
Binding an IP Address to a MAC Address Using the CLI

This section describes how to bind an IP address to a MAC address using the CLI.

Procedure

  1. Access the system view.

    system-view

  2. Enable IP-MAC binding.

    firewall mac-binding enable

    After this function is enabled, the device checks packets against the bindings between IP addresses and MAC addresses and filters out those that do not match the binding.

  3. Bind IP addresses to MAC addresses.
    • Configure IP-MAC binding.

      firewall mac-binding ip-address mac-address [ vpn-instance vpn-instance-name ] [ vid vlan-id ] [ description description-text ]

      When inserting a MAC-IP address binding entry, comply with the following principles:

      • If an IP address is configured in a MAC-IP address binding several times, the entry configured later overwrites the entry configured earlier.
      • One MAC address can be bound to multiple IP addresses.
      • MAC-IP address binding can be inserted or deleted irrespective of whether the address binding function is enabled.

      If vid is used during the configuration, the binding is associated with the VLAN and is available only for that VLAN. Identical IP addresses may exist on different VLANs. To find the correct entry, set the vid parameter to associate the binding with the corresponding VLAN in the following cases:

      • Layer-2 Ethernet interfaces are virtualized into Layer-3 interfaces through VLANIF to forward packets on the VLAN.
      • A sub-interface is created on the Layer-3 Ethernet interface, and the VLAN to which the sub-interface belongs is specified through the vlan-type dot1q command to forward packets on the VLAN.

      For interfaces that do not belong to the VLAN, you do not need to set the vid parameter.

    • On the interface, start an ARP probe for the specified network segment and perform IP-MAC address binding.
      1. Run the interface interface-type interface-number command to access the interface view.

        Interfaces that can be configured with this function must be Layer-3 interfaces with IP addresses specified, including Ethernet interfaces and their subinterfaces, Eth-Trunk interfaces and their subinterfaces, and VLANIF interfaces.
      2. Run the ip-address ip-address { mask | mask-length } [ sub ] command to specify the interface IP address.

      3. Optional:

        Run the arp scan [ start-ip-address to end-ip-address ] command to enable ARP automatic scanning on an interface so that the interface sends ARP Request packets to all interfaces whose IP addresses are in the same network segment as the IP address of the interface.

      4. Optional:

        Run the gratuitous-arp send enable [ interval time-interval ] command to send gratuitous ARP packets through an interface to update the ARP table on the gateway.

        Make sure that correct gateway MAC addresses are in ARP entries on the client.

      5. Run the quit command to return to system view.

      6. Run the firewall mac-binding interface interface-type interface-number command to bind all dynamic ARP entries on the specified interface.

        You can also bind certain ARP entries on the specified interface as required. To perform such binding, run the display arp interface command to query ARP entries on the specified interface, and run the firewall mac-binding command to bind ARP entries one by one.

Example

In this example, to bind IP address 10.1.1.1 to MAC address 0001-0002-0003, run the following commands:

<sysname> system-view
[sysname] firewall mac-binding enable
[sysname] firewall mac-binding 10.1.1.1 0001-0002-0003

Enable ARP automatic probe on interface GigabitEthernet 0/0/1 and bind all ARP entries on the interface.

<sysname> system-view
[sysname] firewall mac-binding enable
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] ip-address 10.1.1.2 24
[sysname-GigabitEthernet0/0/1] gratuitous-arp send enable interval 10
[sysname-GigabitEthernet0/0/1] quit
[sysname] firewall mac-binding interface GigabitEthernet 0/0/1

Follow-up Procedure

To check whether the device verifies the binding between the IP address and the MAC address, run the display firewall mac-binding enable command.

<sysname> display firewall mac-binding enable
 Mac-binding is enabled 

In this example, the output shows that the IP address and MAC address binding function is enabled. If "Mac-binding is disabled" is displayed, the function is disabled in the current system.

To check the existing binding in the current system, run the display firewall mac-binding item command.

<sysname> display firewall mac-binding item
 Firewall Mac-binding items :
 Current items : 2
IP ADDRESS          MAC ADDRESS         VLAN-ID     VPN-INSTANCE          DESCRIPTION
192.168.1.1         00e0-fcff-0200                  public  
192.168.1.2         00e0-fcff-0100                  public  

In this example, the output shows that two binding entries exist on the device.

You can use the display firewall mac-binding item command together with the ip-address parameter to view only the entries related to that IP address. For example, if you run the display firewall mac-binding item 192.168.1.2 command, only the second entry is displayed. This allows a rapid query when there are a large number of entries.
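
The following is an added example, not part of the original documentation or of any Huawei tool: a Python script that parses captured display firewall mac-binding item output, compares it with an intended inventory, and prints the firewall mac-binding commands needed to correct missing or mismatched entries. It assumes that rows align under the header columns as in the output above and that all entries are in the public instance; the sample output, the inventory values and the function names are constructed for illustration.

```python
import re

HEADERS = ("IP ADDRESS", "MAC ADDRESS", "VLAN-ID", "VPN-INSTANCE", "DESCRIPTION")

def huawei_mac(mac):
    """Normalize any common MAC notation to the xxxx-xxxx-xxxx form this page uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_items(output):
    """Slice each row at the header's column offsets, so an empty VLAN-ID
    cell is not confused with the VPN-INSTANCE cell."""
    lines = output.splitlines()
    hdr_idx = next(i for i, l in enumerate(lines) if l.lstrip().startswith(HEADERS[0]))
    starts = [lines[hdr_idx].index(h) for h in HEADERS] + [None]
    items = []
    for row in filter(str.strip, lines[hdr_idx + 1:]):
        ip, mac, vid, vpn, desc = (row[a:b].strip() for a, b in zip(starts, starts[1:]))
        items.append({"ip": ip, "mac": huawei_mac(mac), "vid": vid, "vpn": vpn, "desc": desc})
    return items

def audit(items, expected):
    """expected maps (ip, vlan-id or "") -> MAC. Returns (findings, fix commands)."""
    actual = {(i["ip"], i["vid"]): i["mac"] for i in items}
    findings, fixes = [], []
    for (ip, vid), mac in sorted(expected.items()):
        want, have = huawei_mac(mac), actual.get((ip, vid))
        if have != want:
            findings.append(("missing" if have is None else "mismatch", ip, vid))
            # Re-entering a binding for an IP overwrites the earlier entry.
            fixes.append(f"firewall mac-binding {ip} {want}" + (f" vid {vid}" if vid else ""))
    findings += [("unexpected", ip, vid) for ip, vid in sorted(set(actual) - set(expected))]
    return findings, fixes

# Constructed sample output, laid out like the table shown on this page.
ROW = "{:<20}{:<20}{:<12}{:<22}{}"
SAMPLE = "\n".join([" Firewall Mac-binding items :", " Current items : 3",
    ROW.format(*HEADERS),
    ROW.format("192.168.1.1", "00e0-fcff-0200", "", "public", ""),
    ROW.format("192.168.1.2", "00e0-fcff-0100", "", "public", ""),
    ROW.format("10.1.1.1", "0001-0002-0003", "10", "public", "printer")])
# Constructed inventory of intended bindings (hypothetical values).
EXPECTED = {("192.168.1.1", ""): "00:E0:FC:FF:02:00",
            ("192.168.1.2", ""): "00e0-fcff-0199",
            ("10.1.1.9", "10"): "0001-0002-0009"}

if __name__ == "__main__":
    findings, fixes = audit(parse_items(SAMPLE), EXPECTED)
    print(*findings, *fixes, sep="\n")
```

Entries reported as unexpected are listed for review only; the script generates no command for them.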

Copyright © Huawei Technologies Co., Ltd.