Dynamic IPv6 source guard using ND snooping configuration example

Network requirements

As shown in Figure 103, enable ND snooping on the device so that it builds ND snooping entries by listening to DAD NS messages.

Enable the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on the ND snooping entries, so that only packets with a legitimately obtained IPv6 address can pass.

Figure 103: Network diagram

Configuration procedure

  • Configure ND snooping:

    # In VLAN 2, enable ND snooping.

    <Device> system-view
    [Device] vlan 2
    [Device-vlan2] ipv6 nd snooping enable
    [Device-vlan2] quit
    
  • Configure the IPv6 source guard feature:

    # Configure the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.

    [Device] interface ethernet 1/0/1
    [Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
    [Device-Ethernet1/0/1] quit
    

Verifying the configuration

# Display the IPv6 source guard binding entries generated on Ethernet 1/0/1.

    [Device] display ipv6 source binding
    Total entries found: 1
     MAC Address          IP Address        VLAN   Interface       Type
     040a-0000-0001       2001::1           2      Eth1/0/1         ND-SNP
    

# Display all ND snooping entries.

    [Device] display ipv6 nd snooping
    IPv6 Address                   MAC Address     VID  Interface      Aging Status
    2001::1                        040a-0000-0001  2    Eth1/0/1        25     Bound
    ---- Total entries: 1 ----
    

The output shows that a dynamic IPv6 source guard binding entry has been generated on Ethernet 1/0/1 based on the ND snooping entry.
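The following added example (not part of the original document or the vendor's software) parses the `display ipv6 source binding` output shown above and applies a simplified model of the `ipv6 verify source ipv6-address mac-address` decision, so an auditor can check offline which source address and MAC pairs a port would accept. The function names are hypothetical, and matching on VLAN as well as interface is an assumption of this model.

```python
import ipaddress
import re

# Constructed sample: the "display ipv6 source binding" output from this page.
SAMPLE_OUTPUT = """\
Total entries found: 1
 MAC Address          IP Address        VLAN   Interface       Type
 040a-0000-0001       2001::1           2      Eth1/0/1         ND-SNP
"""

# One table row: MAC in xxxx-xxxx-xxxx form, IPv6 address, VLAN, interface, type.
ROW = re.compile(
    r"^\s*([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def norm_mac(mac):
    """Reduce any common MAC notation (040a-0000-0001, 04:0A:...) to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_bindings(text):
    """Return a set of (interface, vlan, ipv6, mac) tuples from the display output."""
    bindings = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and summary lines do not match and are skipped
            mac, ip, vlan, ifname, _type = m.groups()
            bindings.add((ifname, int(vlan), ipaddress.IPv6Address(ip), norm_mac(mac)))
    return bindings


def permits(bindings, ifname, vlan, src_ip, src_mac):
    """Simplified model: forward only if source IPv6 AND source MAC both match
    one binding on that port; comparison is on normalized address values."""
    try:
        key = (ifname, vlan, ipaddress.IPv6Address(src_ip), norm_mac(src_mac))
    except ValueError:  # malformed address: treat as no match
        return False
    return key in bindings


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_OUTPUT)
    print(permits(table, "Eth1/0/1", 2, "2001::1", "04:0a:00:00:00:01"))  # bound host
    print(permits(table, "Eth1/0/1", 2, "2001::2", "040a-0000-0001"))     # unbound IP
```

Because addresses are compared as parsed values rather than strings, `2001::1` and `2001:0:0:0:0:0:0:1` are treated as the same binding.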