Enabling IPv6 Source Address Validation
Source address validation verifies that a packet has been sent from a valid source address. When a packet arrives on an interface, the router performs a routing table lookup using the source address. The result from the routing table lookup is an interface to which packets destined for that address are routed. This interface must match the interface on which the packet arrived. If it does not match, the router drops the packet.
Caution: When the routing table lookup for a source address contains an ECMP route, the router returns a list of interfaces for multiple next-hops. One of the interfaces in this list must match the interface on which the packet arrived or the router drops the packet. If the ECMP route uses indirect next-hops, the returned list of interfaces does not include interfaces that are reachable by those indirect next-hops. For example, if a packet arrives on an interface with source address validation enabled, and the interface is represented only by an indirect next-hop, a match for that interface does not appear in the list of interfaces from the routing table lookup. The router drops the packet.
To enable source address validation for the interface:
- Issue the ipv6 sa-validate command in Interface Configuration mode.

      host1(config-if)#ipv6 sa-validate
Use the no version to disable source address validation.
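
The lookup and the ECMP caution described above, modelled as an added Python example (not vendor code or router output). The prefixes, the interface names if0 to if3 and the routing-table layout are constructed for illustration, and a source address with no route is assumed to be dropped.

```python
import ipaddress

# Constructed routing table (hypothetical prefixes and interface names).
# A direct next-hop carries its outgoing interface; an indirect next-hop
# carries only a remote address, so the lookup returns no interface for it.
ROUTES = {
    "2001:db8:a::/48": [{"interface": "if0"}],
    "2001:db8:b::/48": [{"interface": "if1"}, {"interface": "if2"}],  # ECMP, direct
    "2001:db8:c::/48": [{"interface": "if1"},                         # ECMP, mixed
                        {"indirect": "2001:db8:ffff::1"}],
}

def lookup_interfaces(source, routes=ROUTES):
    """Longest-prefix match on the SOURCE address; return the interfaces
    of the matching route's direct next-hops only."""
    addr = ipaddress.ip_address(source)
    best_net, best_hops = None, []
    for prefix, hops in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hops = net, hops
    # No route means an empty set, so nothing can match (model assumption).
    return {hop["interface"] for hop in best_hops if "interface" in hop}

def sa_validate(source, arrival_interface, routes=ROUTES):
    """True = forward, False = drop."""
    return arrival_interface in lookup_interfaces(source, routes)

# Constructed packets: (source address, arrival interface, what the case shows)
PACKETS = [
    ("2001:db8:a::10", "if0", "arrives on the interface the route points to"),
    ("2001:db8:a::10", "if1", "same source on the wrong interface"),
    ("2001:db8:b::10", "if2", "ECMP: arrival interface is in the returned list"),
    ("2001:db8:c::10", "if1", "mixed ECMP: matches the direct next-hop"),
    ("2001:db8:c::10", "if3", "mixed ECMP: if3 reachable only via indirect next-hop"),
    ("2001:db8:d::10", "if0", "no route for the source"),
]

if __name__ == "__main__":
    for src, iface, note in PACKETS:
        verdict = "forward" if sa_validate(src, iface) else "drop"
        print(f"{src:<15} on {iface}: {verdict:<7} ({note})")
```

The fifth packet is the case the caution describes: the traffic is legitimate, but its arrival interface never appears in the lookup result, so the check drops it.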