Enabling IPv6 source guard on a port

The IPv6 source guard function must be enabled on a port before the port can obtain dynamic IPv6 source guard entries and use static and dynamic IPv6 source guard entries to filter packets.

Dynamic IPv6 source guard entries can contain such information as the MAC address, IPv6 address, VLAN tag, ingress port information, and entry type (DHCPv6 snooping or ND snooping), where the MAC address, IPv6 address, and/or VLAN tag information may not be included depending on your configuration. IP source guard applies these entries to the port so the port can filter packets accordingly.

Follow these guidelines when you configure IPv6 source guard:

To configure the IPv6 source guard function on a port:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter Layer 2 Ethernet interface view or port group view.

interface interface-type interface-number

N/A

3. Enable the IPv6 source guard function on the port.

ipv6 verify source { ipv6-address | ipv6-address mac-address | mac-address }

IP source guard is disabled by default.

The keyword specified in the ipv6 verify source command is only for instructing the generation of dynamic IPv6 source guard entries. It does not affect static binding entries. When using a static binding entry, a port does not take the keyword into consideration.


[NOTE: ]

NOTE:

Although dynamic IPv6 source guard entries are generated based on DHCPv6 entries, the number of dynamic IPv6 source guard entries is not necessarily the same as that of the DHCPv6 entries.