364
Figure 113
Network diagram
Configuration procedure
# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the
source IP address and MAC address.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
# Configure GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of
0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
[Device-GigabitEthernet1/0/1] ipv6 source binding ipv6-address 2001::1 mac-address
0001-0202-0202
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# On Device, display the information about static IPv6 source guard entries. The output shows that the
binding entry is configured successfully.
[Device] display ipv6 source binding static
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0202-0202 2001::1 N/A GE1/0/1 Static-IPv6
Dynamic IPv6 source guard using DHCPv6 snooping
configuration example
Network requirements
As shown in
, the host (DHCPv6 client) and the DHCPv6 server are connected to the device
through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively.
Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IP address through
the DHCPv6 server and the IPv6 IP address and the MAC address of the host can be recorded in a
DHCPv6 snooping entry.
Enable IPv6 source guard function on the device’s port GigabitEthernet 1/0/1 to filter packets based on
DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through the
DHCP server to pass.
Figure 114
Network diagram