H3C Fixed Port Campus Switches Configuration Examples-B70D022-6W100
42-IP Source Guard Configuration Examples
Introduction
This document provides IP source guard (IPSG) configuration examples.
IPSG prevents source address spoofing by using IPSG bindings to filter incoming IP packets on the interfaces where it is enabled. A binding associates an IP address with a MAC address and, optionally, with an interface and a VLAN. Bindings are either static (configured manually, on a single interface or globally for all IPSG-enabled interfaces) or dynamic (generated from the entries of DHCP-related modules such as DHCP snooping and the DHCP relay agent). An IPSG-enabled interface forwards only the IP packets that match a binding and drops all other IP packets.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of IPSG.
Example: Configuring static IPv4SG
Network configuration
As shown in Figure 1, Host A, Host B, and the file server use static IPv4 addresses.
Enable static IPv4SG and configure static IPSG bindings on Device A and Device B to meet the following requirements:
· The interface GigabitEthernet 1/0/1 of Device A allows IP packets from Host A to pass.
· All interfaces of Device A allow IP packets from Host B to pass.
· The interface GigabitEthernet 1/0/1 of Device B allows only IP packets from Host A and Host B to pass.
· The interface GigabitEthernet 1/0/2 of Device B allows only IP packets from the file server to pass.
Analysis
To meet the network requirements, you must perform the following tasks:
· To allow IP packets from Host A to pass through GigabitEthernet 1/0/1 on Device A, configure a static IPSG binding for Host A on the interface.
· To allow IP packets from Host B to pass through all interfaces on Device A, configure a global static IPSG binding for Host B.
· To allow IP packets from both hosts to pass through GigabitEthernet 1/0/1 on Device B, configure static IPSG bindings for the hosts on the interface.
· To allow only IP packets from the file server to pass through GigabitEthernet 1/0/2 on Device B, configure a static IPSG binding for the file server on the interface.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
Hardware | Software version
---|---
S6520XE-HI switch series | Supported in Release 11xx
S5560X-EI switch series | Supported in Release 111x
S5500V2-EI switch series | Supported in Release 111x
MS4520V2-30F switch | Supported in Release 111x
S5560S-EI switch series, S5560S-SI switch series | Supported in Release 612x
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Supported in Release 612x
S5120V2-SI switch series, S5120V2-LI switch series | Supported in Release 612x
S3100V3-EI switch series, S3100V3-SI switch series | Supported in Release 612x
S5110V2 switch series | Supported in Release 612x
S5110V2-SI switch series | Supported in Release 612x
S5000V3-EI switch series | Supported in Release 612x
S5000E-X switch series | Supported in Release 612x
WAS6000 switch series | Supported in Release 612x
E128C switch, E152C switch, E500C switch series, E500D switch series | Supported in Release 612x
MS4520V2 switch series (except the MS4520V2-30F switch) | Supported in Release 612x
MS4320V2 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Supported in Release 612x
WS5850-WiNet switch series | Supported in Release 612x
WS5820-WiNet switch series, WS5810-WiNet switch series | Supported in Release 612x
Procedures
# Create VLAN 10, and assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10 (GigabitEthernet 1/0/3 is the third VLAN 10 port shown in the configuration file for Device A).
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[DeviceA-vlan10] quit
# Create VLAN-interface 10, and assign an IP address to VLAN-interface 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 192.168.0.10 255.255.255.0
[DeviceA-Vlan-interface10] quit
# Enable IPv4SG on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Configure a static IPSG binding for Host A on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401
[DeviceA-GigabitEthernet1/0/1] quit
# Configure a static IPSG binding for Host B.
[DeviceA] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0402
# Create VLAN 10, and assign GigabitEthernet 1/0/1 to VLAN 10.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] port gigabitethernet 1/0/1
[DeviceB-vlan10] quit
# Create VLAN-interface 10, and assign an IP address to VLAN-interface 10.
[DeviceB] interface vlan-interface 10
[DeviceB-Vlan-interface10] ip address 192.168.0.100 255.255.255.0
[DeviceB-Vlan-interface10] quit
# Create VLAN 20, and assign GigabitEthernet 1/0/2 to VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] port gigabitethernet 1/0/2
[DeviceB-vlan20] quit
# Create VLAN-interface 20, and assign an IP address to VLAN-interface 20.
[DeviceB] interface vlan-interface 20
[DeviceB-Vlan-interface20] ip address 192.168.2.100 255.255.255.0
[DeviceB-Vlan-interface20] quit
# Enable IPv4SG on GigabitEthernet 1/0/1.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Configure static IPSG bindings for Host A and Host B on GigabitEthernet 1/0/1.
[DeviceB-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401
[DeviceB-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0402
[DeviceB-GigabitEthernet1/0/1] quit
# Enable IPSG on GigabitEthernet 1/0/2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
# Configure a static IPSG binding for the file server on GigabitEthernet 1/0/2.
[DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 192.168.2.3 mac-address 0001-0203-0403
[DeviceB-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify that Host A can ping Device A and Device B when its packets enter each device through GigabitEthernet 1/0/1. The devices are reachable at 192.168.0.10 and 192.168.0.100 on VLAN-interface 10; the GigabitEthernet ports themselves are Layer 2 ports and have no IP addresses. (Details not shown.)
# Verify that Host B can ping Device A through any interface of Device A, and can ping Device B when its packets enter Device B through GigabitEthernet 1/0/1. (Details not shown.)
# Verify that the file server can ping the IP address of VLAN-interface 20 of Device B (192.168.2.100). (Details not shown.)
# Verify that Device A has static IPSG bindings for Host A and Host B.
[DeviceA] display ip source binding static
Total entries found: 2
IP Address       MAC Address     Interface  VLAN  Type
192.168.0.2      0001-0203-0402  N/A        N/A   Static
192.168.0.1      0001-0203-0401  GE1/0/1    N/A   Static
# Verify that Device B has static IPSG bindings for Host A, Host B, and the file server.
[DeviceB] display ip source binding static
Total entries found: 3
IP Address       MAC Address     Interface  VLAN  Type
192.168.0.1      0001-0203-0401  GE1/0/1    N/A   Static
192.168.0.2      0001-0203-0402  GE1/0/1    N/A   Static
192.168.2.3      0001-0203-0403  GE1/0/2    N/A   Static
# Verify that Host B can ping Device A when Host B is connected to Device A through GigabitEthernet 1/0/1. (Details not shown.)
# Verify that Host B cannot ping Device A when Host B is assigned an IP address different from 192.168.0.2. (Details not shown.)
# Verify that Host A cannot ping Device A when either of the following conditions exists (details not shown):
· Host A is connected to Device A through GigabitEthernet 1/0/2, which has IPSG enabled but no binding for Host A. (In the configuration files of this example, GigabitEthernet 1/0/3 has no IPSG enabled and therefore does not filter packets.)
· Host A is assigned an IP address different from 192.168.0.1.
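The forwarding decisions described in the verification steps above can be checked against a small model. The following Python script is an added example and is not H3C code or output: it parses the two "display ip source binding static" outputs shown above and applies the matching rules from the text (a binding tied to an interface applies only on that interface, a binding with Interface N/A applies on every IPSG-enabled interface, and an IPSG-enabled interface drops any packet without a matching binding). The set of IPSG-enabled interfaces is taken from the configuration files of this example; the packets it evaluates are constructed inputs.

```python
"""IPv4 source guard (IPSG) packet filtering, modelled in Python.

Added illustration, not H3C code. Parses the 'display ip source binding'
output shown in the static IPv4SG example and applies the matching rules
described there:
  - a binding with Interface N/A is global and matches on every
    IPSG-enabled interface;
  - a binding tied to an interface matches only on that interface;
  - an IPSG-enabled interface drops any IP packet without a matching
    binding; an interface without 'ip verify source' is not filtered.
The display layout is the one shown on the page; the packets checked in
verification_results() are constructed test inputs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: Optional[str]  # None for a global (Interface N/A) binding


# 'display ip source binding static' on Device A and Device B (from the page).
DEVICE_A_DISPLAY = """\
Total entries found: 2
IP Address       MAC Address     Interface  VLAN  Type
192.168.0.2      0001-0203-0402  N/A        N/A   Static
192.168.0.1      0001-0203-0401  GE1/0/1    N/A   Static
"""
DEVICE_B_DISPLAY = """\
Total entries found: 3
IP Address       MAC Address     Interface  VLAN  Type
192.168.0.1      0001-0203-0401  GE1/0/1    N/A   Static
192.168.0.2      0001-0203-0402  GE1/0/1    N/A   Static
192.168.2.3      0001-0203-0403  GE1/0/2    N/A   Static
"""

# Interfaces carrying 'ip verify source ip-address mac-address' in the
# configuration files of the example (GE1/0/3 on Device A has no IPSG).
DEVICE_A_IPSG_PORTS = {"GE1/0/1", "GE1/0/2"}
DEVICE_B_IPSG_PORTS = {"GE1/0/1", "GE1/0/2"}

_ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"             # IP address
    r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"  # H3C-style MAC address
    r"(\S+)\s+(\S+)\s+(.+)$",                    # Interface, VLAN, Type
    re.IGNORECASE,
)


def parse_display(text: str) -> List[Binding]:
    """Turn display output into Binding objects; header lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            ip, mac, intf, _vlan, _typ = m.groups()
            bindings.append(Binding(ip, mac.lower(), None if intf == "N/A" else intf))
    return bindings


def ipsg_allows(bindings: List[Binding], ipsg_ports: Set[str],
                port: str, src_ip: str, src_mac: str) -> bool:
    """Forwarding decision for one IP packet received on `port`."""
    if port not in ipsg_ports:
        return True  # no IPSG on this interface: nothing is filtered
    return any(
        b.ip == src_ip and b.mac == src_mac.lower() and b.interface in (None, port)
        for b in bindings
    )


def verification_results() -> Dict[str, bool]:
    """Re-run the checks from 'Verifying the configuration' against the model."""
    a = parse_display(DEVICE_A_DISPLAY)
    b = parse_display(DEVICE_B_DISPLAY)
    host_a = ("192.168.0.1", "0001-0203-0401")
    host_b = ("192.168.0.2", "0001-0203-0402")
    server = ("192.168.2.3", "0001-0203-0403")
    return {
        "A: Host A on GE1/0/1": ipsg_allows(a, DEVICE_A_IPSG_PORTS, "GE1/0/1", *host_a),
        "A: Host A moved to GE1/0/2": ipsg_allows(a, DEVICE_A_IPSG_PORTS, "GE1/0/2", *host_a),
        "A: Host A with another IP": ipsg_allows(a, DEVICE_A_IPSG_PORTS, "GE1/0/1", "192.168.0.11", host_a[1]),
        "A: Host B on GE1/0/2 (global binding)": ipsg_allows(a, DEVICE_A_IPSG_PORTS, "GE1/0/2", *host_b),
        "A: Host B IP with spoofed MAC": ipsg_allows(a, DEVICE_A_IPSG_PORTS, "GE1/0/1", host_b[0], "0001-0203-0499"),
        "B: Host B on GE1/0/1": ipsg_allows(b, DEVICE_B_IPSG_PORTS, "GE1/0/1", *host_b),
        "B: file server on GE1/0/2": ipsg_allows(b, DEVICE_B_IPSG_PORTS, "GE1/0/2", *server),
        "B: file server address on GE1/0/1": ipsg_allows(b, DEVICE_B_IPSG_PORTS, "GE1/0/1", *server),
    }


if __name__ == "__main__":
    for check, passed in verification_results().items():
        print(f"{'FORWARD' if passed else 'DROP   '}  {check}")
```

Running the script lists FORWARD for the three legitimate cases and DROP for the moved host, the changed IP address, the spoofed MAC address and the file server address appearing on the wrong port, which is exactly the behaviour the verification steps call for.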
Configuration files
IMPORTANT: The port link-mode bridge command is available only on the following switches: S6520XE-HI switch series, S5560X-EI switch series, S5500V2-EI switch series, and the MS4520V2-30F switch.
· Device A:
#
ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0402
#
vlan 10
#
interface Vlan-interface10
ip address 192.168.0.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
ip verify source ip-address mac-address
ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 10
ip verify source ip-address mac-address
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 10
#
· Device B:
#
vlan 10
#
vlan 20
#
interface Vlan-interface10
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.2.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
ip verify source ip-address mac-address
ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401
ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0402
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 20
ip verify source ip-address mac-address
ip source binding ip-address 192.168.2.3 mac-address 0001-0203-0403
#
Example: Configuring dynamic IPv4SG based on DHCP snooping
Network configuration
As shown in Figure 2, the DHCP clients obtain IP addresses from the DHCP server.
· Enable DHCP snooping on the device to make sure the DHCP clients obtain IP addresses from the authorized DHCP server.
· Enable dynamic IPv4SG on GigabitEthernet 1/0/1 to filter incoming packets by using the IPSG bindings that are generated based on DHCP snooping entries. Only packets from the DHCP clients are allowed to pass.
Analysis
To meet the network requirements, you must perform the following tasks:
· To enable the DHCP clients to obtain IP addresses from the DHCP server, configure GigabitEthernet 1/0/2 as the DHCP trusted port. By default, all ports are untrusted ports after DHCP snooping is enabled.
· To generate DHCP snooping entries for the DHCP clients, enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1. By default, recording of DHCP snooping entries is disabled.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
Hardware | Software version
---|---
S6520XE-HI switch series | Supported in Release 11xx
S5560X-EI switch series | Supported in Release 111x
S5500V2-EI switch series | Supported in Release 111x
MS4520V2-30F switch | Supported in Release 111x
S5560S-EI switch series, S5560S-SI switch series | Supported in Release 612x
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Supported in Release 612x
S5120V2-SI switch series, S5120V2-LI switch series | Supported in Release 612x
S3100V3-EI switch series, S3100V3-SI switch series | Supported in Release 612x
S5110V2 switch series | Supported in Release 612x
S5110V2-SI switch series | Supported in Release 612x
S5000V3-EI switch series | Supported in Release 612x
S5000E-X switch series | Supported in Release 612x
WAS6000 switch series | Supported in Release 612x
E128C switch, E152C switch, E500C switch series, E500D switch series | Supported in Release 612x
MS4520V2 switch series (except the MS4520V2-30F switch) | Supported in Release 612x
MS4320V2 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Supported in Release 612x
WS5850-WiNet switch series | Supported in Release 612x
WS5820-WiNet switch series, WS5810-WiNet switch series | Supported in Release 612x
Procedures
This example uses an S5560S-EI switch as the DHCP server.
1. Configure the DHCP server:
# Create VLAN-interface 1, and assign an IP address to VLAN-interface 1.
<DHCPserver> system-view
[DHCPserver] interface vlan-interface 1
[DHCPserver-Vlan-interface1] ip address 192.168.0.2 24
# Enable the DHCP server on VLAN-interface 1.
[DHCPserver-Vlan-interface1] dhcp select server
[DHCPserver-Vlan-interface1] quit
# Enable DHCP.
[DHCPserver] dhcp enable
# Create DHCP address pool 1.
[DHCPserver] dhcp server ip-pool 1
# Specify the assignable subnet as 192.168.0.0/24 and the address lease duration as 7 days.
[DHCPserver-dhcp-pool-1] network 192.168.0.0 24
[DHCPserver-dhcp-pool-1] expired day 7
[DHCPserver-dhcp-pool-1] quit
2. Configure the device:
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp snooping enable
# Configure GigabitEthernet 1/0/2 as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
# Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv4SG.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.
[Device-GigabitEthernet1/0/1] dhcp snooping binding record
[Device-GigabitEthernet1/0/1] quit
3. Configure the DHCP clients to use DHCP for IP address acquisition. (Details not shown.)
Verifying the configuration
# Verify that the device has generated dynamic IPSG bindings for the clients based on DHCP snooping entries.
[Device] display ip source binding dhcp-snooping
Total entries found: 4
IP Address       MAC Address     Interface  VLAN  Type
192.168.0.1      0001-0203-0401  GE1/0/1    1     DHCP snooping
192.168.0.3      0001-0203-0403  GE1/0/1    1     DHCP snooping
192.168.0.4      0001-0203-0404  GE1/0/1    1     DHCP snooping
192.168.0.5      0001-0203-0405  GE1/0/1    1     DHCP snooping
# Verify that the DHCP server can be pinged from the clients. (Details not shown.)
# Verify that the DHCP server cannot be pinged from the clients when the clients are assigned IP addresses manually. (Details not shown.)
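The two settings this example depends on, the trusted port and binding recording, can be illustrated with a model of how DHCP snooping builds the entries that IPSG consumes. The following Python script is an added example and is not H3C code: it treats GigabitEthernet 1/0/2 as the trusted port and GigabitEthernet 1/0/1 as the only port with "dhcp snooping binding record", as in the procedure above, and feeds it a constructed DHCP exchange that includes a rogue DHCP server on an untrusted port and a client on a port without recording enabled. The message sequence and addresses are constructed, not captured traffic.

```python
"""DHCP snooping entry recording, the source of dynamic IPv4SG bindings.

Added illustration, not H3C code. It models the behaviours the dynamic
IPv4SG example relies on:
  - DHCP server messages (OFFER, ACK, NAK) are accepted only on a port
    configured with 'dhcp snooping trust'; on an untrusted port (the default
    once snooping is enabled) they are dropped, which also blocks a rogue
    DHCP server attached to a client port;
  - a snooping entry (IP, MAC, interface, VLAN) is recorded from the DHCPACK
    only for a client on a port with 'dhcp snooping binding record', and a
    DHCPRELEASE from that client removes the entry again.
Port names follow the example (GE1/0/1 client side, GE1/0/2 toward the
server); the DHCP exchange in run_scenario() is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str      # DISCOVER/REQUEST/RELEASE from clients; OFFER/ACK/NAK from servers
    ingress_port: str  # switch port the frame arrived on
    vlan: int
    client_mac: str    # chaddr
    addr: str = ""     # yiaddr in OFFER/ACK, ciaddr in RELEASE


class DhcpSnooping:
    def __init__(self, trusted: Set[str], record_ports: Set[str]):
        self.trusted = trusted
        self.record_ports = record_ports
        self.client_loc: Dict[str, Tuple[str, int]] = {}     # chaddr -> (port, vlan)
        self.entries: Dict[str, Tuple[str, str, int]] = {}   # ip -> (mac, port, vlan)
        self.dropped: List[DhcpMsg] = []

    def process(self, msg: DhcpMsg) -> bool:
        """Handle one DHCP message; return True if forwarded, False if dropped."""
        if msg.msg_type in SERVER_MSGS:
            if msg.ingress_port not in self.trusted:
                self.dropped.append(msg)  # server reply on an untrusted port
                return False
            if msg.msg_type == "ACK":
                loc = self.client_loc.get(msg.client_mac)
                if loc is not None and loc[0] in self.record_ports:
                    self.entries[msg.addr] = (msg.client_mac, loc[0], loc[1])
            return True
        # Client message: remember which port and VLAN the client is behind.
        self.client_loc[msg.client_mac] = (msg.ingress_port, msg.vlan)
        if msg.msg_type == "RELEASE":
            self.entries.pop(msg.addr, None)
        return True

    def display(self) -> str:
        """Render entries in the layout of 'display ip source binding dhcp-snooping'."""
        lines = [f"Total entries found: {len(self.entries)}",
                 "IP Address       MAC Address     Interface  VLAN  Type"]
        for ip, (mac, port, vlan) in sorted(self.entries.items()):
            lines.append(f"{ip:<16} {mac:<15} {port:<10} {vlan:<5} DHCP snooping")
        return "\n".join(lines)


def run_scenario() -> DhcpSnooping:
    """Trusted uplink GE1/0/2; recording enabled on GE1/0/1 only (as in the example)."""
    snoop = DhcpSnooping(trusted={"GE1/0/2"}, record_ports={"GE1/0/1"})
    h1, h3 = "0001-0203-0401", "0001-0203-0403"
    for m in [
        DhcpMsg("DISCOVER", "GE1/0/1", 1, h1),
        DhcpMsg("OFFER", "GE1/0/3", 1, h1, "192.168.0.200"),  # rogue server, untrusted port
        DhcpMsg("OFFER", "GE1/0/2", 1, h1, "192.168.0.1"),    # real server via trusted port
        DhcpMsg("REQUEST", "GE1/0/1", 1, h1),
        DhcpMsg("ACK", "GE1/0/2", 1, h1, "192.168.0.1"),      # entry recorded
        DhcpMsg("DISCOVER", "GE1/0/4", 1, h3),                # port without 'binding record'
        DhcpMsg("ACK", "GE1/0/2", 1, h3, "192.168.0.3"),      # forwarded, but no entry
    ]:
        snoop.process(m)
    return snoop


if __name__ == "__main__":
    s = run_scenario()
    print(s.display())
    print(f"dropped server messages: {len(s.dropped)}")
```

The second client still obtains an address, but because its port lacks "dhcp snooping binding record" no entry is created for it; if IPSG were enabled on that port its traffic would be dropped, which is why the procedure enables recording on every IPSG-protected client port.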
Configuration files
IMPORTANT: The port link-mode bridge command is available only on the following switches: S6520XE-HI switch series, S5560X-EI switch series, S5500V2-EI switch series, and the MS4520V2-30F switch.
#
vlan 1
#
dhcp snooping enable
#
interface GigabitEthernet1/0/1
port link-mode bridge
ip verify source ip-address mac-address
dhcp snooping binding record
#
interface GigabitEthernet1/0/2
port link-mode bridge
dhcp snooping trust
#
Example: Configuring dynamic IPv4SG based on DHCP relay agent
Network configuration
As shown in Figure 3, DHCP relay is enabled on the device. The DHCP clients obtain IP addresses from the DHCP server through the DHCP relay agent.
Enable dynamic IPv4SG on VLAN-interface 10 to filter incoming packets by using the dynamic IPSG bindings generated based on the DHCP relay entries.
Analysis
To generate DHCP relay entries for the DHCP clients, enable recording of relay entries on the relay agent. By default, the DHCP relay agent does not record client information in relay entries.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
Hardware | Software version
---|---
S6520XE-HI switch series | Supported in Release 11xx
S5560X-EI switch series | Supported in Release 111x
S5500V2-EI switch series | Supported in Release 111x
MS4520V2-30F switch | Supported in Release 111x
S5560S-EI switch series, S5560S-SI switch series | Supported in Release 612x
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Supported in Release 612x
S5120V2-SI switch series, S5120V2-LI switch series | Supported in Release 612x
S3100V3-EI switch series, S3100V3-SI switch series | Supported in Release 612x
S5110V2 switch series | Supported in Release 612x
S5110V2-SI switch series | Not supported.
S5000V3-EI switch series | Not supported.
S5000E-X switch series | Not supported.
WAS6000 switch series | Not supported.
E128C switch, E152C switch, E500C switch series, E500D switch series | Supported in Release 612x
MS4520V2 switch series (except the MS4520V2-30F switch) | Supported in Release 612x
MS4320V2 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Supported in Release 612x
WS5850-WiNet switch series | Supported in Release 612x
WS5820-WiNet switch series, WS5810-WiNet switch series | Supported in Release 612x
Procedures
This example uses an S5560S-EI switch as the DHCP server.
1. Configure the DHCP server:
# Create VLAN-interface 20, and assign an IP address to VLAN-interface 20.
<DHCPserver> system-view
[DHCPserver] interface vlan-interface 20
[DHCPserver-Vlan-interface20] ip address 10.10.0.2 24
# Enable the DHCP server on VLAN-interface 20.
[DHCPserver-Vlan-interface20] dhcp select server
[DHCPserver-Vlan-interface20] quit
# Enable DHCP.
[DHCPserver] dhcp enable
# Create DHCP address pool 1.
[DHCPserver] dhcp server ip-pool 1
# Specify the assignable subnet as 192.168.0.0/24 and the address lease duration as 7 days.
[DHCPserver-dhcp-pool-1] network 192.168.0.0 24
[DHCPserver-dhcp-pool-1] expired day 7
[DHCPserver-dhcp-pool-1] quit
# On the DHCP server, configure a static route to the client subnet 192.168.0.0/24 (where VLAN-interface 10 of the DHCP relay agent resides) through the relay agent at 10.10.0.1.
[DHCPserver] ip route-static 192.168.0.0 24 10.10.0.1
2. Configure the device:
# Create VLAN 10, and assign GigabitEthernet 1/0/1 to VLAN 10.
<Device> system-view
[Device] vlan 10
[Device-vlan10] port gigabitethernet 1/0/1
[Device-vlan10] quit
# Assign an IP address to VLAN-interface 10.
[Device] interface vlan-interface 10
[Device-Vlan-interface10] ip address 192.168.0.1 255.255.255.0
[Device-Vlan-interface10] quit
# Create VLAN 20, and assign GigabitEthernet 1/0/2 to VLAN 20.
[Device] vlan 20
[Device-vlan20] port gigabitethernet 1/0/2
[Device-vlan20] quit
# Assign an IP address to VLAN-interface 20.
[Device] interface vlan-interface 20
[Device-Vlan-interface20] ip address 10.10.0.1 255.255.255.0
[Device-Vlan-interface20] quit
# Enable DHCP.
[Device] dhcp enable
# Enable recording of relay entries on the relay agent.
[Device] dhcp relay client-information record
# Enable the DHCP relay agent on VLAN-interface 10.
[Device] interface vlan-interface 10
[Device-Vlan-interface10] dhcp select relay
# Specify the IP address of the DHCP server on the relay agent.
[Device-Vlan-interface10] dhcp relay server-address 10.10.0.2
[Device-Vlan-interface10] quit
# Enable IPv4SG on VLAN-interface 10 and verify the source IP address and MAC address for dynamic IPSG.
[Device] interface vlan-interface 10
[Device-Vlan-interface10] ip verify source ip-address mac-address
[Device-Vlan-interface10] quit
3. Configure the DHCP clients to use DHCP for IP address acquisition. (Details not shown.)
Verifying the configuration
# Verify that the device has generated dynamic IPSG bindings for the clients based on DHCP relay entries.
<Device> display ip source binding dhcp-relay
Total entries found: 4
IP Address       MAC Address     Interface  VLAN  Type
192.168.0.2      0001-0203-0402  Vlan10     10    DHCP relay
192.168.0.3      0001-0203-0403  Vlan10     10    DHCP relay
192.168.0.4      0001-0203-0404  Vlan10     10    DHCP relay
192.168.0.5      0001-0203-0405  Vlan10     10    DHCP relay
# Verify that the DHCP server can be pinged from the clients. (Details not shown.)
# Verify that the DHCP server cannot be pinged from the clients when the clients are assigned IP addresses manually. (Details not shown.)
Configuration files
IMPORTANT: The port link-mode bridge command is available only on the following switches: S6520XE-HI switch series, S5560X-EI switch series, S5500V2-EI switch series, and the MS4520V2-30F switch.
#
dhcp enable
dhcp relay client-information record
#
vlan 10
#
vlan 20
#
interface Vlan-interface10
ip address 192.168.0.1 255.255.255.0
dhcp select relay
dhcp relay server-address 10.10.0.2
ip verify source ip-address mac-address
#
interface Vlan-interface20
ip address 10.10.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 20
#
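Because an IPSG-enabled interface drops every packet that matches no binding, a configuration that enables "ip verify source" without any source of bindings, or that enables DHCP snooping without a trusted port, silently cuts clients off. The following Python script is an added check, not an H3C tool: it parses the "#"-separated sections of a Comware-style configuration file like the ones shown for the static, DHCP snooping and DHCP relay examples above, and reports those two conditions. It knows only the binding sources this document covers (static bindings, DHCP snooping recording and DHCP relay recording). The Device A configuration is taken from the static IPv4SG example; the second configuration is constructed to trigger both findings.

```python
"""Configuration sanity checks for IPv4 source guard (IPSG).

Added check, not an H3C tool. Reads a Comware-style configuration file
(sections separated by '#' lines) and reports:
  1. an interface with 'ip verify source ...' but no source of bindings:
     no static binding on the interface, no global static binding, no
     'dhcp snooping binding record' on the port, and no DHCP relay recording
     ('dhcp relay client-information record' plus 'dhcp select relay' on the
     VLAN-interface). Such an interface drops all IP traffic.
  2. 'dhcp snooping enable' with no 'dhcp snooping trust' port: all ports
     are untrusted by default, so no DHCP server reply reaches the clients.
Only the binding sources covered by this document are recognised.
DEVICE_A_CFG is the page's Device A configuration; BROKEN_CFG is constructed.
"""
from typing import Dict, List, Tuple


def parse_sections(cfg: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the config into global lines and {interface name: its lines}."""
    sections, cur = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                sections.append(cur)
                cur = []
        elif line:
            cur.append(line)
    if cur:
        sections.append(cur)
    global_lines, interfaces = [], {}
    for sec in sections:
        if sec[0].startswith("interface "):
            interfaces[sec[0].split(None, 1)[1]] = sec[1:]
        else:
            global_lines.extend(sec)
    return global_lines, interfaces


def ipsg_findings(cfg: str) -> List[str]:
    """Return one message per problem found; an empty list means no findings."""
    g, ifs = parse_sections(cfg)
    findings = []
    global_static = any(l.startswith("ip source binding") for l in g)
    relay_record = "dhcp relay client-information record" in g
    for name, lines in ifs.items():
        if not any(l.startswith("ip verify source") for l in lines):
            continue
        has_source = (global_static
                      or any(l.startswith("ip source binding") for l in lines)
                      or "dhcp snooping binding record" in lines
                      or (relay_record and "dhcp select relay" in lines))
        if not has_source:
            findings.append(f"{name}: IPSG enabled but no binding source; all IP packets will be dropped")
    trusted = any(l == "dhcp snooping trust" for ls in ifs.values() for l in ls)
    if "dhcp snooping enable" in g and not trusted:
        findings.append("dhcp snooping enable without a 'dhcp snooping trust' port; DHCP replies will be dropped")
    return findings


# Device A configuration from the static IPv4SG example on this page.
DEVICE_A_CFG = """
#
 ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0402
#
vlan 10
#
interface Vlan-interface10
 ip address 192.168.0.10 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 10
 ip verify source ip-address mac-address
 ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0401
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 10
 ip verify source ip-address mac-address
#
"""

# Constructed misconfiguration: IPSG with nothing to populate it, and DHCP
# snooping enabled with every port left untrusted.
BROKEN_CFG = """
#
dhcp snooping enable
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 ip verify source ip-address mac-address
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
"""

if __name__ == "__main__":
    for label, cfg in (("Device A", DEVICE_A_CFG), ("broken", BROKEN_CFG)):
        print(label, ipsg_findings(cfg) or ["no findings"])
```

GigabitEthernet 1/0/2 on Device A has no binding of its own but passes the check because the global binding for Host B applies to every IPSG-enabled interface, which is the point of configuring Host B's binding in system view rather than on a port.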
Example: Configuring static IPv6SG and dynamic IPv6SG
Network configuration
As shown in Figure 4, the file server uses static IPv6 address 2001::1. Host A and Host B obtain IP addresses from the DHCPv6 server.
Configure IPv6SG on the device to meet the following requirements:
· The interface GigabitEthernet 1/0/1 allows only packets from the file server to pass.
· The interface GigabitEthernet 1/0/2 allows only packets from Host A to pass.
· The interface GigabitEthernet 1/0/3 allows only packets from Host B to pass.
Analysis
To meet the network requirements, you must perform the following tasks:
· To enable Host A and Host B to obtain IPv6 addresses from the DHCPv6 server, configure GigabitEthernet 1/0/4 as the DHCPv6 snooping trusted port. By default, all ports are untrusted ports after DHCPv6 snooping is enabled.
· To allow only incoming packets from the file server on GigabitEthernet 1/0/1, enable IPv6SG on the interface and configure a static IPv6SG binding for the file server on it.
· To allow only packets from Host A to pass through GigabitEthernet 1/0/2 and only packets from Host B to pass through GigabitEthernet 1/0/3, perform the following tasks:
  - Enable IPv6SG on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
  - To generate DHCPv6 snooping entries for Host A and Host B, enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. By default, recording of DHCPv6 snooping entries is disabled.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
Hardware | Software version
---|---
S6520XE-HI switch series | Supported in Release 11xx
S5560X-EI switch series | Supported in Release 111x
S5500V2-EI switch series | Supported in Release 111x
MS4520V2-30F switch | Supported in Release 111x
S5560S-EI switch series, S5560S-SI switch series | Supported in Release 612x
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Supported in Release 612x
S5120V2-SI switch series, S5120V2-LI switch series | Supported in Release 612x
S3100V3-EI switch series, S3100V3-SI switch series | Supported in Release 612x
S5110V2 switch series | Supported in Release 612x
S5110V2-SI switch series | Supported in Release 612x
S5000V3-EI switch series | Supported in Release 612x
S5000E-X switch series | Supported in Release 612x
WAS6000 switch series | Supported in Release 612x
E128C switch, E152C switch, E500C switch series, E500D switch series | Supported in Release 612x
MS4520V2 switch series (except the MS4520V2-30F switch) | Supported in Release 612x
MS4320V2 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Supported in Release 612x
WS5850-WiNet switch series | Supported in Release 612x
WS5820-WiNet switch series, WS5810-WiNet switch series | Supported in Release 612x
Procedures
# Configure the DHCPv6 server and the DHCPv6 clients (Host A and Host B). (Details not shown.)
# Enable IPv6SG on GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
# Configure a static IPSG binding for the file server on GigabitEthernet 1/0/1.
[Device-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0203-0405
[Device-GigabitEthernet1/0/1] quit
# Enable DHCPv6 snooping.
[Device] ipv6 dhcp snooping enable
# Configure GigabitEthernet 1/0/4 as a trusted port.
[Device] interface gigabitethernet 1/0/4
[Device-GigabitEthernet1/0/4] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/4] quit
# Enable IPv6SG on GigabitEthernet 1/0/2 and verify the source IPv6 address and MAC address for dynamic IPv6SG.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 verify source ip-address mac-address
# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/2.
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping binding record
[Device-GigabitEthernet1/0/2] quit
# Enable IPv6SG on GigabitEthernet 1/0/3 and verify the source IPv6 address and MAC address for dynamic IPv6SG.
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] ipv6 verify source ip-address mac-address
# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/3.
[Device-GigabitEthernet1/0/3] ipv6 dhcp snooping binding record
[Device-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify that the file server can ping the DHCPv6 server. (Details not shown.)
# Verify that the device has a static IPSG binding for the file server.
[Device] display ipv6 source binding static
Total entries found: 1
IPv6 Address     MAC Address     Interface  VLAN  Type
2001::1          0001-0203-0405  GE1/0/1    N/A   Static
# Verify that the device has generated dynamic IPv6SG bindings for Host A and Host B based on DHCPv6 snooping entries.
[Device] display ipv6 source binding dhcpv6-snooping
Total entries found: 2
IPv6 Address     MAC Address     Interface  VLAN  Type
2001::2          0001-0203-0406  GE1/0/2    1     DHCPv6 snooping
2001::3          0001-0203-0407  GE1/0/3    1     DHCPv6 snooping
# Verify that Host A and Host B can ping the DHCPv6 server. (Details not shown.)
# Verify that Host A and Host B cannot ping the DHCPv6 server when they are assigned IPv6 addresses manually. (Details not shown.)
Configuration files
IMPORTANT: The port link-mode bridge command is available only on the following switches: S6520XE-HI switch series, S5560X-EI switch series, S5500V2-EI switch series, and the MS4520V2-30F switch.
#
ipv6 dhcp snooping enable
#
interface GigabitEthernet1/0/1
port link-mode bridge
ipv6 verify source ip-address mac-address
ipv6 source binding ip-address 2001::1 mac-address 0001-0203-0405
#
interface GigabitEthernet1/0/2
port link-mode bridge
ipv6 verify source ip-address mac-address
ipv6 dhcp snooping binding record
#
interface GigabitEthernet1/0/3
port link-mode bridge
ipv6 verify source ip-address mac-address
ipv6 dhcp snooping binding record
#
interface GigabitEthernet1/0/4
port link-mode bridge
ipv6 dhcp snooping trust
#