Configuring IPv6 IMPB

CHAPTERS

1. IPv6 IMPB

2. IPv6-MAC Binding Configuration

3. ND Detection Configuration

4. IPv6 Source Guard Configuration

5. Configuration Examples

6. Appendix: Default Parameters

This guide applies to:

T1500G-8T v2 or above, T1500G-10PS v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above, T1600G-18TS v2 or above, T1600G-28PS v3 or above, T1600G-28TS v3 or above, T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1700X-16TS v3 or above, T1700G-28TQ v3 or above, T2500G-10TS v2 or above, T2600G-18TS v2 or above, T2600G-28TS v3 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above, T2600G-52TS v3 or above.

1IPv6 IMPB

1.1Overview

IPv6 IMPB (IP-MAC-Port Binding) is used to bind the IPv6 address, MAC address, VLAN ID and the connected port number of the specified host. Basing on the binding table, the switch can prevent ND attacks with the ND Detection feature and filter the packets that don’t match the binding entries with the IPv6 Source Guard feature.

1.2Supported Features

IPv6-MAC Binding

This feature is used to add binding entries. The binding entries can be manually configured, or learned by ND Snooping or DHCPv6 snooping. The features ND Detection and IPv6 Source Guard are based on the IPv6-MAC Binding entries.

ND Detection

Because of the absence of security mechanism, IPv6 ND (Neighbor Discovery) protocol is easy to be exploited by attackers. ND detection feature uses the entries in the IPv6-MAC binding table to filter the forged ND packets and prevent the ND attacks.

The application topology of ND Detection is as the following figure shows. The port that is connected to the gateway should be configured as trusted port, and other ports should be configured as untrusted ports. The forwarding principles of ND packets are as follows:

All ND packets received on the trusted port will be forwarded without checked.

RS (Router Solicitation) and NS (Neighbor Solicitation) packets with their source IPv6 addresses unspecified, such as the RS packet for IPv6 address request and the NS packet for duplicate address detection, will not be checked on both kinds of ports.

RA (Router Advertisement) and RR (Router Redirect) packets received on the untrusted port will be discarded directly, and other ND packets will be checked: The switch will use the IPv6-MAC binding table to compare the IPv6 address, MAC address, VLAN ID and receiving port between the entry and the ND packet. If a match is found, the ND packet is considered legal and will be forwarded; if no match is found, the ND packet is considered illegal and will be discarded.

Figure 1-1 Network Topology of ND Detection

IPv6 Source Guard

IPv6 Source Guard is used to filter the IPv6 packets based on the IPv6-MAC Binding table. Only the packets that match the binding rules are forwarded.

2IPv6-MAC Binding Configuration

You can add IPv6-MAC Binding entries in three ways:

Manual Binding

Via ND Snooping

Via DHCPv6 Snooping

Additionally, you can view, search and edit the entries in the Binding Table.

2.1Using the GUI

2.1.1Binding Entries Manually

You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number together on the condition that you have got the detailed information of the hosts.

Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > Manual Binding and click to load the following page.

Figure 2-1 Manual Binding

Follow these steps to manually create an IPv6-MAC Binding entry:

1)Enter the following information to specify a host.

Host Name

Enter the host name for identification.

IPv6 Address

Enter the IPv6 address.

MAC Address

Enter the MAC address.

VLAN ID

Enter the VLAN ID.

2)Select protect type for the entry.

Protect Type

Select the protect type for the entry. The entry will be applied to to the specific feature. The following options are provided:

None: This entry will not be applied to any feature.

ND Detection: This entry will be applied to the ND Detection feature.

IPv6 Source Guard: This entry will be applied to the IPv6 Source Guard feature.

Both: This entry will be applied to both of the features.

3)Enter or select the port that is connected to this host.

4)Click Apply.

2.1.2Binding Entries via ND Snooping

With ND Snooping, the switch monitors the ND packets, and records the IPv6 addresses, MAC addresses, VLAN IDs and the connected port numbers of the IPv6 hosts. You can bind these entries conveniently.

Note:

Before using this feature, make sure that your network is safe and the hosts are not suffering from ND attacks at present; otherwise, you may obtain incorrect IPv6-MAC Binding entries. If your network is being attacked, it’s recommended to bind the entries manually.

Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > ND Snooping to load the following page.

