Overview IPv6 Source Guard

The IPv6 Source Guard function is one packet filter function and can filter and control the packets forwarded by the port, preventing the invalid packets from passing the port and improving the port security. The function can be divided to two kinds:

The port IPv6 Source Guard function filters the IPv6 packets received by the specified port. The filter mode includes IP, IP+MAC, and MAC. The specific processing modes are as follows:

• IP mode: If the source IPv6 address and VLAN ID in the packet are the same as the IPv6 address and VLAN ID recorded in the bound entries, the port forwards the packet. Otherwise, drop it.
• IP+MAC+VLAN mode: If the source IPv6 address, source MAC address, and VLAN ID in the packet are the same as the IPv6 address, MAC address and VLAN ID recorded in the bound entries, the port forwards the packet. Otherwise, drop the packet.
• MAC+VLAN mode: If the source MAC address, and VLAN ID in the packet are the same as the MAC address and VLAN ID recorded in the bound entries, the port forwards the packet. Otherwise, drop the packet.

The setting of the filter type takes effect only for the dynamic binding entry, not affecting the static binding entry.

The bound entries of the port IPv6 Source Guard include two kinds:

• Static bound entries, manual configured port IPv6 Source Guard static bound entries
• Dynamic bound entries, dynamically generated by the valid entries of the DHCPv6 Snooping function.

Global IPv6 Source Guard function filters the packets received by all ports. The specific filter modes are as follows:

• If the source IPv6 address or MAC address in the IPv6 packet is different from the IPv6 address or source MAC address in the global IPv6 Source Guard bound entries, but the source MAC address is different, drop the packet.