How to configure IP source guard ACL/MAC mode via SNMP on ECS3510-28T?

Steven_zhang | Created at: Dec 11, 2019 14:18:33 | Updated at: Dec 11, 2019 14:18:45

Please upgrade to the phase 5 runtime software and use the new MIB file (ECS3510-28T_1513.mib), which supports setting the IPSG ACL/MAC mode via SNMP.

 

Examples are shown below:

<Example 1> Configure IPSG ACL mode, SIP-MAC, and set max-binding on port1.

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} { ipSrcGuardMode | ipSrcGuardTableMode | ipSrcGuardAclMaxBinding }.{ ipSrcGuardPortIfIndex } {integer} {value}

 

For ipSrcGuardMode, OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2 to disabled(0) means IP Source Guard is disabled.

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2 to srcIp(1) means IP Source Guard is enabled and packets are filtered by checking the source IP.

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2 to srcIpMac(2) means IP Source Guard is enabled and packets are filtered by checking the source IP and source MAC.

For ipSrcGuardTableMode, OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3 to acl(1) means IP Source Guard uses ACL mode to filter packets.

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3 to mac(2) means IP Source Guard uses MAC mode to filter packets.

 

For ipSrcGuardAclMaxBinding, OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.4

 The number of IP Source Guard bindings in ACL mode will be limited by this value. (Range: 1-16)

 

For ipSrcGuardPortIfIndex: The port interface of the portTable.

 The ifIndex value of the port or trunk.

 

(1) Enable IP Source Guard on port1 and packets are filtered by checking source IP and source MAC.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2.1 i 2
SNMPv2-SMI::enterprises.259.10.1.27.1.48.1.1.2.1 = INTEGER: 2

(2) Configure IP Source Guard as ACL mode.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3.1 i 1
SNMPv2-SMI::enterprises.259.10.1.27.1.48.1.1.3.1 = INTEGER: 1

(3) Configure IP Source Guard max binding count as 3.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.1.1.4.1 i 3
SNMPv2-SMI::enterprises.259.10.1.27.1.48.1.1.4.1 = INTEGER: 3

Result

Console#show running-config interface ethernet 1/1
interface ethernet 1/1
 ip source-guard sip-mac
 ip source-guard mode acl max-binding 3
!

 

<Example 2> Configure IPSG MAC mode, SIP, and set max-binding on port2.

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} { ipSrcGuardMode | ipSrcGuardTableMode | ipSrcGuardMacMaxBinding }.{ ipSrcGuardPortIfIndex } {integer} {value}

 

For ipSrcGuardMode, OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2 to disabled(0) means IP Source Guard is disabled.

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2 to srcIp(1) means IP Source Guard is enabled and packets are filtered by checking the source IP.

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2 to srcIpMac(2) means IP Source Guard is enabled and packets are filtered by checking the source IP and source MAC.

For ipSrcGuardTableMode, OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3 to acl(1) means IP Source Guard uses ACL mode to filter packets.

 Setting OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3 to mac(2) means IP Source Guard uses MAC mode to filter packets.

 

For ipSrcGuardMacMaxBinding, OID 1.3.6.1.4.1.259.10.1.27.1.48.1.1.5

 The number of IP Source Guard bindings in MAC mode will be limited by this value. (Range: 1-1024)

 

For ipSrcGuardPortIfIndex: The port interface of the portTable.

 The ifIndex value of the port or trunk.

 

(1) Enable IP Source Guard on port2 and packets are filtered by checking source IP.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.1.1.2.2 i 1
SNMPv2-SMI::enterprises.259.10.1.27.1.48.1.1.2.2 = INTEGER: 1

(2) Configure IP Source Guard as MAC mode.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.1.1.3.2 i 2
SNMPv2-SMI::enterprises.259.10.1.27.1.48.1.1.3.2 = INTEGER: 2

(3) Configure IP Source Guard max binding count as 5.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.1.1.5.2 i 5
SNMPv2-SMI::enterprises.259.10.1.27.1.48.1.1.5.2 = INTEGER: 5

Result

Console#show running-config interface ethernet 1/2
interface ethernet 1/2
 ip source-guard sip
 ip source-guard mode mac
 ip source-guard mode mac max-binding 5
!

 

<Example 3> Statically bind an entry on a port.

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} { ipSrcGuardAclBindingStatus | ipSrcGuardAclBindingVlanIndex | ipSrcGuardAclBindingPortIfIndex }.{ ipSrcGuardAclBindingIpAddress }.{ ipSrcGuardAclBindingMacAddress }.{ ipSrcGuardAclBindingEntryType } {integer | gauge} {value}

 

For ipSrcGuardAclBindingStatus, OID 1.3.6.1.4.1.259.10.1.27.1.48.3.1.6

 The status of this conceptual row entry.

 active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)

 

For ipSrcGuardAclBindingVlanIndex, OID 1.3.6.1.4.1.259.10.1.27.1.48.3.1.4

 This object indicates the VLAN to which an ACL binding belongs (VLAN ID + 1000).

 

For ipSrcGuardAclBindingPortIfIndex, OID 1.3.6.1.4.1.259.10.1.27.1.48.3.1.5

 This object indicates the port or trunk with which an ACL binding is associated.

 

For ipSrcGuardAclBindingIpAddress,

 This object indicates the IP address of an ACL binding entry.

 

For ipSrcGuardAclBindingMacAddress,

 This object indicates the MAC address of an ACL binding entry.

 

For ipSrcGuardAclBindingEntryType,

 This object indicates whether this binding was learned dynamically or is a static configuration.

 static(1), dhcp(2), bootp(3)

 

(1) Create a static ACL binding entry with createAndWait.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.3.1.6.192.168.1.1.0.31.198.222.224.107.1 i 5
SNMPv2-SMI::enterprises.259.10.1.27.1.48.3.1.6.192.168.1.1.0.31.198.222.224.107.1 = INTEGER: 5

(2) Assign the ACL binding entry to VLAN 1 (Gauge 1001: VLAN ID + 1000).

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.3.1.4.192.168.1.1.0.31.198.222.224.107.1 u 1001
SNMPv2-SMI::enterprises.259.10.1.27.1.48.3.1.4.192.168.1.1.0.31.198.222.224.107.1 = Gauge32: 1001

(3) Configure the ACL binding entry on port1.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.3.1.5.192.168.1.1.0.31.198.222.224.107.1 i 1
SNMPv2-SMI::enterprises.259.10.1.27.1.48.3.1.5.192.168.1.1.0.31.198.222.224.107.1 = INTEGER: 1

(4) Activate the static ACL binding entry.

C:\>snmpset -v 2c -c private 192.168.1.90 1.3.6.1.4.1.259.10.1.27.1.48.3.1.6.192.168.1.1.0.31.198.222.224.107.1 i 1
SNMPv2-SMI::enterprises.259.10.1.27.1.48.3.1.6.192.168.1.1.0.31.198.222.224.107.1 = INTEGER: 1

Result

Console#show ip source-guard binding
MAC Address       IP Address      Type           VLAN      Interface
----------------- --------------- -------------- --------- ---------
00-1f-c6-de-e0-6b 192.168.1.1     static-acl             1 Eth 1/1
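
The row index in Example 3 is the binding's IP address, followed by the six MAC octets written in decimal, followed by the entry type. The shell sketch below is an added example, not part of the original post: it derives that index from a MAC in the usual hex notation and prints the four snmpset commands in the order shown above. The function names are hypothetical, and the 1-4094 VLAN check is an assumption based on the 802.1Q VLAN ID range.

```shell
#!/bin/sh
# Added example: build the ipSrcGuardAclBinding row index and the Example 3 command sequence.
BINDING_BASE=1.3.6.1.4.1.259.10.1.27.1.48.3.1   # table entry prefix taken from the page

# mac_to_index 00-1f-c6-de-e0-6b  ->  0.31.198.222.224.107
mac_to_index() {
    mac=$(printf '%s' "$1" | tr ':' '-')
    # Require exactly six two-digit hex octets before converting.
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$' || return 1
    out=
    oldifs=$IFS; IFS=-
    for octet in $mac; do
        out="${out:+$out.}$(printf '%d' "0x$octet")"
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# binding_index IP MAC [TYPE]  ->  IP.MAC-in-decimal.TYPE  (TYPE defaults to static(1))
binding_index() {
    ip=$1; etype=${3:-1}
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    macidx=$(mac_to_index "$2") || return 1
    printf '%s.%s.%s\n' "$ip" "$macidx" "$etype"
}

# static_binding_cmds SWITCH_IP COMMUNITY IP MAC VLAN IFINDEX
# Prints the commands only; nothing is sent to the switch.
static_binding_cmds() {
    host=$1; comm=$2; vlan=$5; ifindex=$6
    idx=$(binding_index "$3" "$4" 1) || { echo "bad IP or MAC" >&2; return 1; }
    # Assumption: valid VLAN IDs are 1-4094 (802.1Q).
    [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] || { echo "bad VLAN" >&2; return 1; }
    set_cmd="snmpset -v 2c -c $comm $host"
    echo "$set_cmd $BINDING_BASE.6.$idx i 5"                  # createAndWait(5)
    echo "$set_cmd $BINDING_BASE.4.$idx u $((vlan + 1000))"   # VLAN ID + 1000
    echo "$set_cmd $BINDING_BASE.5.$idx i $ifindex"           # port or trunk ifIndex
    echo "$set_cmd $BINDING_BASE.6.$idx i 1"                  # active(1)
}

# The values from Example 3 reproduce the commands shown on the page.
static_binding_cmds 192.168.1.90 private 192.168.1.1 00-1f-c6-de-e0-6b 1 1
```
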