Figure 2-2 ND Snooping

Follow these steps to configure IPv6-MAC Binding via ND Snooping:

1)In the ND Snooping section, enable ND Snooping and click Apply.

2)In the VLAN Config section, select one or more VLANs and enable ND Snooping. Click Apply.

VLAN ID

Displays the VLAN ID.

Status

Enable or disable ND Snooping on the VLAN.

3)In the Port Config section, configure the maximum number of entries a port can learn via ND snooping. Click Apply.

Port

Displays the port number.

Maximum Entries

Configure the maximum number of binding entries a port can learn via ND snooping.

LAG

Displays the LAG that the port is in.

4)The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB > IPv6-MAC Binding > Binding Table to view or edit the entries.

2.1.3Binding Entries via DHCPv6 Snooping

With DHCPv6 Snooping enabled, the switch can monitor the IP address obtaining process of the host, and record the IPv6 address, MAC address, VLAN ID and the connected port number of the host.

Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > DHCPv6 Snooping to load the following page.

Figure 2-3 DHCPv6 Snooping

Follow these steps to configure IPv6-MAC Binding via DHCPv6 Snooping:

1)In the Global Config section, globally enable DHCPv6 Snooping. Click Apply.

2)In the VLAN Config section, enable DHCPv6 Snooping on a VLAN or range of VLANs. Click Apply.

VLAN ID

Displays the VLAN ID.

Status

Enable or disable DHCPv6 Snooping on the VLAN.

3)In the Port Config section, configure the maximum number of binding entries a port can learn via DHCPv6 snooping. Click Apply.

Port

Displays the port number.

Maximum Entries

Configure the maximum number of binding entries a port can learn via DHCPv6 snooping.

LAG

Displays the LAG that the port is in.

4)The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB > IPv6-MAC Binding > Binding Table to view or edit the entries.

2.1.4Viewing the Binding Entries

In the Binding Table, you can view, search and edit the specified binding entries.

Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > Binding Table to load the following page.

Figure 2-4 Binding Table

You can specify the search criteria to search your desired entries.

Source

Select the source of the entry and click Search.

All: Displays the entries from all sources.

Manual Binding: Displays the manually bound entries.

ND Snooping: Displays the binding entries learned from ND Snooping.

DHCPv6 Snooping: Displays the binding entries learned from DHCP Snooping.

IP

Enter an IP address and click Search to search the specific entry.

Additionally, you select one or more entries to edit the host name and protect type and click Apply.

Host Name

Enter a host name for identification.

IP Address

Displays the IPv6 address.

MAC Address

Displays the MAC address.

VLAN ID

Displays the VLAN ID.

Port

Displays the port number.

Protect Type

Select the protect type for the entry. The entry will be applied to to the specific feature. The following options are provided:

None: This entry will not be applied to any feature.

ND Detection: This entry will be applied to the ND Detection feature.

IPv6 Source Guard: This entry will be applied to the IP Source Guard feature.

Both: This entry will be applied to both of the features.

Source

Displays the source of the entry.

2.2Using the CLI

The following sections introduce how to bind entries manually and via ND Snooping and DHCP Snooping, and how to view the binding entries.

2.2.1Binding Entries Manually

You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number together on the condition that you have got the detailed information of the hosts.

Follow these steps to manually bind entries:

Step 1

configure

Enter global configuration mode.

Step 2

ipv6 source binding hostname ipv6-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | nd-detection | ipv6-verify-source | both }

Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.

hostname: Specify a name for the host. It contains 20 characters at most.

ipv6-addr: Enter the IPv6 address of the host.

mac-addr: Enter the MAC address of the host, in the format of xx:xx:xx:xx:xx:xx.

vlan-id: Enter the VLAN ID of the host.

port: Enter the number of the port on which the host is connected.

none | nd-detection | ipv6-verify-source | both: Specify the protect type for the entry. None indicates this entry will not be applied to any feature; nd-detection indicates this entry will be applied to ND Detection; ipv6-verify-source indicates this entry will be applied to IP Source Guard; both indicates this entry will be applied to both ND Detection and IP Source Guard.

Step 3

show ip source binding

Verify the binding entry.

Step 4

end

Return to privileged EXEC mode.

Step 5

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to bind an entry with the hostname host1, IPv6 address 2001:0:9d38:90d5::34, MAC address AA-BB-CC-DD-EE-FF, VLAN ID 10, port number 1/0/5, and enable this entry for ND Detection.

