ND detection configuration example

Network requirements

As shown in Figure 123, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.

Enable ND detection on Switch B to filter out forged ND packets.

Figure 123: Network diagram

Configuration procedure

  • Configure Switch A:

    # Enable IPv6 forwarding.

    <SwitchA> system-view
    [SwitchA] ipv6
    

    # Create VLAN 10.

    [SwitchA] vlan 10
    [SwitchA-vlan10] quit
    

    # Assign port GigabitEthernet 1/0/3 to VLAN 10.

    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 10
    [SwitchA-GigabitEthernet1/0/3] quit
    

    # Assign an IPv6 address to VLAN-interface 10.

    [SwitchA] interface vlan-interface 10
    [SwitchA-Vlan-interface10] ipv6 address 10::1/64
    [SwitchA-Vlan-interface10] quit
    
  • Configure Switch B:

    # Enable IPv6 forwarding.

    <SwitchB> system-view
    [SwitchB] ipv6
    

    # Create VLAN 10.

    [SwitchB] vlan 10
    [SwitchB-vlan10] quit
    

    # Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10.

    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port link-type trunk
    [SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] port link-type trunk
    [SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 10
    [SwitchB-GigabitEthernet1/0/2] quit
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] port link-type trunk
    [SwitchB-GigabitEthernet1/0/3] port trunk permit vlan 10
    [SwitchB-GigabitEthernet1/0/3] quit
    

    # Enable ND snooping for global unicast addresses and link-local addresses, and enable ND snooping in VLAN 10.

    [SwitchB] ipv6 nd snooping enable link-local
    [SwitchB] ipv6 nd snooping enable global
    [SwitchB] vlan 10
    [SwitchB-vlan10] ipv6 nd snooping enable
    

    # Enable ND detection in VLAN 10.

    [SwitchB-vlan10] ipv6 nd detection enable
    [SwitchB-vlan10] quit
    

    # Configure the uplink port GigabitEthernet 1/0/3 as an ND-trusted port, and the downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as ND-untrusted ports (the default).

    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust
    

    With this configuration, Switch B checks all ND packets received on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 against the ND snooping table.
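The filtering decision that results from this configuration can be modelled as follows. This is an added example, not vendor code and not part of the original procedure: a simplified Python model that assumes a snooping entry binds a VLAN and source IPv6 address to one source MAC address. The names `nd_detection`, `NDPacket` and `SNOOPING`, and the sample packets, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

TRUSTED_PORTS = {"GigabitEthernet1/0/3"}  # uplink toward Switch A
ND_DETECTION_VLANS = {10}

def norm_mac(mac: str) -> str:
    """Reduce 0001-0203-0405 or 00:01:02:03:04:05 to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def norm_ip(addr: str) -> str:
    """Canonical text form, so 10::5 and 10:0:0:0:0:0:0:5 compare equal."""
    return ipaddress.IPv6Address(addr).compressed

# Constructed snooping table holding the two hosts from the network requirements.
# Assumption: entries are keyed on (VLAN, source IPv6) and bind one source MAC.
SNOOPING = {
    (10, norm_ip("10::5")): norm_mac("0001-0203-0405"),  # Host A
    (10, norm_ip("10::6")): norm_mac("0001-0203-0607"),  # Host B
}

@dataclass
class NDPacket:
    port: str
    vlan: int
    src_ip: str
    src_mac: str

def nd_detection(pkt: NDPacket, table=SNOOPING) -> str:
    """Return 'forward' or 'drop' for an ND packet arriving on a port."""
    if pkt.vlan not in ND_DETECTION_VLANS or pkt.port in TRUSTED_PORTS:
        return "forward"  # not inspected
    bound_mac = table.get((pkt.vlan, norm_ip(pkt.src_ip)))
    return "forward" if bound_mac == norm_mac(pkt.src_mac) else "drop"

if __name__ == "__main__":
    samples = [  # constructed packets
        NDPacket("GigabitEthernet1/0/1", 10, "10::5", "0001-0203-0405"),
        NDPacket("GigabitEthernet1/0/2", 10, "10::5", "0001-0203-0607"),
        NDPacket("GigabitEthernet1/0/3", 10, "10::5", "0001-0203-0607"),
    ]
    for p in samples:
        print(p.port, p.src_ip, p.src_mac, "->", nd_detection(p))
```

The third sample is forwarded only because it arrives on the trusted port, which is why the trust setting belongs on the uplink alone.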