Manuals / Brands / Computer Equipment / Switch / HP / Computer Equipment / Switch

HP ProCurve 2910AL Example, 2001:DB8:0000:0000:244:17FF:FEB6:D37D, FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC

1 194

Download 194 pages, 2.43 Mb

IPv6 Management Security Features

Authorized IP Managers for IPv6

Example. Figure 6-3 shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is:

FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.

1st

2nd

3rd

4th

5th

6th

7th

8th

Manager- or Operator-Level Access

Block

Block

Block

Block

Block

Block

Block

Block

IPv6 Mask

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFC

The “F” value in the first 124 bits of the

IPv6 Address

2001

DB8

0000

0000

244

17FF

FEB6

D37D

mask specifies that only the exact value

of each corresponding bit in an

authorized IPv6 address is allowed.

However, the “C” value in the last four

bits of the mask allows four possible

combinations (D37C, D37D, D37E, and

D37F) in the last block of an authorized

IPv6 address.

Figure 6-3. Example: Mask for Configuring Four Authorized IPv6 Manager Stations

Last block in Mask: FFFC

Last block in IPv6 Address: D37D

Bit Numbers

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

Bit

15

14

13

12

11

10

9

8

7

6

5

4

3

2

1

0

Bit Value

F

F

F

C

FFFC: Last Block

in Mask

D37D: Last Block

in IPv6 Address

Bit Setting:

= 1 (On)

= 0 (Off)

Figure 6-4. Example: How a Mask Determines Four Authorized IPv6 Manager Addresses

As shown in Figure 6-4, if you use a mask of FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC with an IPv6 address, you can authorize four IPv6-based stations to access the switch. In this mask, all bits except the last two are set to 1 (“on”); the binary equivalent of hexadecimal C is 1100.

Therefore, this mask requires the first corresponding 126 bits in an authorized IPv6 address to be the same as in the specified IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37C. However, the last two bits are set

