376
• Enable DHCPv6 snooping and leave the interface connected to the gateway as its default status
(non-trusted port) so that the hosts cannot obtain IP addresses through DHCPv6. For more
information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
Packet check principles
Switch B checks ND protocol packets against ND snooping entries and static binding entries; and checks
the IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries)
applied on the interfaces connected to the hosts and against static binding entries. The items to be
examined include MAC address, IPv6 address, VLAN information, and ingress port.
Configuration procedure
# Enable SAVI.
<SwitchB> system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Assign Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 to VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] port ethernet 1/0/1 ethernet 1/0/2 ethernet 1/0/3
[SwitchB-vlan10] quit
# Enable global unicast address ND snooping and link-local address ND snooping.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable
# Enable ND detection.
[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp snooping enable
# Configure uplink port Ethernet 1/0/3 as an ND trusted port.
[SwitchB] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] ipv6 nd detection trust
[SwitchB-Ethernet1/0/3] quit
# Configure the dynamic IPv6 source guard binding function on downlink ports Ethernet 1/0/1 and
Ethernet 1/0/2.
[SwitchB] interface ethernet 1/0/1
[SwitchB-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] ipv6 verify source ipv6-address mac-address
[SwitchB-Ethernet1/0/2] quit
To Next Page
Loading...
Need help?
General