IPv6 filtering configuration example, Network requirements, Configuration procedure – H3C Technologies H3C S3100 Series Switches User Manual
# Configure the upper port Ethernet 1/0/3 as an ND trusted port, and leave the lower ports Ethernet 1/0/1
and Ethernet 1/0/2 in the default state, namely ND untrusted ports.
[SwitchB] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] ipv6 nd detection trust
After the configuration above, the ND packets received by Ethernet 1/0/1 and Ethernet 1/0/2 are checked
based on the security entries of ND snooping.
IPv6 Filtering Configuration Example
Network requirements
As shown in Figure 1-11, Switch A, as a gateway, is connected to the external network through Ethernet
1/0/3 and connected to the DHCPv6 server through Ethernet 1/0/2. Switch B, as an access device, is
connected to Client A, Client B, and Client C. Client A and Client C obtain IPv6 addresses from the
DHCPv6 server. The IPv6 address of Client B is 2001::1/64, and the MAC address of Client B is
0001-0203-0406.
- Enable DHCPv6 snooping on Switch B, and specify Ethernet 1/0/1 as the DHCPv6 snooping
  trusted port.
- Enable IPv6 filtering on Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to prevent attacks on the
  gateway from clients using fake source IP addresses.
- Create IPv6 static binding entries on Switch B, so that Client B, which uses a fixed IPv6 address, can
  access external networks.
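How a source-binding check of this kind decides which packets to forward, as an added Python model (not H3C code and not part of the manual). The match key of port + IPv6 address + MAC, the port each client attaches to, and Client A's address and MAC are assumptions constructed for illustration.

```python
import ipaddress

def norm_mac(mac):
    """Reduce 0001-0203-0406, 00-01-02-03-04-06 or 00:01:02:03:04:06 to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c not in "-:.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return digits

class BindingTable:
    """Per-port source bindings; assumed match key is (port, IPv6 address, MAC)."""

    def __init__(self, filtered_ports):
        self.filtered = set(filtered_ports)   # ports with IPv6 filtering enabled
        self.entries = {}                      # key -> "static" or "dhcpv6-snooping"

    def add(self, port, ipv6, mac, origin):
        self.entries[(port, ipaddress.IPv6Address(ipv6), norm_mac(mac))] = origin

    def permit(self, port, src_ipv6, src_mac):
        """True if a packet with this source may be forwarded from the port."""
        if port not in self.filtered:
            return True                        # no filtering on this port
        try:
            key = (port, ipaddress.IPv6Address(src_ipv6), norm_mac(src_mac))
        except ValueError:
            return False                       # malformed source: drop
        return key in self.entries

def build_switch_b_table():
    # Filtered ports are the ones named in the requirements above.
    table = BindingTable(["Ethernet1/0/2", "Ethernet1/0/3", "Ethernet1/0/4"])
    # Static entry for Client B (address and MAC from the page; port is assumed).
    table.add("Ethernet1/0/4", "2001::1", "0001-0203-0406", "static")
    # Constructed entry standing in for one learned by DHCPv6 snooping (Client A).
    table.add("Ethernet1/0/2", "2001::a", "0001-0203-0411", "dhcpv6-snooping")
    return table

if __name__ == "__main__":
    t = build_switch_b_table()
    for port, ip, mac in [
        ("Ethernet1/0/4", "2001:0:0:0:0:0:0:1", "00-01-02-03-04-06"),  # Client B
        ("Ethernet1/0/4", "2001::1", "0001-0203-0407"),   # right IP, wrong MAC
        ("Ethernet1/0/2", "2001::1", "0001-0203-0406"),   # Client B pair, wrong port
        ("Ethernet1/0/2", "2001::a", "0001-0203-0411"),   # Client A, snooped
        ("Ethernet1/0/3", "2001::bad", "0001-0203-0499"), # no binding at all
    ]:
        print(port, ip, mac, "permit" if t.permit(port, ip, mac) else "drop")
```

Addresses and MACs are normalised before comparison, so the same host written in a different notation still matches its binding, while a valid IP/MAC pair presented on the wrong port does not.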
Figure 1-11 Network diagram for IPv6 filtering configuration
[Network diagram not reproduced. Labels: Switch A (Gateway), DHCPv6 server, IPv6 network, SwitchB (DHCPv6 snooping), Client A, Client B (IPv6: 2001::1/64, MAC: 00-01-02-03-04-06), Client C; ports Eth1/0/1 to Eth1/0/4.]
Configuration procedure
- Configure Switch B
# Enable DHCPv6 snooping on the switch.
<SwitchB> system-view
[SwitchB] dhcp-snooping ipv6 enable
# Specify Ethernet 1/0/1 as the trusted port.
[SwitchB] interface Ethernet1/0/1
[SwitchB-Ethernet1/0/1] dhcp-snooping ipv6 trust
[SwitchB-Ethernet1/0/1] quit