Example: Configuring ND attack detection

Network configuration

As shown in Figure 169, configure ND attack detection on Device B to check user validity for ND messages from Host A and Host B.

Figure 169: Network diagram

Procedure

  1. Configure Device A:

    # Create VLAN 10.

    <DeviceA> system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    

    # Configure HundredGigE 1/0/3 to trunk VLAN 10.

    [DeviceA] interface hundredgige 1/0/3
    [DeviceA-HundredGigE1/0/3] port link-type trunk
    [DeviceA-HundredGigE1/0/3] port trunk permit vlan 10
    [DeviceA-HundredGigE1/0/3] quit
    

    # Assign IPv6 address 10::1/64 to VLAN-interface 10.

    [DeviceA] interface vlan-interface 10
    [DeviceA-Vlan-interface10] ipv6 address 10::1/64
    [DeviceA-Vlan-interface10] quit
    
  2. Configure Device B:

    # Create VLAN 10.

    <DeviceB> system-view
    [DeviceB] vlan 10
    [DeviceB-vlan10] quit
    

    # Assign HundredGigE 1/0/1 and HundredGigE 1/0/2 to VLAN 10 as access ports, and configure HundredGigE 1/0/3 to trunk VLAN 10.

    [DeviceB] interface hundredgige 1/0/1
    [DeviceB-HundredGigE1/0/1] port link-type access
    [DeviceB-HundredGigE1/0/1] port access vlan 10
    [DeviceB-HundredGigE1/0/1] quit
    [DeviceB] interface hundredgige 1/0/2
    [DeviceB-HundredGigE1/0/2] port link-type access
    [DeviceB-HundredGigE1/0/2] port access vlan 10
    [DeviceB-HundredGigE1/0/2] quit
    [DeviceB] interface hundredgige 1/0/3
    [DeviceB-HundredGigE1/0/3] port link-type trunk
    [DeviceB-HundredGigE1/0/3] port trunk permit vlan 10
    [DeviceB-HundredGigE1/0/3] quit
    

    # Enable ND attack detection for VLAN 10.

    [DeviceB] vlan 10
    [DeviceB-vlan10] ipv6 nd detection enable
    

    # Enable ND snooping for IPv6 global unicast addresses and ND snooping for IPv6 link-local addresses in VLAN 10.

    [DeviceB-vlan10] ipv6 nd snooping enable global
    [DeviceB-vlan10] ipv6 nd snooping enable link-local
    [DeviceB-vlan10] quit
    

    # Configure HundredGigE 1/0/3 as an ND trusted interface.

    [DeviceB] interface hundredgige 1/0/3
    [DeviceB-HundredGigE1/0/3] ipv6 nd detection trust
    

Verifying the configuration

Verify that Device B inspects all ND messages received by HundredGigE 1/0/1 and HundredGigE 1/0/2 based on the ND snooping entries. (Details not shown.)
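
The inspection that the verification step refers to can be modelled offline. The following Python sketch is an added example, not vendor code or device output. It assumes a simplified matching rule (source IPv6 address and source MAC checked against one ND snooping entry per VLAN and address), and the host addresses and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

TRUSTED_PORTS = {"HundredGigE1/0/3"}   # uplink to Device A, as on the page
DETECTION_VLANS = {10}                 # VLANs with ND attack detection enabled

@dataclass(frozen=True)
class NDMessage:
    port: str
    vlan: int
    src_ip: str
    src_mac: str

class SnoopingTable:
    """Simplified model (assumption): one MAC binding per (VLAN, IPv6 address)."""
    def __init__(self):
        self._entries = {}

    def learn(self, vlan, ip, mac):
        self._entries[(vlan, IPv6Address(ip))] = mac.lower()

    def matches(self, msg):
        key = (msg.vlan, IPv6Address(msg.src_ip))
        return self._entries.get(key) == msg.src_mac.lower()

def inspect(msg, table):
    """Return (action, reason) for one ND message arriving on Device B."""
    if msg.vlan not in DETECTION_VLANS:
        return ("forward", "detection not enabled in VLAN")
    if msg.port in TRUSTED_PORTS:
        return ("forward", "trusted interface")
    if table.matches(msg):
        return ("forward", "matches snooping entry")
    return ("drop", "no matching snooping entry")

def build_table():
    # Constructed bindings: host addresses and MACs are not from the page.
    table = SnoopingTable()
    table.learn(10, "10::5", "00:11:22:33:44:0a")  # Host A on HundredGigE1/0/1
    table.learn(10, "10::6", "00:11:22:33:44:0b")  # Host B on HundredGigE1/0/2
    return table

if __name__ == "__main__":
    table = build_table()
    for msg in (
        NDMessage("HundredGigE1/0/1", 10, "10::5", "00:11:22:33:44:0a"),
        NDMessage("HundredGigE1/0/2", 10, "10::1", "00:11:22:33:44:0b"),
        NDMessage("HundredGigE1/0/3", 10, "10::1", "00:11:22:33:44:01"),
    ):
        print(msg.port, msg.src_ip, *inspect(msg, table))
```

The second sample shows why only the uplink is marked as trusted: a message on a host-facing port that claims the gateway address 10::1 has no matching entry and is dropped, while the same address arriving on HundredGigE 1/0/3 is forwarded without inspection.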