Switch#configure

Switch(config)#ipv6 source binding host1 2001:0:9d38:90d5::34 aa:bb:cc:dd:ee:ff vlan 10 interface gigabitEthernet 1/0/5 nd-detection

Switch(config)#show ipv6 source binding

U Host IP-Addr MAC-Addr VID Port ACL Source

- ---- ------- -------- --- ---- --- ------

1 host1 2001:0:9d38:90d5::34 aa:bb:cc:dd:ee:ff 10 Gi1/0/5 ND-D Manual

Switch(config)#end

Switch#copy running-config startup-config

2.2.2Binding Entries via ND Snooping

Follow these steps to bind entries via ND Snooping:

Step 1

configure

Enter global configuration mode.

Step 2

ipv6 nd snooping

Globally enable ND Snooping.

Step 3

ipv6 nd snooping vlan vlan-range

Enable ND Snooping on the specified VLAN.

vlan-range: Enter the vlan range in the format of 1-3, 5.

Step 4

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list}

Enter interface configuration mode.

Step 5

ipv6 nd snooping max-entries value

Configure the maximum number of ND binding entries a port can learn via ND snooping.

value: Enter the maximum number of ND binding entries a port can learn via ND snooping. The valid values are from 0 to 1024, and the default is 1024.

Step 6

show ipv6 nd snooping

Verify the global configuration of IPv6 ND Snooping

Step 7

show ipv6 nd snooping interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }

Verify the IPv6 ND Snooping configuration of the specific port.

Step 8

end

Return to privileged EXEC mode.

Step 9

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable ND Snooping globally and on VLAN 1.

Switch#configure

Switch(config)#ipv6 nd snooping

Switch(config)#ipv6 nd snooping vlan 1

Switch(config)#show ipv6 nd snooping

Global Status: Enable

VLAN ID: 1

Switch(config)#end

Switch#copy running-config startup-config

The following example shows how to configure the maximum number of entries that can be learned on port 1/0/1:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#ipv6 nd snooping max-entries 1000

Switch(config-if)#show ipv6 nd snooping interface gigabitEthernet 1/0/1

Interface max-entries LAG

--------- ----------- -----

Gi1/0/1 1000 N/A

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.3Binding Entries via DHCPv6 Snooping

Follow these steps to bind entries via DHCP Snooping:

Step 1

configure

Enter global configuration mode.

Step 2

ipv6 dhcp snooping

Globally enable DHCPv6 Snooping.

Step 3

ipv6 dhcp snooping vlan vlan-range

Enable DHCPv6 Snooping on the specified VLAN.

vlan-range: Enter the vlan range in the format of 1-3, 5.

Step 4

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list }

Enter interface configuration mode.

Step 5

ipv6 dhcp snooping max-entries value

Configure the maximum number of binding entries the port can learn via DHCPv6 snooping.

value: Enter the value of maximum number of entries. The valid values are from 0 to 512.

Step 6

show ip dhcp snooping

Verify global configuration of DHCPv6 Snooping.

Step 7

end

Return to privileged EXEC mode.

Step 8

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable DHCPv6 Snooping globally and on VLAN 5, and set the maximum number of binding entries port 1/0/1 can learn via DHCPv6 snooping as 100:

Switch#configure

Switch(config)#ipv6 dhcp snooping

Switch(config)#ipv6 dhcp snooping vlan 5

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#ipv6 dhcp snooping max-entries 100

Switch(config-if)#show ipv6 dhcp snooping

Global Status: Enable

VLAN ID: 5

Switch(config-if)#show ipv6 dhcp snooping interface gigabitEthernet 1/0/1

Interface max-entries LAG

--------- ----------- ---

Gi1/0/1 100 N/A

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.4Viewing Binding Entries

On privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries:

show ipv6 source binding

View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port number and protect type.

3ND Detection Configuration

To complete ND Detection configuration, follow these steps:

1)Add IPv6-MAC Binding entries.

2)Enable ND Detection.

3)Configure ND Detection on ports.

4)View ND statistics.

3.1Using the GUI

3.1.1Adding IPv6-MAC Binding Entries

The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets. Before configuring ND Detection, complete IPv6-MAC Binding configuration.

