369
Figure 114 Network diagram
Configuration procedure
1. Configure ND snooping:
# In VLAN 2, enable ND snooping.
<Device> system-view
[Device] vlan 2
[Device-vlan2] ipv6 nd snooping enable
[Device-vlan2] quit
2. Configure the IPv6 source guard feature:
# Configure the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on both the
source IP address and MAC address.
[Device] interface ethernet 1/0/1
[Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-Ethernet1/0/1] quit
Verifying the configuration
# Display the IPv6 source guard binding entries generated on Ethernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
MAC Address IP Address VLAN Interface Type
040a-0000-0001 2001::1 2 Eth1/0/1 ND-SNP
# Display all ND snooping entries.
[Device] display ipv6 nd snooping
IPv6 Address MAC Address VID Interface Aging Status
2001::1 040a-0000-0001 2 Eth1/0/1 25 Bound
---- Total entries: 1 ----
The output shows that a dynamic IPv6 source guard binding entry has generated on Ethernet 1/0/1
based on the ND snooping entry.
Global static IP source guard configuration example
Network requirements
As shown in Figure 115 , Device A is a distribution layer device. Device B is an access device. Host A in
VLAN 10 and Host B in VLAN 20 communicate with each other through Device A.
• Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A
and Host B.
• Configure Device B to forward packets of Host A and Host B correctly.
To Next Page
Loading...
Need help?
General