[Enhancement] ECS4120 series support IPv6 Prefix Guard via CLI/WEB/SNMP

Author: Steven_zhang | Created at: Dec 11, 2019 14:34:13 | Updated at: Dec 11, 2019 14:34:22

Support models and software version:

ECS4120 series v1.2.2.24 and above.

 

Overview

IPv6 Prefix Guard is part of the IPv6 Source Guard feature, which restricts IPv6 traffic on non-routed Layer 2 interfaces by filtering it against the DHCPv6 Snooping binding table and manually configured static IPv6 bindings. IPv6 Prefix Guard is used when IPv6 prefixes are delegated to the device through DHCPv6 prefix delegation. It records the range of prefixes assigned to the link and blocks traffic whose source address falls outside this range.

 

Configuration (Support CLI/WEB GUI/SNMP)

<A> CLI Command

  • Enable IPv6 source guard or IPv6 prefix guard in port interface configuration mode and set the maximum number of binding entries.

[CLI format]

ipv6 source-guard { sip | sdp | max-binding }

    sip - Enable IPv6 source address filtering.

    sdp - Enable IPv6 source prefix filtering.

    max-binding - Limits max binding entries.

Console#con
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 source-guard sdp
Console(config-if)#ipv6 source-guard max-binding 3
Console(config-if)#end
Console#show ipv6 source-guard
Interface   Filter-type   Max-binding
---------   -----------   -----------
Eth 1/1     SDP                     3
Eth 1/2     DISABLED                5
Eth 1/3     DISABLED                5

 

  • Add a static IPv6 source guard or IPv6 prefix guard binding entry in global configuration mode.

[CLI format]

ipv6 source-guard binding Mac-Address vlan VLAN_ID { IPv6-Address | IPv6-Prefix } interface ethernet Unit/Port

    Mac-Address - A valid unicast MAC address. (x-x-x-x-x-x or xxxxxxxxxxxx)

    VLAN_ID - ID of a configured VLAN. (Range: 1-4094)

    IPv6-Address - Corresponding full IPv6 address.

    IPv6-Prefix - Corresponding IPv6 prefix of the form IPv6-address/prefix-length.

    Unit - Unit identifier. (Range: 1)

    Port - Port number. (Range: 1-28 or 52)

Console#con
Console(config)#ipv6 source-guard binding 90-E6-BA-63-96-CD vlan 1 2001:b000:2::/64 interface ethernet 1/21
Console(config)#end
Console#show ipv6 source-guard binding
DHCPV6SNP:
 DHCP - Stateful address
NDSNP:
 ND - Stateless address
STA - Static IPv6 source guard binding

MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
90E6-BA63-96CD                        2001:b000:2::/64    1  Eth 1/21  STA

 

<B> WEB GUI

  • Enable IPv6 source guard or IPv6 prefix guard in the port configuration page and set the maximum number of binding entries.

[WEB GUI]

Security > IPv6 Source Guard > Port Configuration > Filter Type & Max Binding Entry > Apply


 

  • Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.

[WEB GUI]

Security > IPv6 Source Guard > Static Binding > Action: Add > Apply


[WEB GUI]

Security > IPv6 Source Guard > Static Binding > Action: Show


 

<C> SNMP

  • Enable IPv6 source guard or IPv6 prefix guard on a port and set the maximum number of binding entries.

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} {ip6SrcGuardMode | ip6SrcGuardMaxBinding}.{ip6SrcGuardPortIfIndex} {integer} {value}

 

For ip6SrcGuardMode, OID 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2

 disabled(1) - IPv6 Source Guard is disabled.

 srcIp(2) - IPv6 Source Guard is enabled; packets are filtered by checking the source IP address.

 srcPrefix(3) - IPv6 Prefix Guard is enabled; packets are filtered by checking the source prefix.

 

For ip6SrcGuardMaxBinding, OID 1.3.6.1.4.1.259.10.1.45.1.74.1.1.3

 This object indicates the maximum number of bindings associated with the port. (Range: 1 to 5)

 

For ip6SrcGuardPortIfIndex,

 This object identifies the port on which the IPv6 Source Guard feature is available (the port's ifIndex).

 

IPv6 source guard is disabled on port interfaces by default.

C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 1

 

Enable IPv6 Prefix Guard on port 24.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24 i 3
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 3

 

Display the current mode of IPv6 source guard.

C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.2.24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.2.24 = INTEGER: 3

 

Configure the IPv6 source guard maximum binding entry number to 3 on port 24.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.1.1.3.24 i 3
SNMPv2-SMI::enterprises.259.10.1.45.1.74.1.1.3.24 = INTEGER: 3

[Result]

Console#show ipv6 source-guard
Interface   Filter-type   Max-binding
---------   -----------   -----------
Eth 1/23    DISABLED                5
Eth 1/24    SDP                     3
Eth 1/25    DISABLED                5

 

  • Add a static IPv6 source guard or IPv6 prefix guard binding entry on the switch.

[SNMPSET command format]

snmpset -v 2c -c private {switch ip} {ip6SrcGuardBindingVlanIndex | ip6SrcGuardBindingPortIfIndex | ip6SrcGuardBindingStatus}.{ip6SrcGuardBindingType}.{ip6SrcGuardBindingMacAddress}.{ip6SrcGuardBindingIpv6Address}.{ip6SrcGuardBindingPrefixLen}.{ip6SrcGuardBindingMode} {integer} {value}

 

For ip6SrcGuardBindingVlanIndex, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.4

 This object indicates the VLAN ID of the associated client. (Range: 1 to 4094)

 

For ip6SrcGuardBindingPortIfIndex, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.5

 This object indicates the port (ifIndex) of the associated client.

 

For ip6SrcGuardBindingStatus, OID 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6

 active(1), which indicates that the conceptual row is available for use by the managed device.

 notInService(2), which indicates that the conceptual row exists in the agent, but is unavailable for use by the managed device.

 notReady(3), createAndGo(4), createAndWait(5), destroy(6)

 

For ip6SrcGuardBindingType

 This object indicates the binding type of the associated client.

 static(1), dhcp6snp(2), ndsnp(3)

 

For ip6SrcGuardBindingMacAddress,

 This object indicates the MAC address of the associated client. In the OID index it is written as 6 octets, each converted from hexadecimal to decimal.

 

For ip6SrcGuardBindingIpv6Address,

 This object indicates the IPv6 address of the associated client. In the OID index it is written as 16 octets, each converted from hexadecimal to decimal.

 

For ip6SrcGuardBindingPrefixLen,

 The object indicates the delegated prefix length of the associated client.

 

For ip6SrcGuardBindingMode,

 The object indicates the mode of this binding.

 address(1) means the mode of the binding entry is address mode.

 prefix(2) means the mode of the binding entry is prefix mode.

 

Read the IPv6 source-guard dynamic binding via the CLI and via SNMP.

Console#show ipv6 source-guard binding
DHCPV6SNP:
 DHCP - Stateful address
NDSNP:
 ND - Stateless address
STA - Static IPv6 source guard binding

MAC Address    IPv6 Address/IPv6 Prefix                VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
382C-4A77-DD37                      2001:db8:2222::/64    1  Eth 1/24 DHCP


C:\>snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1  -> VLAN=1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 24  -> Port=Eth1/24
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.2.56.44.74.119.221.55.32.1.13.184.34.34.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 1  -> Status=Active(1)

 

Configure a static IPv6 prefix binding via SNMP.

The index of the binding row is built from the MAC address and the IPv6 prefix, each octet converted from hexadecimal to decimal:

MAC 90-E6-BA-63-96-CD = 144.230.186.99.150.205

IPv6 prefix 2001:b000:2::/64 = 32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0 (16 octets), followed by the prefix length 64 and mode prefix(2)

(1) Create a static IPv6 prefix binding entry.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 5
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 5

 

(2) Assign the entry to VLAN 1.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.4.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 u 1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.4.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = Gauge32: 1

 

(3) Bind the entry to port 21.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.5.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 21
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.5.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 21

 

(4) Activate the entry.

C:\>snmpset -v 2c -c private 192.168.1.1 1.3.6.1.4.1.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 i 1
SNMPv2-SMI::enterprises.259.10.1.45.1.74.2.1.6.1.144.230.186.99.150.205.32.1.176.0.0.2.0.0.0.0.0.0.0.0.0.0.64.2 = INTEGER: 1
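As an added example, not part of the original article or of Edgecore's software: a small Python helper that builds the ip6SrcGuardBindingTable row index (type.MAC.IPv6.prefix-length.mode, every octet in decimal) from a MAC address and an IPv6 prefix, emits the four snmpset commands in the order the steps above use, and decodes an OID from the snmpwalk output back into readable fields. The table OID, column numbers, enum values, switch IP and community string are the ones shown on this page; prefix-mode bindings only.

```python
import ipaddress
import re

# Table OID, column numbers and enum values as given in the article.
BINDING_TABLE = "1.3.6.1.4.1.259.10.1.45.1.74.2.1"
COL_VLAN, COL_PORT, COL_STATUS = 4, 5, 6
TYPE_NAMES = {1: "static", 2: "dhcp6snp", 3: "ndsnp"}
MODE_PREFIX = 2
CREATE_AND_WAIT, ACTIVE = 5, 1


def binding_index(mac: str, prefix: str, binding_type: int = 1) -> str:
    """Row index for a prefix-mode binding:
    type.MAC(6 decimal octets).IPv6(16 decimal octets).prefix-length.mode"""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)  # x-x-x-x-x-x or xxxxxxxxxxxx
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    mac_octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    net = ipaddress.IPv6Network(prefix)  # strict: host bits set => ValueError
    octets = [binding_type, *mac_octets, *net.network_address.packed,
              net.prefixlen, MODE_PREFIX]
    return ".".join(str(o) for o in octets)


def static_prefix_binding_cmds(switch_ip, community, mac, prefix, vlan, port):
    """The four snmpset calls in the order the article uses: create the row
    (createAndWait), set VLAN (Gauge32, type 'u'), set port, then activate."""
    idx = binding_index(mac, prefix)
    base = f"snmpset -v 2c -c {community} {switch_ip} {BINDING_TABLE}"
    return [f"{base}.{COL_STATUS}.{idx} i {CREATE_AND_WAIT}",
            f"{base}.{COL_VLAN}.{idx} u {vlan}",
            f"{base}.{COL_PORT}.{idx} i {port}",
            f"{base}.{COL_STATUS}.{idx} i {ACTIVE}"]


def decode_binding_oid(oid: str) -> dict:
    """Split one OID from 'snmpwalk ... 1.3.6.1.4.1.259.10.1.45.1.74.2.1' into
    column, binding type, MAC and IPv6 address/prefix."""
    if not oid.startswith(BINDING_TABLE + "."):
        raise ValueError("not an ip6SrcGuardBindingTable OID")
    parts = [int(p) for p in oid[len(BINDING_TABLE) + 1:].split(".")]
    if len(parts) != 1 + 1 + 6 + 16 + 1 + 1:  # column.type.mac.ipv6.plen.mode
        raise ValueError("unexpected index length")
    mac = "-".join(f"{o:02X}" for o in parts[2:8])
    addr = ipaddress.IPv6Address(bytes(parts[8:24]))
    plen, mode = parts[24], parts[25]
    return {"column": parts[0], "type": TYPE_NAMES.get(parts[1], parts[1]),
            "mac": mac, "prefix_len": plen, "mode": mode,
            "ipv6": f"{addr}/{plen}" if mode == MODE_PREFIX else str(addr)}
```

Feeding the dynamic-binding OID from the snmpwalk output above into decode_binding_oid() yields MAC 38-2C-4A-77-DD-37 and prefix 2001:db8:2222::/64 with type dhcp6snp, matching the show ipv6 source-guard binding table.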

 

Check the IPv6 source guard binding entry via the CLI (show ipv6 source-guard binding).