Edge-Core ECS3510-10PD Management Manual page 410

10-port layer 2

CHAPTER 13 | Security Measures
IPv6 Source Guard
COMMAND USAGE
Setting source guard mode to SIP (Source IP) enables this function on
the selected port. Use the SIP option to check the VLAN ID, IPv6 global
unicast source IP address, and port number against all entries in the
binding table.

After IPv6 source guard is enabled on an interface, the switch initially
blocks all IPv6 traffic received on that interface, except for ND packets
allowed by ND snooping and DHCPv6 packets allowed by DHCPv6
snooping. A port access control list (ACL) is applied to the interface.
Traffic is then filtered based upon dynamic entries learned via ND
snooping or DHCPv6 snooping, or static addresses configured in the
source guard binding table. The port allows only IPv6 traffic with a
matching entry in the binding table and denies all other IPv6 traffic.

Table entries include a MAC address, IPv6 global unicast address, entry
type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding),
VLAN identifier, and port identifier.

Static addresses entered in the source guard binding table (using the
Static Binding page) are automatically configured with an infinite lease
time. Dynamic entries learned via DHCPv6 snooping have their lease time
configured by the DHCPv6 server itself.

If IPv6 source guard is enabled, an inbound packet's source IPv6
address will be checked against the binding table. If no matching entry
is found, the packet will be dropped.
Filtering rules are implemented as follows:

  - If ND snooping and DHCPv6 snooping are disabled, IPv6 source
    guard will check the VLAN ID, source IPv6 address, and port
    number. If a matching entry is found in the binding table and the
    entry type is static IPv6 source guard binding, the packet will be
    forwarded.

  - If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will
    check the VLAN ID, source IPv6 address, and port number. If a
    matching entry is found in the binding table and the entry type is
    static IPv6 source guard binding, dynamic ND snooping binding, or
    dynamic DHCPv6 snooping binding, the packet will be forwarded.

  - If IPv6 source guard is enabled on an interface for which IPv6 source
    bindings (dynamically learned via ND snooping or DHCPv6
    snooping, or manually configured) are not yet configured, the
    switch will drop all IPv6 traffic on that port, except for ND packets
    and DHCPv6 packets.

Only IPv6 global unicast addresses are accepted for static bindings.
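
The filtering rules above, modeled in Python as an added example (this is not code from the manual or the switch firmware). The names Binding, add_static and source_guard are hypothetical, global unicast is assumed to mean 2000::/3, ND/DHCPv6 packets are simply modeled as forwarded, and the table contents are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

STATIC = "Static-IPv6-SG-Binding"
DYN_ND = "Dynamic-ND-Binding"
DYN_DHCP6 = "Dynamic-DHCPv6-Binding"
# Assumption: "global unicast" means the RFC 4291 range 2000::/3.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: ipaddress.IPv6Address
    kind: str
    vlan: int
    port: int


def add_static(table, mac, ip, vlan, port):
    """Add a static binding; only global unicast addresses are accepted."""
    addr = ipaddress.IPv6Address(ip)
    if addr not in GLOBAL_UNICAST:
        raise ValueError(f"{ip} is not a global unicast address")
    table.append(Binding(mac, addr, STATIC, vlan, port))


def source_guard(table, vlan, src_ip, port, snooping_enabled, control=False):
    """Return 'forward' or 'drop' for a packet arriving on a SIP-mode port.

    snooping_enabled: True if ND snooping or DHCPv6 snooping is on.
    control: True for ND/DHCPv6 packets, which are exempt from the check.
    """
    if control:
        return "forward"  # simplification: snooping itself is not modeled
    # With snooping off, only static entries count as a match.
    usable = {STATIC, DYN_ND, DYN_DHCP6} if snooping_enabled else {STATIC}
    src = ipaddress.IPv6Address(src_ip)
    for b in table:
        if (b.vlan, b.ip, b.port) == (vlan, src, port) and b.kind in usable:
            return "forward"
    return "drop"  # no matching entry, or no bindings configured yet


# Constructed sample table (documentation-range addresses, made-up MACs).
TABLE = []
add_static(TABLE, "00-11-22-33-44-55", "2001:db8::10", vlan=1, port=3)
TABLE.append(Binding("00-11-22-33-44-66",
                     ipaddress.IPv6Address("2001:db8::20"), DYN_ND, 1, 4))
```

Note that the match key is VLAN ID, source address and port together, so a valid address seen on the wrong port or VLAN is dropped.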
PARAMETERS
These parameters are displayed:
Port – Port identifier (Range: 1-10)