Multiple station access configuration

To authorize multiple stations to access the switch without having to re-enter the ipv6 authorized-managers command for each station, carefully select the IPv6 address of an authorized IPv6 manager and an associated mask to authorize a range of IPv6 addresses.

If a bit in any of the 4-bit binary representations of a hexadecimal value in a mask is "on" (set to 1), the corresponding bit in the IPv6 address of an authorized station must match the "on" or "off" setting of the same bit in the IPv6 address you enter with the ipv6 authorized-managers command. Conversely, in a mask, a "0" binary bit means that either the "on" or "off" setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address.

The table shows the binary expressions represented by individual hexadecimal values in an ipv6-mask parameter.
Table 2: Hexadecimal mask values and binary equivalents

Hexadecimal value in an IPv6 mask

Binary equivalent

0

0000

1

0001

2

0010

3

0011

4

0100

5

0101

6

0110

7

0111

8

1000

9

1001

A

1010

B

1011

C

1100

D

1101

E

1110

F

1111

The table below shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D.

The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.
Table 13: Mask for configuring a single authorized IPv6 manager station
 

1st block

2nd block

3rd block

4th block

5th block

6th block

7th block

8th block

Manager- or Operator-level access

IPv6 mask

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

The "F" value in the first 124 bits of the mask specifies that only the exact value of each corresponding bit in an authorized IPv6 address is allowed. However, the "C" value in the last four bits of the mask allows four possible combinations (D37C, D37D, D37E, and D37F) in the last block of an authorized IPv6 address.

IPv6 address

2001

DB8

0000

0000

244

17FF

FEB6

D37D

Table 4: How a mask determines four authorized IPv6 manager addresses (example)

Last block in mask: FFFC

Last block in IPv6 address: D37D

Bit numbers

Bit 15

Bit 14

 

Bit 13

Bit 12

Bit 11

Bit 10

 

Bit 9

Bit 8

Bit 7

Bit 6

 

Bit 5

Bit 4

Bit 3

Bit 2

 

Bit 1

Bit 0

Bit value

   

F

       

F

       

F

       

C

   

FFFC: Last block in mask

1

1

 

1

1

1

1

 

1

1

1

1

 

1

1

1

1

 

0

0

D37D: Last block in IPv6 address

1

1

 

0

1

0

0

 

1

1

0

1

 

1

1

1

1

 

0

1

Bit setting:

1 = On

 

0 = Off

Therefore, this mask requires the first corresponding 126 bits in an authorized IPv6 address to be the same as in the specified IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37C. However, the last 2 bits are set to 0 ("off") and allow the corresponding bits in an authorized IPv6 address to be either "on" or "off".

Table 5: How hexadecimal C in a mask authorizes four IPv6 manager addresses (example)
 

1st block

2nd block

3rd block

4th block

5th block

6th block

7th block

8th block

IPv6 mask

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFFC

IPv6 address entered with the ipv6 authorized-managers command

2001

DB8

0000

0000

244

17FF

FEB6

D37D

Other authorized IPv6 addresses

2001

DB8

0000

0000

244

17FF

FEB6

D37C

2001

DB8

0000

0000

244

17FF

FEB6

D37E

2001

DB8

0000

0000

244

17FF

FEB6

D37F

In this example, the IPv6 mask is applied as follows:
  • Eight management stations in different subnets are authorized by the value of the fourth block (FFF8) in the 64-bit prefix ID (FFFF:FFFF:FFFF:FFF8) of the mask. (The fourth block of the prefix ID is often used to define subnets in an IPv6 network.)The binary equivalent of FFF8 that is used to specify valid subnet IDs in the IPv6 addresses of authorized stations is 1111 1111 1111 1000.The three "off" bits (1000) in the last part of this block (FFF8) of the mask allow for eight possible authorized IPv6 stations: 2001:DB8:0000:0000:244:17FF:FEB6:D37D2001:DB8:0000:0001:244:17FF:FEB6:D37D 2001:DB8:0000:0002:244:17FF:FEB6:D37D2001:DB8:0000:0003:244:17FF:FEB6:D37D2001:DB8:0000:0004:244:17FF:FEB6:D37D2001:DB8:0000:0005:244:17FF:FEB6:D37D2001:DB8:0000:0006:244:17FF:FEB6:D37D2001:DB8:0000:0007:244:17FF:FEB6:D37D

  • Each authorized station has the same 64-bit device ID (244:17FF:FEB6:D37D), because the value of the last four blocks in the mask is FFFF (binary value 1111 1111).FFFF requires all bits in each corresponding block of an authorized IPv6 address to have the same "on" or "off" setting as the device ID in the specified IPv6 address. In this case, each bit in the device ID (last four blocks) in an authorized IPv6 address is fixed and can be only one value: 244:17FF:FEB6:D37D.

Table 6: Mask for configuring Authorized IPv6 Manager stations in different subnets
 

1st block

2nd block

3rd block

4th block

5th block

6th block

7th block

8th block

Manager- or Operator-level access

IPv6 mask

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

FFFF

In this example, the IPv6 mask allows up to four stations in different subnets to access the switch. This authorized IP manager configuration is useful if only management stations are specified by the authorized IPv6 addresses.

IPv6 address

2001

DB8

0000

0000

244

17FF

FEB6

D37D

The table below shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside.

Table 7: How a mask determines authorized IPv6 manager addresses by subnet

Fourth block in mask: FFF8

Fourth Block in Prefix ID of IPv6 Address: 0000

Bit numbers

Bit 15

Bit 14

 

Bit 13

Bit 12

Bit 11

Bit 10

 

Bit 9

Bit 8

Bit 7

Bit 6

 

Bit 5

Bit 4

Bit 3

Bit 2

 

Bit 1

Bit 0

Bit value

   

F

       

F

       

F

       

8

   

FFFC: Last block in mask

1

1

1

1

1

1

1

1

1

1

1

1

1

0

0

0

D37D:Last block in IPv6 address

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Bit setting: 1=On; 0=Off.