Configuring ND snooping
About ND snooping
The ND snooping feature is used in Layer 2 switching networks. It learns the source MAC addresses, source IPv6 addresses, input interfaces, and VLANs of arriving ND messages and data packets to build the ND snooping table. ND snooping entries can be used by ND detection and IPv6 source guard to prevent spoofing attacks. ND detection processes the ND messages received on ND trusted and untrusted interfaces as follows:
ND detection forwards all ND messages received on an ND trusted interface.
ND detection compares all ND messages received on an ND untrusted interface with the ND snooping entries except for RA and redirect messages.
You can use the ipv6 nd detection trust command to specify a Layer 2 Ethernet or aggregate port as an ND trusted interface. For more information about the ipv6 nd detection trust command, see Security Command Reference. For more information about ND detection and IPv6 source guard, see Security Configuration Guide.
ND snooping provides device liveness tracking so that the ND snooping table can be updated in a timely manner. After ND snooping is enabled for a VLAN, the device uses the following mechanisms to create, update, and delete ND snooping entries. The following example uses ND messages for illustration.
Creating an ND snooping entry
Upon receiving an ND message or data packet from an unknown source, the device creates an ND snooping entry in invalid state and performs DAD for the source IPv6 address. The device sends NS messages out of the ND trusted interfaces in the receiving VLAN twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
If the device does not receive an NA message within the invalid entry lifetime (set by the ipv6 nd snooping lifetime invalid command), the entry becomes valid.
If the device receives an NA message within the invalid entry lifetime, it deletes this entry.
Updating an ND snooping entry
When the ND untrusted interface that receives an ND message is different from that in the entry for an IPv6 address, the device performs DAD for the entry. It sends NS messages twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
If the device does not receive an NA message within the invalid entry lifetime, it updates the entry with the new receiving interface.
If the device receives an NA message within the invalid entry lifetime, the ND snooping entry remains unchanged.
Deleting an ND snooping entry
When an ND trusted interface in the VLAN receives an ND message from the IPv6 address in a learned ND snooping entry, it performs DAD for the entry. The device sends NS messages twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
If the device does not receive an NA message within the invalid entry lifetime, it deletes the entry.
If the device receives an NA message within the invalid entry lifetime, the ND snooping entry remains unchanged.
If an ND snooping entry has no matching ND messages within the valid entry lifetime (set by the ipv6 nd snooping lifetime valid command), the entry becomes invalid. The device then performs DAD for the entry by sending NS messages out of the interface in the entry twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
If the device does not receive an NA message within the invalid entry lifetime, it deletes the entry.
If the device receives an NA message within the invalid entry lifetime, the ND snooping entry remains unchanged and becomes valid.
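The entry lifecycle described above, as an added example that is not part of the original guide or the switch software: a small Python model in which timer expiry is signalled by explicit calls and the interface names are constructed.

```python
# Added example (not Comware code): a model of the ND snooping entry lifecycle above.
from dataclasses import dataclass
@dataclass
class Entry:
    ipv6: str
    mac: str
    iface: str
    state: str = "invalid"
    dad: str = ""            # why DAD is running: create, update, delete or aging
    pending_iface: str = ""  # interface proposed by a pending update

class NdSnoopingTable:
    def __init__(self, trusted_ifaces):
        self.trusted, self.entries = set(trusted_ifaces), {}
    def _start_dad(self, e, reason, new_iface=""):  # NS goes out twice, retrans-timer apart
        e.dad, e.pending_iface = reason, new_iface
        return "dad-" + reason
    def nd_message(self, ipv6, mac, iface):
        e = self.entries.get(ipv6)
        if e is None:               # unknown source: invalid entry, then DAD
            e = self.entries[ipv6] = Entry(ipv6, mac, iface)
            return self._start_dad(e, "create")
        if iface in self.trusted:   # learned address now seen behind a trusted port
            return self._start_dad(e, "delete")
        if iface != e.iface:        # host appears on another untrusted port
            return self._start_dad(e, "update", iface)
        return "matched"            # refreshes the valid lifetime
    def na_received(self, ipv6):    # NA within the invalid lifetime: owner still present
        e = self.entries.get(ipv6)
        if e is None or not e.dad:
            return "ignored"
        reason, e.dad, e.pending_iface = e.dad, "", ""
        if reason == "create":      # conflict: never learn the competing binding
            del self.entries[ipv6]
            return "deleted"
        e.state = "valid"           # entry stays as it was (aging: valid again)
        return "unchanged"
    def invalid_lifetime_expired(self, ipv6):  # no NA: DAD found no other owner
        e = self.entries[ipv6]
        reason, e.dad = e.dad, ""
        if reason in ("delete", "aging"):
            del self.entries[ipv6]
            return "deleted"
        if reason == "update":      # move the entry to the new interface
            e.iface, e.pending_iface = e.pending_iface, ""
            return "moved"
        e.state = "valid"           # creation confirmed
        return "valid"
    def valid_lifetime_expired(self, ipv6):    # no ND traffic: invalid, then DAD
        self.entries[ipv6].state = "invalid"
        return self._start_dad(self.entries[ipv6], "aging")
```

The "dad-update" path is the one that matters for spoofing: a second host claiming a learned address from another untrusted port cannot displace the binding while the real owner still answers the NS probe.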
Configuration procedure
To configure ND snooping:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ND snooping for IPv6 addresses. | | You can enable ND snooping for both address types. By default, ND snooping is disabled for IPv6 global unicast addresses and link-local addresses. |
4. (Optional.) Enable ND snooping for data packets from unknown sources. | ipv6 nd snooping glean source | By default, ND snooping is disabled for data packets from unknown sources. |
5. Return to system view. | quit | N/A |
6. Enter Layer 2 Ethernet or aggregate interface view. | interface interface-type interface-number | N/A |
7. (Optional.) Set the maximum number of ND snooping entries that an interface can learn. | ipv6 nd snooping max-learning-num max-number | By default, an interface can learn a maximum of 4096 ND snooping entries. |
8. (Optional.) Configure the interface as an ND snooping uplink port. The uplink port cannot learn ND snooping entries. | ipv6 nd snooping uplink | By default, an interface is not an ND snooping uplink port. After ND snooping is enabled, the interface can learn ND snooping entries. |
9. Return to system view. | quit | N/A |
10. (Optional.) Set the timeout timers for ND snooping entries. | ipv6 nd snooping lifetime { invalid invalid-lifetime \| valid valid-lifetime } | The default settings are as follows: |
11. (Optional.) Set the interval for retransmitting an NS message for DAD. | ipv6 nd snooping dad retrans-timer interval | The default setting is 250 milliseconds. |