set ip-source-guard binding ip

The set ip-source-guard binding ip command configures a static IP source guard binding entry.

The delete ip-source-guard binding ip command deletes the configuration.

Command Syntax

set ip-source-guard binding ip <ip_address> mac <mac-address> interface <interface-name> vlan <vlan-id>

delete ip-source-guard binding ip<ip_address> [mac <mac-address> interface<interface-name>vlan <vlan-id>]

Parameter

Parameter	Description
ip <ip_address>	Specifies a source IPv4 address for the static binding entry. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac <mac-address>	Specifies a source MAC address for the static binding entry. The value is in the format of H:H:H:H:H:H. An H contains 2 hexadecimal numbers, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
interface <interface-name>	Specifies ingress interface name for the static binding entry. The value is a physical port, such as ge-1/1/1, te-1/1/2.
vlan <vlan-id>	Specifies the VLAN ID. The value is an integer that ranges from 1 to 4094.

Usage Guidelines

In IP Source Guard, static binding entries involve manually associating IP addresses with specific interfaces on a network device. IP Source Guard allows only traffic with matching source IP addresses and source MAC addresses to pass through the specified interface, thereby enhancing network security by preventing IP address spoofing attacks.

NOTE:

In the following example, a static IP source guard binding entry is configured on the device. When attempting to delete this entry, an error occurs.

set ip-source-guard binding ip 110.100.10.2 mac 00:00:00:00:00:01 interface ge-1/1/1 vlan 10

admin@PICOS# delete ip-source-guard binding ip 110.100.10.2 mac 00:00:00:00:00:01 interface ge-1/1/1 vlan 10
Deleting:
  10
OK
admin@PICOS# commit
IPSG: vlan is required for ip 110.100.10.2, mac 00:00:00:00:00:01, interface ge-1/1/1
Commit failed.

admin@PICOS# delete ip-source-guard binding ip 110.100.10.2 mac 00:00:00:00:00:01
Deleting:
    00:00:00:00:00:01 {
                 interface "ge-1/1/1" {
                     vlan 10
        }
    }       
OK
admin@PICOS# commit
IPSG: mac is required for ip 110.100.10.2
Commit failed.

This is typically caused by the following two reasons:

Due to the hierarchy structure design of PICOS CLI, when performing a deletion operation, the specified level and all its subordinate levels (i.e., the parameters and subsequent parameters in the command line) will be deleted, while the upper-level hierarchy (i.e., the parameters before the command line) will not be deleted.
In the configuration of a static IP source guard binding entry, the command set ip-source-guard binding ip <ip_address> mac <mac-address> interface <interface-name> vlan <vlan-id> requires all four parameters: IP address, MAC address, interface name, and VLAN ID, to be configured.

For this type of deletion error, you can complete the deletion configuration by removing the first hierarchy level ip-source-guard binding ip.

admin@PICOS# delete ip-source-guard binding ip 110.100.10.2
Deleting:
    110.100.10.2 {
        mac 00:00:00:00:00:01 {
            interface "ge-1/1/1" {
                vlan 10
            }
        }
    }
OK

admin@PICOS# commit
Commit OK.
Save done.

Example

Configure a static IP source guard binding entry manually.

admin@PICOS# set ip-source-guard binding ip 10.1.1.10 mac 22:22:22:11:11:11 interface ge-1/1/3 vlan 40
admin@PICOS# commit