HP 5120 SI Series Security Configuration Manual page 313

Enable dynamic IPv6 source guard on port GigabitEthernet 1/0/1 of the device to filter packets based
on DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through
DHCP server to pass.
Figure 104 Network diagram
Host
Configuration procedure
1. Configure DHCPv6 snooping
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit
# Configure the port connecting to the DHCP server as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
2. Configure dynamic IPv6 source guard
# Configure dynamic IPv6 source guard on GigabitEthernet 1/0/1 to filter packets based on both the
source IP address and source MAC address of the packets.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verification
# Display IPv6 source guard entries on port GigabitEthernet 1/0/1.
[Device] display ip check source ipv6
Total entries found: 1
MAC Address
040a-0000-0001
# Display DHCPv6 snooping entries on GigabitEthernet 1/0/1.
[Device] display ipv6 dhcp snooping user-binding dynamic
IP Address
============================== ============== ========== ==== ==================
2001::1
--- 1 DHCPv6 snooping item(s) found
The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet
1/0/1 based on the DHCPv6 snooping entry.
VLAN 2
GE1/0/1 GE1/0/2
Device
DHCPv6 snooping
IP Address
2001::1
MAC Address
040a-0000-0001 286
DHCPv6 server
VLAN Interface
2 GE1/0/1
Lease
---
301
Type
DHCPv6-SNP
VLAN Interface
2 GigabitEthernet1/0/1