Dynamic IPv6SG using DHCPv6 snooping configuration example

Network requirements

As shown in Figure 118, the host (the DHCPv6 client) obtains an IP address from the DHCPv6 server. Perform the following tasks:

Enable DHCPv6 snooping on the switch to make sure the DHCPv6 client obtains an IPv6 address from the authorized DHCPv6 server. To generate a DHCPv6 snooping entry for the DHCPv6 client, enable recording of client information in DHCPv6 snooping entries.
Enable dynamic IPv6SG on GigabitEthernet 1/0/1 to filter incoming packets by using the IPv6SG bindings generated based on DHCPv6 snooping entries. Only packets from the DHCPv6 client are allowed to pass.

Figure 118: Network diagram

Configuration procedure

Configure DHCPv6 snooping:

# Enable DHCPv6 snooping globally.

<Switch> system-view
[Switch] ipv6 dhcp snooping enable

# Configure the interface connecting to the DHCP server as a trusted interface.

[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Switch-GigabitEthernet1/0/2] quit

Enable IPv6SG:
# Enable IPv6SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
```
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
```
# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/1.
```
[Switch-GigabitEthernet1/0/1] ipv6 dhcp snooping binding record
[Switch-GigabitEthernet1/0/1] quit
```

Verifying the configuration

# Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 snooping entry.

[Switch] display ipv6 source binding dhcpv6-snooping
Total entries found: 1
IPv6 Address         MAC Address    Interface               VLAN Type
2001::1              040a-0000-0001  GE1/0/1                1    DHCPv6 snooping

prev	up	next
Static IPv6SG configuration example	home	Configuring ARP attack protection