HP 5120 SI Series Security Configuration Manual page 343


Packet check principles
Switch B performs three checks. It checks DHCPv6 protocol packets from DHCPv6 clients against
link-local address ND snooping entries. It checks ND protocol packets against ND snooping entries,
DHCPv6 snooping entries, and static binding entries. It checks the IPv6 data packets from the hosts
against the dynamic binding entries (including ND snooping entries and DHCPv6 snooping entries)
applied on the interfaces connected to the hosts and against static binding entries. The items
examined are the MAC address, IPv6 address, VLAN information, and ingress port.
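
The checks described above can be modelled as a lookup over a binding table. The following Python sketch is an added example, not HP code and not output from a switch; the table layout, the function and field names, and the sample MAC addresses, IPv6 addresses and port labels are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

# Binding sources each packet class is checked against, per the text above.
CHECKED_AGAINST = {
    "dhcpv6": {"nd-snooping"},  # link-local entries only
    "nd": {"nd-snooping", "dhcpv6-snooping", "static"},
    "data": {"nd-snooping", "dhcpv6-snooping", "static"},
}

@dataclass(frozen=True)
class Binding:
    source: str        # nd-snooping, dhcpv6-snooping or static
    mac: str
    ipv6: IPv6Address
    vlan: int
    port: str

@dataclass(frozen=True)
class Packet:
    kind: str          # dhcpv6, nd or data
    mac: str           # source MAC address
    ipv6: IPv6Address  # source IPv6 address
    vlan: int
    port: str          # ingress port

def permitted(pkt, table):
    """True only if MAC, IPv6 address, VLAN and ingress port all match one entry."""
    for b in table:
        if b.source not in CHECKED_AGAINST[pkt.kind]:
            continue
        if pkt.kind == "dhcpv6" and not b.ipv6.is_link_local:
            continue
        if (b.mac, b.ipv6, b.vlan, b.port) == (pkt.mac, pkt.ipv6, pkt.vlan, pkt.port):
            return True
    return False

# Constructed sample data: one host behind GigabitEthernet 1/0/3 in VLAN 2.
MAC, LL, GUA = "0001-0203-0405", IPv6Address("fe80::1"), IPv6Address("2001:db8::10")
TABLE = [Binding("nd-snooping", MAC, LL, 2, "GE1/0/3"),
         Binding("dhcpv6-snooping", MAC, GUA, 2, "GE1/0/3")]
PACKETS = {
    "host DHCPv6 request": Packet("dhcpv6", MAC, LL, 2, "GE1/0/3"),
    "host data": Packet("data", MAC, GUA, 2, "GE1/0/3"),
    "bound address on another port": Packet("data", MAC, GUA, 2, "GE1/0/4"),
    "bound address with another MAC": Packet("nd", "0001-0203-0406", GUA, 2, "GE1/0/3"),
    "DHCPv6 from non-link-local source": Packet("dhcpv6", MAC, GUA, 2, "GE1/0/3"),
}

def verdicts():
    return {name: permitted(p, TABLE) for name, p in PACKETS.items()}
```

The model covers only packets arriving on untrusted ports; the trusted ports configured in the procedure are outside its scope.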
Configuration procedure
# Enable SAVI.
<SwitchB> system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp snooping enable
# Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to VLAN 2.
[SwitchB] vlan 2
[SwitchB-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
# Enable DHCPv6 snooping in VLAN 2.
[SwitchB-vlan2] ipv6 dhcp snooping vlan enable
[SwitchB-vlan2] quit
# Configure interface GigabitEthernet 1/0/1 as a DHCPv6 snooping trusted port.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Enable ND snooping and ND detection.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 2
[SwitchB-vlan2] ipv6 nd snooping enable
[SwitchB-vlan2] ipv6 nd detection enable
[SwitchB-vlan2] quit
# Configure interface GigabitEthernet 1/0/2 as an ND detection trusted port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 nd detection trust
[SwitchB-GigabitEthernet1/0/2] quit
# Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/3 through GigabitEthernet 1/0/5.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ip check source ipv6 ip-address mac-address
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet 1/0/4
[SwitchB-GigabitEthernet1/0/4] ip check source ipv6 ip-address mac-address
[SwitchB-GigabitEthernet1/0/4] quit