SAVI configuration in SLAAC-only address assignment scenario
Network requirements
As shown in Figure 134, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts can obtain IPv6 addresses only through SLAAC. Configure SAVI on Switch B to bind the addresses assigned through SLAAC and permit only packets from the bound addresses.
Figure 134: Network diagram
Configuration considerations
Configure Switch B as follows:
Enable SAVI.
Enable global unicast address ND snooping and link-local address ND snooping. For more information about ND snooping, see Layer 3—IP Services Configuration Guide.
Enable ND detection in VLAN 10 to check the ND packets that arrive on the ports. For more information about ND detection, see "Configuring ND attack defense."
Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."
Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see "Configuring IP source guard."
Enable DHCPv6 snooping and leave the interface connected to the gateway in its default state (non-trusted port) so that the hosts cannot obtain IP addresses through DHCPv6. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
Packet check principles
Switch B checks the following packets:
ND protocol packets against ND snooping entries and static binding entries.
IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries) applied on the interfaces connected to the hosts and against static binding entries. The items to be examined include MAC address, IPv6 address, VLAN information, and ingress port.
Configuration procedure
# Enable SAVI.
<SwitchB> system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3
[SwitchB-vlan10] quit
# Enable global unicast address ND snooping and link-local address ND snooping.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable
# Enable ND detection.
[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp snooping enable
# Configure uplink port GigabitEthernet 1/0/3 as an ND trusted port.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust
[SwitchB-GigabitEthernet1/0/3] quit
# Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/2] quit
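The following Python sketch is an added example, not part of the original guide: it audits a configuration text against the steps of the procedure above (SAVI, ND snooping, ND detection, DHCPv6 snooping, the uplink ND trusted port, and dynamic source guard binding on the host ports). The sample configuration and its layout (unindented section lines with indented sub-commands) are constructed assumptions, and audit_savi, parse_sections, and norm are hypothetical helper names.

```python
# Constructed sample (not from a real switch); the layout is an assumption.
SAMPLE_CONFIG = """\
ipv6 savi strict
ipv6
ipv6 nd snooping enable link-local
ipv6 nd snooping enable global
vlan 10
 ipv6 nd snooping enable
 ipv6 nd detection enable
interface GigabitEthernet1/0/1
 ipv6 verify source ipv6-address mac-address
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
 ipv6 nd detection trust
"""
# Commands required by the procedure, grouped by where they must appear.
GLOBAL = ("ipv6 savi strict", "ipv6", "ipv6 nd snooping enable link-local",
          "ipv6 nd snooping enable global", "ipv6 dhcp snooping enable")
PER_VLAN = ("ipv6 nd snooping enable", "ipv6 nd detection enable")
GUARD = "ipv6 verify source ipv6-address mac-address"
ND_TRUST = "ipv6 nd detection trust"

def norm(line):
    """Lowercase, collapse spaces, and join 'gigabitethernet 1/0/1' forms."""
    words = line.lower().split()
    return "interface " + "".join(words[1:]) if words[:1] == ["interface"] else " ".join(words)

def parse_sections(config):
    """Map each unindented line to the set of indented commands under it."""
    sections, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and current is not None:
            sections[current].add(norm(raw))
        else:
            current = norm(raw)
            sections.setdefault(current, set())
    return sections

def audit_savi(config, vlan, host_ports, uplink_ports):
    """Return deviations from the procedure; an empty list means none found."""
    s = parse_sections(config)
    checks = [("global", set(s), GLOBAL),
              (f"vlan {vlan}", s.get(f"vlan {vlan}", set()), PER_VLAN)]
    checks += [(p, s.get(norm("interface " + p), set()), (GUARD,)) for p in host_ports]
    checks += [(p, s.get(norm("interface " + p), set()), (ND_TRUST,)) for p in uplink_ports]
    out = [f"{where}: missing '{c}'" for where, have, need in checks for c in need if c not in have]
    # The procedure trusts only the uplink, so an ND trusted host port is a deviation.
    out += [f"{p}: host port is ND trusted" for p in host_ports
            if ND_TRUST in s.get(norm("interface " + p), set())]
    return out
```

For the constructed sample, audit_savi(SAMPLE_CONFIG, 10, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"], ["GigabitEthernet1/0/3"]) reports the missing DHCPv6 snooping command and the missing source guard binding on GigabitEthernet1/0/2.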