Dynamic IPv6 source guard using DHCPv6 snooping configuration example

Network requirements

As shown in Figure 102, enable DHCPv6 and DHCPv6 snooping on the device. The host obtains an IPv6 address through the DHCPv6 server, and the IPv6 address and MAC address of the host are recorded in a DHCPv6 snooping entry.

Enable the IPv6 source guard feature on port Ethernet 1/0/1 of the device to filter packets based on DHCPv6 snooping entries, so that only packets from a client that obtained its IP address through the DHCP server are allowed to pass.

Figure 102: Network diagram

Configuration procedure

  • Configure DHCPv6 snooping:

    # Enable DHCPv6 snooping globally.

    <Device> system-view
    [Device] ipv6 dhcp snooping enable
    

    # Enable DHCPv6 snooping in VLAN 2.

    [Device] vlan 2
    [Device-vlan2] ipv6 dhcp snooping vlan enable
    [Device-vlan2] quit
    

    # Configure the port connecting to the DHCP server as a trusted port.

    [Device] interface ethernet 1/0/2
    [Device-Ethernet1/0/2] ipv6 dhcp snooping trust
    [Device-Ethernet1/0/2] quit
    
  • Configure the IPv6 source guard feature:

    # Configure the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.

    [Device] interface ethernet 1/0/1
    [Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
    [Device-Ethernet1/0/1] quit
    

Verifying the configuration

    # Display the dynamic IPv6 source guard binding entries generated on Ethernet 1/0/1.

    [Device] display ipv6 source binding
    Total entries found: 1
     MAC Address          IP Address        VLAN   Interface       Type
     040a-0000-0001       2001::1           2      Eth1/0/1         DHCPv6-SNP
    

    # Display all DHCPv6 snooping entries.

    [Device] display ipv6 dhcp snooping user-binding dynamic
    IP Address                     MAC Address    Lease      VLAN Interface
    ============================== ============== ========== ==== ==================
    2001::1                        040a-0000-0001 286        2    Ethernet1/0/1
    ---   1 DHCPv6 snooping item(s) found   ---
    

    The output shows that a dynamic IPv6 source guard binding entry has been generated on Ethernet 1/0/1 based on the DHCPv6 snooping entry.
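The same verification can be done mechanically when there are many entries. The following Python script is an added example, not part of the vendor documentation: it parses the two command outputs shown above and reports any binding present in one table but missing from the other. The function names are hypothetical, and it assumes the column layouts shown on this page and that `Eth1/0/1` is the abbreviated form of `Ethernet1/0/1`.

```python
import ipaddress
import re

# Constructed sample input: the two command outputs from this page, saved as text.
SOURCE_BINDING = """\
Total entries found: 1
 MAC Address          IP Address        VLAN   Interface       Type
 040a-0000-0001       2001::1           2      Eth1/0/1         DHCPv6-SNP
"""
SNOOPING = """\
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ==================
2001::1                        040a-0000-0001 286        2    Ethernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
"""
MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}", re.I)

def _key(ip, mac, vlan, intf):
    """Normalize one entry so both outputs compare equal field by field."""
    intf = re.sub(r"^Eth(?=\d)", "Ethernet", intf)  # assumed abbreviation
    return (str(ipaddress.ip_address(ip)), mac.lower(), int(vlan), intf)

def parse_source_bindings(text):
    """Entries of type DHCPv6-SNP from 'display ipv6 source binding'."""
    out = set()
    for f in map(str.split, text.splitlines()):
        if len(f) == 5 and MAC_RE.fullmatch(f[0]) and f[4] == "DHCPv6-SNP":
            out.add(_key(f[1], f[0], f[2], f[3]))
    return out

def parse_snooping(text):
    """Entries from 'display ipv6 dhcp snooping user-binding dynamic'."""
    out = set()
    for f in map(str.split, text.splitlines()):
        if len(f) == 5 and MAC_RE.fullmatch(f[1]):
            out.add(_key(f[0], f[1], f[3], f[4]))
    return out

def compare(source_text, snooping_text):
    """Report bindings present in one table but not the other."""
    sg, snp = parse_source_bindings(source_text), parse_snooping(snooping_text)
    return {"no_source_guard_binding": snp - sg, "no_snooping_entry": sg - snp}

if __name__ == "__main__":
    print(compare(SOURCE_BINDING, SNOOPING))
```

Both sets are empty for the output shown on this page. A non-empty `no_source_guard_binding` set means a client holds a lease but its traffic has no matching source guard binding on the port.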