Configure Port IPv6 Source Guard Function Based on DHCPv6 Snooping Dynamic Entries
Network Requirements
- PC1 and PC2 are connected to IP Network via Device.
- Configure the global DHCPv6 Snooping function.
- Enable port-based IPv6 Source Guard on the client-facing port, so that PC1 can access IP Network normally while PC2 cannot.
Network Topology
Figure 5–1 Networking of configuring the effective port IPv6 Source Guard function based on DHCPv6 Snooping dynamic entries
Configuration Steps
Step 1: Configure the VLAN and the port link type on Device.
#Create VLAN2.
Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit
#Configure port gigabitethernet 0/1 as an Access port carrying VLAN2.
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#switchport mode access
Device(config-if-gigabitethernet0/1)#switchport access vlan 2
Device(config-if-gigabitethernet0/1)#exit
Step 2: On Device, enable the global DHCPv6 Snooping function and configure gigabitethernet0/2, the port connected to the DHCPv6 Server, as the trust port. Only the server-facing port is trusted; DHCPv6 server messages arriving on untrusted ports are discarded, so a rogue server on a client port cannot seed the binding table.
Device(config)#ipv6 dhcp snooping enable
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#ipv6 dhcp snooping trust
Device(config-if-gigabitethernet0/2)#exit
Step 3: Configure the address pool of the DHCPv6 Server as 2000::2/64 (configuration omitted).
Step 4: On Device, configure the IPv6 Source Guard function of the port.
#On port gigabitethernet0/1, enable port-based IPv6 Source Guard function.
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#ipv6 verify source
Device(config-if-gigabitethernet0/1)#exit
Step 5: Check the result.
#View the configuration information of DHCPv6 Snooping.
Device#show ipv6 dhcp snooping
dhcpv6-snooping configuration information:
dhcpv6-snooping status                         : enable
dhcpv6-snooping entry aged time                : 300
dhcpv6-snooping binding agent save delay time  : 1800
dhcpv6-snooping binding agent save type        : FLASH
dhcpv6-snooping binding agent save file        : dhcpv6sp_binding.db
dhcpv6-snooping binding agent save pool time   : 30
dhcpv6-snooping interface information :
----------------------------------------------------------------------------------------------
interface   trust-status   max-learning-num   option-policy   option18-status   option37-status
----------------------------------------------------------------------------------------------
gi0/1       untrust        1024               keep            disable           disable
gi0/2       trust          1024               keep            disable           disable
gi0/3       untrust        1024               keep            disable           disable
gi0/4       untrust        1024               keep            disable           disable
gi0/5       untrust        1024               keep            disable           disable
……
#View the configuration information of IPv6 Source Guard.
Device#show ipv6 source guard
---------------------------------------------
IPv6 source guard interfaces on slot 0 :
Total number of enabled interfaces : 1
-----------------------------------------------------------------
Interface Name   Status     Verify Type   L2 Status   Max Entry
-----------------------------------------------------------------
gi0/1            Enabled    ip            Disabled    536
gi0/2            Disabled   ip            Disabled    536
gi0/3            Disabled   ip            Disabled    536
gi0/4            Disabled   ip            Disabled    536
gi0/5            Disabled   ip            Disabled    536
……
The output shows that IPv6 Source Guard is enabled only on port gigabitethernet0/1, with Verify Type ip. In this example the dynamic entries therefore take effect based on IPv6 address + VLAN; the source MAC is not part of the check, and the other ports, where the function is disabled, forward IPv6 traffic without any binding check.
#View the port IPv6 Source Guard bound entry.
Device#show ipv6 binding table
--------global Ipv6 and mac binding entry------
total : 0
-----------------------------------------------
IPv6 Source Guard binding table on slot 0
Total binding entries      : 1
Static binding entries     : 0
Static not write entries   : 0
Dynamic binding entries    : 1
Dynamic not write entries  : 0
PCE writing entries        : 1
------------------------------------------------------------------------------------------------
Interface-Name   MAC-Address      VLAN-ID   Type-Flag   Writing-Flag   L2-Flag     IP-Address
------------------------------------------------------------------------------------------------
gi0/1            0001.0001.0001   2         dynamic     Write          Not Write   2000::2
#PC1, whose DHCPv6-assigned address 2000::2 has a dynamic binding entry on gigabitethernet0/1, can access IP Network normally. PC2 has no binding entry, so its IPv6 packets fail the Source Guard check on the port and are dropped; PC2 cannot access IP Network.
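The check in Step 5 is done by reading two show outputs by eye. The script below automates that audit: it parses the `show ipv6 source guard` and `show ipv6 binding table` output shown above and works out, for each expected host, whether the port would forward or drop its traffic. It is an added example, not vendor code; the two sample outputs are constructed from the configuration example above, the host list (PC2's address 2000::3 and both MAC addresses) is assumed for illustration, and the handling of verify types other than `ip` is an assumption rather than something the page states.

```python
"""Offline audit of IPv6 Source Guard state from the Step 5 show outputs.

Added example, not vendor code. The sample outputs below are constructed from
the configuration example; the expected-host list is an assumption.
"""
import ipaddress
import re

# Constructed sample: the 'show ipv6 source guard' output from Step 5.
SOURCE_GUARD_OUTPUT = """\
IPv6 source guard interfaces on slot 0 :
Total number of enabled interfaces : 1
-----------------------------------------------------------------
Interface Name   Status     Verify Type   L2 Status   Max Entry
-----------------------------------------------------------------
gi0/1            Enabled    ip            Disabled    536
gi0/2            Disabled   ip            Disabled    536
gi0/3            Disabled   ip            Disabled    536
"""

# Constructed sample: the 'show ipv6 binding table' output from Step 5.
BINDING_TABLE_OUTPUT = """\
IPv6 Source Guard binding table on slot 0
Total binding entries : 1
Dynamic binding entries : 1
------------------------------------------------------------------------------------
Interface-Name   MAC-Address      VLAN-ID   Type-Flag   Writing-Flag   L2-Flag     IP-Address
------------------------------------------------------------------------------------
gi0/1            0001.0001.0001   2         dynamic     Write          Not Write   2000::2
"""

GUARD_ROW = re.compile(
    r"^(?P<intf>gi\S+)\s+(?P<status>Enabled|Disabled)\s+(?P<verify>\S+)\s+"
    r"(?P<l2>Enabled|Disabled)\s+(?P<max>\d+)\s*$", re.M)
BINDING_ROW = re.compile(
    r"^(?P<intf>gi\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<vlan>\d+)\s+"
    r"(?P<type>static|dynamic)\s+(?P<writing>Write|Not Write)\s+(?P<l2>Write|Not Write)\s+"
    r"(?P<ip>[0-9a-fA-F:]+)\s*$", re.M)


def parse_source_guard(text):
    """Map interface name -> (enabled?, verify type) from 'show ipv6 source guard'."""
    return {m["intf"]: (m["status"] == "Enabled", m["verify"])
            for m in GUARD_ROW.finditer(text)}


def parse_bindings(text):
    """Return the rows of 'show ipv6 binding table' with the IPv6 address normalised."""
    return [{"intf": m["intf"], "mac": m["mac"].lower(), "vlan": int(m["vlan"]),
             "type": m["type"], "ip": ipaddress.IPv6Address(m["ip"])}
            for m in BINDING_ROW.finditer(text)]


def is_forwarded(intf, vlan, ip, mac, guard, bindings):
    """Decide whether a packet from (ip, mac) arriving on (intf, vlan) passes Source Guard.

    A port with Source Guard disabled forwards everything (only gi0/1 is enabled
    in Step 5). On an enabled port with Verify Type 'ip' the match is IP+VLAN,
    as the text states. Any other verify type is assumed here to also compare
    the MAC; that part is an assumption, not taken from the page.
    """
    enabled, verify = guard.get(intf, (False, None))
    if not enabled:
        return True
    ip = ipaddress.IPv6Address(ip)  # so 2000:0:0:0:0:0:0:2 equals 2000::2
    for b in bindings:
        if b["intf"] != intf or b["vlan"] != vlan or b["ip"] != ip:
            continue
        if verify == "ip" or b["mac"] == mac.lower():
            return True
    return False


def audit(expected_hosts, guard, bindings):
    """Return a message for every host whose expected outcome differs from the tables.

    expected_hosts: iterable of (name, intf, vlan, ip, mac, should_pass).
    """
    problems = []
    for name, intf, vlan, ip, mac, should_pass in expected_hosts:
        actual = is_forwarded(intf, vlan, ip, mac, guard, bindings)
        if actual != should_pass:
            problems.append(f"{name}: expected {'pass' if should_pass else 'drop'}, "
                            f"tables imply {'pass' if actual else 'drop'}")
    return problems


if __name__ == "__main__":
    guard = parse_source_guard(SOURCE_GUARD_OUTPUT)
    bindings = parse_bindings(BINDING_TABLE_OUTPUT)
    # Assumed hosts: PC1 is the DHCPv6 client on gi0/1; PC2 shares gi0/1 with a
    # self-assigned 2000::3 that never appeared in a DHCPv6 exchange.
    hosts = [("PC1", "gi0/1", 2, "2000::2", "0001.0001.0001", True),
             ("PC2", "gi0/1", 2, "2000::3", "0001.0001.0002", False)]
    for line in audit(hosts, guard, bindings) or ["OK: tables match the expected outcome"]:
        print(line)
```

Run it against pasted show output from the switch instead of the constructed samples to confirm, after each change, that every client expected to pass still has a binding on the right port and VLAN, and that hosts expected to be blocked have none. Note that a host on a port where the function is disabled (gi0/3 in the sample) is reported as forwarded: enabling Source Guard on one port protects only that port.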