6-8

Contents

ProCurve Switches Page HP ProCurve 2910al Switch IPv6 Configuration Guide Page 1 Getting Started 2 Introduction to IPv6 3 IPv6 Addressing 4 IPv6 Addressing Configuration 5 IPv6 Management Features 6 IPv6 Management Security Features 7 Multicast Listener Discovery (MLD) Snooping 8 IPv6 Diagnostic and Troubleshooting A Terminology Index Product Documentation Printed Publications Electronic Publications Software Feature Index Intelligent Edge Software Manual Features Page Page Page Page Getting Started Configuration and Operation Examples Protocol Acronyms Command Syntax and Displayed Information copy tftp Command Prompts ProCurve hostname Screen Simulations Displayed Text Sources for More Information www.procurve.com Customer Care Manuals Page Getting Documentation From the Web Online Help Command Line Interface help Figure 1-3.Example of CLI Help Web Browser Interface Figure 1-4.Help for Web Browser Interface IP Addressing Physical Installation Introduction to IPv6 Page Migrating to IPv6 Figure 2-1. Dual-StackProCurve Switches Employed in an IPv4/IPv6 Network IPv6 Propagation Dual-StackOperation Connecting to Devices Supporting IPv6 Over IPv4 Tunneling Adding IPv6 Capability Supported IPv6 Operation in Release K.13.01 Management Features IPv6 Addressing DHCPv6 (Stateful) Address Configuration Static Address Configuration Default IPv6 Gateway Neighbor Discovery (ND) in IPv6 IPv6 Management Features SSHv2 on IPv6 IP Authorized Managers ICMP Rate-Limiting Ping6 Traceroute6 Domain Name System (DNS) Resolution IPv6 Neighbor Discovery (ND) Controls Event Log SNMP Loopback Address Debug/Syslog Enhancements Path MTU (PMTU) Discovery IPv6 Addressing Page IPv6 Address Structure and Format Address Format xxxx : xxxx : xxxx : xxxx : xxxx : xxxx : xxxx : Address Notation Network Prefix Interface (Device) Identifier IPv6 Address Sources General IPv6 Address Types Static Address Configuration Related Information Stateless Address Autoconfiguration (SLAAC) Stateful (DHCPv6) Address Configuration Static Address Configuration Address Types Address Scope Unicast Address Prefixes Multicast Prefix (ff) Autoconfiguring Link-LocalUnicast Addresses Extended Unique Identifier (EUI) Statically Configuring Link-LocalAddresses Stateless Autoconfiguration of a Global Unicast Address Static Configuration of a Global Unicast Address Prefixes in Routable IPv6 Addresses Unique Local Unicast IPv6 Address Anycast Addresses Overview of the Multicast Operation in IPv6 IPv6 Multicast Address Format multicast scope: Bit group identifier: Solicited-NodeMulticast Address Format www.iana.org Loopback Address Preferred and Valid Address Lifetimes N o t e s IPv6 Addressing Configuration Page Feature Default CLI show General Configuration Steps Configuring IPv6 Addressing Enabling IPv6 with an Automatically Configured Link-LocalAddress Default: Disabled show run Notes: Default: Disabled autoconfig Operating Notes Enabling DHCPv6 ipv6 enable [rapid-commit]: Default: Disabled Configuring a Static IPv6 Address on a VLAN Statically Configuring a Link-LocalUnicast Address Statically Configuring A Global Unicast Address Statically Configuring An Anycast Address anycast: Default: None Duplicate Address Detection (DAD) for Statically Configured Addresses Neighbor Discovery (ND) Duplicate Address Detection (DAD) DAD Operation Configuring DAD Page View the Current IPv6 Addressing Configuration IPv6 Routing: Disabled Default Gateway: ND DAD: Address Origin: Autoconfig: DHCP: Manual: IPv6 Address/Prefix Length: Figure 4-1.Example of Show IPv6 Command Output ipv6 nd dad- attempts Page Figure 4-2.Example of Show IPv6 VLAN < vid > Output Syntax: show run Page Router Advertisements Router Solicitations Default IPv6 Router Router Redirection Viewing Gateway and IPv6 Route Information Viewing IPv6 Router Information MTU: Hop Limit: Prefix Advertised: Valid Lifetime: Preferred Lifetime: Preferred Lifetime Valid Lifetime Sources of IPv6 Address Lifetimes Table 4-1.IPv6 Unicast Addresses Lifetimes Address Source Lifetime Criteria Page IPv6 Management Features Viewing and Clearing the IPv6 Neighbors Cache Anycast Addresses Viewing the Neighbor Cache Figure 5-1.Example of Neighbor Cache Without Specifying a VLAN Figure 5-2.Example of Neighbor Cache Content for a Specific VLAN Clearing the Neighbor Cache Outbound Telnet6 to Another Device Viewing the Current Telnet Activity on a Switch Enabling or Disabling Inbound Telnet6 Access Viewing the Current Inbound Telnet6 Configuration Configuring (Enabling or Disabling) the SNTP Mode Configuring an IPv6 Address for an SNTP Server Syntax:. show sntp timep SNTP Mode: SNTP Server Address: Protocol Version: Configuring (Enabling or Disabling) the Timep Mode timep dhcp: Note Timep Mode: Server Address: Poll Interval (min) [720]: show timep ip timep manual TFTP File Transfers over IPv6 Enabling TFTP for IPv6 tftp6 U s a g e N o t e s Using TFTP to Copy Files over IPv6 target autorun-cert-file autorun-key-file command-file pub-key-file startup-config crash-log slot-id master >: Using Auto-TFTPfor IPv6 boot system flash primary reload SNMP Features Supported SNMP Configuration Commands Supported snmp-server Figure 5-8.“show snmp-server”Command Output with IPv6 Address show snmpv3 targetaddress Figure 5-9.“show snmpv3 targetaddress” Command Output with IPv6 Address IP Preserve for IPv6 ip preserve Figure 5-10.Example of How to Enter IP Preserve in a Configuration File dhcp-bootp Page IPv6 Management Security Features IPv6 Management Security Usage Notes Page Configuring Authorized IP Managers for Switch Access Using a Mask to Configure Authorized Management Stations authorized-managers command Figure 6-1.Mask for Configuring a Single Authorized IPv6 Manager Station Configuring Multiple Station Access Figure 6-2.Hexadecimal Mask Values and Binary Equivalents Example 2001:DB8:0000:0000:244:17FF:FEB6:D37D FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC 2001:DB8:0000:0000:244:17FF:FEB6:D37D/64 FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFF FFF8 FFFF:FFFF:FFFF:FFF8 244:17FF:FEB6:D37D Figure 6-8.Binary Equivalents of Authorized Subnet IDs (in Hexadecimal) Displaying an Authorized IP Managers Configuration Figure 6-9.Example of “show ipv6 authorized-managers”Output Figure 6-10.How Masks Determine Authorized IPv6 Manager Addresses Additional Examples of Authorized IPv6 Managers Configuration FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00 operator manager Configuring SSH for IPv6 no ip ssh 4or6 Displaying an SSH Configuration Secure Copy and Secure FTP for IPv6 ip-version ip ssh filetransfer no ip ssh filetransfer Multicast Listener Discovery (MLD) Snooping Overview Introduction to MLD Snooping MLD host multicast router Figure 7-1.Without MLD, multicast traffic is flooded to all ports Figure 7-2.With MLD snooping, traffic is sent to MLD hosts Forwarding in MLD snooping Listeners and joins Queries Leaves Page Enabling or Disabling MLD Snooping on a VLAN Configuring Per-PortMLD Traffic Filters Configuring the Querier Configuring Fast Leave Configuring Forced Fast Leave Current MLD Status Figure 7-5.Continuation of Figure Page Current MLD Configuration Figure 7-7.Example of an MLD Configuration for a Specific VLAN Ports Currently Joined Statistics Figure 7-9.Example of MLD Statistics for All VLANs Configured Figure 7-10.Example of MLD Statistics for a Single VLAN Counters Page Page IPv6 Diagnostic and Troubleshooting ICMP Rate-Limiting error-interval: Range: Default: 10; Range: 1 no ipv6 icmp error-interval Ping for IPv6 (Ping6) link-local-address hostname switch-number [repetitions] [timeout] [data-size] [data-fill] Figure 8-1.Examples of IPv6 Ping Tests Traceroute for IPv6 traceroute ipv6-address minttl: minttl maxttl timeout Figure 8-2.Examples of IPv6 Traceroute Probes DNS Configuration ip-addr 2001:db8::127:10 ■the domain suffix mygroup.procurve.net Viewing the Current Configuration Operating Notes Configuring Debug and Event Log Messaging Debug Command Configuring Debug Destinations Logging Command Page Terminology Page Index Symbols