366
Figure 115 Network diagram
Configuration procedure
1. Configure ND snooping:
# In VLAN 2, enable ND snooping.
<Device> system-view
[Device] vlan 2
[Device-vlan2] ipv6 nd snooping enable
[Device-vlan2] quit
2. Configure the IPv6 source guard function:
# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on
both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display the IPv6 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
MAC Address IP Address VLAN Interface Type
040a-0000-0001 2001::1 2 GE1/0/1 ND-SNP
# Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source
guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 nd snooping
IPv6 Address MAC Address VID Interface Aging Status
2001::1 040a-0000-0001 2 GE1/0/1 25 Bound
---- Total entries: 1 ----
The output shows that a dynamic IPv6 source guard entry has generated on port GigabitEthernet 1/0/1
based on the ND snooping entry.
Global static IP source guard configuration example
Network requirements
As shown in Figure 116, Device A is a distribution layer device. Device B is an access device. Host A in
VLAN 10 and Host B in VLAN 20 communicate with each other through Device A.
• Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A
and Host B.
• Configure Device B to forward packets of Host A and Host B normally.
To Next Page
Loading...