3.1.2Enabling ND Detection

Choose the menu SECURITY > IPv6 IMPB > ND Detection > Global Config to load the following page.

Figure 3-1 ND Detection Global Config

Follow these steps to enable ND Detection:

1)In the Global Config section, enable ND Detection and configure the related parameters. Click Apply.

ND Detection

Enable or disable ND Detection globally.

2)In the VLAN Config section, enable ND Detection on the selected VLANs. Click Apply.

VLAN ID

Displays the VLAN ID.

Status

Enable or disable ND Detection on the VLAN.

Log Status

Enable or disable Log feature on the VLAN. With this feature enabled, the switch generates a log when an illegal ND packet is discarded.

3.1.3Configuring ND Detection on Ports

Choose the menu SECURITY > IPv6 IMPB > ND Detection >Port Config to load the following page.

Figure 3-2 ND Detection on Port

Follow these steps to configure ND Detection on ports:

1)Select one or more ports and configure the parameters.

Port

Displays the port number.

Trust Status

Enable or disable this port to be a trusted port. On a trusted port, the ND packets are forwarded directly without checked. The specific ports, such as up-link ports and routing ports are suggested to be set as trusted.

LAG

Displays the LAG that the port is in.

2)Click Apply.

3.1.4Viewing ND Statistics

You can view the number of the illegal ND packets received on each port, which facilitates you to locate the network malfunction and take the related protection measures.

Choose the menu SECURITY > IPv6 IMPB > ND Detection > ND Statistics to load the following page.

Figure 3-3 View ND Statistics

In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed.

In the Illegal ND Packet section, you can view the number of illegal ND packets in each VLAN.

VLAN ID

Displays the VLAN ID.

Forwarded

Displays the number of forwarded ND packets in this VLAN.

Dropped

Displays the number of dropped ND packets in this VLAN.

3.2Using the CLI

3.2.1Adding IPv6-MAC Binding Entries

The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets. Before configuring ND Detection, complete IPv6-MAC Binding configuration.

3.2.2Enabling ND Detection

Follow these steps to enable ND Detection:

Step 1

configure

Enter global configuration mode.

Step 2

ipv6 nd detection

Globally enable the ND Detection feature.

Step 3

ipv6 nd detection vlan vlan-range

Enable ND Detection on the specified VLAN.

vlan-range: Enter the vlan range in the format of 1-3, 5.

Step 5

show ipv6 nd detection

Verify the global ND Detection configuration.

Step 6

end

Return to privileged EXEC mode.

Step 7

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable ND Detection globally and on VLAN 1:

Switch#configure

Switch(config)#ipv6 nd detection

Switch(config)#ipv6 nd detection vlan 1

Switch(config)#show ipv6 nd detection

Global Status: Enable

VLAN ID: 1

Switch(config)#end

Switch#copy running-config startup-config

3.2.3Configuring ND Detection on Ports

Follow these steps to configure ND Detection on ports:

Step 1

configure

Enter global configuration mode.

Step 2

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }Enter interface configuration mode.

Step 3

ipv6 nd detection trust

Configure the port as a trusted port, on which the ND packets will not be checked. The specific ports, such as up-linked ports and routing ports are suggested to be set as trusted ports.

Step 4

show ipv6 nd detection interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id }

Verify the global ND Detection configuration of the port.

Step 5

end

Return to privileged EXEC mode.

Step 6

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to configure port 1/0/1 as trusted port:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#ipv6 nd detection trust

Switch(config-if)#show ipv6 nd detection interface gigabitEthernet 1/0/1

Interface Trusted LAG

--------- ------- ---

Gi1/0/1 Enable N/A

Switch(config-if)#end

Switch#copy running-config startup-config

3.2.4Viewing ND Statistics

On privileged EXEC mode or any other configuration mode, you can use the following command to view ND statistics:

show ipv6 nd detection statistics

View the ND statistics on each port, including the number of forwarded ND packets and the number of dropped ND packets.

4IPv6 Source Guard Configuration

To complete IPv6 Source Guard configuration, follow these steps:

1)Add IP-MAC Binding entries.

2)Configure IPv6 Source Guard.

4.1Using the GUI

4.1.1Adding IPv6-MAC Binding Entries

The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets. Before configuring ND Detection, complete IPv6-MAC Binding configuration.

