SAVI Configuration in DHCPv6+SLAAC Address Assignment Scenario - HP 5120 SI Series Security Configuration Manual

SAVI configuration in DHCPv6+SLAAC address assignment scenario
Network requirements
Figure 115 Network diagram
As shown in Figure 120, Switch B connects to the DHCPv6 server through interface GigabitEthernet
1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3. Host A and Host B
access Gateway (Switch A) through Switch B. Interfaces GigabitEthernet 1/0/1 through GigabitEthernet
1/0/5 on Switch B belong to VLAN 2. The hosts can obtain IP addresses through DHCPv6 or SLAAC.
Configure SAVI on Switch B to permit only packets from addresses assigned through DHCPv6 and the
bound addresses assigned through SLAAC.
Configuration considerations
Configure Switch B as follows:
• Enable SAVI.
• Enable DHCPv6 snooping. For more information about DHCPv6 snooping, see Layer 3—IP
  Services Configuration Guide.
• Enable global unicast address ND snooping and link-local address ND snooping. For more
  information about ND snooping, see Layer 3—IP Services Configuration Guide.
• Enable ND detection in VLAN 2 to check the ND packets arriving on the ports. For more information
  about ND detection, see the chapter "ND attack defense configuration."
• Configure a static IPv6 source guard binding entry on each interface connected to a host. This step
  is optional. If this step is not performed, SAVI does not check packets against static binding entries.
  For more information about static IPv6 source guard binding entries, see the chapter "IP source
  guard configuration."
• Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more
  information about dynamic IPv6 source guard binding, see the chapter "IP source guard
  configuration."
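The following Python model is an added illustration, not switch configuration or code from the HP manual. It shows the filtering decision the steps above produce: a host-port packet is permitted only if its source address, MAC and port match a static, DHCPv6 snooping or ND snooping binding. Assumptions: GigabitEthernet 1/0/1 is the DHCPv6 snooping trusted port, a SLAAC host sits on GigabitEthernet 1/0/4, all addresses and MACs are constructed, and probing and aging of entries are left out.

```python
import ipaddress

TRUSTED = "GE1/0/1"  # uplink to the DHCPv6 server; assumed DHCPv6 snooping trusted port

class SaviModel:
    """Toy model of the binding table SAVI filters host-port traffic against."""

    def __init__(self):
        self.table = {}  # IPv6Address -> (port, mac, origin)

    def _bind(self, port, ip, mac, origin):
        ip, mac = ipaddress.IPv6Address(ip), mac.lower()
        owner = self.table.get(ip)
        if owner and owner[:2] != (port, mac):
            return False  # simplification: first claim wins, no probing or aging
        self.table[ip] = (port, mac, origin)
        return True

    def static(self, port, ip, mac):
        return self._bind(port, ip, mac, "static")

    def dhcpv6_reply(self, ingress, client_port, ip, mac):
        # Snooping learns leases only from replies arriving on the trusted port.
        return ingress == TRUSTED and self._bind(client_port, ip, mac, "dhcpv6")

    def slaac_dad(self, port, ip, mac):
        # ND snooping learns the address a host announces during DAD.
        return self._bind(port, ip, mac, "nd-snooping")

    def permit(self, port, src_ip, src_mac):
        if port == TRUSTED:
            return True  # source guard is applied on host-facing ports only
        entry = self.table.get(ipaddress.IPv6Address(src_ip))
        return entry is not None and entry[:2] == (port, src_mac.lower())

def demo():
    s = SaviModel()
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # constructed MACs
    slaac_ip = "2001:db8::200:5eff:fe00:530b"        # constructed SLAAC address
    s.dhcpv6_reply(TRUSTED, "GE1/0/3", "2001:db8::10", a)            # lease via uplink
    rogue = s.dhcpv6_reply("GE1/0/4", "GE1/0/3", "2001:db8::66", a)  # reply from a host port
    s.slaac_dad("GE1/0/4", slaac_ip, b)                              # SLAAC host binds
    hijack = s.slaac_dad("GE1/0/4", "2001:db8::10", b)               # claims the leased address
    return {
        "lease": s.permit("GE1/0/3", "2001:DB8::10", a.upper()),
        "slaac": s.permit("GE1/0/4", slaac_ip, b),
        "spoof": s.permit("GE1/0/4", "2001:db8::10", b),
        "rogue_learned": rogue, "hijack_learned": hijack,
    }
```

Calling demo() returns the verdict for each case: the leased and SLAAC-bound sources pass, while the spoofed source, the DHCPv6 reply from a host port and the second claim on a bound address are all refused.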