ND detection configuration example
Network requirements
As shown in Figure 123, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.
Enable ND detection on Switch B to filter out forged ND packets.
Figure 123: Network diagram
Configuration procedure
Configure Switch A:
# Enable IPv6 forwarding.
<SwitchA> system-view
[SwitchA] ipv6
# Create VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] quit
# Assign port GigabitEthernet 1/0/3 to VLAN 10.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 10
[SwitchA-GigabitEthernet1/0/3] quit
# Assign an IPv6 address to VLAN-interface 10.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ipv6 address 10::1/64
[SwitchA-Vlan-interface10] quit
Configure Switch B:
# Enable IPv6 forwarding.
<SwitchB> system-view
[SwitchB] ipv6
# Create VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
# Assign ports GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/3] quit
# Enable ND snooping for global unicast addresses and link-local addresses in VLAN 10.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable
# Enable ND detection in VLAN 10.
[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit
# Configure the uplink port GigabitEthernet 1/0/3 as an ND-trusted port, and the downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as ND-untrusted ports (the default).
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust
With this configuration, Switch B checks all ND packets received on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 against the ND snooping table.
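
The filtering decision this configuration produces can be modelled as follows. This is an added example, not code from the switch or its vendor: a simplified Python model that covers only packets with a specified source address. The rule that unbound sources are dropped, the host-to-port mapping, the port labels and the gateway MAC are assumptions.

```python
from ipaddress import IPv6Address

def norm_mac(mac):
    """Reduce 0001-0203-0405 or 00:01:02:03:04:05 to bare lowercase hex."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

# (VLAN, source IPv6) -> source MAC, as ND snooping would have learned them.
# Addresses and MACs are Host A and Host B from the page.
SNOOPING = {
    (10, IPv6Address("10::5")): norm_mac("0001-0203-0405"),  # Host A
    (10, IPv6Address("10::6")): norm_mac("0001-0203-0607"),  # Host B
}
TRUSTED_PORTS = {"GE1/0/3"}   # uplink: ipv6 nd detection trust
DETECTION_VLANS = {10}        # ipv6 nd detection enable in VLAN 10

def nd_detect(port, vlan, src_ip, src_mac):
    """Verdict for one received ND packet in this simplified model."""
    if vlan not in DETECTION_VLANS:
        return "forward (detection not enabled in VLAN)"
    if port in TRUSTED_PORTS:
        return "forward (trusted port, not checked)"
    bound = SNOOPING.get((vlan, IPv6Address(src_ip)))
    if bound is None:
        return "drop (no binding for source address)"  # assumption of this model
    if bound != norm_mac(src_mac):
        return "drop (source MAC does not match binding)"
    return "forward (matches binding)"

# Constructed sample packets: (port, VLAN, source IPv6, source MAC).
# Host A on GE1/0/1 and Host B on GE1/0/2 is assumed; 00e0-fc00-0001 is a
# made-up MAC for the gateway.
SAMPLES = [
    ("GE1/0/1", 10, "10::5", "0001-0203-0405"),  # Host A, genuine
    ("GE1/0/2", 10, "10::5", "0001-0203-0607"),  # Host A's address, Host B's MAC
    ("GE1/0/1", 10, "10::1", "0001-0203-0405"),  # gateway address from a downlink
    ("GE1/0/3", 10, "10::1", "00e0-fc00-0001"),  # gateway via trusted uplink
]

def run_samples():
    """Return the verdict for each constructed sample, in order."""
    return [nd_detect(*p) for p in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(pkt, "->", verdict)
```

The fourth sample shows why only the uplink should be trusted: anything arriving on a trusted port bypasses the binding check entirely.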