.

Set the value according to the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Generally, IP packets with the same source and destination IP addresses are forwarded like any other traffic. Such packets have no legitimate use on a normal network and are the signature of LAND-style denial-of-service attacks, so when you determine that they are attack packets, run the ip anti-attack source-ip equals destination-ip drop command to enable the device to discard them.

Example

# Enable the device to discard IP packets with the same source and destination IP addresses on all the boards.

<HUAWEI> system-view
[HUAWEI] ip anti-attack source-ip equals destination-ip drop all

ip source check user-bind alarm enable

Function

The ip source check user-bind alarm enable command enables the alarm function of IP packet check.

The undo ip source check user-bind alarm enable command disables the alarm function of IP packet check.

By default, the alarm function of IP packet check is disabled.

Format

ip source check user-bind alarm enable

undo ip source check user-bind alarm enable

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The ip source check user-bind alarm enable command enables the alarm function for IP packet check. If the number of discarded packets reaches the threshold, the device sends an alarm to the NMS device.

Prerequisites

IP packet check has been enabled using the ip source check user-bind enable command on the interface.

Follow-up Procedure

Run the ip source check user-bind alarm threshold command to set the alarm threshold.

Example

# Enable the alarm function for IP packet check on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm enable

ip source check user-bind alarm threshold

Function

The ip source check user-bind alarm threshold command sets the alarm threshold for IP packet check.

The undo ip source check user-bind alarm threshold command restores the default alarm threshold for IP packet check.

By default, the alarm threshold is 100.

Format

ip source check user-bind alarm threshold threshold

undo ip source check user-bind alarm threshold

Parameters

Parameter

Description

Value

threshold

Specifies an alarm threshold for IP packet check.

The value is an integer that ranges from 1 to 1000.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the alarm function of IP packet check is enabled, run the ip source check user-bind alarm threshold command to set the alarm threshold for IP packet check.

Prerequisites

The alarm function of IP packet check has been enabled using the ip source check user-bind alarm enable command.

Example

# Set the alarm threshold for IP packet check to 200 on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm enable
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm threshold 200

ip source check user-bind check-item (interface view)

Function

The ip source check user-bind check-item command configures IP packet check items on an interface.

The undo ip source check user-bind check-item command restores the default IP packet check items.

By default, the check items contain the IP address, MAC address, VLAN, and interface information.

Format

ip source check user-bind check-item { ip-address | mac-address | vlan } *

undo ip source check user-bind check-item

Parameters

Parameter

Description

Value

ip-address

Checks whether the IP address of an IP packet matches a binding entry.

-

mac-address

Checks whether the MAC address of an IP packet matches a binding entry.

-

vlan

Checks whether VLAN information of an IP packet matches a binding entry.

-

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you check an IP packet against the binding table, run the ip source check user-bind check-item (interface view) command to specify items in the IP packet to be checked on a specified interface. When the device receives an IP packet, it checks the items against the binding table. Only packets that match the binding entries can be forwarded; otherwise, packets are discarded. The optional check items of an IP packet contain the source IP address, source MAC address, and VLAN information. Interface information is a mandatory check item.

Prerequisites

IP packet check has been enabled using the ip source check user-bind enable command in the interface view.

Precautions

When a large number of binding entries exist, it may take a long time to check IP packets, reducing forwarding efficiency.

The check items set by this command take effect only for dynamic binding entries. Packets are still checked against the entries in the static binding table regardless of this setting.

Example

# Enable IP packet check on GE1/0/1 to check whether the IP address in the IP packet matches the binding entry.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind check-item ip-address

ip source check user-bind check-item (VLAN view)

Function

The ip source check user-bind check-item command configures IP packet check items in a VLAN.

The undo ip source check user-bind check-item command restores the default IP packet check items in a VLAN.

By default, the check items contain the IP address, MAC address, VLAN and interface information.

Format

ip source check user-bind check-item { ip-address | mac-address | interface } *

undo ip source check user-bind check-item

Parameters

Parameter

Description

Value

ip-address

Checks whether the IP address of an IP packet matches a binding entry.

-

mac-address

Checks whether the MAC address of an IP packet matches a binding entry.

-

interface

Checks whether interface information of an IP packet matches a binding entry.

-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you check an IP packet against the binding table, run the ip source check user-bind check-item (VLAN view) command to configure IP packet check items in a specified VLAN. When the device receives an IP packet, it checks the items against the binding table. Only packets that match the binding entries can be forwarded; otherwise, packets are discarded. The optional check items of an IP packet contain the source IP address, source MAC address, and interface information. VLAN information is a mandatory check item.

Prerequisites

IP packet check has been enabled using the ip source check user-bind enable command in the VLAN view.

Precautions

When a large number of binding entries exist, it may take a long time to check IP packets, reducing forwarding efficiency.

The check items set by this command take effect only for dynamic binding entries. Packets are still checked against the entries in the static binding table regardless of this setting.

Example

# Enable IP packet check in VLAN 100 and check whether the IP address in the IP packet matches the binding entry.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip source check user-bind enable
[HUAWEI-vlan100] ip source check user-bind check-item ip-address
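The interface-view and VLAN-view check-item commands above decide which fields of a packet must agree with a binding entry before it is forwarded, and the difference between the two views is which item is mandatory. The following Python is an added example, not Huawei code: it parses entries in the format of display dhcp static user-bind all (the row on this page plus a second, constructed row) and evaluates packets under different check-item settings, so the effect of narrowing the items is visible. The packet dictionaries and the second binding row are constructed; the matching rule follows the descriptions on this page and is not a reproduction of the device's implementation.

```python
"""Model of how IPSG check items decide whether a packet matches a binding entry."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed sample in the format of `display dhcp static user-bind all`. The
# first row is the one shown on this page; the second is added for illustration.
STATIC_BIND_OUTPUT = """\
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address           MAC Address   VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.1.1.1            0001-0002-0003 10 /-- /--      GE1/0/1
10.1.1.2            0001-0002-0004 10 /-- /--      GE1/0/2
--------------------------------------------------------------------------------
Print count:      2     Total count:      2
"""

ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+|--)\s*/\s*(?:\d+|--)\s*/\s*(?:\d+|--)\s+"
    r"(?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: Optional[int]
    interface: str


def parse_static_bind_table(text: str) -> List[Binding]:
    """Extract binding entries from `display dhcp static user-bind` output."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            vlan = None if m["vlan"] == "--" else int(m["vlan"])
            entries.append(Binding(m["ip"], m["mac"].lower(), vlan, m["iface"]))
    return entries


# Check item name -> field compared on the binding entry and on the packet.
FIELD = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}


def effective_check_items(view: str, configured: Optional[Iterable[str]]) -> FrozenSet[str]:
    """Items the device compares: all four when no check-item command is configured,
    otherwise the configured ones plus the item that is mandatory in that view
    (interface in the interface view, VLAN in the VLAN view)."""
    if view not in ("interface", "vlan"):
        raise ValueError(view)
    items = set(configured) if configured else set(FIELD)
    items.add("interface" if view == "interface" else "vlan")
    return frozenset(items)


def packet_permitted(pkt: dict, bindings: List[Binding], view: str = "interface",
                     check_items: Optional[Iterable[str]] = None) -> bool:
    """True if some binding entry agrees with the packet on every effective check item."""
    items = effective_check_items(view, check_items)
    return any(
        all(str(getattr(b, FIELD[i])).lower() == str(pkt[FIELD[i]]).lower() for i in items)
        for b in bindings
    )


BINDINGS = parse_static_bind_table(STATIC_BIND_OUTPUT)
# Constructed packets. LEGIT is the bound host; SPOOFED_MAC is an attacker on the
# same port using the bound IP with its own MAC; MOVED_HOST is host .2 plugged
# into .1's port with its own (correct) MAC.
LEGIT = {"ip": "10.1.1.1", "mac": "0001-0002-0003", "vlan": 10, "interface": "GE1/0/1"}
SPOOFED_MAC = dict(LEGIT, mac="dead-beef-0001")
MOVED_HOST = {"ip": "10.1.1.2", "mac": "0001-0002-0004", "vlan": 10, "interface": "GE1/0/1"}

if __name__ == "__main__":
    print("default items, spoofed MAC:", packet_permitted(SPOOFED_MAC, BINDINGS))
    print("ip-address only, spoofed MAC:",
          packet_permitted(SPOOFED_MAC, BINDINGS, check_items={"ip-address"}))
```

The two check-item examples on this page (check-item ip-address) therefore accept a packet as soon as the source IP and the mandatory item match, so a host on the same port or in the same VLAN that spoofs a bound IP address with its own MAC is forwarded; keep mac-address in the item set unless the MAC legitimately varies (for example, behind a downstream router).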

ip source check user-bind enable

Function

The ip source check user-bind enable command enables IP packet check.

The undo ip source check user-bind enable command disables IP packet check.

By default, IP packet check is disabled.

Format

ip source check user-bind enable

undo ip source check user-bind enable

ipv4 source check user-bind enable

undo ipv4 source check user-bind enable

ipv6 source check user-bind enable

undo ipv6 source check user-bind enable

Parameters

None

Views

VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Unauthorized users often send bogus packets that spoof the source IP address and MAC address of authorized users in order to gain network access or to attack the network, which degrades service for the authorized users. IP packet check (IP Source Guard) addresses this by dropping packets whose source information does not match the binding table.

When IP packet check is enabled, the device checks the IP address, MAC address, VLAN information, and interface information against the binding table. You can run the ip source check user-bind check-item (interface view) or ip source check user-bind check-item (VLAN view) command to specify IP packet check items. Only packets that match the binding entries can be forwarded; otherwise, packets are discarded.

Prerequisites

IP packet check relies on the binding table, so one of the following must exist before the check takes effect:
  • The dynamic DHCP snooping binding table has been generated for DHCP users.
  • The static binding table has been configured manually for users using static IP addresses.
  • The dynamic ND snooping binding table has been generated for users dynamically obtaining IPv6 addresses through Stateless Address Autoconfiguration.

Precautions

After IP packet check is enabled using the ip source check user-bind enable command, the device checks the source IPv4 and IPv6 addresses of users' IP packets. The configuration file is displayed as follows:
 ipv4 source check user-bind enable                                                                                                 
 ipv6 source check user-bind enable   

To check only IPv4 or IPv6 packets, run the ipv4 source check user-bind enable or ipv6 source check user-bind enable command.

After an interface on ACU2 is added to an Eth-Trunk, IPSG cannot be enabled on the Eth-Trunk. After IPSG is enabled on an Eth-Trunk, the interface on ACU2 cannot be added to the Eth-Trunk.

Example

# Enable IPv4 and IPv6 packet check on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable

# Enable IPv4 packet check on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ipv4 source check user-bind enable

ip source-trail

Function

The ip source-trail command enables the device to search the attack source according to the destination IP address of the attacked device.

The undo ip source-trail command cancels the configuration.

By default, IP source trail is disabled.

Format

ip source-trail ip-address ip-address

undo ip source-trail ip-address ip-address

Parameters

Parameter Description Value
ip-address Specifies the destination IP address. The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After IP source trail is enabled, statistics on the packets sent to the specified IP address are recorded. The system supports a maximum of 32 destination IP addresses.

NOTE:

If the device has not yet traced the specified IP address, the display ip source-trail command displays the result of the last IP source trail. Therefore, you are advised to run the display ip source-trail command 10 minutes after running the ip source-trail ip-address command.

Example

# Configure IP source trail on IP address 10.0.0.1.

<HUAWEI> system-view
[HUAWEI] ip source-trail ip-address 10.0.0.1

# Disable IP source trail on IP address 10.0.0.1.

[HUAWEI] undo ip source-trail ip-address 10.0.0.1

reset ip source-trail

Function

The reset ip source-trail command clears results of IP source trail.

Format

reset ip source-trail [ ip-address ip-address ]

Parameters

Parameter Description Value
ip-address Specifies the destination IP address. The value is in dotted decimal notation.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

After this command is run, the results of IP source trail are cleared and cannot be restored.

Example

# Clear results of IP source trail on IP address 10.0.0.1.

<HUAWEI> reset ip source-trail ip-address 10.0.0.1

user-bind static

Function

The user-bind static command configures a static binding table.

The undo user-bind static command deletes a static binding table.

By default, no static binding table is configured.

Format

user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

undo user-bind static [ { ip-address { start-ip [ to end-ip ] } &<1-10> | ipv6-address [ start-ip [ to end-ip ] ] &<1-10> | ipv6-prefix [ prefix/prefix-length ] } | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] *

Parameters

Parameter Description Value
interface interface-type interface-number Specifies the interface connected to a user in a static binding entry.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-
ip-address Indicates the static IPv4 address. -
ipv6-address Indicates the static IPv6 address. -
start-ip [ to end-ip ] Specifies the user IP address in a static binding entry.
  • start-ip specifies the first IP address.
  • to end-ip specifies the last IP address. The value of end-ip must be larger than the value of start-ip. start-ip and end-ip identify an IP address range.
If to end-ip is not specified, only the start IP address is added to the static binding entry.
You can specify a maximum of 10 IP address ranges at a time. The entered IP address ranges cannot overlap.
An IPv4 address is in dotted decimal notation, in the format X.X.X.X. An IPv6 address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
ipv6-prefix prefix/prefix-length Specifies the prefix of an IPv6 address. The prefix is 128 bits long, written as 8 groups of 4 hexadecimal digits in the format X:X:X:X:X:X:X:X. prefix-length is an integer that ranges from 1 to 128.
mac-address mac-address Specifies the user MAC address in a static binding entry. The value is in hexadecimal notation, in the format H-H-H.
vlan vlan-id Specifies the user VLAN ID in a static binding entry. The value is an integer that ranges from 1 to 4094.
ce-vlan ce-vlan-id Specifies the inner VLAN tag of a QinQ packet in a static binding entry. The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When DHCP snooping is enabled, a dynamic binding table is automatically generated for dynamic users. However, no binding table is generated for static users. If IP source guard is enabled but no static binding table is available, the device discards all packets from static users. To enable the device to forward static users' packets, run the user-bind static command to configure a static binding table.

Precautions

After a static binding table is configured and IP source guard is enabled, the device performs a match check on IP packets based on the configured binding entries. If the match check fails, the device discards the IP packets.
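The rules the parameter table places on start-ip [ to end-ip ] (end-ip larger than start-ip, at most 10 ranges per command, no overlapping ranges) are easy to get wrong when entries are generated by a script, so here is an added example, written for this page rather than taken from Huawei, that validates a range specification and expands it into the individual binding entries the device would hold. The cap MAX_EXPANDED is an assumption of this example, not a device limit; the sample range specifications are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

MAX_RANGES = 10        # the &<1-10> in the command format
MAX_EXPANDED = 65536   # assumed local cap so a typo cannot expand into millions of entries


def parse_ip_ranges(spec: str) -> List[Tuple[IPAddr, IPAddr]]:
    """Parse the operand of ip-address / ipv6-address: one or more
    'start-ip [to end-ip]' items, e.g. '10.1.1.1 to 10.1.1.5 10.1.1.20'.
    Raises ValueError for what the command rejects: end-ip not larger than
    start-ip, more than 10 ranges, or overlapping ranges."""
    tokens = spec.split()
    ranges: List[Tuple[IPAddr, IPAddr]] = []
    i = 0
    while i < len(tokens):
        start = ipaddress.ip_address(tokens[i])
        end = start
        i += 1
        if i < len(tokens) and tokens[i].lower() == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' must be followed by end-ip")
            end = ipaddress.ip_address(tokens[i + 1])
            i += 2
            if end.version != start.version:
                raise ValueError("start-ip and end-ip must be the same IP version")
            if end <= start:
                raise ValueError(f"end-ip {end} must be larger than start-ip {start}")
        if ranges and start.version != ranges[0][0].version:
            raise ValueError("mixed IPv4/IPv6 ranges: use ip-address or ipv6-address, not both")
        ranges.append((start, end))
    if not ranges:
        raise ValueError("at least one start-ip is required")
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"at most {MAX_RANGES} ranges per command")
    ordered = sorted(ranges, key=lambda r: r[0])
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            raise ValueError(f"ranges overlap at {next_start}")
    return ranges


def expand_static_binding(spec: str, mac: Optional[str] = None, vlan: Optional[int] = None,
                          interface: Optional[str] = None) -> List[Dict]:
    """One binding entry per address in the validated ranges; MAC, VLAN and
    interface are copied onto every entry, as the command applies them to all."""
    entries: List[Dict] = []
    for start, end in parse_ip_ranges(spec):
        if int(end) - int(start) + 1 > MAX_EXPANDED:
            raise ValueError(f"range {start}-{end} exceeds the local expansion cap")
        addr = start
        while addr <= end:
            entries.append({"ip": str(addr), "mac": mac, "vlan": vlan, "interface": interface})
            addr += 1
    return entries


def rejects(spec: str) -> bool:
    """True if the range specification would be refused (pre-check before pushing config)."""
    try:
        parse_ip_ranges(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    entries = expand_static_binding("10.1.1.1 to 10.1.1.5 10.1.1.20", vlan=2)
    print(len(entries), "entries:", [e["ip"] for e in entries])
    for bad in ("10.1.1.5 to 10.1.1.1", "10.1.1.1 to 10.1.1.10 10.1.1.5"):
        print(repr(bad), "rejected:", rejects(bad))
```

Overlap is detected by sorting the ranges on their start address and checking each start against the previous end, which also catches a single address that falls inside an earlier range.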

Example

# Configure a static binding entry for a user in VLAN 2 with the IP address 10.1.1.1.

<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.1.1.1 vlan 2

user-bind ip sticky-mac

Function

The user-bind ip sticky-mac command enables the device to generate snooping MAC entries.

The undo user-bind ip sticky-mac command disables the device from generating snooping MAC entries.

By default, the device does not generate snooping MAC entries.

Format

user-bind ip sticky-mac

undo user-bind ip sticky-mac

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent the users with unauthorized MAC addresses from attacking the network, run the user-bind ip sticky-mac command to configure the device to generate snooping MAC entries on the interface that is prone to attack. After the device is configured to generate snooping MAC entries, it translates the dynamic MAC entries learned by the interface into snooping MAC entries (snooping MAC entries are a type of static MAC entries) based on the DHCP snooping binding table and ND snooping binding table, or generates snooping MAC entries based on the static binding entries.

After the configuration is complete, the interface forwards only the IP packets of which the source MAC addresses are included in the static MAC entries (static and snooping), and discards other IP packets.

NOTE:
  • To view MAC entry information on the device, see display mac-address.

  • If a binding entry is modified, the matching snooping MAC entry is also modified.

Prerequisites

Before using the user-bind ip sticky-mac command, ensure that the DHCP snooping function has been enabled by the dhcp snooping enable command.

Precautions

To ensure correct packet forwarding for authorized static users on an interface, you can run the user-bind static command to configure static binding entries, which generate static MAC entries, or run the mac-address static command to configure static MAC entries.

When configuring a static binding entry, specify the MAC address, VLAN ID, and interface number. The VLAN ID must already exist on the device. If any of the three parameters is not specified, a snooping MAC entry cannot be generated based on this static binding entry.

To allow DHCPv6 users to go online, enable both DHCP snooping and ND snooping.

The user-bind ip sticky-mac command cannot be used together with the following commands:
  • dot1x enable: enables 802.1X authentication on an interface.
  • mac-authen: enables MAC address-based authentication on an interface.
  • authentication-profile (interface view or VAP profile view): applies an authentication profile to the interface or VAP profile.
  • mac-address learning disable (interface view and VLAN view): disables MAC address learning.
  • mac-limit: sets the maximum number of MAC addresses that can be learned.
  • port vlan-mapping vlan map-vlan and port vlan-mapping vlan inner-vlan: enable VLAN mapping.
  • port-security enable: enables port security.
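The two rules in the usage guidelines and precautions above (a binding entry yields a snooping MAC entry only when it carries MAC, VLAN and interface; a modified binding entry updates its matching snooping MAC entry; and the interface then forwards only IP packets whose source MAC is in a static or snooping MAC entry) are shown here in an added example written for this page, not Huawei code. The binding entries and the static MAC entry are constructed, and keying MAC entries by (MAC, VLAN, interface) is an assumption of the model.

```python
from typing import Dict, Iterable, Set, Tuple

MacKey = Tuple[str, int, str]   # (mac, vlan, interface)


def snooping_mac_entries(binding_table: Iterable[Dict]) -> Set[MacKey]:
    """Derive snooping MAC entries from the binding table. An entry contributes
    one only when it carries all of MAC, VLAN and interface."""
    return {(e["mac"], e["vlan"], e["interface"])
            for e in binding_table
            if e.get("mac") and e.get("vlan") and e.get("interface")}


class StickyMacInterface:
    """Forwarding model for an interface with user-bind ip sticky-mac enabled:
    only source MACs found in static MAC entries (configured with mac-address
    static, or snooping entries derived from the binding table) are forwarded."""

    def __init__(self, name: str, static_macs: Iterable[MacKey] = ()):
        self.name = name
        self.static = {k for k in static_macs if k[2] == name}   # mac-address static entries
        self.snooping: Set[MacKey] = set()

    def rebind(self, binding_table: Iterable[Dict]) -> None:
        """Regenerate snooping MAC entries after the binding table changes, so a
        modified binding entry replaces the MAC entry it previously produced."""
        self.snooping = {k for k in snooping_mac_entries(binding_table) if k[2] == self.name}

    def forwards(self, src_mac: str, vlan: int) -> bool:
        """IP packet forwarded only if its source MAC/VLAN has a static or snooping entry."""
        key = (src_mac, vlan, self.name)
        return key in self.static or key in self.snooping


# Constructed sample binding table (not from a real device).
BINDINGS = [
    {"ip": "10.1.1.10", "mac": "00e0-fc12-3456", "vlan": 10, "interface": "GigabitEthernet1/0/1"},  # DHCP snooping
    {"ip": "10.1.1.20", "mac": "00e0-fc00-0002", "vlan": 10, "interface": "GigabitEthernet1/0/1"},  # static, complete
    {"ip": "10.1.1.30", "mac": None, "vlan": 10, "interface": "GigabitEthernet1/0/1"},              # static, no MAC
]


def demo() -> StickyMacInterface:
    """Build the interface with one mac-address static entry and derive the rest."""
    port = StickyMacInterface("GigabitEthernet1/0/1",
                              static_macs=[("00e0-fc99-9999", 10, "GigabitEthernet1/0/1")])
    port.rebind(BINDINGS)
    return port


if __name__ == "__main__":
    port = demo()
    print("snooping MAC entries:", sorted(port.snooping))
    for mac in ("00e0-fc12-3456", "00e0-fc99-9999", "00e0-fcaa-bbcc"):
        print(mac, "forwarded" if port.forwards(mac, 10) else "discarded")
```

The entry for 10.1.1.30 produces no snooping MAC entry because it has no MAC address, which is the case the precaution above warns about: such a static user is silently dropped on a sticky-mac interface unless a static MAC entry is added for it.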

Example

# Configure the GE1/0/1 interface to generate snooping MAC entries based on the snooping binding table.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] user-bind ip sticky-mac
Updated: 2019-04-09

Document ID: EDOC1100065659