To specify how binding entries are maintained in the binding table, enter the device-tracking binding command in global configuration mode. With this command you can configure the lifetime of each state, the maximum number
of entries allowed in a binding table, and whether binding entry events are logged. You can also use this command to configure
static binding entries. To revert to the default value, use the no form of the command.
device-tracking binding {down-lifetime | logging | max-entries | reachable-lifetime | stale-lifetime | vlan}
For the sake of clarity, the remaining command string after each one of the above options is listed separately:
- device-tracking binding down-lifetime {seconds | infinite}
  no device-tracking binding down-lifetime
- device-tracking binding logging
  no device-tracking binding logging
- device-tracking binding max-entries no_of_entries [mac-limit no_of_entries | port-limit no_of_entries [mac-limit no_of_entries] | vlan-limit no_of_entries [mac-limit no_of_entries | port-limit no_of_entries [mac-limit no_of_entries]]]
  no device-tracking binding max-entries
- device-tracking binding reachable-lifetime {seconds | infinite} [down-lifetime {seconds | infinite} | stale-lifetime {seconds | infinite} [down-lifetime {seconds | infinite}]]
  no device-tracking binding reachable-lifetime
- device-tracking binding stale-lifetime {seconds | infinite} [down-lifetime {seconds | infinite}]
  no device-tracking binding stale-lifetime
- device-tracking binding vlan vlan_id {ipv4_add | ipv6_add | ipv6_prefix} [interface interface_type_no] [48-bit-hardware-address] [reachable-lifetime {seconds | default | infinite} | tracking {default | disable | enable [retry-interval {seconds | default}]} [reachable-lifetime {seconds | default | infinite}]]
Syntax Description
down-lifetime {seconds | infinite}
Configures a countdown timer for a binding entry in the DOWN state, or disables the timer.
A binding entry enters the DOWN state when the host's connecting interface is administratively down. If a timer is configured, one of two things happens before it expires: either the interface comes up again, in which case the timer is stopped and the entry changes state, or the entry stays in the DOWN state, in which case it is removed from the binding table when the timer expires. If the timer is disabled, the entry is never removed from the binding table on account of the DOWN state; it remains in the DOWN state indefinitely, or until the interface is up again.
Configure one of these options:
- seconds: Value for the down-lifetime timer, between 1 and 86400 seconds. The default is 86400 seconds (24 hours).
- infinite: Disables the timer for the DOWN state. No timer is started when an entry enters the DOWN state.

logging
Enables generation of logs for binding entry events.

device-tracking binding max-entries no_of_entries [mac-limit no_of_entries | port-limit no_of_entries | vlan-limit no_of_entries]
Configures the maximum number of entries in the binding table. Enter a value between 1 and 200000. The default is 200000.
Note: This limit applies only to dynamic entries, not to static binding entries.
Optionally, you can also configure these limits:
- mac-limit no_of_entries: Maximum number of entries allowed per MAC address, between 1 and 100000. By default, no limit is set.
- port-limit no_of_entries: Maximum number of entries allowed per interface, between 1 and 100000. By default, no limit is set.
- vlan-limit no_of_entries: Maximum number of entries allowed per VLAN, between 1 and 100000. By default, no limit is set.
The no form of the command resets max-entries to 200000 and sets mac-limit, port-limit, and vlan-limit back to "no limit".

reachable-lifetime {seconds | infinite}
Configures a countdown timer for a binding entry in the REACHABLE state, or disables the timer.
If a timer is configured, one of two things happens before it expires: either packets are received from the host, or they are not. Every incoming packet from the host resets the timer. If no packets are received and the timer expires, the state of the entry changes according to the reachability of the host. If the timer is disabled, the entry can remain in the REACHABLE state indefinitely.
Configure one of these options:
- seconds: Value for the reachable-lifetime timer, between 1 and 86400 seconds. The default is 300 seconds (5 minutes).
- infinite: Disables the timer for the REACHABLE state. No timer is started when an entry enters the REACHABLE state.

stale-lifetime {seconds | infinite}
Configures a countdown timer for a binding entry in the STALE state, or disables the timer.
If a timer is configured, one of two things happens before it expires: either packets are received from the host, or they are not. If a packet is received, the timer is stopped and the entry transitions to a new state. If no packets are received and the timer expires, the entry is removed from the binding table. If the timer is disabled, the entry can remain in the STALE state indefinitely.
If polling is enabled, a final attempt is made to probe the host when the stale timer expires.
Note: If polling is enabled, the host is polled when the reachable lifetime timer expires (three attempts), and then a final time when the stale timer expires. The time taken to poll the entry after the reachable lifetime expires is subtracted from the stale lifetime.
Configure one of these options:
- seconds: Value for the stale-lifetime timer, between 1 and 86400 seconds. The default is 86400 seconds (24 hours).
- infinite: Disables the timer for the STALE state. No timer is started when an entry enters the STALE state.

device-tracking binding vlan vlan_id {ipv4_add | ipv6_add | ipv6_prefix} [interface interface_type_no] [48-bit-hardware-address] [reachable-lifetime {seconds | default | infinite} | tracking {default | disable | enable [retry-interval {seconds | default}]} [reachable-lifetime {seconds | default | infinite}]]
Creates a static binding entry in the binding table. You can also specify how the static binding entry is maintained in the binding table.
Note: The limit you configure with the max-entries no_of_entries option (above) does not apply to static binding entries. There is no limit to the number of static entries you can create.
- Enter an IP address or prefix:
  - ipv4_add: An IPv4 address.
  - ipv6_add: An IPv6 address.
  - ipv6_prefix: An IPv6 prefix.
- interface interface_type_no: Interface type and number. Use the question mark (?) online help function to display the interface types available on the device.
- (Optional) 48-bit-hardware-address: MAC address. If you do not configure a MAC address for the binding entry, any MAC address is allowed, so the entry does not pin the address to a particular host.
- (Optional) reachable-lifetime {seconds | default | infinite}: Reachable lifetime settings for the static binding entry while it is in the REACHABLE state. To configure a reachable lifetime for a static binding entry, you must specify the MAC address for the entry. If you do not configure a value, the value configured with device-tracking binding reachable-lifetime applies.
  seconds: Value for the reachable-lifetime timer, between 1 and 86400 seconds. The default is 300 seconds (5 minutes).
  default: Uses the same value as configured for dynamic entries in the binding table.
  infinite: Disables the timer for the REACHABLE state. No timer is started when the static binding entry enters the REACHABLE state.
- (Optional) tracking {default | disable | enable}: Polling settings for the static binding entry.
  default: Polling is disabled.
  disable: Disables polling for the static binding entry.
  enable: Enables polling for the static binding entry. When you enable tracking, you can also configure a retry-interval. This is the multiplicative factor, or base value, of the backoff algorithm that determines the wait time between the three polling attempts made after the reachable lifetime expires. Enter a value between 1 and 3600 seconds. The default is 1.
Command Default
If you do not configure a value, the default values for down, reachable, and stale lifetimes, and maximum number of binding
entries allowed in a binding table are applicable - as long as a policy-level value is not set. See the Usage Guidelines below for further details.
Command Modes
Global configuration [Device(config)# ]
Command History
Release: Cisco IOS XE Fuji 16.9.2
Modification: This command was introduced.
Usage Guidelines
The device-tracking binding command specifies how entries are maintained in a binding table, at a global level. The settings therefore apply to all interfaces and VLANs where SISF-based device-tracking is enabled. But for the system to start extracting binding information from packets that enter the network, and to create the binding entries to which these settings apply, a policy must be attached to an interface or VLAN.
If there is no policy on any interface or VLAN, the only entries that can exist in the binding table are any static binding entries you create.
Changing Any Binding Entry Setting
When you reconfigure a value or setting with the device-tracking binding command, the change applies only to binding entries created after the change. Existing entries keep the settings that were in force when they were created.
To display the current settings, enter the show device-tracking database command in privileged EXEC mode.
Global versus Policy-Level Settings
Some of the settings you configure with this command have policy-level counterparts. (A policy-level parameter is configured in device-tracking configuration mode and applies only to that policy.) The tables below clarify when a globally configured value takes precedence and when a policy-level value takes precedence:
Global option (device-tracking binding, global configuration mode):
device-tracking binding reachable-lifetime {seconds | infinite}
Policy-level counterpart (device-tracking configuration mode):
tracking enable [reachable-lifetime {seconds | infinite}]
Global example:
Device(config)# device-tracking binding reachable-lifetime 2000
Policy-level example:
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking enable reachable-lifetime 250
Which value applies:
If both a policy-level value and a globally configured value exist, the policy-level value applies.
If only a globally configured value exists, the globally configured value applies.
If only a policy-level value exists, the policy-level value applies.
See: Example: Configuring a Reachable, Stale, and Down Lifetime at the Global vs Policy Level.
Global option (device-tracking binding, global configuration mode):
device-tracking binding stale-lifetime {seconds | infinite}
Policy-level counterpart (device-tracking configuration mode):
tracking disable [stale-lifetime {seconds | infinite}]
Global example:
Device(config)# device-tracking binding stale-lifetime 2000
Policy-level example:
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking disable stale-lifetime 500
Which value applies:
If both a policy-level value and a globally configured value exist, the policy-level value applies.
If only a globally configured value exists, the globally configured value applies.
If only a policy-level value exists, the policy-level value applies.
See: Example: Configuring a Reachable, Stale, and Down Lifetime at the Global vs Policy Level.
Global option (device-tracking binding, global configuration mode):
device-tracking binding max-entries no_of_entries [mac-limit no_of_entries | port-limit no_of_entries | vlan-limit no_of_entries]
Policy-level counterpart (device-tracking configuration mode):
limit address-count ip-per-port
Global example:
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19
Policy-level example:
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 30
Which value applies:
If both a policy-level value and globally configured values exist, the creation of binding entries stops as soon as any one limit is reached, whether that is one of the global limits or the policy-level limit.
If only globally configured values exist, the creation of binding entries stops when one of those limits is reached.
If only a policy-level value exists, the creation of binding entries stops when the policy-level limit is reached.
See: Example: Global vs Policy-Level Address Limits.
Global option (device-tracking binding, global configuration mode):
device-tracking binding max-entries no_of_entries [mac-limit no_of_entries]
Policy-level counterpart (device-tracking configuration mode):
IPv4 per MAC and IPv6 per MAC. You cannot configure either of these limits in a policy yourself, but a programmatically created policy may carry one, both, or neither of them.
Global example:
Device(config)# device-tracking binding max-entries 300 mac-limit 3
Policy-level example (programmatically created policy):
Device# show device-tracking policy LISP-DT-GLEAN-VLAN
Policy LISP-DT-GLEAN-VLAN configuration:
security-level glean (*)
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
limit address-count for IPv4 per mac 4 (*)
limit address-count for IPv6 per mac 12 (*)
tracking enable
<output truncated>
Which value applies:
If both a policy-level value and globally configured values exist, the creation of binding entries stops as soon as any one limit is reached, whether that is one of the global limits or the policy-level limit.
If only globally configured values exist, the creation of binding entries stops when one of those limits is reached.
If only a policy-level value exists, the creation of binding entries stops when the policy-level limit is reached.
Configuring Down, Reachable, Stale Lifetimes
When you configure a non-default value for the down-lifetime, reachable-lifetime, or stale-lifetime keyword, the system reverts any lifetime that you do not configure on the same command line to its default value. The following example clarifies this behaviour: Example: Configuring Non-Default Values for Reachable, Stale, and Down Lifetimes.
To display the currently configured lifetime values, enter the show running-config | include device-tracking command in privileged EXEC mode.
Configuring MAC, Port, VLAN Limits
When you configure a non-default value for the mac-limit, port-limit, or vlan-limit keyword, the system reverts any limit that you do not configure on the same command line to its default value.
To configure all three limits on the same command line, first configure the VLAN limit, then the port limit, and finally the MAC limit:
Device(config)# device-tracking binding max-entries 15 vlan-limit 2 port-limit 20 mac-limit 5
You can also use this behaviour to reset one or more, but not all, of the limits to their default values. Although the default for all three keywords is "no limit", you cannot enter 0 to set a limit to its default, because zero is outside the valid value range for every limit. To reset one or more limits to their defaults, leave out the corresponding keywords. The following example clarifies this behaviour: Example: Setting VLAN, Port, and MAC Limits to Default Values.
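The reset-to-default rule above, together with the global-versus-policy precedence described under Global versus Policy-Level Settings, is easy to get wrong when configuration is generated or reviewed in bulk. The following Python script is an added example, not Cisco code and not from this page: it parses the one-line command syntax shown on this page, computes the lifetimes and limits that result from one command line, renders the full command line needed to change one lifetime while keeping the others, and applies the precedence rule for a policy that sets tracking enable reachable-lifetime or tracking disable stale-lifetime. The defaults and value ranges are the ones stated on this page; the function names and the in-memory representation are this example's own.

```python
"""How `device-tracking binding` lifetime and limit settings combine (added example, not Cisco code)."""
import shlex
from typing import Dict, Iterator, Optional, Sequence, Tuple, Union

Lifetime = Union[int, str]          # seconds, or the keyword "infinite"

# Defaults and keyword order as stated on this page.
LIFETIME_DEFAULTS: Dict[str, Lifetime] = {"reachable-lifetime": 300, "stale-lifetime": 86400, "down-lifetime": 86400}
LIFETIME_ORDER = ("reachable-lifetime", "stale-lifetime", "down-lifetime")
LIMIT_DEFAULTS: Dict[str, Optional[int]] = {"max-entries": 200000, "vlan-limit": None, "port-limit": None, "mac-limit": None}
LIMIT_ORDER = ("vlan-limit", "port-limit", "mac-limit")   # None means "no limit"


def _ordered_pairs(toks: Sequence[str], order: Sequence[str]) -> Iterator[Tuple[str, str]]:
    """(keyword, value) pairs, requiring keywords to appear in the CLI's documented order."""
    if len(toks) % 2:
        raise ValueError("keyword without a value")
    last = -1
    for kw, val in zip(toks[0::2], toks[1::2]):
        if kw not in order or order.index(kw) <= last:
            raise ValueError(f"keyword {kw!r} unexpected here; order is {', '.join(order)}")
        last = order.index(kw)
        yield kw, val


def _lifetime(tok: str) -> Lifetime:
    if tok == "infinite":
        return "infinite"
    n = int(tok)
    if not 1 <= n <= 86400:
        raise ValueError(f"lifetime {n} is outside 1..86400")
    return n


def apply_lifetime_command(line: str) -> Dict[str, Lifetime]:
    """Global lifetimes in force after one `device-tracking binding <lifetime> ...` line.
    Any lifetime keyword not on the line reverts to its default (the non-cumulative rule)."""
    toks = shlex.split(line)
    if toks[:2] != ["device-tracking", "binding"]:
        raise ValueError("not a device-tracking binding command")
    result = dict(LIFETIME_DEFAULTS)
    for kw, val in _ordered_pairs(toks[2:], LIFETIME_ORDER):
        result[kw] = _lifetime(val)
    return result


def apply_limit_command(line: str) -> Dict[str, Optional[int]]:
    """Limits in force after one `device-tracking binding max-entries N [vlan-limit N] [port-limit N]
    [mac-limit N]` line. A limit left out reverts to 'no limit' (None); 0 is rejected, as on the device."""
    toks = shlex.split(line)
    if toks[:3] != ["device-tracking", "binding", "max-entries"] or len(toks) < 4:
        raise ValueError("not a max-entries command")
    result = dict(LIMIT_DEFAULTS)
    result["max-entries"] = int(toks[3])
    if not 1 <= result["max-entries"] <= 200000:
        raise ValueError("max-entries is outside 1..200000")
    for kw, val in _ordered_pairs(toks[4:], LIMIT_ORDER):
        n = int(val)
        if not 1 <= n <= 100000:
            raise ValueError(f"{kw} {n} is outside 1..100000 (0 is not accepted)")
        result[kw] = n
    return result


def render_lifetime_command(current: Dict[str, Lifetime], changes: Dict[str, Lifetime]) -> str:
    """The single command line that changes the given lifetimes and retains the others:
    all three keywords must be given again together."""
    new = {**current, **changes}
    return ("device-tracking binding "
            f"reachable-lifetime {new['reachable-lifetime']} "
            f"stale-lifetime {new['stale-lifetime']} "
            f"down-lifetime {new['down-lifetime']}")


def effective_lifetimes(global_cfg: Dict[str, Lifetime],
                        policy_cfg: Optional[Dict[str, Lifetime]] = None) -> Dict[str, Lifetime]:
    """Lifetimes that apply to a new entry learnt under a policy. policy_cfg holds the values from
    `tracking enable reachable-lifetime` / `tracking disable stale-lifetime` (absent if not set);
    a policy value wins over the global one, and down-lifetime has no policy counterpart."""
    eff = dict(global_cfg)
    for kw in ("reachable-lifetime", "stale-lifetime"):
        if policy_cfg and policy_cfg.get(kw) is not None:
            eff[kw] = policy_cfg[kw]
    return eff


if __name__ == "__main__":
    step = apply_lifetime_command("device-tracking binding stale-lifetime 1500 down-lifetime 1000")
    print("after partial reconfig:", step)                      # reachable-lifetime is back at 300
    print("to change reachable only:", render_lifetime_command(step, {"reachable-lifetime": 700}))
    print("under policy sisf-01:", effective_lifetimes(step, {"reachable-lifetime": 50}))
```

The renderer is the part worth keeping in a change-management pipeline: emit the full three-keyword line from the desired state rather than the delta, and the reset-to-default behaviour can no longer silently shorten or lengthen a lifetime you did not mean to touch.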
Enabling Logging of Binding Entry Events
When you configure the device-tracking binding logging global configuration command to generate logs for binding entry events, you may also have to configure a few general logging
settings, depending on your requirements:
-
(Required) The logging buffered informational command in global configuration mode.
With this command you enable message logging at a device level and you specify a severity level. Configuring the command allows
logs to be copied and stored to a local, internal buffer. Specifying a severity level causes messages at that level and numerically
lower levels to be logged.
Logs generated for binding entry events have a severity level of 6 (meaning, informational). For example:
%SISF-6-ENTRY_CREATED: Entry created IP=192.0.2.24 VLAN=200 MAC=001b.4411.4ab6 I/F=Te1/0/4 Preflevel=00FF
-
(Optional) The logging console command in global configuration mode.
With this command you send the logs to the console (all available TTY lines).
Caution
|
A low severity level may cause the number of messages being displayed on the console to increase significantly. Further, the
console is a slow display device. In message storms some logging messages may be silently dropped when the console queue becomes
full. Set severity levels accordingly.
|
If you do not want to configure this command, you can view the logs when required by entering the show logging command in privileged EXEC mode.
If the logging console command is not enabled, logs are not displayed on the device console, but if you have configured device-tracking binding logging and logging buffered informational, logs are still generated and available in the local buffer.
For information about the kinds of binding entry events for which logs are generated, see the system message guide for the corresponding release: System Message Guides. Search for SISF-6.
While the device-tracking binding logging command logs binding entry events, there is also the device-tracking logging command, which enables snooping security logging. The two commands log different kinds of events, and the generated logs have different severity levels.
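Binding-entry logs are only worth generating if something consumes them. The following Python script is an added example, not part of this page or of Cisco IOS XE: it parses %SISF-6-ENTRY_CREATED messages in the format shown above from a constructed syslog excerpt and flags two conditions a practitioner would want to see early: the same IP address (in the same VLAN) being bound to a second MAC address, and a port or MAC address approaching a configured port-limit or mac-limit. The sample lines, the timestamp prefix, the warning threshold, and the function names are this example's own assumptions; only ENTRY_CREATED is handled because it is the only message format the page shows.

```python
"""Detection over %SISF-6-ENTRY_CREATED syslog lines (added example, not Cisco code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Field layout taken from the example message shown on this page.
ENTRY_CREATED_RE = re.compile(
    r"%SISF-6-ENTRY_CREATED: Entry created "
    r"IP=(?P<ip>\S+) VLAN=(?P<vlan>\d+) MAC=(?P<mac>[0-9a-fA-F.]+) "
    r"I/F=(?P<intf>\S+) Preflevel=(?P<pref>[0-9A-Fa-f]+)"
)

# Constructed for this example; only the message body format comes from the page.
SAMPLE_LOG = [
    "Mar  1 10:00:01.100: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.6 VLAN=200 MAC=000a.959d.6816 I/F=Te1/0/4 Preflevel=0064",
    "Mar  1 10:00:01.120: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.7 VLAN=200 MAC=000a.959d.6816 I/F=Te1/0/4 Preflevel=0064",
    "Mar  1 10:00:01.140: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.8 VLAN=200 MAC=000a.959d.6816 I/F=Te1/0/4 Preflevel=0064",
    "Mar  1 10:00:01.160: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.9 VLAN=200 MAC=000a.959d.6816 I/F=Te1/0/4 Preflevel=0064",
    "Mar  1 10:00:02.000: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/0/5, changed state to up",
    "Mar  1 10:00:03.500: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.2.24 VLAN=200 MAC=001b.4411.4ab6 I/F=Te1/0/4 Preflevel=00FF",
    "Mar  1 10:00:09.800: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.2.24 VLAN=200 MAC=0000.5e00.53aa I/F=Te1/0/5 Preflevel=0064",
]


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: str
    intf: str
    preflevel: int      # the prlvl bit mask listed in show device-tracking database


def parse_entry_created(line: str) -> Optional[Binding]:
    """Return the binding announced by an ENTRY_CREATED line, or None for any other line."""
    m = ENTRY_CREATED_RE.search(line)
    if m is None:
        return None
    return Binding(m["ip"], int(m["vlan"]), m["mac"].lower(), m["intf"], int(m["pref"], 16))


def analyse(lines: Iterable[str], port_limit: Optional[int] = None,
            mac_limit: Optional[int] = None, warn_ratio: float = 0.8) -> List[str]:
    """Scan ENTRY_CREATED lines in order and return findings in the order they are raised:
    CONFLICT   - an IP already bound to a MAC in a VLAN is created again with a different MAC
    PORT-LIMIT - distinct (vlan, ip) entries seen on one port reach warn_ratio of port_limit
    MAC-LIMIT  - distinct (vlan, ip) entries seen for one MAC reach warn_ratio of mac_limit
    Each limit is reported once per port or MAC, at the first crossing."""
    macs_by_ip: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    entries_by_port: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    entries_by_mac: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    warned: Set[Tuple[str, str]] = set()
    findings: List[str] = []
    for line in lines:
        b = parse_entry_created(line)
        if b is None:
            continue
        key = (b.vlan, b.ip)
        if macs_by_ip[key] and b.mac not in macs_by_ip[key]:
            findings.append(f"CONFLICT vlan {b.vlan} {b.ip}: previously {sorted(macs_by_ip[key])}, "
                            f"now {b.mac} on {b.intf}")
        macs_by_ip[key].add(b.mac)
        entries_by_port[b.intf].add(key)
        entries_by_mac[b.mac].add(key)
        for kind, count, limit, who in (
            ("PORT-LIMIT", len(entries_by_port[b.intf]), port_limit, b.intf),
            ("MAC-LIMIT", len(entries_by_mac[b.mac]), mac_limit, b.mac),
        ):
            if limit and (kind, who) not in warned and count >= warn_ratio * limit:
                warned.add((kind, who))
                findings.append(f"{kind} {who}: {count} of {limit} entries")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, port_limit=5, mac_limit=5):
        print(finding)
```

The conflict check keys on (VLAN, IP) because that is what a binding entry identifies; a second MAC for the same address is exactly the event the binding table exists to catch, whether it is a misconfigured host or a spoofing attempt. The limit warnings are meant to fire before the device stops creating entries, which is the point at which legitimate hosts start being denied.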
Creating a Static Binding Entry
If there are silent but reachable hosts in the Layer 2 domain, and you want to retain binding information for these silent
hosts, you can create static binding entries.
While there is no limit to the number of static entries you can create, these entries also contribute to the size of the binding
table. Consider the number of such entries you require, before you create them.
You can create a static binding entry even if a policy is not attached to the interface or VLAN specified in the static binding
entry.
When you configure a static binding entry followed by its settings (for example, reachable-lifetime), the configuration applies only to that static binding entry and not to any other entries, static or dynamic. The following example shows you how to create a static binding entry: Example: Creating a Static Binding Entry.
Example: Configuring Non-Default Values for Reachable, Stale, and Down Lifetimes
The following example clarifies system behaviour when you configure values for the reachable, stale, and down lifetimes separately (the effect is not cumulative). It also shows you how to configure values so that the configuration is retained for all the lifetimes.
In the first step of this example only a reachable-lifetime is configured. This means the down-lifetime and stale-lifetime are set to their defaults, because the stale-lifetime and down-lifetime keywords have been left out:
Device(config)# device-tracking binding reachable-lifetime 700
Device(config)# exit
Device# show running-config | include device-tracking
device-tracking policy sisf-01
device-tracking attach-policy sisf-01
device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 700
device-tracking binding logging
In the next step of this example, a stale-lifetime of 1500 seconds and a down-lifetime of 1000 seconds are configured. With this, the reachable-lifetime configured in the previous step reverts to its default:
Device(config)# device-tracking binding stale-lifetime 1500 down-lifetime 1000
Device(config)# exit
Device# show running-config | include device-tracking
device-tracking policy sisf-01
device-tracking attach-policy sisf-01
device-tracking attach-policy sisf-01 vlan 200
device-tracking binding stale-lifetime 1500 down-lifetime 1000
device-tracking binding logging
In the next step of this example, reachable, stale, and down lifetimes of 700, 1000, and 200 seconds respectively are configured. With this, the stale-lifetime is changed from 1500 seconds to 1000 seconds, the down-lifetime is changed from 1000 to 200 seconds, and the reachable-lifetime is configured as 700 seconds:
Device(config)# device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
Device(config)# exit
Device# show running-config | include device-tracking
device-tracking policy sisf-01
device-tracking attach-policy sisf-01
device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
device-tracking binding logging
If any one of the lifetimes requires a change and the values of the other lifetimes must be retained, all three keywords must be reconfigured with the required values every time, on the same command line.
Example: Configuring a Reachable, Stale, and Down Lifetime at the Global vs Policy Level
The following example shows you how to configure the reachable, stale, and down lifetimes for binding entries, at a global
level. This example also shows you how you can then override the global setting and configure a different lifetime for entries
learnt on a particular interface or VLAN, by configuring a policy-level setting.
In the first part of the example, the output of the show device-tracking policy policy-name command shows that a policy-level value is not set and the default binding table settings are applicable to the existing
entries. After a reachable, stale, and down lifetime is configured with the device-tracking binding command in global configuration mode, the new values are effective and are applied only to the four new entries that are
added to the table.
Note
|
In the output of the show device-tracking database command, note the Time left column for the binding entries. There is minor difference in the reachable lifetime of each entry. This is a system-imposed
jitter (+/- 5 percent of the configured value), to ensure that system performance is not affected when a large number of entries
are added to the binding table. Binding entries go through their lifecycle in a staggered manner thus preventing points of
congestion.
|
Current configuration, which shows that policy-level reachable lifetime is not configured. The binding table entries show
that the current reachable lifetime is 500 seconds (time left + age):
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration:
security-level guard
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP6
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
Policy sisf-01 is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/4 PORT sisf-01 Device-tracking vlan 200
Device# show device-tracking database
Binding Table has 4 entries, 4 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left <<<<
ARP 192.0.9.9 000a.959d.6816 Te1/0/4 200 0064 40s REACHABLE 466 s
ARP 192.0.9.8 000a.959d.6816 Te1/0/4 200 0064 40s REACHABLE 472 s
ARP 192.0.9.7 000a.959d.6816 Te1/0/4 200 0064 40s REACHABLE 470 s
ARP 192.0.9.6 000a.959d.6816 Te1/0/4 200 0064 40s REACHABLE 469 s
Configuration of reachable, stale and down lifetime at the global level. New values apply only to binding entries created
after this:
Device(config)# device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
Device# show device-tracking database
Binding Table has 8 entries, 8 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.13 000a.959d.6816 Te1/0/4 200 00C8 4s REACHABLE 699 s <<<< new global value applied
ARP 192.0.9.12 000a.959d.6816 Te1/0/4 200 00C8 4s REACHABLE 719 s <<<< new global value applied
ARP 192.0.9.11 000a.959d.6816 Te1/0/4 200 00C8 4s REACHABLE 728 s <<<< new global value applied
ARP 192.0.9.10 000a.959d.6816 Te1/0/4 200 00C8 4s REACHABLE 712 s <<<< new global value applied
ARP 192.0.9.9 000a.959d.6816 Te1/0/4 200 0064 9mn STALE try 0 1209 s
ARP 192.0.9.8 000a.959d.6816 Te1/0/4 200 0064 9mn VERIFY 5 s try 3
ARP 192.0.9.7 000a.959d.6816 Te1/0/4 200 0064 9mn VERIFY 2816 ms try 3
ARP 192.0.9.6 000a.959d.6816 Te1/0/4 200 0064 9mn VERIFY 1792 ms try 3
In this second part of the example, a policy level value is configured and the reachable lifetime is set to 50 seconds. This
new reachable lifetime is again applicable only to entries created after this.
Only a reachable lifetime is configured at the policy-level and not a stale and down lifetime. This means it is still the
global values that apply if the reachable lifetime of the two new entries expires and they move to the STALE or DOWN state.
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking enable reachable-lifetime 50
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration:
security-level guard
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP6
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
tracking enable reachable-lifetime 50 <<<< new value applies only to binding entries created after this and on interfaces and VLANs where this policy is attached.
Policy sisf-01 is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/4 PORT sisf-01 Device-tracking vlan 200
Device# show device-tracking database
Binding Table has 10 entries, 10 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.21 000a.959d.6816 Te1/0/4 200 0064 5s REACHABLE 45 s <<<< new policy-level value applied
ARP 192.0.9.20 000a.959d.6816 Te1/0/4 200 0064 5s REACHABLE 46 s <<<< new policy-level value applied
ARP 192.0.9.13 000a.959d.6816 Te1/0/4 200 00C8 14mn STALE try 0 865 s
ARP 192.0.9.12 000a.959d.6816 Te1/0/4 200 00C8 14mn STALE try 0 183 s
ARP 192.0.9.11 000a.959d.6816 Te1/0/4 200 00C8 14mn STALE try 0 178 s
ARP 192.0.9.10 000a.959d.6816 Te1/0/4 200 00C8 14mn STALE try 0 165 s
ARP 192.0.9.9 000a.959d.6816 Te1/0/4 200 0064 23mn STALE try 0 327 s
ARP 192.0.9.8 000a.959d.6816 Te1/0/4 200 0064 23mn STALE try 0 286 s
ARP 192.0.9.7 000a.959d.6816 Te1/0/4 200 0064 23mn STALE try 0 303 s
ARP 192.0.9.6 000a.959d.6816 Te1/0/4 200 0064 23mn STALE try 0 306 s
Device# show device-tracking database <<<< checking binding table again after new policy-level reachable-lifetime expires
Binding Table has 7 entries, 7 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.21 000a.959d.6816 Te1/0/4 200 0064 3mn STALE try 0 887 s <<<< global value applies for stale-lifetime; policy-level value was not configured
ARP 192.0.9.20 000a.959d.6816 Te1/0/4 200 0064 3mn STALE try 0 884 s <<<< global value applies for stale-lifetime; policy-level value was not configured
ARP 192.0.9.13 000a.959d.6816 Te1/0/4 200 00C8 17mn STALE try 0 664 s
ARP 192.0.9.9 000a.959d.6816 Te1/0/4 200 0064 27mn STALE try 0 136 s
ARP 192.0.9.8 000a.959d.6816 Te1/0/4 200 0064 27mn STALE try 0 96 s
ARP 192.0.9.7 000a.959d.6816 Te1/0/4 200 0064 27mn STALE try 0 108 s
ARP 192.0.9.6 000a.959d.6816 Te1/0/4 200 0064 27mn STALE try 0 111 s
Example: Creating a Static Binding Entry
The following example shows you how to create a static binding entry. The "S" at the beginning of the entry indicates that it is a static binding entry:
Device(config)# device-tracking binding vlan 100 192.0.2.1 interface tengigabitethernet1/0/1 00:00:5e:00:53:af reachable-lifetime infinite
Device(config)# exit
Device# show device-tracking database
Binding Table has 2 entries, 0 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
S 192.0.2.1 0000.5e00.53af Te1/0/1 100 0100 14s REACHABLE N/A
Example: Global vs Policy-Level Address Limits
The following example shows you how to assess which address limit is reached when you configure address limits at the global level and at the policy level.
The global-level settings are the values configured with the following command string: device-tracking binding max-entries no_of_entries [mac-limit no_of_entries | port-limit no_of_entries | vlan-limit no_of_entries]
The policy-level parameter is the limit address-count option in device-tracking configuration mode.
For this first part of the example, the configuration is as follows:
- Global configuration: max-entries=30, vlan-limit=25, port-limit=20, mac-limit=19.
- Policy-level configuration: limit address-count=45.
The output of the show device-tracking database details privileged EXEC command shows that the port limit (max/port) is reached first: a maximum of 20 entries are allowed on a port or interface, and no further binding entries are created after this. Although the MAC limit is configured with a lower absolute value (19), it is a limit per MAC address, and the output of the show device-tracking database mac privileged EXEC command shows only 3 unique MAC addresses among the binding entries in the table; this limit is therefore not reached.
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 45
Device(config-device-tracking)# end
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration:
security-level guard
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP6
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
limit address-count 45
Policy sisf-01 is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/4 PORT sisf-01 Device-tracking vlan 200
Device# show device-tracking database details
Binding table configuration:
----------------------------
max/box : 30
max/vlan : 25
max/port : 20
max/mac : 19
Binding table current counters:
------------------------------
dynamic : 20
local : 0
total : 20 <<<< no further entries created after this.
Binding table counters by state:
----------------------------------
REACHABLE : 20
total : 20
<output truncated>
Device# show device-tracking database
Binding Table has 20 entries, 20 dynamic (limit 30)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.39 000c.959d.6816 Te1/0/4 200 0064 14s REACHABLE 37 s
ARP 192.0.9.38 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 37 s
ARP 192.0.9.37 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 36 s
ARP 192.0.9.36 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 39 s
ARP 192.0.9.35 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 38 s
ARP 192.0.9.34 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 37 s
ARP 192.0.9.33 000b.959d.6816 Te1/0/4 200 0064 15s REACHABLE 36 s
ARP 192.0.9.32 000b.959d.6816 Te1/0/4 200 0064 15s REACHABLE 37 s
ARP 192.0.9.31 000b.959d.6816 Te1/0/4 200 0064 15s REACHABLE 36 s
ARP 192.0.9.30 000b.959d.6816 Te1/0/4 200 0064 15s REACHABLE 36 s
ARP 192.0.9.29 000b.959d.6816 Te1/0/4 200 0064 15s REACHABLE 35 s
ARP 192.0.9.28 000a.959d.6816 Te1/0/4 200 0064 15s REACHABLE 36 s
ARP 192.0.9.27 000a.959d.6816 Te1/0/4 200 0064 16s REACHABLE 35 s
ARP 192.0.9.26 000a.959d.6816 Te1/0/4 200 0064 16s REACHABLE 36 s
ARP 192.0.9.25 000a.959d.6816 Te1/0/4 200 0064 16s REACHABLE 34 s
ARP 192.0.9.24 000a.959d.6816 Te1/0/4 200 0064 16s REACHABLE 35 s
ARP 192.0.9.23 000a.959d.6816 Te1/0/4 200 0064 16s REACHABLE 34 s
ARP 192.0.9.22 000a.959d.6816 Te1/0/4 200 0064 16s REACHABLE 36 s
ARP 192.0.9.21 000a.959d.6816 Te1/0/4 200 0064 17s REACHABLE 33 s
ARP 192.0.9.20 000a.959d.6816 Te1/0/4 200 0064 17s REACHABLE 33 s
Device# show device-tracking database mac
MAC Interface vlan prlvl state Time left Policy Input_index
000c.959d.6816 Te1/0/4 200 NO TRUST MAC-REACHABLE 27 s sisf-01 12
000b.959d.6816 Te1/0/4 200 NO TRUST MAC-REACHABLE 27 s sisf-01 12
000a.959d.6816 Te1/0/4 200 NO TRUST MAC-REACHABLE 27 s sisf-01 12
For this second part of the example, the configuration is as follows:
-
Global configuration: max-entries=30, vlan-limit=25, port-limit=20, mac-limit=19.
-
Policy-level configuration: limit address-count=14.
The limit that is reached first is the policy-level limit address-count. A maximum of 14 IP addresses (IPv4 and IPv6) are allowed on the port or interface where policy "sisf-01" is applied. No further binding entries are created after this. Although the mac limit is configured with a lower absolute value (19), there are only 2 unique MAC addresses among the 14 new binding entries in the table, so this limit is not reached.
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 14
Device(config-device-tracking)# end
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration:
security-level guard
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP6
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
limit address-count 14
Policy sisf-01 is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/4 PORT sisf-01 Device-tracking vlan 200
Lowering the policy-level limit does not remove entries that already exist: the 20 entries created earlier stay in the table until they age out. After the stale lifetime of all the existing entries has expired and the entries have been removed from the binding table, new entries are added according to the reconfigured values:
Device# show device-tracking database <<<<checking time left for stale-lifetime to expire for existing entries.
Binding Table has 20 entries, 20 dynamic (limit 30)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.39 000c.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 316 s
ARP 192.0.9.38 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 279 s
ARP 192.0.9.37 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 308 s
ARP 192.0.9.36 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 274 s
ARP 192.0.9.35 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 279 s
ARP 192.0.9.34 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 261 s
ARP 192.0.9.33 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 258 s
ARP 192.0.9.32 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 263 s
ARP 192.0.9.31 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 266 s
ARP 192.0.9.30 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 273 s
ARP 192.0.9.29 000b.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 277 s
ARP 192.0.9.28 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 282 s
ARP 192.0.9.27 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 272 s
ARP 192.0.9.26 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 268 s
ARP 192.0.9.25 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 244 s
ARP 192.0.9.24 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 248 s
ARP 192.0.9.23 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 284 s
ARP 192.0.9.22 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 241 s
ARP 192.0.9.21 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 256 s
ARP 192.0.9.20 000a.959d.6816 Te1/0/4 200 0064 13mn STALE try 0 243 s
Device# show device-tracking database <<<no output indicates no entries in the database
Device# show device-tracking database details
Binding table configuration:
----------------------------
max/box : 30
max/vlan : 25
max/port : 20
max/mac : 19
Binding table current counters:
------------------------------
dynamic : 14
local : 0
total : 14
Binding table counters by state:
----------------------------------
REACHABLE : 14
total : 14
<output truncated>
Device# show device-tracking database
Binding Table has 14 entries, 14 dynamic (limit 30)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.68 0001.5e00.53af Te1/0/4 200 0064 4s REACHABLE 48 s
ARP 192.0.9.67 0001.5e00.53af Te1/0/4 200 0064 4s REACHABLE 48 s
ARP 192.0.9.66 0001.5e00.53af Te1/0/4 200 0064 4s REACHABLE 47 s
ARP 192.0.9.65 0001.5e00.53af Te1/0/4 200 0064 4s REACHABLE 48 s
ARP 192.0.9.64 0001.5e00.53af Te1/0/4 200 0064 4s REACHABLE 46 s
ARP 192.0.9.63 0000.5e00.53af Te1/0/4 200 0064 7s REACHABLE 44 s
ARP 192.0.9.62 0000.5e00.53af Te1/0/4 200 0064 7s REACHABLE 45 s
ARP 192.0.9.61 0000.5e00.53af Te1/0/4 200 0064 7s REACHABLE 43 s
ARP 192.0.9.60 0000.5e00.53af Te1/0/4 200 0064 7s REACHABLE 44 s
ARP 192.0.9.59 0000.5e00.53af Te1/0/4 200 0064 7s REACHABLE 44 s
ARP 192.0.9.58 0000.5e00.53af Te1/0/4 200 0064 8s REACHABLE 44 s
ARP 192.0.9.57 0000.5e00.53af Te1/0/4 200 0064 8s REACHABLE 44 s
ARP 192.0.9.56 0000.5e00.53af Te1/0/4 200 0064 10s REACHABLE 41 s
ARP 192.0.9.55 0000.5e00.53af Te1/0/4 200 0064 10s REACHABLE 40 s
Device# show device-tracking database mac
MAC Interface vlan prlvl state Time left Policy Input_index
0001.5e00.53af Te1/0/4 200 NO TRUST MAC-REACHABLE 30 s sisf-01 12
0000.5e00.53af Te1/0/4 200 NO TRUST MAC-REACHABLE 30 s sisf-01 12
Example: Setting VLAN, Port, and MAC Limits to Default Values
The following example shows you how to reset one or more limits to their default values. Re-entering the device-tracking binding max-entries command replaces the complete set of limits: any vlan-limit, port-limit, or mac-limit keyword that you leave out is reset to its default (no limit) rather than retained, so check the show device-tracking database details output after every change.
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19 <<<< all three limits configured.
Device(config)#exit
Device# show device-tracking database details
Binding table configuration:
----------------------------
max/box : 30
max/vlan : 25
max/port : 20
max/mac : 19
<output truncated>
Device# configure terminal
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 <<<< only VLAN limit configured; port-limit and mac-limit keywords left out.
Device(config)# exit
Device# show device-tracking database details
Binding table configuration:
----------------------------
max/box : 30
max/vlan : 25
max/port : no limit <<<reset to default
max/mac : no limit <<<reset to default
Example: Global vs Policy-Level Limits Relating to MAC Addresses
The following example shows how precedence is determined between global and policy-level MAC limits. The global value specifies the maximum number of binding entries allowed per MAC address. The policy-level IPv4 per MAC and IPv6 per MAC limits, which may be present only in a programmatic policy, specify the number of IPv4 and IPv6 addresses allowed per MAC address. Whichever of the two limits is reached first stops the creation of further entries for that MAC address.
In the first part of the example, the global value (10 entries allowed per MAC address) is higher than the policy-level setting (3 IPv4 addresses allowed for each MAC address). The Binding table current counters, in the output of the show device-tracking database details privileged EXEC command, show that the limit reached first is the policy-level limit.
Note
|
No configuration is displayed for the policy-level setting, because you cannot configure the "IPv4 per mac" or the "IPv6 per mac" limit in any policy. In this example, the DT-PROGRAMMATIC policy is applied to the target by configuring the ip dhcp snooping vlan vlan command in global configuration mode. The IPv4 per mac limit exists because the programmatically created policy carries a limit for this parameter.
|
Device# configure terminal
Device(config)# ip dhcp snooping vlan 200
Device(config)# end
Device# show device-tracking policy DT-PROGRAMMATIC
Policy DT-PROGRAMMATIC configuration:
security-level glean (*)
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
limit address-count for IPv4 per mac 3 (*)
tracking enable
Policy DT-PROGRAMMATIC is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/4 PORT DT-PROGRAMMATIC Device-tracking vlan 200
note:
Binding entry Down timer: 24 hours (*)
Binding entry Stale timer: 24 hours (*)
Device(config)# device-tracking binding max-entries 50 mac-limit 10
Device# show device-tracking database details
Binding table configuration:
----------------------------
max/box : 50
max/vlan : no limit
max/port : no limit
max/mac : 10
Binding table current counters:
------------------------------
dynamic : 3
local : 0
total : 3
Binding table counters by state:
----------------------------------
REACHABLE : 2
total : 3
Device# show device-tracking database
Binding Table has 3 entries, 3 dynamic (limit 50)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.8 000a.959d.6816 Te1/0/4 200 0064 4s REACHABLE 25 s
ARP 192.0.9.7 000a.959d.6816 Te1/0/4 200 0064 4s REACHABLE 27 s
ARP 192.0.9.6 000a.959d.6816 Te1/0/4 200 0064 55s VERIFY 5s try 2
<<<<<<policy-level limit reached; only up to 3 IPv4 addresses per MAC address are allowed.
Device# show device-tracking database mac
MAC Interface vlan prlvl state Time left Policy Input_index
000a.959d.6816 Te1/0/4 200 NO TRUST MAC-STALE 93585 s DT-PROGRAMMATIC 12
In the second part of the example, the global value (2 entries allowed per MAC address) is lower than the policy-level setting (3 IPv4 addresses allowed for each MAC address). The Binding table current counters, in the output of the show device-tracking database details privileged EXEC command, show that the limit reached first is the global limit.
Device# show device-tracking policy DT-PROGRAMMATIC
Policy DT-PROGRAMMATIC configuration:
security-level glean (*)
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
limit address-count for IPv4 per mac 3 (*)
tracking enable
Policy DT-PROGRAMMATIC is applied on the following targets:
Target Type Policy Feature Target range
Te1/0/4 PORT DT-PROGRAMMATIC Device-tracking vlan 200
note:
Binding entry Down timer: 24 hours (*)
Binding entry Stale timer: 24 hours (*)
Device(config)# device-tracking binding max-entries 50 mac-limit 2
Device# show device-tracking database details
Binding table configuration:
----------------------------
max/box : 50
max/vlan : no limit
max/port : no limit
max/mac : 2
Binding table current counters:
------------------------------
dynamic : 2
local : 0
total : 2
Binding table counters by state:
----------------------------------
REACHABLE : 2
total : 2
Device# show device-tracking database
Binding Table has 3 entries, 3 dynamic (limit 50)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 192.0.9.3 000a.959d.6816 Te1/0/4 200 0064 5s REACHABLE 27 s
ARP 192.0.9.4 000a.959d.6816 Te1/0/4 200 0064 6s REACHABLE 20 s
<<<<<<global limit reached; only up to 2 binding entries per MAC address are allowed.
Device# show device-tracking database mac
MAC Interface vlan prlvl state Time left Policy Input_index
000a.959d.6816 Te1/0/4 200 NO TRUST MAC-STALE 93585 s DT-PROGRAMMATIC 12
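The three examples above (global versus policy-level address limits, limits reset by an incomplete max-entries command, and global versus policy-level MAC limits) all come down to the same question: given the configured limits and the rows currently in the binding table, which limit stops the next entry from being created. The following Python script, added here as an example and not Cisco code, answers that question offline from text you paste in. It parses the device-tracking binding max-entries line (reporting a left-out keyword as no limit, which is what the reset example shows), the rows of show device-tracking database in the column order printed above, and a small dict describing the policy applied to a target port. The dict keys target, address_count and ipv4_per_mac are this example's own naming, not CLI syntax; the sample rows are constructed in the page's row format with scaled-down limits so that each case triggers; and because the script evaluates a snapshot, "reached first" means "already at capacity in that snapshot", with the lowest configured value winning a tie.

```python
"""Added example (not Cisco code): from a switch's global
`device-tracking binding max-entries ...` line, a policy's limits and the rows
of `show device-tracking database`, work out which limit stops new bindings."""
import re
from collections import Counter


def parse_max_entries(config_line):
    """Parse `device-tracking binding max-entries N [vlan-limit N] [port-limit N] [mac-limit N]`.

    An absent keyword comes back as None (`no limit` in the show output):
    re-entering the command without a keyword resets that limit, it does not
    keep the earlier value.
    """
    m = re.search(r"max-entries\s+(\d+)(.*)$", config_line)
    if not m:
        raise ValueError("not a device-tracking binding max-entries line")
    limits = {"box": int(m.group(1)), "vlan": None, "port": None, "mac": None}
    for scope, value in re.findall(r"\b(vlan|port|mac)-limit\s+(\d+)", m.group(2)):
        limits[scope] = int(value)
    return limits


# One row of `show device-tracking database`: code, address, MAC, interface,
# VLAN; the remaining columns (prlvl, age, state, time left) are not needed.
ENTRY_RE = re.compile(
    r"^(?P<code>L|S|ND|ARP|DH4|DH6|PKT|API)\s+(?P<addr>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<intf>\S+)\s+(?P<vlan>\d+)\b",
    re.MULTILINE,
)


def parse_bindings(show_output):
    """Return the binding rows of `show device-tracking database` as dicts."""
    return [m.groupdict() for m in ENTRY_RE.finditer(show_output)]


def assess_limits(limits, entries, policy=None):
    """Return {limit_name: (current, configured)} for every configured limit.

    Global limits count entries per box, VLAN, port and MAC over the whole
    table. Policy limits apply on the policy's target interface; the `policy`
    keys are this example's naming: `address_count` is `limit address-count`,
    `ipv4_per_mac` is the `IPv4 per mac` limit a programmatic policy carries.
    """
    policy = policy or {}

    def busiest(key):  # highest count of entries sharing one VLAN/port/MAC
        return max(Counter(e[key] for e in entries).values(), default=0)

    result = {"max/box": (len(entries), limits["box"])}
    for scope, key in (("vlan", "vlan"), ("port", "intf"), ("mac", "mac")):
        if limits[scope] is not None:
            result["max/" + scope] = (busiest(key), limits[scope])
    on_target = [e for e in entries if e["intf"] == policy.get("target")]
    if policy.get("address_count") is not None:
        result["policy address-count"] = (len(on_target), policy["address_count"])
    if policy.get("ipv4_per_mac") is not None:  # IPv6 addresses contain ':'
        v4 = Counter(e["mac"] for e in on_target if ":" not in e["addr"])
        result["policy IPv4 per mac"] = (max(v4.values(), default=0), policy["ipv4_per_mac"])
    return result


def first_limit_hit(assessment):
    """Name of the limit already at capacity in this snapshot (lowest configured
    value wins a tie), or None when every limit still has headroom."""
    hit = [(cfg, name) for name, (cur, cfg) in assessment.items() if cur >= cfg]
    return min(hit)[1] if hit else None


# Constructed sample in the row format of `show device-tracking database`:
# five IPv4 addresses behind two MACs on Te1/0/4 in VLAN 200.
SAMPLE_DB = """\
Network Layer Address   Link Layer Address  Interface  vlan  prlvl  age  state      Time left
ARP 192.0.9.39 000c.959d.6816 Te1/0/4 200 0064 14s REACHABLE 37 s
ARP 192.0.9.38 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 37 s
ARP 192.0.9.37 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 36 s
ARP 192.0.9.36 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 39 s
ARP 192.0.9.35 000b.959d.6816 Te1/0/4 200 0064 14s REACHABLE 38 s
"""

if __name__ == "__main__":
    entries = parse_bindings(SAMPLE_DB)
    scenarios = {
        # port-limit 5 is reached; mac-limit 19 is not, only two MACs are present
        "global port limit": ("device-tracking binding max-entries 30 vlan-limit 25 port-limit 5 mac-limit 19",
                              {"target": "Te1/0/4", "address_count": 45}),
        # the policy's address-count 5 is reached before any global limit
        "policy address-count": ("device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19",
                                 {"target": "Te1/0/4", "address_count": 5}),
        # policy IPv4-per-MAC 3 is reached before global mac-limit 10; mac-limit 2 would win instead
        "mac precedence": ("device-tracking binding max-entries 50 mac-limit 10",
                           {"target": "Te1/0/4", "ipv4_per_mac": 3}),
    }
    for label, (line, policy) in scenarios.items():
        assessment = assess_limits(parse_max_entries(line), entries, policy)
        print(f"{label:22s} -> {first_limit_hit(assessment)}  {assessment}")
```

To use it on a real switch, paste the running-config line and the full show device-tracking database output in place of the constructed strings; a limit that is at capacity while the port is supposed to carry only a handful of hosts is worth a look, because the binding table is what the first-hop security features consult, and a port that has exhausted its limit silently stops learning new hosts.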