How to configure and use the binding table

The user-bind command is used to create a static DHCP binding table. The dynamic DHCP binding table is automatically generated after DHCP snooping is enabled.
In V100R005 and later versions, the ip source check user-bind enable command is used to filter packets.
You can use the following combinations of ip-address, mac-address, interface, and vlan to configure the static binding table:

In the interface view:
--Interface and IP address
--Interface and MAC address
--Interface, IP address, and MAC address
--Interface, IP address, and VLAN ID
--Interface, MAC address, and VLAN ID
--Interface, IP address, MAC address, and VLAN ID
In the VLAN view:
--VLAN ID and IP address
--VLAN ID and MAC address
--VLAN ID, IP address, and MAC address
--VLAN ID, IP address, and interface
--VLAN ID, MAC address, and interface
--VLAN ID, IP address, MAC address, and interface
For example, the combination of VLAN ID and IP address means that packets whose IP address and VLAN match the binding entry are allowed to pass through, regardless of the interface that receives the packets and the MAC address of the packets.
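The matching rule above can be modelled offline to audit a set of static entries. The following Python sketch is an added example, not Huawei code: it parses `user-bind static` lines in the form shown on this page and reports which packets an entry admits and which fields it leaves unchecked. The sample addresses are constructed, and the zero-padding of short MAC groups is an assumption.

```python
import re
from dataclasses import dataclass, fields
from typing import Optional

KEYWORDS = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}

@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[str] = None
    interface: Optional[str] = None

def norm(field, value):
    value = value.lower()
    if field == "mac":  # assumption: short groups are zero-padded (2-2-2 == 0002-0002-0002)
        return "-".join(g.zfill(4) for g in value.split("-"))
    return re.sub(r"\s+", "", value)  # "gigabitethernet 0/0/1" -> "gigabitethernet0/0/1"

def parse_user_bind(line):
    """Return a Binding for a `user-bind static ...` line; None for `undo` or other lines."""
    m = re.search(r"(?<!undo )user-bind static (.+)", line.split("//")[0])
    if not m:
        return None
    found, key = {}, None
    for tok in m.group(1).split():
        if tok in KEYWORDS:
            key = KEYWORDS[tok]
            found[key] = ""
        elif key:
            found[key] += tok  # interface names span two tokens
    return Binding(**{k: norm(k, v) for k, v in found.items()})

def permits(table, packet):
    """A packet passes if some entry matches on every field that entry specifies."""
    pkt = {k: norm(k, v) for k, v in packet.items()}
    return any(all(getattr(b, f.name) in (None, pkt[f.name]) for f in fields(b))
               for b in table)

def unchecked(binding):
    """Fields an entry does not constrain (any value is accepted for these)."""
    return [f.name for f in fields(binding) if getattr(binding, f.name) is None]

# Constructed sample configuration (addresses are illustrative).
CONFIG = """\
[HUAWEI] user-bind static ip-address 10.0.2.10 vlan 2
[HUAWEI] user-bind static ip-address 10.0.3.20 mac-address 2-2-2 interface gigabitethernet 0/0/1
[HUAWEI] undo user-bind static vlan 10
"""
TABLE = [b for b in map(parse_user_bind, CONFIG.splitlines()) if b]
```

An empty table makes `permits` return False for every packet, which mirrors the effect of enabling the check before any binding entries exist.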

Other related questions:
Configure binding tables for IPSG (user-bind binding tables) on S series switches
Configure a binding table for IPSG (user-bind binding table) on an S series switch (except the S1700) as follows:
--Static binding table
A static binding entry contains at least one of the following: IP address, MAC address, interface, VLAN, and IP address and MAC address. An interface cannot be bound to a VLAN to form a binding entry. For example, configure a static binding entry of VLAN 2 and IP address 1.1.1.1.
[HUAWEI] user-bind static ip-address 1.1.1.1 vlan 2
Note: Static binding entries can be configured only in the system view.
--Dynamic binding table
Enable DHCP snooping globally and on an interface. Generally, the interface directly or indirectly connected to the DHCP server or gateway is configured as a trusted interface. After DHCP snooping is enabled and the trusted interface is configured, user-side interfaces automatically generate dynamic binding entries based on received DHCP ACK packets. For example, enable DHCP snooping globally and on GE0/0/1, and configure GE0/0/1 as a trusted interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping trusted
Note: If both DHCP relay and VRRP are configured on a switch, DHCP snooping cannot be enabled. DHCP snooping cannot be enabled if the DHCP server is at the subordinate VLAN side and the DHCP client is at the principal VLAN side.
After DHCP snooping is configured, the switch generates DHCP snooping entries for the hosts when the hosts go online again. Then IPSG takes effect. If you enable IPSG before the switch generates DHCP snooping dynamic binding entries, the switch rejects all packets except DHCP Request packets. In this situation, the hosts with dynamic IP addresses cannot communicate with each other. Therefore, before enabling the IPSG function, configure the DHCP snooping function to enable the switch to generate dynamic binding entries.

How to configure a binding table on a CE series switch
IP source guard (IPSG) enables a device to check IP packets against a binding table. Binding tables are classified into dynamic and static binding tables.
If user IP addresses are dynamically allocated through DHCP, configure the DHCP snooping function. If user IP addresses are statically configured, configure a static binding table manually.
1. For users who dynamically obtain IP addresses through DHCP:
<HUAWEI> system-view
[~HUAWEI] dhcp enable //Enable DHCP globally.
[*HUAWEI] dhcp snooping enable //Enable DHCP snooping globally.
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable //Enable DHCP snooping on 10GE1/0/1.
[*HUAWEI-10GE1/0/1] dhcp snooping trusted //Configure 10GE1/0/1 as a trusted interface.
[*HUAWEI-10GE1/0/1] commit
2. For users who use static IP addresses:
<HUAWEI> system-view
[~HUAWEI] user-bind static ip-address 1.1.1.1 mac-address 2-2-2 interface 10ge 1/0/1
[*HUAWEI] commit

Delete entries in binding tables for IPSG (user-bind binding tables) on S series switches
Delete entries in a binding table for IPSG (user-bind binding table) on an S series switch (except the S1700) as follows:
Binding entries include static entries and dynamic entries. Dynamic entries are automatically generated when DHCP snooping is enabled. To delete dynamic entries, disable DHCP snooping. Static entries are configured manually. To delete static entries, perform the following operations:
1. Run the display dhcp static user-bind all command to view all static binding entries on the switch.
[HUAWEI] display dhcp static user-bind all
2. Delete binding entries as required.
a. Delete the static binding entry of IP address 192.168.1.1.
[HUAWEI] undo user-bind static ip-address 192.168.1.1 mac-address 0001-0001-0001
b. Delete the static binding entry of MAC address 0002-0002-0002.
[HUAWEI] undo user-bind static mac-address 0002-0002-0002
c. Delete all static binding entries of GE0/0/1.
[HUAWEI] undo user-bind static interface gigabitethernet 0/0/1
d. Delete all static binding entries in VLAN 10.
[HUAWEI] undo user-bind static vlan 10
e. Delete all entries in the static binding table.
[HUAWEI] undo user-bind static