4.1.2Configuring IPv6 Source Guard

Before configuring IPv6 Source Guard, you need to configure the SDM template as EnterpriseV6.

Choose the menu SECURITY > IPv6 IMPB > IPv6 Source Guard to load the following page.

Figure 4-1 IPv6 Source Guard Config

Follow these steps to configure IPv6 Source Guard:

1)Select one or more ports and configure the protect type for ports.

Port

Displays the port number.

Security Type

Select Security Type on the port for IPv6 packets. The following options are provided:

Disable: The IP Source Guard feature is disabled on the port.

SIPv6+MAC: Only the packet with its source IPv6 address, source MAC address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.

SIPv6: Only the packet with its source IPv6 address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.

LAG

Displays the LAG that the port is in.

2)Click Apply.

4.2Using the CLI

4.2.1Adding IPv6-MAC Binding Entries

The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets. Before configuring ND Detection, complete IPv6-MAC Binding configuration.

4.2.2Configuring IPv6 Source Guard

Before configuring IPv6 Source Guard, you need to configure the SDM template as EnterpriseV6.

Follow these steps to configure IPv6 Source Guard:

Step 1

configure

Enter global configuration mode.

Step 2

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }

Enter interface configuration mode.

Step 3

ipv6 verify source { sipv6+mac | sipv6}

Enable IPv6 Source Guard for IPv6 packets.

sipv6+mac: Only the packet with its source IP address, source MAC address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.

sipv6: Only the packet with its source IPv6 address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.

Step 4

show ipv6 verify source [ interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } ]

Verify the IP Source Guard configuration for IPv6 packets.

Step 5

end

Return to privileged EXEC mode.

Step 6

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable IPv6 Source Guard on port 1/0/1:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#ipv6 verify source sipv6+mac

Switch(config-if)#show ipv6 verify source interface gigabitEthernet 1/0/1

Port Security-Type LAG

---- ------------- ----

Gi1/0/1 SIPv6+MAC N/A

Switch(config-if)#end

Switch#copy running-config startup-config

5Configuration Examples

5.1Example for ND Detection

5.1.1Network Requirements

As shown below, User 1 and User 2 are legal IPv6 users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN. Now the network administrator wants to configure Switch A to prevent ND attacks from the LAN.

Figure 5-1 Network Topology

5.1.2Configuration Scheme

To meet the requirement, you can configure ND Detection to prevent the network from ND attacks in the LAN.

The overview of configurations on the switch is as follows:

1)Configure IPv6-MAC Binding. The binding entries for User 1 and User 2 should be manually bound.

2)Configure ND Detection globally.

3)Configure ND Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port.

Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

5.1.3Using the GUI

1)Choose the menu SECURITY > IPv6 IMBP > IPv6-MAC Binding > Manual Binding and click to load the following page. Enter the host name, IPv6 address, MAC address and VLAN ID of User 1, select the protect type as ND Detection, and select port 1/0/1 on the panel. Click Apply.

Figure 5-2 Binding Entry for User 1

2)In the same way, add a binding entry for User 2. Enter the host name, IPv6 address, MAC address and VLAN ID of User 2, select the protect type as ND Detection, and select port 1/0/2 on the panel. Click Apply.

Figure 5-3 Binding Entry for User 2

3)Choose the menu SECURITY > IPv6 IMBP > ND Detection > Global Config to load the following page. Enable ND Detection and click Apply. Select VLAN 1, change Status as Enabled and click Apply.

Figure 5-4 Enable ND Detection

4)Choose the menu SECURITY > IPv6 IMBP > ND Detection > Port Config to load the following page. By default, all ports are enabled with ND Detection. Since port 1/0/3 is connected to the gateway router, configure port 1/0/3 as trusted port. Click Apply.

Figure 5-5 Port Config

5)Click to save the settings.

5.1.4Using the CLI

1)Manually bind the entries for User 1 and User 2.

Switch_A#configure

Switch_A(config)#ipv6 source binding User1 2001::5 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 nd-detection

Switch_A(config)#ip source binding User1 2001::6 88:a9:d4:54:fd:c3 vlan 1 interface gigabitEthernet 1/0/2 nd-detection

2)Enable ND Detection globally and on VLAN 1.

Switch_A(config)#ipv6 nd detection vlan 1

3)Configure port 1/0/3 as trusted port.

