Configuring IPv6 source guard on an interface
The IPv6 source guard feature must be configured on an interface before the interface can obtain dynamic IPv6 source guard binding entries and use static and dynamic IPv6 source guard binding entries to filter packets.
For how to configure a static IPv6 static binding entry, see "Configuring a static IPv6 source guard binding entry."
Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard binding entries based on the DHCPv6 snooping entries that are generated during dynamic IP address allocation.
Cooperating with ND snooping, IP source guard dynamically generates IP source guard binding entries based on dynamic ND snooping entries.
Dynamic IPv6 source guard binding entries can contain such information as the MAC address, IPv6 address, VLAN tag, ingress port information and entry type (DHCPv6 snooping or ND snooping), where the MAC address, IPv6 address, and/or VLAN tag information might not be included depending on your configuration. IP source guard applies these entries to the interface, so that the interface can filter packets accordingly.
Follow these guidelines when you configure IPv6 source guard:
If you configure the IPv6 source guard feature multiple times, only the most recent configuration takes effect.
To obtain dynamic IPv6 source guard binding entries, make sure that DHCPv6 snooping or ND snooping is configured and operating correctly. For DHCPv6 and ND snooping configuration information, see Layer 3—IP Services Configuration Guide.
If you configure both ND snooping and DHCPv6 snooping on the device, IPv6 source guard uses the type of entries that generated first. Because DHCPv6 snooping entries are usually generated first in such a case, IPv6 source guard usually uses the DHCPv6 snooping entries to filter packets on an interface.
To configure the IPv6 source guard feature on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view or port group view. | interface interface-type interface-number | N/A |
3. Configure the IPv6 source guard feature on the interface. | ipv6 verify source { ipv6-address | ipv6-address mac-address | mac-address } | Not configured by default. The keyword specified in the ipv6 verify source command is only for instructing the generation of dynamic IPv6 source guard binding entries. It does not affect static binding entries. When using a static binding entry, an interface does not consider the keyword into consideration. |
NOTE: Although dynamic IPv6 source guard binding entries are generated based on DHCPv6 entries, the number of dynamic IPv6 source guard binding entries is not necessarily the same as that of the DHCPv6 entries. | ||