Enable IP Source Guard on a Port for IPv6 Addresses
Before you begin
Ensure that all of the following conditions are satisfied before you enable IPSG on a port. Otherwise, the system displays error messages.
- DHCP Snooping is enabled globally.
- The port is a member of a VLAN that is configured with both DHCP Snooping and IPv6 Neighbor Discovery inspection.
- The port is an untrusted port enabled with both DHCP Snooping and IPv6 Neighbor Discovery inspection.
- The port has enough resources allocated to support the maximum number of 10 IP addresses allowed for IPSG.
About this task
Enable IP Source Guard (IPSG) on a port to add a higher level of security to the port by preventing IP spoofing. When you enable IPSG on the interface, filters are installed for IPv6 addresses that are already learned on that interface.
Important
Do not enable IPSG on MLT, DMLT, SMLT, LAG, trunk ports or ports that are a part of private VLANs.
Procedure
Example
Enable IPSG on a port.
Configure the maximum allowed IPv6 addresses on port 1/1 as 10 and enable IPSG on that port.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#ipv6 source-guard max-allowed-addr 10
Switch:1(config-if)#ipv6 source-guard enable
Verify the configuration.
Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 1/1
Slot/Port  Source Guard  Number of IPv6    Address
           Mode          address allowed   overflow count
==========================================================
1/1        Enabled       10                0
Optionally view all interfaces with IPSG enabled.
Switch:1(config-if)#show ipv6 source-guard interface enabled
Slot/Port  Source Guard  Number of IPv6    Address
           Mode          address allowed   overflow count
==========================================================
1/1        Enabled       4                 0
1/2        Enabled       9                 0
Variable Definitions
The following table defines parameters for the ipv6 source-guard command.
Variable | Value |
---|---|
enable | Enables IP Source Guard on a port. |
max-allowed-addr <2–10> | Specifies the maximum number of IPv6 addresses allowed to transmit data through the port. The default value is 4. Note: To reset the value to default, IPSG must be disabled on the interface. |
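For auditing many ports, the following added example (not vendor code) parses text in the layout of the show ipv6 source-guard output in the Example above, checks each row against the max-allowed-addr range from the parameter table, and reports ports that need review. The sample text, port 1/3, the expected-port list and the choice to treat a non-zero overflow count as a finding are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of `show ipv6 source-guard interface enabled`;
# port 1/3 is invented here to show a non-zero overflow count.
SAMPLE = """\
Switch:1(config-if)#show ipv6 source-guard interface enabled
Slot/Port  Source Guard  Number of IPv6    Address
           Mode          address allowed   overflow count
==========================================================
1/1        Enabled       4                 0
1/2        Enabled       9                 0
1/3        Enabled       10                7
"""

# A data row is: slot/port, mode, allowed addresses, overflow count.
ROW = re.compile(r"^\s*(\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
MIN_ALLOWED, MAX_ALLOWED = 2, 10  # max-allowed-addr range from the parameter table


def parse_ipsg(text):
    """Return one dict per data row; prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, mode, allowed, overflow = m.groups()
            rows.append({"port": port, "mode": mode,
                         "allowed": int(allowed), "overflow": int(overflow)})
    return rows


def audit(rows, expected_ports=()):
    """Return (port, finding) pairs for ports that need a closer look."""
    findings = []
    seen = {r["port"] for r in rows}
    for port in expected_ports:  # ports that policy says must run IPSG (assumed list)
        if port not in seen:
            findings.append((port, "IPSG not listed as enabled"))
    for r in rows:
        if r["mode"].lower() != "enabled":
            findings.append((r["port"], f"mode is {r['mode']}"))
        if not MIN_ALLOWED <= r["allowed"] <= MAX_ALLOWED:
            findings.append((r["port"], f"allowed={r['allowed']} outside 2-10"))
        if r["overflow"] > 0:
            findings.append((r["port"], f"overflow count {r['overflow']}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_ipsg(SAMPLE), ["1/1", "1/2", "1/4"]):
        print(port, finding)
```

Feed it the captured CLI text from each switch and pass the list of access ports that are required to run IPSG as `expected_ports`.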