Enable IP Source Guard on a Port for IPv6 Addresses

About this task

Enable IP Source Guard (IPSG) on a port to add a higher level of security to the port by preventing IP spoofing. When you enable IPSG on the interface, the switch installs filters for the IPv6 addresses that are already learned on that interface (through DHCP Snooping and IPv6 Neighbor Discovery inspection), so that only traffic sourced from those addresses is permitted through the port.

Important

Do not enable IPSG on MLT, DMLT, SMLT, LAG, trunk ports or ports that are a part of private VLANs.

Before you begin

Ensure that the following conditions are all satisfied before you enable IPSG on a port; otherwise, the system displays error messages.

  • DHCP Snooping is enabled globally.

  • The port is a member of a VLAN that is configured with both DHCP Snooping and IPv6 Neighbor Discovery inspection.

  • The port is an untrusted port enabled with both DHCP Snooping and IPv6 Neighbor Discovery inspection.

  • The port has enough resources allocated to support the maximum of 10 IPv6 addresses allowed for IPSG.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure the maximum number of allowed IPv6 addresses on a port:

    ipv6 source-guard [max-allowed-addr <2-10>]

    Note

    Configure the maximum number of allowed IPv6 addresses on a port before you enable IPSG on that port; the value cannot be reset to the default while IPSG is enabled.

  3. Enable IPSG on the port:

    ipv6 source-guard enable

  4. Verify IPSG configuration information on the port:

    show ipv6 source-guard interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Example

Enable IPSG on a port.

Configure the maximum allowed IPv6 addresses on port 4/1 as 10 and enable IPSG on that port.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)#ipv6 source-guard max-allowed-addr 10
Switch:1(config-if)#ipv6 source-guard enable

Verify the configuration.

Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 4/1
Slot/Port  Source Guard  Number of IPv6   Address
             Mode        address allowed  overflow count
==========================================================
4/1          Enabled           10          0

Optionally, view all interfaces on which IPSG is enabled. In this example port 3/1 was also configured, with a limit of 9 addresses.

Switch:1(config-if)#show ipv6 source-guard interface enabled
Slot/Port  Source Guard  Number of IPv6   Address
             Mode        address allowed  overflow count
==========================================================
4/1          Enabled           10           0
3/1          Enabled            9           0
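The following Python helper is an added example and is not part of the vendor documentation. It generates the CLI lines for the procedure above for a list of ports (enforcing the 2-10 range and the rule that max-allowed-addr is set before enable), and it parses the show ipv6 source-guard output format shown on this page to audit a switch: ports that are not enabled, ports whose limit differs from the intended value, and ports with a non-zero address overflow count. The sample show output, the exit keyword used to leave interface mode, and the reading of the overflow column as "addresses seen beyond the configured limit" are assumptions, not taken from the page.

```python
"""Generate and audit IPv6 Source Guard (IPSG) configuration for a VOSS-style switch.

Added example, not vendor code. The show-output sample below is constructed
to match the column layout shown in the documentation.
"""
import re
from dataclasses import dataclass

MIN_ADDR, MAX_ADDR = 2, 10      # accepted range of max-allowed-addr (from the page)
DEFAULT_MAX_ADDR = 4            # default value of max-allowed-addr (from the page)

# slot/port or slot/port/sub-port (sub-port only on channelized ports)
PORT_RE = re.compile(r"^\d+/\d+(?:/\d+)?$")


def is_valid_max_allowed(value: int) -> bool:
    """True when value is inside the <2-10> range the CLI accepts."""
    return MIN_ADDR <= value <= MAX_ADDR


def build_ipsg_config(ports, max_allowed_addr=DEFAULT_MAX_ADDR):
    """Return the CLI lines that enable IPSG on each port.

    The limit is always emitted before 'ipv6 source-guard enable', because the
    documentation requires it to be configured first and it cannot be reset to
    default while IPSG is enabled on the interface.
    """
    if not is_valid_max_allowed(max_allowed_addr):
        raise ValueError(f"max-allowed-addr must be {MIN_ADDR}-{MAX_ADDR}, got {max_allowed_addr}")
    lines = ["enable", "configure terminal"]
    for port in ports:
        if not PORT_RE.match(port):
            raise ValueError(f"bad port spec {port!r}; expected slot/port[/sub-port]")
        lines += [
            f"interface gigabitEthernet {port}",
            f"ipv6 source-guard max-allowed-addr {max_allowed_addr}",
            "ipv6 source-guard enable",
            "exit",  # assumption: 'exit' returns from interface mode on this CLI
        ]
    return lines


@dataclass
class IpsgPortStatus:
    port: str
    enabled: bool
    max_allowed: int
    overflow: int


# One data row of 'show ipv6 source-guard interface ...': port, mode, limit, overflow
ROW_RE = re.compile(r"^\s*(\d+/\d+(?:/\d+)?)\s+(Enabled|Disabled)\s+(\d+)\s+(\d+)\s*$")


def parse_source_guard_table(text: str):
    """Parse the show output into IpsgPortStatus records; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(IpsgPortStatus(m.group(1), m.group(2) == "Enabled",
                                       int(m.group(3)), int(m.group(4))))
    return rows


def audit(rows, expected_ports, expected_max):
    """Return human-readable findings for ports that deviate from the intended state."""
    by_port = {r.port: r for r in rows}
    findings = []
    for port in expected_ports:
        r = by_port.get(port)
        if r is None or not r.enabled:
            findings.append(f"{port}: IPSG is not enabled")
            continue
        if r.max_allowed != expected_max:
            findings.append(f"{port}: max-allowed-addr is {r.max_allowed}, expected {expected_max}")
        if r.overflow > 0:
            # Interpretation (assumption): the host on this port presented more IPv6
            # addresses than the limit permits; the extra addresses are not filtered in.
            findings.append(f"{port}: address overflow count {r.overflow}, investigate the attached host")
    return findings


# Constructed sample in the format shown on the page (not real device output).
SAMPLE_SHOW_OUTPUT = """\
Slot/Port  Source Guard  Number of IPv6   Address
             Mode        address allowed  overflow count
==========================================================
4/1          Enabled           10          0
3/1          Enabled            9          3
"""

if __name__ == "__main__":
    print("\n".join(build_ipsg_config(["4/1", "3/1"], 10)))
    for finding in audit(parse_source_guard_table(SAMPLE_SHOW_OUTPUT), ["4/1", "3/1", "5/2"], 10):
        print(finding)
```

Run the audit after each rollout: a non-zero overflow count on an access port is the signal worth alerting on, because it means a host tried to use more IPv6 addresses than the limit you provisioned.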

Variable Definitions

The following table defines parameters for the ipv6 source-guard command.

Variable

Value

enable

Enables IP Source Guard on a port.

max-allowed-addr <2–10>

Specifies the maximum number of IPv6 addresses allowed to transmit data through the port. The default value is 4.

Note:

To reset the value to default, IPSG must be disabled on the interface.