319
Configuring IPv6 source guard on a port
The IPv6 source guard function must be configured on a port before the port can obtain dynamic IPv6
source guard binding entries and use static and dynamic IPv6 source guard entries to filter packets.
• For how to configure a static IPv6 static binding entry, see “Configuring a static IPv6 source guard
bin
ding entry.”
• Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard
entries based on the DHCPv6 snooping entries that are generated during dynamic IP address
allocation.
• Cooperating with ND snooping, IP source guard dynamically generates IP source guard entries
based on dynamic ND snooping entries.
Dynamic IPv6 source guard entries can contain such information as the MAC address, IPv6 address,
VLAN tag, ingress port information and entry type (DHCPv6 snooping or ND snooping), where the MAC
address, IPv6 address, and/or VLAN tag information may not be included depending on your
configuration. IP source guard applies these entries to the port, so that the port can filter packets
accordingly.
Follow these steps to configure the IPv6 source guard function on a port:
To do… Use the command…
Remarks
Enter system view system-view —
Enter Layer 2 Ethernet interface
view, port group view
interface interface-type
interface-number
—
Configure the IPv6 source guard
function on the port
ipv6 verify source { ipv6-address |
ipv6-address mac-address |
mac-address }
Required
Not configured by default
NOTE:
• The keyword specified in the ipv6 verify source command is only for instructing the generation of
dynamic IPv6 source guard binding entries. It does not affect static binding entries. When usin
a static
binding entry, a port does not consider the keyword into consideration.
• If you repeatedly configure the IPv6 source guard binding function, only the last configuration takes
effect.
• To obtain dynamic IPv6 source guard binding entries, make sure that DHCPv6 snooping or ND
snooping is configured and works normally. For DHCPv6 and ND snoopin
confi
uration information,
see
Layer 3—IP Services Configuration Guide
.
• If you configure both ND snooping and DHCPv6 snooping on the device, IPv6 source guard uses the
type of entries that
enerated first. Because DHCPv6 snoopin
entries are usually
enerated first in such
a case, IPv6 source guard usually uses the DHCPv6 snooping entries to filter packets on a port.
• Although dynamic IPv6 source guard binding entries are generated based on DHCPv6 entries, the
number of dynamic IPv6 source guard binding entries is not necessarily the same as that of the DHCPv6
entries.
Configuring a static IPv6 source guard binding entry
Static IPv6 binding entries take effect only on ports configured with the IPv6 source guard function (see
“Configuring the IPv6 source guard function”).
To Next Page
Loading...
Need help?
General