Chapter 8
| General Security Measures
IPv6 Source Guard
– 314 –
Command Mode
Interface Configuration (Ethernet)
Command Usage
â—† This command sets the maximum number of address entries that can be
mapped to an interface in the binding table, including both dynamic entries
discovered by ND snooping, DHCPv6 snooping, and static entries set by the
ipv6 source-guard command.
â—† IPv6 source guard maximum bindings must be set to a value higher than
DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
â—† If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled on a
port, the dynamic bindings used by ND snooping, DHCPv6 snooping, and IPv6
source guard static bindings cannot exceed the maximum allowed bindings set
by the ipv6 source-guard max-binding command. In other words, no new
entries will be added to the IPv6 source guard binding table.
â—† If IPv6 source guard is enabled on a port, and the maximum number of allowed
bindings is changed to a lower value, precedence is given to deleting entries
learned through DHCPv6 snooping, ND snooping, and then manually
configured IPv6 source guard static bindings, until the number of entries in the
binding table reaches the newly configured maximum number of allowed
bindings.
Example
This example sets the maximum number of allowed entries in the binding table for
port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard max-binding 1
Console(config-if)#
show ipv6 source-
guard
This command shows whether IPv6 source guard is enabled or disabled on each
interface, and the maximum allowed bindings.
Command Mode
Privileged Exec
Example
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1 DISABLED 5
Eth 1/2 DISABLED 5
Eth 1/3 DISABLED 5
Eth 1/4 DISABLED 5
Eth 1/5 SIP 1
Eth 1/6 DISABLED 5
To Next Page
Loading...
Need help?
General