SAVI configuration in DHCPv6+SLAAC address assignment scenario
Network requirements
As shown in Figure 135, Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3. Host A and Host B access the gateway (Switch A) through Switch B. Interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 on Switch B belong to VLAN 2. The hosts can obtain IPv6 addresses through DHCPv6 or SLAAC. Configure SAVI on Switch B so that it permits only packets from addresses assigned through DHCPv6 and from bound addresses assigned through SLAAC.
Figure 135: Network diagram
Configuration considerations
Configure Switch B as follows:
Enable SAVI.
Enable DHCPv6 snooping. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
Enable global unicast address ND snooping and link-local address ND snooping. For more information about ND snooping, see Layer 3—IP Services Configuration Guide.
Enable ND detection in VLAN 2 to check the ND packets arriving on the ports. For more information about ND detection, see "Configuring ND attack defense."
Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."
Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see "Configuring IP source guard."
Packet check principles
Switch B checks the following packets:
DHCPv6 protocol packets from DHCPv6 clients against link-local address ND snooping entries.
ND protocol packets against ND snooping entries, DHCPv6 snooping entries, and static binding entries.
IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the hosts and against static binding entries. The items to be examined include MAC address, IPv6 address, VLAN information, and ingress port.
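The three check rules above, as an added Python model for illustration (not Comware code or the switch's actual implementation). It assumes that client DHCPv6 messages carry a link-local source address, that data packets arriving on a port without dynamic IPv6 source guard binding are simply not checked by this function, and uses constructed binding entries and abbreviated port names (GE1/0/3 for GigabitEthernet 1/0/3).

```python
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class Binding:
    """One binding entry: the four fields SAVI compares against a packet."""
    ipv6: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class Packet:
    kind: str        # "dhcpv6", "nd" or "data"
    src_ipv6: str
    src_mac: str
    vlan: int
    ingress: str

def _bound(pkt: Packet, table: FrozenSet[Binding]) -> bool:
    """True if an entry matches the packet's IPv6 address, MAC, VLAN and ingress port."""
    return Binding(pkt.src_ipv6, pkt.src_mac, pkt.vlan, pkt.ingress) in table

def savi_permits(pkt, nd_link_local, nd_global, dhcpv6, static, guard_ports):
    """Apply the three check rules from the text; True means the packet is forwarded."""
    if pkt.kind == "dhcpv6":          # client DHCPv6 messages use the link-local source
        return _bound(pkt, nd_link_local)
    if pkt.kind == "nd":
        return _bound(pkt, nd_link_local | nd_global | dhcpv6 | static)
    if pkt.kind == "data":
        if pkt.ingress not in guard_ports:   # assumption: ports without
            return True                      # 'ipv6 verify source' are not checked here
        return _bound(pkt, nd_link_local | nd_global | dhcpv6 | static)
    raise ValueError(f"unknown packet kind {pkt.kind!r}")

# Constructed sample state, as Switch B would have learned it from the hosts in Figure 135.
HOST_A_MAC, HOST_B_MAC = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
ND_LINK_LOCAL = frozenset({Binding("fe80::aa", HOST_A_MAC, 2, "GE1/0/3"),
                           Binding("fe80::bb", HOST_B_MAC, 2, "GE1/0/4")})
DHCPV6 = frozenset({Binding("2001:db8:2::a", HOST_A_MAC, 2, "GE1/0/3")})    # Host A, DHCPv6
ND_GLOBAL = frozenset({Binding("2001:db8:2::b", HOST_B_MAC, 2, "GE1/0/4")})  # Host B, SLAAC
STATIC: FrozenSet[Binding] = frozenset()   # no static entries in this scenario
GUARD_PORTS = frozenset({"GE1/0/3", "GE1/0/4", "GE1/0/5"})  # ports with ipv6 verify source

def check(kind, ip, mac, port, vlan=2):
    """Run one packet through the model against the sample state."""
    return savi_permits(Packet(kind, ip, mac, vlan, port),
                        ND_LINK_LOCAL, ND_GLOBAL, DHCPV6, STATIC, GUARD_PORTS)
```

A mismatch in any one of the four fields (for example the right address on the wrong port, or the right address with another host's MAC) is enough for the packet to be dropped.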
Configuration procedure
# Enable SAVI.
<SwitchB> system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp snooping enable
# Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to VLAN 2.
[SwitchB] vlan 2
[SwitchB-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
# Enable DHCPv6 snooping in VLAN 2.
[SwitchB-vlan2] ipv6 dhcp snooping vlan enable
[SwitchB-vlan2] quit
# Configure interface GigabitEthernet 1/0/1 as a DHCPv6 snooping trusted port.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Enable ND snooping and ND detection.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 2
[SwitchB-vlan2] ipv6 nd snooping enable
[SwitchB-vlan2] ipv6 nd detection enable
[SwitchB-vlan2] quit
# Configure interface GigabitEthernet 1/0/2 as an ND detection trusted port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 nd detection trust
[SwitchB-GigabitEthernet1/0/2] quit
# Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/3 through GigabitEthernet 1/0/5.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet 1/0/4
[SwitchB-GigabitEthernet1/0/4] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/4] quit
[SwitchB] interface gigabitethernet 1/0/5
[SwitchB-GigabitEthernet1/0/5] ipv6 verify source ipv6-address mac-address