Global Static Ip Source Guard Configuration Example - HP 5500 HI Series Configuration Manual

Figure 115 Network diagram
Configuration procedure
1. Configure ND snooping:
# In VLAN 2, enable ND snooping.
<Device> system-view
[Device] vlan 2
[Device-vlan2] ipv6 nd snooping enable
[Device-vlan2] quit
2. Configure the IPv6 source guard function:
# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on
both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display the IPv6 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
MAC Address
040a-0000-0001
# Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source
guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 nd snooping
IPv6 Address
2001::1
---- Total entries: 1 ----
The output shows that a dynamic IPv6 source guard entry has generated on port GigabitEthernet 1/0/1
based on the ND snooping entry.

Global static IP source guard configuration example

Network requirements
As shown in
VLAN 10 and Host B in VLAN 20 communicate with each other through Device A.
Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A
•
and Host B.
Configure Device B to forward packets of Host A and Host B normally.
•
IP Address
2001::1
Figure 1 16, Device A is a distribution layer device. Device B is an access device. Host A in
VLAN Interface
2 GE1/0/1
MAC Address VID
040a-0000-0001 2
366
Type
ND-SNP
Interface Aging Status
GE1/0/1 25 Bound