Dynamic IPv6 source guard using DHCPv6 snooping configuration example
Network requirements
As shown in Figure 102, enable DHCPv6 and DHCPv6 snooping on the device. The host can obtain an IPv6 address through the DHCPv6 server, and the IPv6 address and the MAC address of the host can be recorded in a DHCPv6 snooping entry.
Enable the IPv6 source guard feature on the device's port Ethernet 1/0/1 to filter packets based on DHCPv6 snooping entries, so that only packets from a client that obtains its IPv6 address through the DHCPv6 server are allowed to pass.
Figure 102: Network diagram
Configuration procedure
Configure DHCPv6 snooping:
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit
# Configure the port connecting to the DHCP server as a trusted port.
[Device] interface ethernet 1/0/2
[Device-Ethernet1/0/2] ipv6 dhcp snooping trust
[Device-Ethernet1/0/2] quit
Configure the IPv6 source guard feature:
# Configure the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface ethernet 1/0/1
[Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-Ethernet1/0/1] quit
Verifying the configuration
# Display the dynamic IPv6 source guard binding entries generated on Ethernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
 MAC Address       IP Address        VLAN   Interface    Type
 040a-0000-0001    2001::1           2      Eth1/0/1     DHCPv6-SNP
# Display all DHCPv6 snooping entries.
[Device] display ipv6 dhcp snooping user-binding dynamic
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ==================
2001::1                        040a-0000-0001 286        2    Ethernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
The output shows that a dynamic IPv6 source guard binding entry has been generated on Ethernet 1/0/1 based on the DHCPv6 snooping entry.
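The manual comparison in the verification step can be automated. The following is an added example, not part of the original documentation: it parses the two display outputs shown above and reports any DHCPv6-SNP source guard binding that has no matching snooping entry, and any snooping entry that has no binding. The function names are hypothetical, and treating "Eth" as the short form of "Ethernet" is an assumption taken from the output above.

```python
import ipaddress
import re

# Output of the two display commands, copied from the verification step above.
SOURCE_BINDING = """\
Total entries found: 1
 MAC Address       IP Address        VLAN   Interface    Type
 040a-0000-0001    2001::1           2      Eth1/0/1     DHCPv6-SNP
"""
SNOOPING = """\
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ==================
2001::1                        040a-0000-0001 286        2    Ethernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
"""
MAC = re.compile(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}")

def _rows(text, mac_col, ncols):
    """Yield the fields of data rows; headers, rulers and totals are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == ncols and MAC.fullmatch(fields[mac_col]):
            yield fields

def _key(mac, ip, vlan, ifname):
    # Normalise each column so both tables compare equal: lower-case MAC,
    # canonical IPv6 form, and "Eth1/0/1" expanded to "Ethernet1/0/1"
    # (assumption: "Eth" is the abbreviated interface name).
    ifname = re.sub(r"^Eth(?=\d)", "Ethernet", ifname)
    return (mac.lower(), ipaddress.IPv6Address(ip), int(vlan), ifname)

def audit(source_text, snooping_text):
    """Return (unbacked, missing) after comparing the two tables."""
    dynamic = {_key(mac, ip, vlan, ifn)
               for mac, ip, vlan, ifn, typ in _rows(source_text, 0, 5)
               if typ == "DHCPv6-SNP"}
    snooped = {_key(mac, ip, vlan, ifn)
               for ip, mac, _lease, vlan, ifn in _rows(snooping_text, 1, 5)}
    # unbacked: a filter entry that no recorded DHCPv6 lease explains.
    # missing: a lease with no binding; expected only on ports where
    # "ipv6 verify source" is not configured.
    unbacked = sorted(dynamic - snooped, key=str)
    missing = sorted(snooped - dynamic, key=str)
    return unbacked, missing

if __name__ == "__main__":
    unbacked, missing = audit(SOURCE_BINDING, SNOOPING)
    print("unbacked bindings:", unbacked)
    print("leases without binding:", missing)
```

For the output shown in this example both lists are empty, which matches the statement that the binding on Ethernet 1/0/1 was generated from the DHCPv6 snooping entry.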