About configuring multiple station access

As shown in the following table, if a bit in any of the 4-bit binary representations of a hexadecimal value in a mask is "on" (set to 1), the corresponding bit in the IPv6 address of an authorized station must match the "on" or "off" setting of the same bit in the IPv6 address you enter with the ipv6 authorized-managers command.

Conversely, in a mask, a "0" binary bit means that either the "on" or "off" setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address.

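Table 4: Hexadecimal mask values and binary equivalents

| Hexadecimal value in an IPv6 mask | Binary equivalent |
|---|---|
| 0 | 0000 |
| 1 | 0001 |
| 2 | 0010 |
| 3 | 0011 |
| 4 | 0100 |
| 5 | 0101 |
| 6 | 0110 |
| 7 | 0111 |
| 8 | 1000 |
| 9 | 1001 |
| A | 1010 |
| B | 1011 |
| C | 1100 |
| D | 1101 |
| E | 1110 |
| F | 1111 |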

Configuring multiple station access

The following table shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D.

The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.

Table 25679: Mask for configuring a single authorized IPv6 manager station

| | 1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block | Manager- or operator-level access |
|---|---|---|---|---|---|---|---|---|---|
| IPv6 mask | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | The "F" value in the first 124 bits of the mask specifies that only the exact value of each corresponding bit in an authorized IPv6 address is allowed. However, the "C" value in the last four bits of the mask allows four possible combinations (D37C, D37D, D37E, and D37F) in the last block of an authorized IPv6 address. |
| IPv6 address | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37D | |

As shown in the table, if you use a mask of FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC with an IPv6 address, you can authorize four IPv6-based stations to access the switch. In this mask, all bits except the last two are set to 1 ("on"); the binary equivalent of hexadecimal C is 1100.

Table 25679: Mask for configuring a single authorized IPv6 manager station

| | 1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block |
|---|---|---|---|---|---|---|---|---|
| IPv6 mask | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF |
| IPv6 address entered with the ipv6 authorized-managers command | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37D |
| Other authorized IPv6 addresses | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37C |
| | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37E |
| | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37F |


Table 8: How a mask determines four authorized IPv6 manager addresses

Last block in mask: FFFC

Last block in IPv6 address: D37D

| Bit numbers | Bits 15-12 | Bits 11-8 | Bits 7-4 | Bits 3-0 |
|---|---|---|---|---|
| Bit value | F | F | F | C |
| FFFC: Last block in mask | 1111 | 1111 | 1111 | 1100 |
| D37D: Last block in IPv6 address | 1101 | 0011 | 0111 | 1101 |

Bit setting: 1 = On, 0 = Off

Therefore, this mask requires the first corresponding 126 bits in an authorized IPv6 address to be the same as in the specified IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37C. However, the last 2 bits are set to 0 ("off") and allow the corresponding bits in an authorized IPv6 address to be either "on" or "off". As a result, only four IPv6 addresses are allowed access.


The table above shows an example in which a mask is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D/64. The specified mask FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFF configures eight management stations as authorized IP manager stations.

In this example, the IPv6 mask is applied as follows:

  • Eight management stations in different subnets are authorized by the value of the fourth block (FFF8) in the 64-bit prefix ID (FFFF:FFFF:FFFF:FFF8) of the mask. (The fourth block of the prefix ID is often used to define subnets in an IPv6 network.)

    The binary equivalent of FFF8 that is used to specify valid subnet IDs in the IPv6 addresses of authorized stations is 1111 1111 1111 1000.

    The three "off" bits (1000) in the last part of this block (FFF8) of the mask allow for eight possible authorized IPv6 stations:

      2001:DB8:0000:0000:244:17FF:FEB6:D37D
      2001:DB8:0000:0001:244:17FF:FEB6:D37D
      2001:DB8:0000:0002:244:17FF:FEB6:D37D
      2001:DB8:0000:0003:244:17FF:FEB6:D37D
      2001:DB8:0000:0004:244:17FF:FEB6:D37D
      2001:DB8:0000:0005:244:17FF:FEB6:D37D
      2001:DB8:0000:0006:244:17FF:FEB6:D37D
      2001:DB8:0000:0007:244:17FF:FEB6:D37D

  • Each authorized station has the same 64-bit device ID (244:17FF:FEB6:D37D), because the value of the last four blocks in the mask is FFFF (binary value 1111 1111).

FFFF requires all bits in each corresponding block of an authorized IPv6 address to have the same "on" or "off" setting as the device ID in the specified IPv6 address. In this case, each bit in the device ID (last four blocks) in an authorized IPv6 address is fixed and can be only one value: 244:17FF:FEB6:D37D.

Table 10: Mask for configuring authorized IPv6 Manager stations in different subnets

| | 1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block | Manager- or operator-level access |
|---|---|---|---|---|---|---|---|---|---|
| IPv6 mask | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | FFFF | In this example, the IPv6 mask allows up to four stations in different subnets to access the switch. This authorized IP manager configuration is useful if only management stations are specified by the authorized IPv6 addresses. For how the bitmap of the IPv6 mask determines authorized IP manager stations, see "Example of How an ACL Filters Packets". |
| IPv6 address | 2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37D | |

This table shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside.

Table 11: How a mask determines authorized IPv6 manager addresses by subnet

Fourth block in mask: FFF8

Fourth block in prefix ID of IPv6 address: 0000

| Bit numbers | Bits 15-12 | Bits 11-8 | Bits 7-4 | Bits 3-0 |
|---|---|---|---|---|
| Bit value | F | F | F | 8 |
| FFF8: Fourth block in mask | 1111 | 1111 | 1111 | 1000 |
| 0000: Fourth block in prefix ID of IPv6 address | 0000 | 0000 | 0000 | 0000 |

Bit setting: 1 = On, 0 = Off

FFF8 in the fourth block of the mask means that bits 3 to 15 of the block are fixed and, in an authorized IPv6 address, must correspond to the "on" and "off" settings shown for the binary equivalent 0000 in the fourth block of the IPv6 address. Conversely, bits 0 to 2 are variable and, in an authorized IPv6 address, may be either "on" (1) or "off" (0).

As a result, assuming that the seventh and eighth bytes (fourth hexadecimal block) of an IPv6 address are used as the subnet ID, only the following binary expressions and hexadecimal subnet IDs are supported in this authorized IPv6 manager configuration:

Table 12: Binary equivalents of authorized subnet IDs (in hexadecimal)

| Authorized subnet ID in fourth hexadecimal block of IPv6 address | Binary equivalent |
|---|---|
| 0000 | 0000 0000 |
| 0001 | 0000 0001 |
| 0002 | 0000 0010 |
| 0003 | 0000 0011 |
| 0004 | 0000 0100 |
| 0005 | 0000 0101 |
| 0006 | 0000 0110 |
| 0007 | 0000 0111 |
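
The matching rule described on this page, worked through as an added example (not vendor code): a station is authorized when its address equals the configured address on every bit where the mask is 1, so each 0 bit in the mask doubles the number of authorized stations. The function names are assumptions made for this illustration; the address and the two masks are the ones used in the text.

```python
import ipaddress
from itertools import product

# Values taken from the examples on this page.
ADDR = "2001:DB8:0000:0000:244:17FF:FEB6:D37D"
MASK_LAST_BLOCK = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC"
MASK_SUBNET = "FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFF"


def to_int(text):
    """Parse an IPv6 address or mask into a 128-bit integer."""
    return int(ipaddress.IPv6Address(text))


def authorized_count(mask):
    """Each 0 bit in the mask doubles the number of authorized stations."""
    return 2 ** (128 - bin(to_int(mask)).count("1"))


def is_authorized(candidate, configured, mask):
    """True if candidate equals configured on every bit set to 1 in mask."""
    m = to_int(mask)
    return (to_int(candidate) & m) == (to_int(configured) & m)


def authorized_addresses(configured, mask, limit=4096):
    """List every address that the configured address and mask authorize."""
    if authorized_count(mask) > limit:
        raise ValueError("mask authorizes more addresses than limit")
    m = to_int(mask)
    base = to_int(configured) & m
    # Positions (0 = least significant) where the mask leaves the bit free.
    free_bits = [bit for bit in range(128) if not (m >> bit) & 1]
    found = []
    for combo in product((0, 1), repeat=len(free_bits)):
        value = base
        for bit, on in zip(free_bits, combo):
            value |= on << bit
        found.append(ipaddress.IPv6Address(value))
    return sorted(found)


if __name__ == "__main__":
    for mask in (MASK_LAST_BLOCK, MASK_SUBNET):
        print(mask, "authorizes", authorized_count(mask), "stations:")
        for address in authorized_addresses(ADDR, mask):
            print("   ", address.exploded.upper())
```

Running `authorized_count` over every mask in a switch configuration is a quick way to audit how many source addresses each authorized-manager entry actually admits.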