CLI Reference Guide-R04

ManualsBrandsEdgecore Networks ManualsFixed Broadband AccessENHANCED TEMPERATURE L2+ GIGABIT ETHERNET ACCESS / AGGREGATION SWITCH WITH 4 X 10G UPLINKS

351

352

353

354

355

356

357

358

359

360

Table Of Contents

Chapter 9

| General Security Measures

IPv6 Source Guard

– 360 –

ipv6 dhcp snooping (341)

ipv6 dhcp snooping vlan (345)

ipv6 source-guard This command configures the switch to filter inbound traffic based on the source

IPv6 address or address prefix stored in the binding table. Use the no form to

disable this function.

Syntax

ipv6 source-guard {sip | sdp}

no ipv6 source-guard

sip – Enable IPv6 source address filtering

sdp – Enable IPv6 source prefix filtering

Default Setting

Address Filtering: Disabled

Prefix Filtering: Disabled

Command Mode

Interface Configuration (Ethernet)

Command Usage

◆ Source guard is used to filter traffic on an insecure port which receives

messages from outside the network or firewall, and therefore may be subject to

traffic attacks caused by a host trying to use the IP address of a neighbor.

◆ This command checks the VLAN ID, IPv6 global unicast source IP address or

address prefix, and port number against all entries in the binding table. Use the

no ipv6 source guard command to disable this function on the selected port.

◆ After IPv6 source guard is enabled on an interface, the switch initially blocks all

IPv6 traffic received on that interface, except for ND packets allowed by ND

snooping and DHCPv6 packets allowed by DHCPv6 snooping. A port access

control list (ACL) is applied to the interface. Traffic is then filtered based upon

dynamic entries learned via ND snooping or DHCPv6 snooping, or static

addresses configured in the source guard binding table. The port allows only

IPv6 traffic with a matching entry in the binding table and denies all other IPv6

traffic.

◆ Table entries include a MAC address, IPv6 global unicast address, source-

delegated IPv6 prefix, entry type (Static-IPv6-SG-Binding, Dynamic-ND-

Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.

◆ Static addresses entered in the source guard binding table with the ipv6

source-guard binding command are automatically configured with an infinite

lease time. Dynamic entries learned via DHCPv6 snooping are configured by

the DHCPv6 server itself.