Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example - HPE FlexNetwork 10500 Series Security Configuration Manual

Configuration procedure
# Enable IPv6SG on GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
# On GigabitEthernet 1/0/1, configure a static IPv6SG binding for the host.
[Device-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address
0001-0202-0202
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that the static IPv6SG binding is configured successfully on the device.
[Device] display ipv6 source binding static
Total entries found: 1
IPv6 Address
2001::1
Dynamic IPv6SG using DHCPv6 snooping configuration
example
Network requirements
As shown in
Perform the following tasks:
•
Enable DHCPv6 snooping on the device to make sure the DHCPv6 client obtains an IPv6
address from the authorized DHCPv6 server. To generate a DHCPv6 snooping entry for the
DHCPv6 client, enable recording of client information in DHCPv6 snooping entries.
•
Enable dynamic IPv6SG on GigabitEthernet 1/0/1 to filter incoming packets by using the
IPv6SG bindings generated based on DHCPv6 snooping entries. Only packets from the
DHCPv6 client are allowed to pass.
Figure 134 Network diagram
DHCPv6 client
Host
Configuration procedure
1. Configure DHCPv6 snooping:
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Configure GigabitEthernet 1/0/2 as a trusted interface.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
2. Enable IPv6SG:
# Enable IPv6SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address
for dynamic IPv6SG.
MAC Address
0001-0202-0202 GE1/0/1
Figure 134, the host (the DHCPv6 client) obtains an IP address from the DHCPv6 server.
DHCPv6 snooping
GE1/0/1 GE1/0/2
Device
Interface
DHCPv6 server
507
VLAN Type
N/A Static