Dynamic IPv6 source guard using DHCPv6 snooping
Network requirements
As shown in Figure 113, the host (DHCPv6 client) and the DHCPv6 server are connected to the device through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IP address through the DHCPv6 server and the IPv6 address and the MAC address of the host can be recorded in a DHCPv6 snooping entry.
Enable the IPv6 source guard function on the device's port GigabitEthernet 1/0/1 to filter packets based on DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through the DHCPv6 server.
Figure 113: Network diagram
Configuration procedure
Configure DHCPv6 snooping.
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit
# Configure the port connecting to the DHCPv6 server as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
Configure the IPv6 source guard function.
# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display the dynamic IPv6 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
 MAC Address          IP Address        VLAN   Interface      Type
 040a-0000-0001       2001::1           2      GE1/0/1        DHCPv6-SNP
# Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IPv6 source guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 dhcp snooping user-binding dynamic
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ==================
2001::1                        040a-0000-0001 286        2    GigabitEthernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the DHCPv6 snooping entry.
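The consistency check described in the verification step can be scripted when there are many bindings. The following is an added example, not part of the original configuration guide: it parses the text of both display commands and reports entries that appear in only one table. The sample input is reconstructed from the output shown above, and treating "GE" as the short form of "GigabitEthernet" is an assumption.

```python
import ipaddress
import re

# Constructed sample input, modeled on the two display outputs on this page.
SOURCE_BINDING = """\
Total entries found: 1
 MAC Address          IP Address        VLAN   Interface      Type
 040a-0000-0001       2001::1           2      GE1/0/1        DHCPv6-SNP
"""
SNOOPING = """\
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ==================
2001::1                        040a-0000-0001 286        2    GigabitEthernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
"""
MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)

def _ipv6(tok):
    try:
        return ipaddress.IPv6Address(tok)
    except ValueError:
        return None

def _port(tok):
    # Assumption: "GE" abbreviates "GigabitEthernet" in the source binding table.
    m = re.match(r"^(?:GE|GigabitEthernet)(\d+/\d+/\d+)$", tok)
    return "GigabitEthernet" + m.group(1) if m else None

def parse_bindings(text):
    """Return a set of (ipv6, mac, vlan, port) tuples from either display output."""
    out = set()
    for line in text.splitlines():
        toks = line.split()
        macs = [t.lower() for t in toks if MAC.match(t)]
        ips = [a for a in map(_ipv6, toks) if a]
        idx = [i for i, t in enumerate(toks) if _port(t)]
        if len(macs) != 1 or len(ips) != 1 or len(idx) != 1 or idx[0] == 0:
            continue  # header, separator or summary line
        # In both layouts the VLAN column sits immediately before the interface.
        vlan = toks[idx[0] - 1]
        if vlan.isdigit():
            out.add((ips[0], macs[0], int(vlan), _port(toks[idx[0]])))
    return out

def compare(source_binding_text, snooping_text):
    """Return (guard_only, snooping_only): entries present in just one table."""
    guard, snoop = parse_bindings(source_binding_text), parse_bindings(snooping_text)
    return guard - snoop, snoop - guard
```

Two empty sets from `compare()` mean every source guard entry has a matching DHCPv6 snooping entry and vice versa; addresses are compared as parsed IPv6 values, so differing textual forms of the same address still match.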