SAVI configuration in SLAAC-only address assignment scenario

Network requirements

As shown inFigure 134, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts can obtain IPv6 addresses only through SLAAC. Configure SAVI on Switch B to bind the addresses assigned through SLAAC and permit only packets from the bound addresses.

Figure 134: Network diagram

Configuration considerations

Configure Switch B as follows:

Packet check principles

Switch B checks the following packets:

Configuration procedure

# Enable SAVI.

<SwitchB> system-view
[SwitchB] ipv6 savi strict

# Enable IPv6.

[SwitchB] ipv6

# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 10.

[SwitchB] vlan 10
[SwitchB-vlan10] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3
[SwitchB-vlan10] quit

# Enable global unicast address ND snooping and link-local address ND snooping.

[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable

# Enable ND detection.

[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit

# Enable DHCPv6 snooping.

[SwitchB] ipv6 dhcp snooping enable

# Configure uplink port GigabitEthernet 1/0/3 as an ND trusted port.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust
[SwitchB-GigabitEthernet1/0/3] quit

# Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/2] quit