Savi Configuration In Slaac-Only Address Assignment Scenario - HP 5120 SI Series Security Configuration Manual

[SwitchB-GigabitEthernet1/0/3] ip check source ipv6 ip-address mac-address
[SwitchB-GigabitEthernet1/0/3] quit
SAVI configuration in SLAAC-only address
assignment scenario
Network requirements
Figure 114 Network diagram
Switch A
Switch B
Host A
10::5
0001-0203-0405
As shown in
can obtain IPv6 addresses only through SLAAC. Configure SAVI on Switch B to bind the addresses
assigned through SLAAC and permit only packets from the bound addresses.
Configuration considerations
Configure Switch B as follows:
Enable SAVI.
•
Enable global unicast address ND snooping and link-local address ND snooping. For more
•
information about ND snooping, see Layer 3—IP Services Configuration Guide.
• Enable ND detection in VLAN 10 to check the ND packets arrived on the ports. For more
information about ND detection, see the chapter "ND attack defense configuration."
Configure a static IPv6 source guard binding entry on each interface connected to a host. This step
•
is optional. If this step is not performed, SAVI does not check packets against static binding entries.
For more information about static IPv6 source guard binding entries, see the chapter "IP source
guard configuration."
Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more
•
information about dynamic IPv6 source guard binding, see the chapter "IP source guard
configuration."
Internet
Gateway
GE1/0/3
Vlan-int10
10::1
VLAN 10
GE1/0/3
GE1/0/1 GE1/0/2
0001-0203-0607
Figure 1 19, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts
Host B
10::6
328