Switch_A(config)#interface gigabitEthernet 1/0/3

Switch_A(config-if)#ipv6 nd detection trust

Switch_A(config-if)#end

Switch_A#copy running-config startup-config

Verify the Configuration

Verify the IPv6-MAC Binding entries:

Switch_A#show ipv6 source binding

U Host IP-Addr MAC-Addr VID Port ACL SOURCE

- ---- ------- -------- --- ---- --- ------

1 User1 2001::5 74:d3:45:32:b6:8d 1 Gi1/0/1 ND-D Manual

1 User2 2001::6 88:a9:d4:54:fd:c3 1 Gi1/0/2 ND-D Manual

Notice:

1.Here, ‘ND-D’ for ‘ND-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’.

Verify the global configuration of ND Detection:

Switch_A#show ipv6 nd detection

Global Status: Enable

Verify the ND Detection configuration on VLAN:

Switch_A#show ipv6 nd detection vlan

VID Enable status Log Status

---- ------------- ----------

1 Enable Disable

Verify the ND Detection configuration on ports:

Switch_A#show ipv6 nd detection interface

Interface Trusted LAG

--------- ----------- ---

Gi1/0/1 Disable N/A

Gi1/0/2 Disable N/A

Gi1/0/3 Enable N/A

...

5.2Example for IPv6 Source Guard

5.2.1Network Requirements

As shown below, the legal IPv6 host connects to the switch via port 1/0/1 and belongs to the default VLAN 1. It is required that only the legal host can access the network via port 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3.

Figure 5-6 Network Topology

5.2.2Configuration Scheme

To implement this requirement, you can use IPv6-MAC Binding and IPv6 Source Guard to filter out the packets received from the unknown hosts. The overview of configuration on the switch is as follows:

1)Bind the MAC address, IPv6 address, connected port number and VLAN ID of the legal host with IPv6-MAC Binding.

2)Enable IPv6 Source Guard on ports 1/0/1-3.

Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

5.2.3Using the GUI

1)Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > Manual Binding and click to load the following page. Enter the host name, IPv6 address, MAC address and VLAN ID of the legal host, select the protect type as , and select port 1/0/1 on the panel. Click Apply.

Figure 5-7 Manual Binding

2)Choose the menu SECURITY > IPv6 IMPB > IPv6 Source Guard to load the following page. Select ports 1/0/1-3, configure the Security Type as SIP+MAC, and click Apply.

Figure 5-8 IPv6 Source Guard

3)Click to save the settings.

5.2.4Using the CLI

1)Manually bind the IPv6 address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IPv6 Source Guard feature.

Switch#configure

Switch(config)#ipv6 source binding legal-host 2001::5 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 ipv6-verify-source

2)Enable IPv6 Source Guard on ports 1/0/1-3.

Switch(config)# ipv6 verify source

Switch(config)# interface range gigabitEthernet 1/0/1-3

Switch(config-if-range)#ipv6 verify source sipv6+mac

Switch(config-if-range)#end

Switch#copy running-config startup-config

Verify the Configuration

Verify the binding entry:

Switch#show ip source binding

U Host IP-Addr MAC-Addr VID Port ACL SOURCE

- ---- ------- -------- --- ---- --- ------

1 legal-host 2001::5 74:d3:45:32:b6:8d 1 Gi1/0/1 IP-V-S Manual

Notice:

1.Here, ‘ND-D’ for ‘ND-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’.

Verify the configuration of IPv6 Source Guard:

Switch#show ipv6 verify source

Port Security-Type LAG

Gi1/0/1 SIP+MAC N/A

Gi1/0/2 SIP+MAC N/A

Gi1/0/3 SIP+MAC N/A

...

6Appendix: Default Parameters

Default settings of DHCPv6 Snooping are listed in the following table:

Table 6-1DHCPv6 Snooping

Parameter

Default Setting

Global Config

DHCPv6 Snooping

Disable

VLAN Config

Status

Disable

Port Config

Maximum Entry

512

Default settings of ND Detection are listed in the following table:

Table 6-2ND Detection

Parameter

Default Setting

Global Config

ND Detection

Disable

VLAN Config

Status

Disable

Log Status

Disable

Port Config

Trust Status

Disable

Default settings of IPv6 Source Guard are listed in the following table:

Table 6-3IPv6 Source Guard

Parameter

Default Setting

Global Config

Security Type

Disable