About configuring multiple station access
As shown in the following table, if a bit in any of the 4-bit binary representations of a hexadecimal value in a mask is "on" (set to 1), the corresponding bit in the IPv6 address of an authorized station must match the "on" or "off" setting of the same bit in the IPv6 address you enter with the ipv6 authorized-managers command.
Conversely, in a mask, a "0" binary bit means that either the "on" or "off" setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address.
| Hexadecimal value in an IPv6 mask | Binary equivalent |
|---|---|
| 0 | 0000 |
| 1 | 0001 |
| 2 | 0010 |
| 3 | 0011 |
| 4 | 0100 |
| 5 | 0101 |
| 6 | 0110 |
| 7 | 0111 |
| 8 | 1000 |
| 9 | 1001 |
| A | 1010 |
| B | 1011 |
| C | 1100 |
| D | 1101 |
| E | 1110 |
| F | 1111 |
Configuring multiple station access
The following table shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.
| | 1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block | Manager- or operator-level access |
|---|---|---|---|---|---|---|---|---|---|
| IPv6 mask | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | The "F" value in the first 124 bits of the mask specifies that only the exact value of each corresponding bit in an authorized IPv6 address is allowed. However, the "C" value in the last four bits of the mask allows four possible combinations (D37C, D37D, D37E, and D37F) in the last block of an authorized IPv6 address. |
| IPv6 address | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37D | |
As shown in the table, if you use a mask of FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC with an IPv6 address, you can authorize four IPv6-based stations to access the switch. In this mask, all bits except the last two are set to 1 ("on"); the binary equivalent of hexadecimal C is 1100.
| | 1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block |
|---|---|---|---|---|---|---|---|---|
| IPv6 mask | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF |
| IPv6 address entered with the ipv6 authorized-managers command | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37D |
| Other authorized IPv6 addresses | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37C |
| | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37E |
| | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37F |
Last block in mask: FFFC
Last block in IPv6 address: D37D

| Bit numbers | Bit 15 | Bit 14 | Bit 13 | Bit 12 | Bit 11 | Bit 10 | Bit 9 | Bit 8 | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Bit value | F | | | | F | | | | F | | | | C | | | |
| FFFC: Last block in mask | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 |
| D37D: Last block in IPv6 address | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 0 | 1 |

Bit setting: 1 = On, 0 = Off
Therefore, this mask requires the first corresponding 126 bits in an authorized IPv6 address to be the same as in the specified IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37C. However, the last 2 bits are set to 0 ("off") and allow the corresponding bits in an authorized IPv6 address to be either "on" or "off". As a result, only four IPv6 addresses are allowed access.
The table above shows an example in which a mask is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D/64. The specified mask FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFF configures eight management stations as authorized IP manager stations.
In this example, the IPv6 mask is applied as follows:
- Eight management stations in different subnets are authorized by the value of the fourth block (FFF8) in the 64-bit prefix ID (FFFF:FFFF:FFFF:FFF8) of the mask. (The fourth block of the prefix ID is often used to define subnets in an IPv6 network.) The binary equivalent of FFF8 that is used to specify valid subnet IDs in the IPv6 addresses of authorized stations is 1111 1111 1111 1000. The three "off" bits (1000) in the last part of this block (FFF8) of the mask allow for eight possible authorized IPv6 stations:
  - 2001:DB8:0000:0000:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0001:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0002:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0003:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0004:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0005:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0006:244:17FF:FEB6:D37D
  - 2001:DB8:0000:0007:244:17FF:FEB6:D37D
- Each authorized station has the same 64-bit device ID (244:17FF:FEB6:D37D), because the value of the last four blocks in the mask is FFFF (binary value 1111 1111). FFFF requires all bits in each corresponding block of an authorized IPv6 address to have the same "on" or "off" setting as the device ID in the specified IPv6 address. In this case, each bit in the device ID (last four blocks) in an authorized IPv6 address is fixed and can be only one value: 244:17FF:FEB6:D37D.
| | 1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block | Manager- or operator-level access |
|---|---|---|---|---|---|---|---|---|---|
| IPv6 mask | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | In this example, the IPv6 mask allows up to four stations in different subnets to access the switch. This authorized IP manager configuration is useful if only management stations are specified by the authorized IPv6 addresses. For how the bitmap of the IPv6 mask determines authorized IP manager stations, see Example of How an ACL Filters Packets. |
| IPv6 address | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37D | |
This table shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside.
Fourth block in mask: FFF8
Fourth block in prefix ID of IPv6 address: 0000

| Bit numbers | Bit 15 | Bit 14 | Bit 13 | Bit 12 | Bit 11 | Bit 10 | Bit 9 | Bit 8 | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Bit value | F | | | | F | | | | F | | | | 8 | | | |
| FFF8: Fourth block in mask | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 0 |
| 0000: Fourth block in prefix ID of IPv6 address | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Bit setting: 1 = On, 0 = Off
FFF8 in the fourth block of the mask means that bits 3 to 15 of the block are fixed and, in an authorized IPv6 address, must correspond to the "on" and "off" settings shown for the binary equivalent 0000 in the fourth block of the IPv6 address. Conversely, bits 0 to 2 are variable and, in an authorized IPv6 address, may be either "on" (1) or "off" (0).
As a result, assuming that the seventh and eighth bytes (fourth hexadecimal block) of an IPv6 address are used as the subnet ID, only the following binary expressions and hexadecimal subnet IDs are supported in this authorized IPv6 manager configuration:
| Authorized subnet ID in fourth hexadecimal block of IPv6 address | Binary equivalent |
|---|---|
| 0000 | 0000 0000 |
| 0001 | 0000 0001 |
| 0002 | 0000 0010 |
| 0003 | 0000 0011 |
| 0004 | 0000 0100 |
| 0005 | 0000 0101 |
| 0006 | 0000 0110 |
| 0007 | 0000 0111 |
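The matching rule used in both examples above (the FFFC last-block mask and the FFF8 subnet mask) can be checked before an entry is configured. The following Python sketch is an added example, not switch code or vendor tooling; the function names `is_authorized`, `admitted_count` and `authorized_stations` are hypothetical, and the addresses and masks are the ones quoted on this page.

```python
import ipaddress
from itertools import product

# Values taken from the examples on this page.
ENTRY = "2001:DB8:0000:0000:244:17FF:FEB6:D37D"
MASK_LAST_BLOCK = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC"
MASK_SUBNET = "FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFF"

def _bits(text):
    # Masks use the same colon-hex notation as addresses, so both parse as IPv6.
    return int(ipaddress.IPv6Address(text))

def is_authorized(station, entry, mask):
    """True if station equals entry on every bit that is 1 ("on") in mask."""
    m = _bits(mask)
    return (_bits(station) & m) == (_bits(entry) & m)

def admitted_count(mask):
    """Each 0 ("off") mask bit doubles the number of admitted addresses."""
    return 2 ** bin(_bits(mask) ^ (2**128 - 1)).count("1")

def authorized_stations(entry, mask, limit=256):
    """Enumerate every address the (entry, mask) pair admits, lowest first."""
    if admitted_count(mask) > limit:
        raise ValueError(f"mask admits {admitted_count(mask)} addresses")
    m = _bits(mask)
    fixed = _bits(entry) & m
    free = [1 << i for i in range(128) if not (m >> i) & 1]
    values = sorted(fixed | sum(bit for bit, on in zip(free, choice) if on)
                    for choice in product((0, 1), repeat=len(free)))
    return [str(ipaddress.IPv6Address(v)) for v in values]

if __name__ == "__main__":
    for mask in (MASK_LAST_BLOCK, MASK_SUBNET):
        print(mask, "admits", admitted_count(mask))
        for addr in authorized_stations(ENTRY, mask):
            print("   ", addr)
    # A station outside the masked range is rejected.
    print(is_authorized("2001:DB8::244:17FF:FEB6:D380", ENTRY, MASK_LAST_BLOCK))
```

Running `admitted_count` on a proposed mask before applying it shows how many source addresses the entry opens management access to, which makes an accidental extra "off" bit visible.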