Configure IP Source Guard on a Port for IPv6 Addresses

About this task

Enable IPSG to add a higher level of security to a desired port, by preventing IP spoofing. When you enable IPSG on an interface, filters are automatically installed for the IPv6 addresses that are already learned on that interface.

Before you begin

Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise, the system displays error messages.

  • DHCP Snooping is enabled globally.

  • The port is a member of a VLAN that is configured with both DHCP Snooping and IPv6 Neighbor Discovery inspection.

  • The port is an untrusted port enabled with both DHCP Snooping and IPv6 Neighbor Discovery inspection.

  • The port has enough resources allocated to support the maximum number of 10 IP addresses allowed for IPSG.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Click IPv6.
  3. Click the Source Guard tab.
  4. Double-click the InterfaceState field.
  5. Select a value from the list: true or false.
  6. Double-click the MaxAddr field.
  7. Enter the maximum number of IPv6 addresses that are allowed to transmit data on the port.
  8. Optional: To clear the overflow counters, double-click ClearOverflowCount and select true.
  9. Click Apply to save your changes.
  10. Click Refresh to update the Source Guard tab.

Source Guard field descriptions

Use the data in the following table to use the Source Guard tab.

Name

Description

IfIndex

Specifies a value that uniquely identifies the port.

InterfaceState

Specifies the state of the interface. The default value is false.

MaxAddr

Specifies the maximum number of IPv6 addresses allowed to transmit data through the port. The default value is 4.

Note:

To reset the value to default, IPSG must first be disabled on the interface.

OverflowCount

Specifies the number of IPv6 addresses for which filters are not added on the IPSG port, due to a lack of filter resources.

The default value is 0.

ClearOverflowCount

Specifies whether the overflow counter must be cleared. By default, the value is false.