Savi Configuration In Dhcpv6+Slaac Address Assignment Scenario - HP 3600 v2 Series Security Configuration Manual

SAVI configuration in DHCPv6+SLAAC address
assignment scenario
Network requirements
Figure 146 Network diagram
Switch A
Gateway
Eth1/0/2
Eth1/0/3
DHCPv6
client
As shown in
connects to the DHCPv6 client through interface Ethernet 1/0/3. Host A and Host B access Gateway
(Switch A) through Switch B. Interfaces Ethernet 1/0/1 through Ethernet 1/0/5 on Switch B belong to
VLAN 2. The hosts can obtain IP addresses through DHCPv6 or SLAAC. Configure SAVI on Switch B to
permit only packets from addresses assigned through DHCPv6 and the bound addresses assigned
through SLAAC.
Configuration considerations
Configure Switch B as follows:
Enable SAVI.
•
• Enable DHCPv6 snooping. For more information about DHCPv6 snooping, see Layer 3—IP
Services Configuration Guide.
Enable global unicast address ND snooping and link-local address ND snooping. For more
•
information about ND snooping, see Layer 3—IP Services Configuration Guide.
• Enable ND detection in VLAN 2 to check the ND packets arrived on the ports. For more information
about ND detection, see the chapter "ND attack defense configuration."
Configure a static IPv6 source guard binding entry on each interface connected to a host. This step
•
is optional. If this step is not performed, SAVI does not check packets against static binding entries.
For more information about static IPv6 source guard binding entries, see the chapter "IP source
guard configuration."
Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more
•
information about dynamic IPv6 source guard binding, see the chapter "IP source guard
configuration."
Switch C
DHCPv6
Eth1/0/1
Switch B
Eth1/0/4 Eth1/0/5
Host A
Figure 146, Switch B connects to the DHCPv6 server through interface Ethernet 1/0/1 and
server
Host B
377