Configuring ND detection
Use the ND detection function on access devices to verify the source of ND packets. ND packets that come from a spoofing host or gateway are discarded.
The ND detection function operates on a per-VLAN basis. In an ND detection-enabled VLAN, a port is either ND-trusted or ND-untrusted:
ND-trusted port—Does not check ND packets for address spoofing.
ND-untrusted port—Checks all ND packets except RA and RR messages in the VLAN for source spoofing. RA and RR messages are considered illegal and are discarded directly.
ND detection verifies an ND packet by looking up the IPv6 static bindings table of the IP source guard function, ND snooping table, and DHCPv6 snooping table in the following steps:
Looks up the IPv6 static bindings table of IP source guard, based on the source IPv6 address and the source MAC address in the Ethernet frame header of the ND packet. If an exact match is found, the ND packet is forwarded. If an entry matches the source IPv6 address but not the source MAC address, the ND packet is discarded. If no entry matches the source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table.
If an exact match is found in either the DHCPv6 snooping table or the ND snooping table, the ND packet is forwarded. If no match is found in either table, or if neither table is available, the ND packet is discarded.
To create IP source guard static bindings, use the ipv6 source binding command. For more information, see "Configuring IP source guard."
The DHCPv6 snooping module automatically creates the DHCPv6 snooping table. For more information, see Layer 3—IP Services Configuration Guide.
The ND snooping module automatically creates the ND snooping table. For more information, see Layer 3—IP Services Configuration Guide.
To configure ND detection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ND detection. | ipv6 nd detection enable | Disabled by default. |
4. Return to system view. | quit | N/A |
5. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
6. Configure the port as an ND-trusted port. | ipv6 nd detection trust | Optional. By default, a port is ND-untrusted and checks the sources of ND packets. |
ND detection performs source check by using the binding tables of IP source guard, DHCPv6 snooping, and ND snooping. To prevent an ND-untrusted port from discarding legal ND packets in an ND detection-enabled VLAN, make sure at least one of the three functions is available.
When creating an IP source guard static binding for ND detection in a VLAN, specify the VLAN ID in the binding. A binding created without a VLAN ID never matches ND packets in that VLAN, so the packets are discarded.
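The following is an added configuration example covering the procedure above and the two caveats; it is not part of the original guide. It assumes hosts in VLAN 10 on GigabitEthernet 1/0/1 through 1/0/3, the IPv6 gateway on uplink port GigabitEthernet 1/0/24, ND snooping as the dynamic binding source, and one statically addressed host at 2001:db8:10::11 with MAC 0001-0002-0003. The ND snooping, display and static-binding command syntax shown here comes from other chapters of the guide and is assumed; check the command reference for your software version.

```text
# Assumed topology: VLAN 10, hosts on GE1/0/1-1/0/3, gateway on GE1/0/24.
<Switch> system-view
[Switch] vlan 10
# ND snooping supplies dynamic bindings so untrusted ports have something to match (syntax assumed).
[Switch-vlan10] ipv6 nd snooping enable
[Switch-vlan10] ipv6 nd detection enable
[Switch-vlan10] quit
# Static binding for a host that never sends NS/NA before traffic; the vlan keyword is required,
# otherwise ND packets in VLAN 10 never match it (keyword order assumed).
[Switch] ipv6 source binding ip-address 2001:db8:10::11 mac-address 0001-0002-0003 vlan 10
# The gateway must sit behind an ND-trusted port: RA messages arriving on an untrusted port are discarded.
[Switch] interface gigabitethernet 1/0/24
[Switch-GigabitEthernet1/0/24] ipv6 nd detection trust
[Switch-GigabitEthernet1/0/24] quit
# Host-facing ports stay ND-untrusted (the default), so no per-port command is needed for them.
# Verify the VLAN and trusted-port state (display command name assumed).
[Switch] display ipv6 nd detection
```

Two points worth checking after applying this: the port toward the router or gateway must be ND-trusted, since RA and RR messages on an untrusted port are dropped outright, which would silently break address autoconfiguration in the VLAN; and at least one of ND snooping, DHCPv6 snooping or a static binding must exist for each host, because an untrusted port with no matching entry in any table discards the host's NS and NA messages.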