Supported models and software version:
ECS4120 series v1.2.2.24 and above.
IPv6 Prefix Guard can work within the IPv6 Source Guard feature, which restricts IPv6 traffic on non-routed, Layer 2 interfaces by filtering traffic based on the DHCPv6 Snooping binding table and manually configured static IPv6 bindings. IPv6 Prefix Guard is used when IPv6 prefixes are delegated to the device using DHCPv6 prefix delegation. IPv6 Prefix Guard records the range of prefix addresses assigned to the link and blocks traffic whose source address has a prefix outside this range.
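The filtering decision described above can be modelled in a few lines. This is an added example, not Edgecore code: it loads the two bindings shown in the "show ipv6 source-guard binding" output later on this page and checks constructed sample frames against them. Matching on MAC, VLAN and port as well as the prefix is an assumption of the model.

```python
import ipaddress

def norm_mac(mac):
    """Normalise 90-E6-BA-63-96-CD / 90E6-BA63-96CD / 90e6ba6396cd to 12 hex digits."""
    return mac.replace("-", "").replace(":", "").lower()

# Bindings copied from the "show ipv6 source-guard binding" output on this page:
# (MAC, IPv6 address or prefix, VLAN, interface, type)
BINDINGS = [
    ("90E6-BA63-96CD", "2001:b000:2::/64", 1, "1/21", "STA"),
    ("382C-4A77-DD37", "2001:db8:2222::/64", 1, "1/24", "DHCP"),
]

def build_table(bindings):
    table = {}
    for mac, net, vlan, port, _type in bindings:
        # A bare address becomes a /128 network, so address and prefix
        # bindings share one membership check.
        table.setdefault(port, []).append(
            (norm_mac(mac), vlan, ipaddress.IPv6Network(net, strict=True)))
    return table

def verdict(table, port, vlan, src_mac, src_ip):
    """Return 'forward' or 'drop' for a frame arriving on a guarded port."""
    src = ipaddress.IPv6Address(src_ip)
    for mac, b_vlan, net in table.get(port, []):
        # Assumption of this model: MAC, VLAN and port must match the binding too.
        if mac == norm_mac(src_mac) and b_vlan == vlan and src in net:
            return "forward"
    return "drop"

# Constructed sample frames: (port, VLAN, source MAC, source IPv6 address)
FRAMES = [
    ("1/21", 1, "90-E6-BA-63-96-CD", "2001:b000:2::10"),       # inside bound prefix
    ("1/21", 1, "90-E6-BA-63-96-CD", "2001:b000:3::10"),       # outside bound prefix
    ("1/24", 1, "38-2C-4A-77-DD-37", "2001:db8:2222:0:a::1"),  # inside delegated /64
    ("1/24", 1, "38-2C-4A-77-DD-37", "2001:b000:2::10"),       # another port's prefix
    ("1/24", 1, "90-E6-BA-63-96-CD", "2001:db8:2222::5"),      # MAC has no binding here
]

def run(frames=FRAMES):
    table = build_table(BINDINGS)
    return [verdict(table, *f) for f in frames]

if __name__ == "__main__":
    for frame, result in zip(FRAMES, run()):
        print(result, frame)
```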
Configuration (supports CLI/Web GUI/SNMP)
<A> CLI Command
- Enable IPv6 source guard or IPv6 prefix guard in port interface configuration mode and set the maximum number of bindings.
[CLI format]
ipv6 source-guard { sip | sdp | max-binding }
sip - Enable IPv6 source address filtering.
sdp - Enable IPv6 source prefix filtering.
max-binding - Limits max binding entries.
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 source-guard sdp
Console(config-if)#ipv6 source-guard max-binding 3
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1   SDP         3
Eth 1/2   DISABLED    5
Eth 1/3   DISABLED    5
- Add a static IPv6 source guard or IPv6 prefix guard binding entry in global configuration mode.
[CLI format]
ipv6 source-guard binding Mac-Address vlan VLAN_ID { IPv6-Address | IPv6-Prefix } interface ethernet Unit/Port
Mac-Address - A valid unicast MAC address. (x-x-x-x-x-x or xxxxxxxxxxxx)
VLAN_ID - ID of a configured VLAN. (Range: 1-4094)
IPv6-Address - Corresponding full IPv6 address.
IPv6-Prefix - Corresponding IPv6 prefix of the form IPv6-address/prefix-length.
Unit - Unit identifier. (Range: 1)
Port - Port number. (Range: 1-28 or 52)
Console(config)#ipv6 source-guard binding 90-E6-BA-63-96-CD vlan 1 2001:b000:2::/64 interface ethernet 1/21
Console#show ipv6 source-guard binding
DHCP - Stateful address
ND - Stateless address
STA - Static IPv6 source guard binding
MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
90E6-BA63-96CD 2001:b000:2::/64                        1    Eth 1/21  STA
- Enable IPv6 source guard or IPv6 prefix guard in port interface configuration and set the maximum number of bindings.
Security > IPv6 Source Guard > Port Configuration > Filter Type & Max Binding Entry > Apply
- Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.
Security > IPv6 Source Guard > Static Binding > Action: Add > Apply
Security > IPv6 Source Guard > Static Binding > Action: Show
- Enable IPv6 source guard or IPv6 prefix guard in port interface configuration and set the maximum number of bindings.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {ip6SrcGuardMode | ip6SrcGuardMaxBinding}.{ip6SrcGuardPortIfIndex} {integer} {value}
For ip6SrcGuardMode, OID
Set to disabled(1) means IPv6 Source Guard is disabled.
Set to srcIp(2) means IPv6 Source Guard is enabled, and packets are filtered by checking source ip.
Set to srcPrefix(3) means IPv6 Prefix Guard is enabled, and packets are filtered by checking source prefix.
For ip6SrcGuardMaxBinding, OID
This object indicates the maximum number of bindings associated with the port. (Range: 1 to 5)
For ip6SrcGuardPortIfIndex,
This object identifies the port that supports the IPv6 Source Guard feature.
IPv6 source guard is disabled on port interfaces by default.
C:\>snmpwalk -v 2c -c private
SNMPv2-SMI::enterprises. = INTEGER: 1
Enable IPv6 Prefix Guard on port 24.
C:\>snmpset -v 2c -c private i 3
SNMPv2-SMI::enterprises. = INTEGER: 3
Display the current mode of IPv6 source guard.
C:\>snmpwalk -v 2c -c private
SNMPv2-SMI::enterprises. = INTEGER: 3
Set the IPv6 source guard maximum number of binding entries to 3 on port 24.
C:\>snmpset -v 2c -c private i 3
SNMPv2-SMI::enterprises. = INTEGER: 3
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/23  DISABLED    5
Eth 1/24  SDP         3
Eth 1/25  DISABLED    5
- Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {ip6SrcGuardBindingVlanIndex | ip6SrcGuardBindingPortIfIndex | ip6SrcGuardBindingStatus}.{ip6SrcGuardBindingType}.{ip6SrcGuardBindingMacAddress}.{ip6SrcGuardBindingIpv6Address}.{ip6SrcGuardBindingPrefixLen}.{ip6SrcGuardBindingMode} {integer} {value}
For ip6SrcGuardBindingVlanIndex, OID
This object indicates the VLAN ID of the associated client. (Range: 1 to 4094)
For ip6SrcGuardBindingPortIfIndex, OID
This object indicates the port of the associated client.
For ip6SrcGuardBindingStatus, OID
active(1), which indicates that the conceptual row is available for use by the managed device.
notInService(2), which indicates that the conceptual row exists in the agent, but is unavailable for use by the managed device.
notReady(3), createAndGo(4), createAndWait(5), destroy(6)
For ip6SrcGuardBindingType,
This object indicates the binding type of the associated client.
For ip6SrcGuardBindingMacAddress,
This object indicates the MAC address of the associated client. (Convert from hexadecimal to decimal.)
For ip6SrcGuardBindingIpv6Address,
This object indicates the IPv6 address of the associated client. (Convert from hexadecimal to decimal.)
For ip6SrcGuardBindingPrefixLen,
The object indicates the delegated prefix length of the associated client.
For ip6SrcGuardBindingMode,
The object indicates the mode of this binding.
address(1) means the mode of the binding entry is address mode.
prefix(2) means the mode of the binding entry is prefix mode.
Read the IPv6 source-guard dynamic binding via CLI and SNMP.
Console#show ipv6 source-guard binding
DHCP - Stateful address
ND - Stateless address
STA - Static IPv6 source guard binding
MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
382C-4A77-DD37 2001:db8:2222::/64                      1    Eth 1/24  DHCP
C:\>snmpwalk -v 2c -c private
SNMPv2-SMI::enterprises. = Gauge32: 1 -> VLAN=1
SNMPv2-SMI::enterprises. = INTEGER: 24 -> Port=Eth1/24
SNMPv2-SMI::enterprises. = INTEGER: 1 -> Status=Active(1)
Configure a static IPv6 prefix binding via SNMP.
MAC 90-E6-BA-63-96-CD=
IPv6 prefix 2001:b000:2::/64=
(1) Create a static IPv6 prefix binding entry.
C:\>snmpset -v 2c -c private i 5
SNMPv2-SMI::enterprises. = INTEGER: 5
(2) Set the entry on VLAN 1.
C:\>snmpset -v 2c -c private u 1
SNMPv2-SMI::enterprises. = Gauge32: 1
(3) Bind the entry to port 21.
C:\>snmpset -v 2c -c private i 21
SNMPv2-SMI::enterprises. = INTEGER: 21
(4) Activate the entry.
C:\>snmpset -v 2c -c private i 1
SNMPv2-SMI::enterprises. = INTEGER: 1
Check the IPv6 source guard binding entry via the CLI.
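The index suffix used in steps (1) to (4) can be computed rather than converted by hand. This added example (not part of the original article or the vendor's tooling) turns the MAC and prefix above into decimal sub-identifiers in the index order listed for the SNMPSET format. It assumes the MAC and IPv6 address are fixed-length index parts without a length prefix, and binding_type is a placeholder whose real value must come from the switch's MIB.

```python
import ipaddress

MODE_PREFIX = 2  # ip6SrcGuardBindingMode prefix(2), as listed on this page

def mac_subids(mac):
    """90-E6-BA-63-96-CD or 90E6BA6396CD -> six decimal sub-identifiers."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("MAC address must be 12 hex digits")
    octets = list(bytes.fromhex(digits))   # ValueError on non-hex input
    if octets[0] & 0x01:                   # I/G bit set: multicast or broadcast
        raise ValueError("MAC address must be unicast")
    return octets

def prefix_subids(prefix):
    """IPv6-address/prefix-length -> (16 decimal sub-identifiers, prefix length)."""
    # strict=True rejects a prefix with host bits set, e.g. 2001:b000:2::1/64
    net = ipaddress.IPv6Network(prefix, strict=True)
    return list(net.network_address.packed), net.prefixlen

def prefix_binding_index(binding_type, mac, prefix):
    """Build type.mac.ipv6.prefixLen.mode, the index order given on this page.

    Assumptions: binding_type is a placeholder (read the real value from the
    switch's MIB); MAC and IPv6 parts are fixed-length, with no length prefix.
    """
    addr, plen = prefix_subids(prefix)
    subids = [binding_type] + mac_subids(mac) + addr + [plen, MODE_PREFIX]
    return ".".join(str(s) for s in subids)

if __name__ == "__main__":
    # MAC and prefix from the static-binding example; binding type 1 is a placeholder
    print(prefix_binding_index(1, "90-E6-BA-63-96-CD", "2001:b000:2::/64"))
```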