Ipv6 Filtering Configuration Example - H3C S3100 Series Operation Manual

# Configure the upper port Ethernet 1/0/3 as ND trusted port, while the lower ports Ethernet 1/0/1 and
Ethernet 1/0/2 as the default state, namely ND untrusted ports
[SwitchB] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] ipv6 nd detection trust
After the configuration above, check the ND packets received by Ethernet 1/0/1 and Ethernet 1/0/2,
based on the security entry of ND snooping.

IPv6 Filtering Configuration Example

Network requirements
As shown in Figure
1/0/3 and connected to the DHCPv6 server through Ethernet 1/0/2. Switch B, as an access device, is
connected to Client A, Client B, and Client C. Client A and Client C obtain IPv6 addresses from the
DHCPv6 server. The IPv6 address of Client B is 2001::1/64, and the MAC address of Client B is
0001-0203-0406.
Enable DHCPv6 snooping on the switch B, and specify Ethernet 1/0/1 as the DHCPv6 snooping
trusted port.
Enable IPv6 filtering on Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to prevent attacks to the
gateway from clients using fake source IP addresses.
Create IPv6 static binding entries on the Switch B, so that Client B using a fixed IPv6 address can
access external networks.
Figure 1-11 Network diagram for IPv6 filtering configuration
IPv6 network
Eth1/0/3
Switch A
Gateway
Eth1/0/1
Eth1/0/2
Eth1/0/3
Client A
Client B
IPv6: 2001::1/64
MAC: 00-01-02-03-04-06
Configuration procedure
Configuration Switch B
# Enable DHCPv6 snooping on the switch.
<SwitchB> system-view
[SwitchB] dhcp-snooping ipv6 enable
# Specify Ethernet 1/0/1 as the trusted port.
[SwitchB] interface Ethernet1/0/1
[SwitchB-Ethernet1/0/1] dhcp-snooping ipv6 trust
[SwitchB-Ethernet1/0/1] quit
1-11, Switch A, as a gateway, is connected to the external network through Ethernet
Eth1/0/2
DHCPv6 server
Eth1/0/1
SwitchB
DHCPv6 snooping
Eth1/0/4
Client C
1-28