ip-mac

Defines an action based on the device IP MAC table, and also detects conflicts between IP addresses and MAC addresses

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

ip-mac [conflict|routing] 
ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
ip-mac routing conflict drop-only
ip-mac routing conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]

Parameters

ip-mac conflict drop-only

conflict

Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.

drop-only

Drops a packet without logging

ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]

conflict

Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.

log-and-drop

Logs the event and drops the packet. This is the default setting.

log-only

Logs the event only, the packet is not dropped

log-level

Configures the log level

<0-7>

Sets the numeric logging level

alerts

Numerical severity 1. Indicates a condition where immediate action is required

critical

Numerical severity 2. Indicates a critical condition

debugging

Numerical severity 7. Debugging messages

emergencies

Numerical severity 0. System is unusable

errors

Numerical severity 3. Indicates an error condition

informational

Numerical severity 6. Indicates a informational condition

notification

Numerical severity 5. Indicates a normal but significant condition

warnings

Numerical severity 4. Indicates a warning condition. This is the default setting.

ip-mac routing conflict drop-only

routing

Enables IPMAC routing conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect if the client is sending routed packets to the correct router-mac-address.

conflict

Defines the action performed when a routing table conflict is detected. This option is enabled by default.

drop-only

Drops a packet without logging

ip-mac routing conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]

routing

Defines a routing table based action

conflict

Action performed when a conflict exists in the routing table. This option is enabled by default.

log-and-drop

Logs the event and drops the packet. This is the default setting.

log-only

Logs the event only, the packet is not dropped

log-level

Configures the log level to log this event under

<0-7>

Sets the numeric logging level

alerts

Numerical severity 1. Indicates a condition where immediate action is required

critical

Numerical severity 2. Indicates a critical condition

debugging

Numerical severity 7. Debugging messages

emergencies

Numerical severity 0. System is unusable

errors

Numerical severity 3. Indicates an error condition

informational

Numerical severity 6. Indicates a informational condition

notification

Numerical severity 5. Indicates a normal but significant condition

warnings

Numerical severity 4. Indicates a warning condition. This is the default setting.

Examples

nx9500-6C8809(config-fw-policy-testFW)#ip-mac conflict drop-only
nx9500-6C8809(config-fw-policy-testFW)#ip-mac routing conflict log-and-drop log-level notifications
nx9500-6C8809(config-fw-policy-testFW)#show context
firewall-policy testFW
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 alg facetime
 dns-snoop entry-timeout 1200
nx9500-6C8809(config-fw-policy-testFW)#

Related Commands

no Disables actions based on device IP MAC table, IP address, and MAC address conflict detection