CHAPTER 25 | General Security Measures
IPv6 Source Guard
COMMAND USAGE
◆ This command sets the maximum number of address entries that can
be mapped to an interface in the binding table, including dynamic
entries discovered by ND snooping and DHCPv6 snooping, and static
entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher
than DHCPv6 snooping maximum bindings and ND snooping maximum
bindings.
◆ If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled
on a port, the total of the dynamic bindings used by ND snooping and
DHCPv6 snooping and the IPv6 source guard static bindings cannot
exceed the maximum allowed bindings set by the
ipv6 source-guard max-binding command. In other words, no new
entries will be added to the IPv6 source guard binding table once this
maximum is reached.
◆ If IPv6 source guard is enabled on a port, and the maximum number of
allowed bindings is changed to a lower value, entries are deleted in
this order of precedence: first entries learned through DHCPv6
snooping, then entries learned through ND snooping, and then manually
configured IPv6 source guard static bindings, until the number of
entries in the binding table reaches the newly configured maximum
number of allowed bindings.
EXAMPLE
This example sets the maximum number of allowed entries in the binding
table for port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard max-binding 1
Console(config-if)#
show ipv6 source-guard
This command shows whether IPv6 source guard is enabled or disabled on
each interface, and the maximum allowed bindings.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1   DISABLED    5
Eth 1/2   DISABLED    5
Eth 1/3   DISABLED    5
Eth 1/4   DISABLED    5
Eth 1/5   SIP         1
Eth 1/6   DISABLED    5
.
.
.
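The following is an added example, not part of the manual: a Python audit that parses captured show ipv6 source-guard output and reports ports that policy requires to be filtered but that are disabled or allow too many bindings. The function names, the policy port list and limit, and the whitespace-separated column layout are assumptions; the sample text is constructed from the output shown above.

```python
import re

# Constructed sample: the manual's example output, as it might be captured to a file.
SAMPLE_OUTPUT = """\
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1 DISABLED 5
Eth 1/2 DISABLED 5
Eth 1/3 DISABLED 5
Eth 1/4 DISABLED 5
Eth 1/5 SIP 1
Eth 1/6 DISABLED 5
.
.
.
"""

# One table row: interface (e.g. "Eth 1/5"), filter type, max-binding count.
ROW = re.compile(r"^\s*(?P<iface>\S+\s+\d+/\d+)\s+(?P<filter>\S+)\s+(?P<max>\d+)\s*$")

def parse_source_guard(text):
    """Return {interface: (filter_type, max_binding)}, skipping prompt, header and '.' lines."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            iface = " ".join(m.group("iface").split())  # normalise inner spacing
            table[iface] = (m.group("filter").upper(), int(m.group("max")))
    return table

def audit(table, required_ports, max_allowed):
    """Hypothetical policy check: required ports must be filtered and within max_allowed."""
    findings = []
    for port in required_ports:
        if port not in table:
            findings.append((port, "not present in output"))
            continue
        ftype, max_binding = table[port]
        if ftype == "DISABLED":
            findings.append((port, "source guard disabled"))
        elif max_binding > max_allowed:
            findings.append((port, f"max-binding {max_binding} exceeds policy {max_allowed}"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(parse_source_guard(SAMPLE_OUTPUT), ["Eth 1/4", "Eth 1/5"], 1):
        print(f"{port}: {problem}")
```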