user-bind ip sticky-mac

Function

The user-bind ip sticky-mac command enables the device to generate snooping MAC entries.

The undo user-bind ip sticky-mac command disables the device from generating snooping MAC entries.

By default, the device does not generate snooping MAC entries.

Format

user-bind ip sticky-mac

undo user-bind ip sticky-mac

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent users with unauthorized MAC addresses from attacking the network, run the user-bind ip sticky-mac command on an interface that is prone to attack so that the device generates snooping MAC entries. Once this is configured, the device converts the dynamic MAC entries learned by the interface into snooping MAC entries (a type of static MAC entry) based on the DHCP snooping binding table and ND snooping binding table, or generates snooping MAC entries based on the static binding entries.

After the configuration is complete, the interface forwards only IP packets whose source MAC addresses are included in the static MAC entries (static and snooping), and discards other IP packets.

  • To view MAC entry information on the device, see display mac-address.

  • If a binding entry is modified, the matching snooping MAC entry is also modified.

Prerequisites

Before using the user-bind ip sticky-mac command, ensure that the DHCP snooping function has been enabled by the dhcp snooping enable command.

Precautions

To ensure correct packet forwarding for authorized static users on an interface, you can run the user-bind static command to configure static binding entries, which generate static MAC entries, or run the mac-address static command to configure static MAC entries.

When configuring a static binding entry, specify the MAC address, VLAN ID, and interface number. The VLAN ID must already exist on the device. If you do not specify the three parameters, a snooping MAC entry cannot be generated based on this static binding entry.

To allow DHCPv6 users to go online, enable both DHCP snooping and ND snooping.

The user-bind ip sticky-mac command cannot be used together with the following commands.

| Command | Description |
|---|---|
| dot1x enable | Enables 802.1X authentication on an interface. |
| mac-authen | Enables MAC address-based authentication on an interface. |
| authentication-profile (Interface view or VAP profile view) | Applies an authentication profile to the interface or VAP profile. |
| mac-address learning disable (Interface view and VLAN view) | Enables MAC address learning. |
| mac-limit | Sets the maximum number of MAC addresses to be learned. |
| port vlan-mapping vlan map-vlan, port vlan-mapping vlan inner-vlan | Enables VLAN mapping. |
| port-security enable | Enables port security. |
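
One way to check a saved configuration against the prerequisite and the incompatible commands listed above, as an added example that is not Huawei's code. It assumes a saved-configuration layout in which view headers are unindented and their commands are indented, and it only compares commands within the same view; the names audit, SAMPLE and the sample contents are constructed for illustration.

```python
import re

STICKY = "user-bind ip sticky-mac"
# Commands the page lists as unusable together with sticky-mac (line prefixes).
CONFLICTS = ("dot1x enable", "mac-authen", "authentication-profile",
             "mac-address learning disable", "mac-limit",
             "port vlan-mapping vlan", "port-security enable")
# Assumed layout: view headers unindented, commands inside a view indented.
VIEW = re.compile(r"interface \S+|vlan \d+")

def audit(config):
    """Return one finding per missing prerequisite or conflicting command."""
    views, current = {}, "system"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # "#", a view header, or a system-view command
            current = line if VIEW.fullmatch(line) else "system"
        if line != "#":
            views.setdefault(current, []).append(line)
    snooping = "dhcp snooping enable" in views.get("system", [])
    findings = []
    for view, lines in views.items():
        if STICKY not in lines:
            continue  # only views that enable sticky-mac are checked
        if not snooping:
            findings.append(f"{view}: dhcp snooping enable missing in system view")
        findings += [f"{view}: '{cmd}' conflicts with {STICKY}"
                     for cmd in lines if cmd.startswith(CONFLICTS)]
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
#
dhcp enable
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
 user-bind ip sticky-mac
 port-security enable
 mac-limit maximum 5
#
interface GigabitEthernet0/0/2
 port-security enable
#
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means every view that enables sticky-mac has global DHCP snooping and none of the listed commands in the same view.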

Example

# Configure the GE0/0/1 interface to generate snooping MAC entries based on the snooping binding table.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] user-bind ip sticky-mac
Copyright © Huawei Technologies Co., Ltd.