Configuring ND snooping

About ND snooping

The ND snooping feature is used in Layer 2 switching networks. It learns the source MAC addresses, source IPv6 addresses, input interfaces, and VLANs of arriving ND messages and data packets to build the ND snooping table. ND snooping entries can be used by ND detection and IPv6 source guard to prevent spoofing attacks. ND detection processes the ND messages received on ND trusted and untrusted interfaces as follows:

You can use the ipv6 nd detection trust command to specify a Layer 2 Ethernet or aggregate port as an ND trusted interface. For more information about the ipv6 nd detection trust command, see Security Command Reference. For more information about ND detection and IPv6 source guard, see Security Configuration Guide.

ND snooping provides device liveness tracking so that the ND snooping table can be updated in a timely manner. After ND snooping is enabled for a VLAN, the device uses the following mechanisms to create, update, and delete ND snooping entries. The following example uses ND messages for illustration.

Configuration procedure

To configure ND snooping:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter VLAN view.

vlan vlan-id

N/A

3. Enable ND snooping for IPv6 addresses.

  • For global unicast addresses: ipv6 nd snooping enable global

  • For link-local addresses: ipv6 nd snooping enable link-local

You can enable ND snooping for both address types.

By default, ND snooping is disabled for IPv6 global unicast addresses and link-local addresses.

4. (Optional.) Enable ND snooping for data packets from unknown sources.

ipv6 nd snooping glean source

By default, ND snooping is disabled for data packets from unknown sources.

5. Return to system view.

quit

N/A

6. Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

7. (Optional.) Set the maximum number of ND snooping entries that an interface can learn.

ipv6 nd snooping max-learning-num max-number

By default, an interface can learn a maximum of 4096 ND snooping entries.

8. (Optional.) Configure the interface as an ND snooping uplink port. The uplink port cannot learn ND snooping entries.

ipv6 nd snooping uplink

By default, an interface is not an ND snooping uplink port. After ND snooping is enabled, the interface can learn ND snooping entries.

9. Return to system view.

quit

N/A

10. (Optional.) Set the timeout timers for ND snooping entries.

ipv6 nd snooping lifetime { invalid invalid-lifetime | valid valid-lifetime }

The default settings are as follows:

  • The timeout timer for ND snooping entries in INVALID status (TENTATIVE, TESTING_TPLT, or TESTING_VP) is 500 milliseconds.

  • The timeout timer for ND snooping entries in VALID status is 300 seconds.

11. (Optional.) Set the interval for retransmitting an NS message for DAD.

ipv6 nd snooping dad retrans-timer interval

The default setting is 250 milliseconds.
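The following session walks the procedure above end to end on one switch. It is an added example and is not part of the original guide. The sysname prompt, VLAN 10, the interface numbers, the per-port learning limit of 64, and the valid lifetime of 600 seconds are assumed values; the commands are the ones listed in steps 1 through 11, plus the ipv6 nd detection trust command mentioned under "About ND snooping".

```text
# Added configuration example (not from the original guide).
# Assumed topology: hosts on GigabitEthernet1/0/1 and 1/0/2 in VLAN 10,
# router-facing uplink on GigabitEthernet1/0/24.

# Steps 1-5: enable ND snooping in the VLAN for both address types,
# and also learn entries from data packets sent by unknown sources.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] ipv6 nd snooping enable global
[Sysname-vlan10] ipv6 nd snooping enable link-local
[Sysname-vlan10] ipv6 nd snooping glean source
[Sysname-vlan10] quit

# Steps 6-7 and 9: bound how many entries each host-facing port can
# learn, so one port cannot fill the whole table (default is 4096).
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd snooping max-learning-num 64
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] ipv6 nd snooping max-learning-num 64
[Sysname-GigabitEthernet1/0/2] quit

# Steps 6, 8 and 9: the uplink port does not learn ND snooping entries;
# it is also marked as ND-detection trusted (see "About ND snooping").
[Sysname] interface gigabitethernet 1/0/24
[Sysname-GigabitEthernet1/0/24] ipv6 nd snooping uplink
[Sysname-GigabitEthernet1/0/24] ipv6 nd detection trust
[Sysname-GigabitEthernet1/0/24] quit

# Steps 10-11: age VALID entries after 600 seconds instead of the
# default 300, keep the INVALID timer at its 500 ms default, and keep
# the DAD NS retransmit interval at its 250 ms default (shown explicitly).
[Sysname] ipv6 nd snooping lifetime valid 600
[Sysname] ipv6 nd snooping dad retrans-timer 250
```

The learning limit belongs on the host-facing ports, not on the uplink: the uplink never learns entries once it is marked with ipv6 nd snooping uplink, while an unbounded access port lets a single host populate the table up to the 4096-entry default. Raising the valid lifetime reduces churn for stable hosts at the cost of keeping stale entries longer after a host leaves, so choose it against the VLAN's expected host turnover.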