Dynamic IPv6 source guard using ND snooping
Network requirements
The client is connected to the device through port GigabitEthernet 1/0/1.
Enable ND snooping on the device so that it establishes ND snooping entries by listening to DAD NS messages.
Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legitimately obtained IPv6 address to pass.
Figure 114: Network diagram
Configuration procedure
Configure ND snooping.
# In VLAN 2, enable ND snooping.
<Device> system-view
[Device] vlan 2
[Device-vlan2] ipv6 nd snooping enable
[Device-vlan2] quit
Configure the IPv6 source guard function.
# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display the IPv6 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
 MAC Address       IP Address      VLAN   Interface    Type
 040a-0000-0001    2001::1         2      GE1/0/1      ND-SNP
# Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 nd snooping
IPv6 Address    MAC Address     VID  Interface  Aging Status
2001::1         040a-0000-0001  2    GE1/0/1    25    Bound
---- Total entries: 1 ----
The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the ND snooping entry.
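The consistency check between the two displays can be scripted. The following is an added example, not part of the original guide: it parses the two outputs shown above (embedded as sample text) and lists ND snooping entries in Bound status that have no ND-SNP source guard binding, and bindings that have no snooping entry. The function names are hypothetical, and the column layout is assumed to match the sample outputs.

```python
import ipaddress
import re

# Sample outputs copied from the verification step of this example.
SOURCE_BINDING = """\
Total entries found: 1
 MAC Address       IP Address      VLAN   Interface    Type
 040a-0000-0001    2001::1         2      GE1/0/1      ND-SNP
"""
ND_SNOOPING = """\
IPv6 Address    MAC Address     VID  Interface  Aging Status
2001::1         040a-0000-0001  2    GE1/0/1    25    Bound
---- Total entries: 1 ----
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)


def parse(text, ncols, ip_col, mac_col, state_col, state):
    """Return {(ip, mac, vlan, port)} for rows whose state column matches."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        # Skip headers, counters and rows in another state/type.
        if len(f) != ncols or not MAC_RE.match(f[mac_col]) or f[state_col] != state:
            continue
        # Normalise the address so equivalent IPv6 spellings compare equal.
        ip = str(ipaddress.IPv6Address(f[ip_col]))
        # VLAN is column 2 and interface is column 3 in both displays.
        entries.add((ip, f[mac_col].lower(), int(f[2]), f[3]))
    return entries


def compare(binding_text, snooping_text):
    """Return (snooped-but-unbound, bound-but-not-snooped) entry lists."""
    bound = parse(binding_text, 5, ip_col=1, mac_col=0, state_col=4, state="ND-SNP")
    snooped = parse(snooping_text, 6, ip_col=0, mac_col=1, state_col=5, state="Bound")
    return sorted(snooped - bound), sorted(bound - snooped)


if __name__ == "__main__":
    missing, stale = compare(SOURCE_BINDING, ND_SNOOPING)
    print("ND snooping entries with no source guard binding:", missing)
    print("ND-SNP bindings with no ND snooping entry:", stale)
```

Both lists are empty for the outputs shown above; a non-empty list points to an entry present in one table but not the other.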