ENT-AN1273-4.5
Application Note IPv6 Source Guard Software Configuration Guide
Released July 2018
1 Revision History
2 Introduction
3 Purpose
4 Binding Table
5 Configuration Examples
5.1 Configuring IPv6 Source Guard
5.2 Managing Static Entry in Binding Table
5.3 Translating Dynamic Entries
6 Reference
Table 1 • References
Figure 1 • Enable IPv6 Source Guard
Figure 2 • Add Static Entry to Binding Table
Figure 3 • Delete Static Entry from Binding Table
Figure 4 • View Dynamic Binding Table
Figure 5 • Translate Dynamic Entry to Static Binding Table
Figure 6 • View Static Table
Figure 7 • View Dynamic Table
1 Revision History
The revision history describes the changes that were implemented in the document. The changes are listed by revision, starting with the most current publication.
Revision 1.0
Revision 1.0 was published in July 2018. It was the first publication of this document.
2 Introduction
This application note explains how to use the internet protocol, version 6 (IPv6) source guard.
3 Purpose
The IPv6 source guard rejects traffic to a network from unknown IPv6 source addresses. Only the traffic from addresses found in the IPv6 source guard binding table is allowed through the source guard. Addresses are added to the binding table in two ways:
• Manually entered through the user interface.
• Dynamically entered by callbacks to the DHCPv6 snooping function (see AN1269).
The IPv6 source guard works on a per switch port basis. That means that to activate the source guard on a port, it must first be globally enabled on the switch and then enabled on the port itself.
4 Binding Table
The IPv6 source guard binding table contains information on:
• Verified IPv6 addresses
• Associated MAC address
• VLAN id, if the data packets are known to have a VLAN tag
• Port to which the entry is bound
The DHCPv6 snooping function provides information about the dynamically assigned IPv6 addresses from the trusted DHCPv6 servers. Those addresses are added to the IPv6 source guard binding table, and traffic from hosts with these source addresses is allowed through the source guard. The IPv6 source guard can be configured to set a limit on how many dynamically learned entries can be bound to each switch port. Entries can also be added manually and then need to contain all the information required by the binding table. Manually added (static) entries are saved in the running configuration, but the dynamically learned (dynamic) entries are not. Therefore, the IPv6 source guard has the option of translating dynamic entries into static entries, so that they can be saved in the running configuration, if necessary.
The binding table can at most contain 112 entries for the whole system.
5 Configuration Examples
The following sections show the various web and corresponding ICLI usage examples with feature descriptions. The syntax of the examples has the following characteristics.
• Text in bold denotes user input. These are the commands you need to type.
• Normal text denotes command response from the system.
• Wrapped CLI command lines (that is, the user input) are shown with a '>' marker at the start of the wrapped text.
• Truncated CLI output lines are shown with a '<...>' marker at the end of the line.
5.1 Configuring IPv6 Source Guard
In this example, the IPv6 source guard is enabled globally on the switch, it is enabled on a single switch port, and then the limit of the dynamically learned entries on the port is set to 2. Finally, the configuration status is viewed.
To configure the IPv6 source guard as discussed and then view the status, perform the following steps.
1. Click Configuration > Security > Network > IPv6 Source Guard > Configuration, change Mode to Enabled (enables globally), change the mode of the Gi1/1 port in the list to Enabled, change Max Dynamic Clients for the same port to 2. Finally, click Save. The current IPv6 source guard configuration is displayed.
Figure 1 • Enable IPv6 Source Guard
The same functionalities can be achieved through CLI commands. Let us look at the syntax before introducing the equivalent CLI commands for the example.
Users can use CLI commands to enable the source guard on the whole switch. The syntax for the command is as follows:
# configure terminal
(config)# ipv6 verify source
The command does not have any optional arguments. To disable the source guard on the whole switch, you simply use the "no" form of the command:
# configure terminal
(config)# no ipv6 verify source
Note:
For Serval1, Caracal, and Ocelot based systems, manually change the qos qce key type to mac-ip-addr for all the ports where the source guard is enabled.
Users can use CLI commands to enable the source guard on an individual port. By default, the source guard is disabled on all switch ports and needs to be enabled on each port where it is supposed to be in effect. The syntax for the command is as follows:
# configure terminal
(config)# interface <port_type_list>
(config-if)# ipv6 verify source
The command does not have any optional arguments. To disable the source guard on a port, simply use the "no" form of the command:
# configure terminal
(config)# interface <port_type_list>
(config-if)# no ipv6 verify source
Users can use CLI commands to set a limit on how many dynamic entries the system can add on a particular switch port. By default, there is no limit to the number of dynamic entries, other than the system limit of 112. The syntax for the command is as follows:
# configure terminal
(config)# interface <port_type_list>
(config-if)# ipv6 verify source limit <0-2>
Where,
• limit — indicates you are setting a limit to dynamic entries.
• <port_type_list> — specifies the port type and identifier list (for example, GigabitEthernet 1/2-4).
• <0-2> — integer number to indicate the limit of dynamic entries being set.
The command does not have any optional arguments. To set the number of allowed dynamic clients on the port interface back to unlimited, simply use the "no" form of the command:
# configure terminal
(config)# interface <port_type_list>
(config-if)# no ipv6 verify source limit
Users can view the switch and per port mode of the IPv6 source guard. The syntax for the command is as follows:
# show ipv6 verify source [interface <port_type_list>]
Where,
• interface — limits the display of port mode to certain ports.
• <port_type_list> — specifies the port type and identifier list (for example, GigabitEthernet 1/2-4).
If none of the optional arguments are provided, then the command shows the snooping configuration for all ports.
# configure terminal
(config)# ipv6 verify source
(config)# interface GigabitEthernet 1/2
(config-if)# ipv6 verify source
(config-if)# ipv6 verify source limit 2
(config-if)# end
# show ipv6 verify source
Ipv6 Source Guard Mode : enabled
Port Port Mode Dynamic Entry Limit
---- --------- -------------------
GigabitEthernet 1/1 disabled unlimited
GigabitEthernet 1/2 enabled 2
GigabitEthernet 1/3 disabled unlimited
GigabitEthernet 1/4 disabled unlimited
GigabitEthernet 1/5 disabled unlimited
GigabitEthernet 1/6 disabled unlimited
<output truncated for readability>
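To make the behaviour described in sections 4 and 5.1 concrete, here is a small Python model of the binding table and the per-port mode (an added example, not code from the application note or from Microsemi). The class and method names (SourceGuard, add_static, add_dynamic, verify, translate, running_config) are invented for the illustration; the assumptions are that an entry only matches a frame arriving on the same port with the same VLAN tag, address and MAC, that an entry created with VLAN 0 or no VLAN matches untagged frames only, and that ports where the guard is not active are not filtered at all.

```python
"""Model of the IPv6 source guard binding table (added illustration, not the switch's code).

Assumptions made here: strict match on (port, VLAN, IPv6, MAC); an entry with no
VLAN id (web UI: empty box or 0) only matches untagged frames; ports where the
guard is not active (globally or per port) are not filtered.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM_LIMIT = 112  # maximum binding-table entries for the whole system (from the note)


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 00:00:00:00:00:01 and 00-00-00-00-00-01 compare equal."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_ip(ip: str) -> str:
    """Canonicalise an IPv6 address (raises if the text is not a valid IPv6 address)."""
    return ipaddress.IPv6Address(ip).compressed


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: Optional[int]  # None when the entry was created without a VLAN id
    ipv6: str
    mac: str
    static: bool


class SourceGuard:
    def __init__(self) -> None:
        self.global_mode = False
        self.port_mode: Dict[str, bool] = {}
        self.dynamic_limit: Dict[str, Optional[int]] = {}  # None means unlimited
        self.table: List[Binding] = []

    # Configuration, mirroring 'ipv6 verify source' and its 'limit' form.
    def enable_global(self, on: bool = True) -> None:
        self.global_mode = on

    def enable_port(self, port: str, on: bool = True) -> None:
        self.port_mode[port] = on

    def set_dynamic_limit(self, port: str, limit: Optional[int]) -> None:
        self.dynamic_limit[port] = limit

    def active_on(self, port: str) -> bool:
        # The guard only acts on a port when enabled globally AND on that port.
        return self.global_mode and self.port_mode.get(port, False)

    # Binding table maintenance.
    def _add(self, b: Binding) -> bool:
        if len(self.table) >= SYSTEM_LIMIT or b in self.table:
            return False
        self.table.append(b)
        return True

    def add_static(self, port: str, vlan: Optional[int], ipv6: str, mac: str) -> bool:
        return self._add(Binding(port, vlan or None, norm_ip(ipv6), norm_mac(mac), True))

    def add_dynamic(self, port: str, vlan: Optional[int], ipv6: str, mac: str) -> bool:
        """Entry learned via DHCPv6 snooping; honours the per-port dynamic limit."""
        limit = self.dynamic_limit.get(port)
        used = sum(1 for e in self.table if e.port == port and not e.static)
        if limit is not None and used >= limit:
            return False
        return self._add(Binding(port, vlan or None, norm_ip(ipv6), norm_mac(mac), False))

    def delete_static(self, port: str, vlan: Optional[int], ipv6: str, mac: str) -> bool:
        target = Binding(port, vlan or None, norm_ip(ipv6), norm_mac(mac), True)
        if target in self.table:
            self.table.remove(target)
            return True
        return False

    def translate(self) -> int:
        """Like 'ipv6 verify source translate': every dynamic entry becomes static."""
        count = sum(1 for e in self.table if not e.static)
        self.table = [Binding(e.port, e.vlan, e.ipv6, e.mac, True) for e in self.table]
        return count

    # The forwarding decision.
    def verify(self, port: str, vlan: Optional[int], src_ipv6: str, src_mac: str) -> bool:
        """True if a frame with this source may pass the guard on this port."""
        if not self.active_on(port):
            return True
        key = (port, vlan or None, norm_ip(src_ipv6), norm_mac(src_mac))
        return any((e.port, e.vlan, e.ipv6, e.mac) == key for e in self.table)

    def running_config(self) -> List[str]:
        """Only static entries are saved; dynamic ones are lost on reload."""
        lines = []
        for e in self.table:
            if e.static:
                vlan = f" vlan {e.vlan}" if e.vlan is not None else ""
                lines.append(f"ipv6 source binding interface {e.port}{vlan} {e.ipv6} {e.mac}")
        return lines


if __name__ == "__main__":
    sg = SourceGuard()
    sg.enable_global()
    sg.enable_port("GigabitEthernet 1/2")
    sg.set_dynamic_limit("GigabitEthernet 1/2", 2)
    sg.add_static("GigabitEthernet 1/2", 0, "2001::1", "00:00:00:00:00:01")
    sg.add_dynamic("GigabitEthernet 1/2", 2, "2001::2", "00:00:00:00:00:02")
    print("saved before translate:", sg.running_config())
    sg.translate()
    print("saved after translate: ", sg.running_config())
```

The point to take from running it: a host whose address was learned dynamically passes the guard only until the switch reloads, because running_config() never contains dynamic entries, and a port limit of 2 refuses a third dynamic binding while leaving static entries unaffected.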
5.2 Managing Static Entry in Binding Table
In this example, a static entry for an enabled port interface is added to the IPv6 source guard binding table. Previously, a dynamic entry was added to the binding table through DHCPv6 snooping on the same switch port. Then, the resulting contents of the binding table are monitored.
To add a static entry to the IPv6 source guard binding table and then view the status of the binding table, perform the following steps.
1. Click Configuration > Security > Network > IPv6 Source Guard > Static Table, configure the page as shown in the following figure, and then click Add Entry. The table on the page is updated and shows the new static entry.
Figure 2 • Add Static Entry to Binding Table
Note:
If the new static entry should not have a VLAN Id, either leave that box empty or enter 0.
2. To delete a static entry, next to the relevant entry in the table, click Delete.
Figure 3 • Delete Static Entry from Binding Table
3. To view the dynamic entry in the binding table, click Monitor > Security > Network > IPv6 Source Guard. The dynamic entry table is displayed as shown in the following figure.
Figure 4 • View Dynamic Binding Table
The same functionalities can be achieved through CLI commands. Let us look at the syntax before introducing the equivalent CLI commands for the example.
Users can use CLI commands to manually add an entry to the source guard binding table. The syntax for the command is as follows:
# configure terminal
(config)# ipv6 source binding interface <port_type_id> [vlan <vlan_id>] <ipv6_ucast> <mac_ucast>
Where,
• interface — limits the entry to a particular port.
• <port_type_id> — specifies the port type id (for example, GigabitEthernet 1/2).
• <vlan_id> — specifies the VLAN id to match the VLAN tag in data packets. This is an optional field.
• <ipv6_ucast> — specifies the IPv6 global unicast address of the entry.
• <mac_ucast> — specifies the MAC address of the entry.
If data traffic is not expected to contain a VLAN tag, the VLAN id should be left out.
Users can use CLI commands to delete an entry from the binding table. Use the "no" form of the command with the parameters set to the values of the entry you want to delete. The syntax for the command is as follows:
# configure terminal
(config)# no ipv6 source binding interface <port_type_id> [vlan <vlan_id>] <ipv6_ucast> <mac_ucast>
Users can view entries in the source guard binding table. It is possible to filter entries per port, and to view only static entries or only dynamic entries. The syntax for the command is as follows:
# show ipv6 source binding [ dhcpv6-snooping | static ] [ interface <port_type_list> ]
Where,
• dhcpv6-snooping — indicates that only the dynamic entries need to be displayed.
• static — indicates that only the static entries need to be displayed.
• interface — limits the display of entries to certain ports.
• <port_type_list> — specifies the port type and identifier list (for example, GigabitEthernet 1/1-4).
If none of the optional arguments are provided, the command shows the entire binding table, that is, all the dynamic and the static entries on all ports.
The equivalent CLI commands to add a static entry to the IPv6 source guard binding table and then monitor the status of the binding table are:
# configure terminal
(config)# ipv6 source binding interface GigabitEthernet 1/2 2001::1 00:00:00:00:00:01
(config)# end
# show ipv6 source binding
Type Port VLAN IPv6 Address MAC Address
---- ---- ---- ------------ -----------
Static GigabitEthernet 1/2 None 2001::1 00-00-00-00-00-01
Dynamic GigabitEthernet 1/2 2 2001::2 00-00-00-00-00-02
The equivalent CLI commands to delete a static entry from the IPv6 source guard binding table and then monitor the status of the binding table are:
# configure terminal
(config)# no ipv6 source binding interface GigabitEthernet 1/2 2001::1 00:00:00:00:00:01
(config)# end
# show ipv6 source binding
Type Port VLAN IPv6 Address MAC Address
---- ---- ---- ------------ -----------
Dynamic GigabitEthernet 1/2 2 2001::2 00-00-00-00-00-02
5.3 Translating Dynamic Entries
In this example, the current dynamic entry is saved to the running configuration by translating it into a static entry. Then, the results in the binding table and in the running configuration can be viewed.
To translate dynamic entries and then view the status, perform the following steps.
1. Click Configuration > Security > Network > IPv6 Source Guard > Configuration, and then click Translate Dynamic to Static.
Figure 5 • Translate Dynamic Entry to Static Binding Table
2. Click Configuration > Security > Network > IPv6 Source Guard > Static Table. The entry appears in the static table as shown in the following figure.
Figure 6 • View Static Table
3. Click Monitor > Security > Network > IPv6 Source Guard. The entry disappears from the dynamic table as shown in the following figure.
Figure 7 • View Dynamic Table
The same functionalities can be achieved through CLI commands. Let us look at the syntax before introducing the equivalent CLI commands for the example.
Users can use CLI commands to translate all the current dynamic entries in the binding table into static entries, and with that they are saved to the running configuration. The syntax for the command is as follows:
# configure terminal
(config)# ipv6 verify source translate
The command does not have any optional arguments.
The equivalent CLI commands for the example are:
# configure terminal
(config)# ipv6 verify source translate
(config)# end
# show ipv6 source binding
Type Port VLAN IPv6 Address MAC Address
---- ---- ---- ------------ -----------
Static GigabitEthernet 1/2 None 2001::1 00-00-00-00-00-01
Static GigabitEthernet 1/2 2 2001::2 00-00-00-00-00-02
# show running-config
Building configuration...
username privilege 15 password encrypted
!
vlan 2
ipv6 dhcp snooping
ipv6 verify source
ipv6 source binding interface GigabitEthernet 1/2 2001::1 00-00-00-00-00-01
ipv6 source binding interface GigabitEthernet 1/2 vlan 2 2001::2 00-00-00-00-00-02
<output truncated for readability>
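The outputs in sections 5.2 and 5.3 are worth checking mechanically when the switch configuration is reviewed: any binding still shown as Dynamic is not in the running configuration and will disappear on reload, and a Static entry should have a matching ipv6 source binding line. The following Python script is an added example (not code from the application note or from Microsemi) that parses captured show ipv6 source binding and show running-config text and produces that report. The sample texts are constructed from the outputs above; the function names and the report keys are invented for this illustration.

```python
"""Offline audit of 'show ipv6 source binding' against 'show running-config'
(added illustration; the sample captures below are constructed from the note's outputs)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, Optional[int], str, str]  # (port, vlan or None, ipv6, mac)

# Constructed sample captures (table before and after 'ipv6 verify source translate').
SHOW_BEFORE_TRANSLATE = """\
Type Port VLAN IPv6 Address MAC Address
---- ---- ---- ------------ -----------
Static GigabitEthernet 1/2 None 2001::1 00-00-00-00-00-01
Dynamic GigabitEthernet 1/2 2 2001::2 00-00-00-00-00-02
"""
SHOW_AFTER_TRANSLATE = """\
Type Port VLAN IPv6 Address MAC Address
---- ---- ---- ------------ -----------
Static GigabitEthernet 1/2 None 2001::1 00-00-00-00-00-01
Static GigabitEthernet 1/2 2 2001::2 00-00-00-00-00-02
"""
RUNNING_CONFIG_BEFORE = """\
ipv6 dhcp snooping
ipv6 verify source
ipv6 source binding interface GigabitEthernet 1/2 2001::1 00-00-00-00-00-01
"""
RUNNING_CONFIG_AFTER = RUNNING_CONFIG_BEFORE + \
    "ipv6 source binding interface GigabitEthernet 1/2 vlan 2 2001::2 00-00-00-00-00-02\n"


def norm_mac(mac: str) -> str:
    """Canonicalise colon or dash separated MACs to the dashed form the table prints."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_ip(ip: str) -> str:
    return ipaddress.IPv6Address(ip).compressed


def parse_vlan(tok: str) -> Optional[int]:
    # The table prints 'None' for entries without a VLAN id; the CLI uses 0 or omission.
    return None if tok.lower() in ("none", "0", "") else int(tok)


def parse_binding_table(text: str) -> List[Tuple[str, Key]]:
    """Return (Type, key) pairs from 'show ipv6 source binding' output."""
    entries: List[Tuple[str, Key]] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] not in ("Static", "Dynamic"):
            continue  # header, separator or truncation marker
        mac, ipv6, vlan = t[-1], t[-2], t[-3]
        port = " ".join(t[1:-3])  # port names contain a space ('GigabitEthernet 1/2')
        entries.append((t[0], (port, parse_vlan(vlan), norm_ip(ipv6), norm_mac(mac))))
    return entries


def parse_running_config(text: str) -> Set[Key]:
    """Collect the 'ipv6 source binding interface ...' lines of a running-config."""
    saved: Set[Key] = set()
    for line in text.splitlines():
        t = line.split()
        if t[:4] != ["ipv6", "source", "binding", "interface"]:
            continue
        mac, ipv6 = t[-1], t[-2]
        if len(t) >= 8 and t[-4] == "vlan":
            vlan, port = int(t[-3]), " ".join(t[4:-4])
        else:
            vlan, port = None, " ".join(t[4:-2])
        saved.add((port, vlan, norm_ip(ipv6), norm_mac(mac)))
    return saved


def audit(show_text: str, config_text: str) -> Dict[str, List[Key]]:
    """Classify every table entry by whether it survives a reload."""
    saved = parse_running_config(config_text)
    table = parse_binding_table(show_text)
    report: Dict[str, List[Key]] = {"unsaved_dynamic": [], "persisted_static": [],
                                    "static_not_in_config": [], "config_not_in_table": []}
    for kind, key in table:
        if kind == "Dynamic":
            report["unsaved_dynamic"].append(key)  # dynamic entries are never saved
        elif key in saved:
            report["persisted_static"].append(key)
        else:
            report["static_not_in_config"].append(key)
    in_table = {key for _, key in table}
    report["config_not_in_table"] = sorted((k for k in saved if k not in in_table), key=repr)
    return report


if __name__ == "__main__":
    for label, show, cfg in (("before translate", SHOW_BEFORE_TRANSLATE, RUNNING_CONFIG_BEFORE),
                             ("after translate", SHOW_AFTER_TRANSLATE, RUNNING_CONFIG_AFTER)):
        print(label, audit(show, cfg))
```

Before the translate command the report lists 2001::2 under unsaved_dynamic; after it, the same entry is under persisted_static and unsaved_dynamic is empty, which is the property the section sets out to achieve.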
6 Reference
The reference documents are listed in the following table.
Table 1 • References
Description                                             Document
-----------                                             --------
Internet Protocol, Version 6 (IPv6) specification       RFC 8200
DHCPv6-Shield: Protecting against rogue DHCPv6 servers  RFC 7610
Cisco IPv6 Source Guard and Prefix Guard                https:///c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ip6-src-guard.pdf
Microsemi ICLI configuration guide                      AN1104
IPv6 Source Guard - requirement specification           RS1179
DHCPv6 Shield - requirement specification               RS1177
Microsemi makes no warranty, representation, or guarantee regarding the information contained herein or the suitability of its products and services for any particular purpose, nor does Microsemi assume any liability whatsoever arising out of the application or use of any product or circuit. The products sold hereunder and any other products sold by Microsemi have been subject to limited testing and should not be used in conjunction with mission-critical equipment or applications. Any performance specifications are believed to be reliable but are not verified, and Buyer must conduct and complete all performance and other testing of the products, alone and together with, or installed in, any end-products. Buyer shall not rely on any data and performance specifications or parameters provided by Microsemi. It is the Buyer's responsibility to independently determine suitability of any products and to test and verify the same. The information provided by Microsemi hereunder is provided "as is, where is" and with all faults, and the entire risk associated with such information is entirely with the Buyer. Microsemi does not grant, explicitly or implicitly, to any party any patent rights, licenses, or any other IP rights, whether with regard to such information itself or anything described by such information. Information provided in this document is proprietary to Microsemi, and Microsemi reserves the right to make any changes to the information in this document or to any products and services at any time without notice.
Microsemi Headquarters
One Enterprise, Aliso Viejo, CA 92656 USA
Within the USA: +1 (800) 713-4113
Outside the USA: +1 (949) 380-6100
Sales: +1 (949) 380-6136
Fax: +1 (949) 215-4996
Email: ***************************
© 2019 Microsemi. All rights reserved. Microsemi and the Microsemi logo are trademarks of Microsemi Corporation. All other trademarks and service marks are the property of their respective owners.
Microsemi, a wholly owned subsidiary of Microchip Technology Inc. (Nasdaq: MCHP), offers a comprehensive portfolio of semiconductor and system solutions for aerospace & defense, communications, data center and industrial markets. Products include high-performance and radiation-hardened analog mixed-signal integrated circuits, FPGAs, SoCs and ASICs; power management products; timing and synchronization devices and precise time solutions, setting the world's standard for time; voice processing devices; RF solutions; discrete components; enterprise storage and communication solutions; security technologies and scalable anti-tamper products; Ethernet solutions; Power-over-Ethernet ICs and midspans; as well as custom design capabilities and services. Microsemi is headquartered in Aliso Viejo, California, and has approximately 4,800 employees globally. Learn more at .
VPPD-04658