Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ND Snooping Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display nd snooping configuration

Function

The display nd snooping configuration command displays the ND snooping configuration.

Format

display nd snooping configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

ND snooping configuration includes whether ND snooping is enabled or disabled and information about ND snooping trusted interfaces.

To view ND snooping configuration, run the display nd snooping configuration command.

Example

# Display ND snooping configuration.

<HUAWEI> display nd snooping configuration
#
nd snooping enable
#
interface GigabitEthernet0/0/0
 nd snooping trusted
#
interface Wlan-Bss0
 nd snooping enable
#
interface Wlan-Capwap0
 nd snooping trusted
#

display nd snooping prefix

Function

The display nd snooping prefix command displays prefix management entries of users.

Format

display nd snooping prefix [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| verbose | Displays details about prefix management entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The IPv6 address of a user is automatically generated based on prefix information in an RA packet. After the IPv6 address is generated, the user sends a neighbor solicitation (NS) packet to check whether the IPv6 address is used by another user. To facilitate management of users' IP addresses, a device can establish a prefix management table. After ND snooping is enabled, the device obtains a router advertisement (RA) packet from an ND snooping trusted interface and generates a prefix management entry based on the RA packet. You can run the display nd snooping prefix command to check prefix management entries.

Example

# Display prefix management entries of users.

<HUAWEI> display nd snooping prefix 
prefix-table:                                                                   
Prefix                             Length   Valid-Time  Preferred-Time          
--------------------------------------------------------------------------------
FC00:1::                           64       100000      100000                  
--------------------------------------------------------------------------------
Prefix table total count:      1                                   
Table 14-62  Description of the display nd snooping prefix command output

| Item | Description |
| --- | --- |
| prefix-table | Prefix management table of users. |
| Prefix | Prefix. The value is a 32-digit hexadecimal number, in the X:X:X:X:X:X:X:X format. |
| Length | Prefix length. The value is an integer that ranges from 1 to 128. |
| Valid-Time | Valid lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds. |
| Preferred-Time | Preferred lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds. |
| Prefix table total count | Total number of entries in the prefix management table. |

# Display detailed information about prefix management entries of users.

<HUAWEI> display nd snooping prefix verbose
prefix-table:
--------------------------------------------------------------------------------
 Prefix                  : FC00:1::
 Prefix Length           : 64
 Valid Lifetime(sec)     : 2592000
 Preferred Lifetime(sec) : 604800
 Interface               : Wlan-Capwap0
 VLAN ID(Outer/Inner)    : 101/-
--------------------------------------------------------------------------------
 Prefix                  : FC00:2::
 Prefix Length           : 64
 Valid Lifetime(sec)     : 2592000
 Preferred Lifetime(sec) : 604800
 Interface               : Wlan-Capwap0
 VLAN ID(Outer/Inner)    : 102/-
--------------------------------------------------------------------------------
Prefix table total count:      2     
Table 14-63  Description of the display nd snooping prefix verbose command output

| Item | Description |
| --- | --- |
| prefix-table | Prefix management table of users. |
| Prefix | Prefix. The value is a 32-digit hexadecimal number, in the X:X:X:X:X:X:X:X format. |
| Prefix Length | Prefix length. The value is an integer that ranges from 1 to 128. |
| Valid Lifetime(sec) | Valid lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds. |
| Preferred Lifetime(sec) | Preferred lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds. |
| Interface | Interface information in a prefix management entry. |
| VLAN ID(Outer/Inner) | VLAN information in a prefix management entry. |
| Prefix table total count | Total number of entries in the prefix management table. |

display nd snooping statistics

Function

The display nd snooping statistics command displays statistics about the ND snooping packets received and discarded by the device.

Format

display nd snooping statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ND snooping is enabled, the device records statistics on the received and discarded ND snooping packets to facilitate maintenance.

Example

# Display statistics on the ND snooping packets received and discarded on the device.

<HUAWEI> display nd snooping statistics
Input: total 203 packets, discarded 14 packets                                   
  ns                                             :        178                 
  na                                             :         21                  
  rs                                             :          4                  
  ra                                             :          0                  
  other                                          :          0                  
Drop Packet:                                                                    
  The local link address is incorrect            :          7       
  It does not match the binding table            :          1  
  The destination IP address is incorrect        :          6
Table 14-64  Description of the display nd snooping statistics command output

| Item | Description |
| --- | --- |
| Input: total n packets, discarded m packets | Number (n) of ND packets received by the device and number (m) of discarded ND packets. |
| ns | Number of received NS packets on a device. |
| na | Number of received NA packets. |
| rs | Number of received RS packets. |
| ra | Number of received RA packets. |
| other | Number of received other packets. |
| Drop Packet | Number of dropped packets. The displayed information varies according to the packet drop reasons. |
| The local link address is incorrect | Number of packets dropped due to incorrect link-local address. |
| It does not match the binding table | Number of packets dropped because the packets do not match the binding entries. |
| The destination IP address is incorrect | Number of packets dropped due to incorrect destination IP addresses. |
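The drop counters in this output are the quickest sign that spoofed ND packets are hitting an untrusted interface. The following parser is an added example, not Huawei code: it reads the output shown in the example above and reports inconsistencies and a high drop ratio. The function names and the 5% threshold are assumptions, and the sum checks rest on how the counters add up in the sample output.

```python
import re

# Output copied from the example on this page (trailing spaces removed).
SAMPLE = """\
Input: total 203 packets, discarded 14 packets
  ns                                             :        178
  na                                             :         21
  rs                                             :          4
  ra                                             :          0
  other                                          :          0
Drop Packet:
  The local link address is incorrect            :          7
  It does not match the binding table            :          1
  The destination IP address is incorrect        :          6
"""

HEADER = re.compile(r"^Input:\s*total\s+(\d+)\s+packets,\s*discarded\s+(\d+)\s+packets$")
COUNTER = re.compile(r"^\s+(.+?)\s*:\s*(\d+)$")


def parse_nd_snooping_statistics(text):
    """Parse 'display nd snooping statistics' output into a dictionary."""
    stats = {"total": None, "discarded": None, "received": {}, "drops": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            stats["total"] = int(header.group(1))
            stats["discarded"] = int(header.group(2))
            section = "received"
            continue
        if line.strip() == "Drop Packet:":
            section = "drops"       # the drop reasons listed vary between devices
            continue
        counter = COUNTER.match(line)
        if counter and section:
            stats[section][counter.group(1)] = int(counter.group(2))
    if stats["total"] is None:
        raise ValueError("no 'Input: total ...' line found")
    return stats


def review(stats, max_drop_ratio=0.05):
    """Return findings; max_drop_ratio is an assumed alert threshold."""
    findings = []
    if sum(stats["received"].values()) != stats["total"]:
        findings.append("per-type counters do not add up to the total")
    if sum(stats["drops"].values()) != stats["discarded"]:
        findings.append("drop reasons do not add up to the discarded count")
    ratio = stats["discarded"] / stats["total"] if stats["total"] else 0.0
    if ratio > max_drop_ratio:
        top = max(stats["drops"], key=stats["drops"].get, default="unknown")
        findings.append(
            f"drop ratio {ratio:.1%} exceeds {max_drop_ratio:.0%}; top reason: {top}"
        )
    return findings


if __name__ == "__main__":
    for finding in review(parse_nd_snooping_statistics(SAMPLE)):
        print(finding)
```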

display nd snooping user-bind

Function

The display nd snooping user-bind command displays the ND snooping dynamic binding table.

Format

display nd snooping user-bind all [ verbose ]

display nd snooping user-bind { ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id } * [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all | Displays all ND snooping dynamic binding entries. | - |
| verbose | Displays detailed information about ND snooping dynamic binding entries. | - |
| ipv6-address ipv6-address | Displays information about the IPv6 address in the ND snooping dynamic binding table. | The value is a 32-digit hexadecimal number in X:X:X:X:X:X:X:X format. |
| mac-address mac-address | Displays information about the MAC address in the ND snooping dynamic binding table. | The value is in the format of H-H-H. An H is a hexadecimal number of 1 to 4 digits. |
| vlan vlan-id | Displays information about the VLAN in the ND snooping dynamic binding table. | The value is an integer ranging from 1 to 4094. |
| interface interface-type interface-number | Displays interface information in the ND snooping dynamic binding table. interface-type specifies the interface type; interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

An ND snooping dynamic binding entry includes the source IPv6 address and source MAC address of a user, and the VLAN that a user belongs to. You can run the display nd snooping user-bind command to view details in the ND snooping dynamic binding table.

Example

# Display all ND snooping dynamic binding entries.

<HUAWEI> display nd snooping user-bind all
ND Dynamic Bind-table:                                                          
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                              
IP Address                      MAC Address     VSI/VLAN(O/I/P) Lease           
--------------------------------------------------------------------------------
FC00:1::2                       00e0-4c7c-af8f  10  /--  /--    2011.05.06-20:09
--------------------------------------------------------------------------------
Print count:           1          Total count:           1

# Display detailed information about ND snooping dynamic binding entries.

<HUAWEI> display nd snooping user-bind all verbose
ND Dynamic Bind-table:                                                          
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
 IP Address  : FC00:1::2                                                     
 MAC Address : 00e0-4c7c-af8f                                                   
 VSI         : --                                                               
 VLAN(O/I/P) : 10  /--  /--                                                     
 Interface   : GE0/0/1                                                         
 Lease       : 2011.05.06-20:09                                                 
 IPSG Status : ineffective                                                      
 User State  : DETECTION                                                       
--------------------------------------------------------------------------------
Print count:           1          Total count:           1       
Table 14-65  Description of the display nd snooping user-bind command output

| Item | Description |
| --- | --- |
| ND Dynamic Bind-table | ND snooping dynamic binding table. |
| Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping | O indicates the outer VLAN ID; I indicates the inner VLAN ID; P indicates the mapped VLAN ID. |
| IP Address | IPv6 address of a user. |
| MAC Address | MAC address of a user. |
| VSI | VPN instance that a user belongs to. |
| VLAN(O/I/P) | Inner VLAN ID, outer VLAN ID, or VLAN mapping information of the online user. NOTE: The ND snooping binding table does not contain VLAN mapping information. Therefore, no value is displayed in the P field. |
| Interface | User access interface. |
| Lease | ND user lease. |
| IPSG Status | Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be effective or ineffective. This field is invalid if IP packet checking is not enabled. |
| User State | Status of an ND snooping dynamic binding entry. START: The binding entry is being created and is in the initialization state. DETECTION: The system is performing detection for the binding entry to check whether the user is online. BOUND: The binding entry has been successfully created. |

nd snooping check enable

Function

The nd snooping check enable command enables ND protocol packet validity check.

The undo nd snooping check enable command disables ND protocol packet validity check.

By default, ND protocol packet validity check is disabled.

Format

nd snooping check { na | ns | rs } enable

undo nd snooping check { na | ns | rs } enable

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| na | Enables validity check for Neighbor Advertisement (NA) packets. | - |
| ns | Enables validity check for Neighbor Solicitation (NS) packets. | - |
| rs | Enables validity check for Router Solicitation (RS) packets. | - |

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ND packet validity check prevents forged NA/NS/RS packets.

After ND packet validity check is enabled, the device verifies the NA/NS/RS packets received by untrusted interfaces against the ND snooping binding table, to determine whether the NA/NS/RS packets are sent from valid users in the VLAN on the interface. The device forwards the ND packets from valid users and drops invalid ND packets.

Prerequisites

ND snooping has been enabled globally using the nd snooping enable command.

Example

# Enable NA packet validity check on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping check na enable

nd snooping enable

Function

The nd snooping enable command enables ND snooping.

The undo nd snooping enable command disables ND snooping.

By default, ND snooping is disabled.

Format

nd snooping enable

undo nd snooping enable

Parameters

None

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

ND provides powerful functions but has no security mechanism. Attackers often use ND to attack network devices. Common ND attacks are as follows:
  • An attacker uses the IP address of host A to send NS, NA, or RS packets to host B or the gateway. Host B or the gateway then modifies their ND entries. As a result, all packets sent from host B or the gateway to host A are sent to the attacker.
  • An attacker uses the gateway IP address to send RA packets to hosts. Then the hosts incorrectly set IPv6 parameters and modify their ND entries.

To prevent ND attacks, enable ND snooping on the device. The device detects NS packets in the DAD process to establish an ND snooping dynamic binding table that includes source IPv6 addresses, source MAC addresses, VLANs, and inbound ports. When receiving ND packets, the device checks the validity of ND packets based on the ND snooping binding table and checks whether the user is an authorized user in the VLAN that the port receiving ND packets belongs to. The device forwards valid ND packets and discards invalid ND packets to defend against ND attacks from bogus hosts or gateways.

NOTE:

By default, the system reports a port-Up event 2 seconds after a user-side interface changes from the Down state to the Up state. If ND snooping is enabled before the port-Up event is reported, the system cannot generate the ND snooping entry of the user connected to this interface. To avoid this problem, run the carrier up-hold-time interval command to change the delay in reporting the port-Up event to 0.

Example

# Enable ND snooping globally and on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable

nd snooping enable dhcpv6 only

Function

The nd snooping enable dhcpv6 only command enables ND snooping in the DHCPv6 Only scenario.

The undo nd snooping enable command disables ND snooping in the DHCPv6 Only scenario.

By default, ND snooping is disabled in the DHCPv6 Only scenario.

Format

nd snooping enable dhcpv6 only

undo nd snooping enable

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device checks the validity of ND protocol packets against the IPv6 static binding table, the DHCPv6 dynamic binding table, and the ND snooping binding table. The IPv6 static binding table is manually configured by the administrator, the DHCPv6 dynamic binding table is automatically generated from information extracted from DHCPv6 Reply packets, and the ND snooping binding table is automatically generated from information extracted from DAD NS packets. The ND protocol packet validity check function also depends on the ND snooping function (including enabling ND snooping and configuring ND snooping trusted interfaces). In the DHCPv6 Only scenario, users are allowed to obtain IPv6 addresses only through DHCPv6; IPv6 addresses that users configure privately or that are automatically generated using the PD address prefix are considered invalid. In this scenario, ND snooping is disabled to prevent ND snooping binding entries from being generated for such invalid addresses. As a result, the ND protocol packet validity check cannot be performed, and address spoofing attacks may occur on the network.

To resolve this problem, you can run the nd snooping enable dhcpv6 only and nd snooping trusted dhcpv6 only commands to enable the ND snooping function in the DHCPv6 Only scenario. After the nd snooping enable dhcpv6 only command is configured, no ND snooping binding entry is generated for the IPv6 global unicast addresses that are manually configured by users and automatically generated using the PD address prefixes. The device checks the validity of ND protocol packets against the IPv6 static binding table and DHCPv6 dynamic binding table.

Prerequisites

ND snooping has been enabled globally using the nd snooping enable command.

Precautions

  • In the DHCPv6 Only scenario, ND snooping binding entries are generated for IPv6 link-local addresses, whether they are manually configured by users or automatically generated. That is, only records corresponding to the IPv6 link-local addresses exist in the ND snooping binding table in the DHCPv6 Only scenario.
  • IPv6 addresses obtained using DHCPv6 PD also apply to the DHCPv6 Only scenario.

Example

# Enable ND snooping globally, and enable ND snooping in the DHCPv6 Only scenario on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable dhcpv6 only

nd snooping max-user-number

Function

The nd snooping max-user-number command sets the maximum number of ND snooping dynamic binding entries to be learned by an interface.

The undo nd snooping max-user-number command restores the default maximum number of ND snooping dynamic binding entries to be learned by an interface.

By default, the maximum number of ND snooping dynamic binding entries that can be learned on an interface is 256 for S1720GFR-TP and S2750EI, 512 for S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, and S2720EI, 1024 for S1720X and S1720X-E, 2048 for S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI and S6720S-SI, and 4096 for other models.

Format

nd snooping max-user-number max-user-number

undo nd snooping max-user-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| max-user-number | Specifies the maximum number of ND snooping dynamic binding entries to be learned by an interface. | The value is an integer that ranges from 1 to 256 for S1720GFR-TP and S2750EI, from 1 to 512 for S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, and S2720EI, from 1 to 1024 for S1720X and S1720X-E, from 1 to 2048 for S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720I-SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI and S6720S-SI, and from 1 to 4096 for other models. |

Views

System view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a lot of users go online through an interface, the device consumes many ND snooping dynamic binding entries to process the NS packets. To prevent this problem, you can set the maximum number of ND snooping dynamic binding entries to be learned by an interface. If the number of the ND snooping dynamic binding entries learned by an interface reaches the maximum number, no entry can be added.

You can set the maximum number of ND snooping entries in the system view or interface view. The configuration in the system view is valid for all interfaces. The settings in the interface view only take effect on the specified interface. If the settings are performed in both the interface view and system view, the smaller value is adopted.

Prerequisites

Before setting the maximum number of ND snooping dynamic binding entries to be learned by an interface, ensure that ND snooping has been enabled in the system view using the nd snooping enable command.

Example

# Set the maximum number of ND snooping binding entries to 200 on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping max-user-number 200

nd snooping trusted

Function

The nd snooping trusted command configures the trusted interface.

The undo nd snooping trusted command restores the trusted interface to an untrusted interface.

By default, all interfaces are untrusted interfaces.

Format

Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

nd snooping trusted

undo nd snooping trusted

VLAN view

nd snooping trusted interface interface-type interface-number

undo nd snooping trusted interface interface-type interface-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface interface-type interface-number | Specifies the type and number of the trusted interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ND snooping classifies interfaces connected to IPv6 nodes into trusted and untrusted interfaces. The trusted interfaces connect to trusted IPv6 nodes and untrusted interfaces connect to untrusted IPv6 nodes. By default, all interfaces are untrusted.

  • You must configure the interface connected to a trusted IPv6 node as a trusted interface so that the device can forward the ND packets received by this interface. In addition, the device creates a prefix management table according to the received RA packet to help network administrators manage IPv6 addresses.

  • The interface connected to an untrusted IPv6 node must be configured as an untrusted interface. The device discards the RA packets received by the untrusted interface to prevent RA attacks.

NOTE:

Generally, the interface connecting to the gateway is configured as the trusted interface, and other interfaces are all untrusted interfaces.

Prerequisites

ND snooping has been enabled using the nd snooping enable command in the system view.

Precautions

After the nd snooping trusted command is executed, ND snooping is enabled on the interface.

When you run the nd snooping trusted command in the VLAN view, the specified interface must belong to the VLAN.

Example

# Configure GE0/0/1 as a trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping trusted

# Configure GE0/0/1 in VLAN 10 as a trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] nd snooping trusted interface gigabitethernet 0/0/1
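The trusted and untrusted handling described above, together with the binding-table check from nd snooping enable and nd snooping check enable, can be followed in a small model. This is an added example, a simplified Python model of the behaviour this page describes and not device code; the class and function names, ports GE0/0/2 and GE0/0/3, the rogue and gateway MAC addresses, and the FE80::1 gateway address are constructed. It assumes that a DAD NS which creates no binding is still forwarded and that an existing binding is never overwritten.

```python
import ipaddress
from dataclasses import dataclass

UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass(frozen=True)
class NDPacket:
    kind: str          # "ns", "na", "rs" or "ra"
    src_ip: str
    src_mac: str
    vlan: int
    port: str
    target: str = ""   # NS only: solicited address (the tentative address in DAD)
    prefix: str = ""   # RA only: advertised prefix


class NDSnoopingModel:
    """Simplified model of the behaviour described on this page (not device code)."""

    def __init__(self, trusted_ports, checked_kinds, max_user_number):
        self.trusted = set(trusted_ports)
        self.checked = set(checked_kinds)   # mirrors nd snooping check { na | ns | rs } enable
        self.max_user_number = max_user_number
        self.prefixes = []                  # prefix management table
        self.bindings = {}                  # IPv6 address -> (MAC, VLAN, port)

    def receive(self, pkt):
        """Return 'forward' or 'drop' for one received ND packet."""
        if pkt.port in self.trusted:
            if pkt.kind == "ra" and pkt.prefix:
                self.prefixes.append(ipaddress.IPv6Network(pkt.prefix))
            return "forward"
        if pkt.kind == "ra":
            return "drop"                   # RA received on an untrusted interface
        src = ipaddress.IPv6Address(pkt.src_ip)
        if pkt.kind == "ns" and src == UNSPECIFIED:
            self._learn_from_dad(pkt)
            return "forward"                # assumption: learning never blocks the DAD NS
        if pkt.kind not in self.checked:
            return "forward"
        if self.bindings.get(src) == (pkt.src_mac, pkt.vlan, pkt.port):
            return "forward"
        return "drop"                       # does not match the binding table

    def _learn_from_dad(self, pkt):
        addr = ipaddress.IPv6Address(pkt.target)
        # Non-link-local addresses need a matching prefix management entry first.
        known = addr.is_link_local or any(addr in net for net in self.prefixes)
        on_port = sum(1 for b in self.bindings.values() if b[2] == pkt.port)
        # Assumption: an existing binding is never overwritten by a later claimant.
        if known and addr not in self.bindings and on_port < self.max_user_number:
            self.bindings[addr] = (pkt.src_mac, pkt.vlan, pkt.port)


def demo():
    """Constructed scenario: gateway on GE0/0/1, host A on GE0/0/2, rogue host on GE0/0/3."""
    sw = NDSnoopingModel(trusted_ports={"GE0/0/1"}, checked_kinds={"na", "ns", "rs"},
                         max_user_number=200)
    host_a = dict(src_mac="00e0-4c7c-af8f", vlan=10, port="GE0/0/2")
    rogue = dict(src_mac="00e0-4c00-0001", vlan=10, port="GE0/0/3")   # constructed MAC
    packets = [
        ("gateway RA", NDPacket("ra", "FE80::1", "00e0-4c00-00ff", 10, "GE0/0/1",
                                prefix="FC00:1::/64")),
        ("rogue RA", NDPacket("ra", "FE80::1", prefix="FC00:9::/64", **rogue)),
        ("host A DAD NS", NDPacket("ns", "::", target="FC00:1::2", **host_a)),
        ("host A NA", NDPacket("na", "FC00:1::2", **host_a)),
        ("rogue NA as host A", NDPacket("na", "FC00:1::2", **rogue)),
        ("rogue DAD NS, unknown prefix", NDPacket("ns", "::", target="FC00:9::5", **rogue)),
        ("rogue NA, unknown prefix", NDPacket("na", "FC00:9::5", **rogue)),
    ]
    return [(label, sw.receive(pkt)) for label, pkt in packets]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{verdict:8} {label}")
```

The rogue RA is dropped before its prefix can be learned, so the later DAD NS for FC00:9::5 creates no binding and traffic from that address fails the check.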

nd snooping trusted dhcpv6 only

Function

The nd snooping trusted dhcpv6 only command configures the interfaces in the DHCPv6 Only scenario as ND snooping trusted interfaces.

The undo nd snooping trusted command restores the interfaces to untrusted.

By default, all interfaces are untrusted.

Format

Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

nd snooping trusted dhcpv6 only

undo nd snooping trusted

VLAN view

nd snooping trusted interface interface-type interface-number dhcpv6 only

undo nd snooping trusted interface interface-type interface-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface interface-type interface-number | Specifies the type and number of the interface that will be configured as an ND snooping trusted interface in the DHCPv6 Only scenario. interface-type specifies the interface type; interface-number specifies the interface number. | - |

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

The device checks the validity of ND protocol packets against the IPv6 static binding table, the DHCPv6 dynamic binding table, and the ND snooping binding table. The IPv6 static binding table is manually configured by the administrator, the DHCPv6 dynamic binding table is automatically generated from information extracted from DHCPv6 Reply packets, and the ND snooping binding table is automatically generated from information extracted from DAD NS packets. The ND protocol packet validity check function also depends on the ND snooping function (including enabling ND snooping and configuring ND snooping trusted interfaces). In the DHCPv6 Only scenario, users are allowed to obtain IPv6 addresses only through DHCPv6; IPv6 addresses that users configure privately or that are automatically generated using the PD address prefix are considered invalid. In this scenario, ND snooping is disabled to prevent ND snooping binding entries from being generated for such invalid addresses. As a result, the ND protocol packet validity check cannot be performed, and address spoofing attacks may occur on the network.

To resolve this problem, you can run the nd snooping enable dhcpv6 only and nd snooping trusted dhcpv6 only commands to enable the ND snooping function in the DHCPv6 Only scenario. After the nd snooping trusted dhcpv6 only command is configured, no prefix management entry is generated when the trusted interface receives an RA packet, which is different from the nd snooping trusted command. This is because the prefix management entries need to be matched before the corresponding ND snooping binding entries are generated for the IPv6 addresses excluding the IPv6 link-local addresses. However, only records corresponding to the IPv6 link-local addresses exist in the ND snooping binding table in the DHCPv6 Only scenario. Therefore, the prefix management entries do not need to be generated.

Example

# Configure GE0/0/1 as an ND snooping trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping trusted dhcpv6 only

# Configure GE0/0/1 as an ND snooping trusted interface in VLAN 2.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] vlan 2
[HUAWEI-vlan2] nd snooping trusted interface gigabitethernet 0/0/1 dhcpv6 only

nd snooping user-alarm percentage

Function

The nd snooping user-alarm percentage command configures the alarm thresholds for the percentage of ND snooping dynamic binding entries.

The undo nd snooping user-alarm percentage command restores the default alarm thresholds for the percentage of ND snooping dynamic binding entries.

By default, the lower alarm threshold for the percentage of ND snooping dynamic binding entries is 50, and the upper alarm threshold for the percentage of ND snooping dynamic binding entries is 100.

Format

nd snooping user-alarm percentage percent-lower-value percent-upper-value

undo nd snooping user-alarm percentage

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| percent-lower-value | Specifies the lower alarm threshold for the percentage of ND snooping dynamic binding entries. | The value is an integer that ranges from 1 to 100. |
| percent-upper-value | Specifies the upper alarm threshold for the percentage of ND snooping dynamic binding entries. | The value is an integer that ranges from 1 to 100, but must be greater than or equal to the lower alarm threshold. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After you run the nd snooping max-user-number command to set the maximum number of ND snooping dynamic binding entries on an interface, you can run the nd snooping user-alarm percentage command to set the alarm thresholds for the percentage of ND snooping dynamic binding entries.

When the percentage of learned ND snooping dynamic binding entries against the maximum number of ND snooping dynamic entries allowed by the device reaches or exceeds the upper alarm threshold, the device generates an alarm. When the percentage of learned ND snooping dynamic binding entries against the maximum number of ND snooping dynamic entries allowed by the device reaches or falls below the lower alarm threshold later, the device generates a clear alarm. The alarm information helps network administrators monitor the status of ND snooping binding table in real time.

Example

# Set the lower alarm threshold for the percentage of ND snooping dynamic binding entries to 30 and the upper alarm threshold to 80.

<HUAWEI> system-view
[HUAWEI] nd snooping user-alarm percentage 30 80
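The two thresholds form a hysteresis band: the alarm is raised at the upper value and is not cleared until usage falls back to the lower value. The following Python sketch is an added example, not device code; it replays a constructed series of entry counts against the 30/80 thresholds from the example above. The function names are assumptions, and so is measuring the percentage against the entry limit in effect (here the smaller of a system-view and an interface-view nd snooping max-user-number value).

```python
def effective_limit(system_max=None, interface_max=None, model_default=4096):
    """Entry limit in effect: when both views set a value, the smaller one is adopted.

    model_default is the default for the switch model (4096 for "other models").
    """
    configured = [v for v in (system_max, interface_max) if v is not None]
    return min(configured) if configured else model_default


def alarm_events(entry_counts, limit, lower=50, upper=100):
    """Replay entry counts and return (sample index, 'alarm' | 'clear', count) events.

    Defaults mirror the page: lower threshold 50, upper threshold 100.
    """
    if not 1 <= lower <= upper <= 100:
        raise ValueError("thresholds must satisfy 1 <= lower <= upper <= 100")
    if limit < 1:
        raise ValueError("limit must be at least 1")
    events = []
    active = False
    for index, count in enumerate(entry_counts):
        percent = 100 * count / limit
        if not active and percent >= upper:
            active = True                  # reached or exceeded the upper threshold
            events.append((index, "alarm", count))
        elif active and percent <= lower:
            active = False                 # later reached or fell below the lower threshold
            events.append((index, "clear", count))
    return events


def demo():
    # Constructed values: system view limit 500, interface limit 200 -> 200 applies.
    limit = effective_limit(system_max=500, interface_max=200)
    # Constructed samples of the learned-entry count over time.
    counts = [40, 120, 160, 170, 100, 61, 60, 150, 165]
    return limit, alarm_events(counts, limit, lower=30, upper=80)


if __name__ == "__main__":
    limit, events = demo()
    print("limit in effect:", limit)
    for index, kind, count in events:
        print(f"sample {index}: {kind} at {count} entries")
```

Between the two thresholds nothing is reported, so a table that hovers at 50 to 75 percent after an alarm stays in the alarm state until it drops to 30 percent.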

nd user-bind detect

Function

The nd user-bind detect command configures the number of times and interval for sending NS packets to detect the user status.

The undo nd user-bind detect command restores the default setting.

After automatic user status detection is enabled for users that correspond to ND snooping dynamic binding entries, the default number of detection times is 2, and the default detection interval is 1000 milliseconds.

Format

nd user-bind detect retransmit retransmit-times interval retransmit-interval

undo nd user-bind detect retransmit interval

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| retransmit retransmit-times | Specifies the number of times for sending NS packets to detect the user status. | The value is an integer ranging from 1 to 10. The default value is 2. |
| interval retransmit-interval | Specifies the interval for sending NS packets to detect the user status. | The value is an integer ranging from 1 to 10000, in milliseconds. The default value is 1000 milliseconds. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After automatic user status detection is enabled for users that correspond to ND snooping dynamic binding entries, the device sends NS packets to users based on the configured number of detection times and interval. If a user returns no NA packet after NS packets have been sent the configured number of times, the device considers the user to be offline and deletes the corresponding ND snooping dynamic binding entry.

You can run the nd user-bind detect command to change the number of times and interval for sending NS packets to detect the user status. On a small network with good network quality, the user returns an NA packet quickly. In this scenario, you can set the interval for sending NS packets to a small value. On a large network with poor network quality, the user returns an NA packet slowly. You can set the interval to a large value to prevent the device from sending the next NS packet before receiving the NA packet. You can change the interval based on the actual network environment.

Prerequisites

Automatic user status detection for users corresponding to ND snooping dynamic binding entries has been enabled using the nd user-bind detect enable command.

Precautions

After you run the nd user-bind detect enable command, the device sends an NS packet after a period of time. The maximum value of this period is 20 seconds.

Example

# Set the number of times for sending NS packets to 10, and the interval for sending NS packets to 1000 milliseconds.

<HUAWEI> system-view
[HUAWEI] nd user-bind detect enable
[HUAWEI] nd user-bind detect retransmit 10 interval 1000

nd user-bind detect enable

Function

The nd user-bind detect enable command enables automatic status detection for users corresponding to ND snooping dynamic binding entries.

The undo nd user-bind detect enable command disables automatic status detection for users corresponding to ND snooping dynamic binding entries.

By default, automatic status detection for users corresponding to ND snooping dynamic binding entries is disabled.

Format

nd user-bind detect enable

undo nd user-bind detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After ND snooping is enabled, the device snoops NS packets in the DAD process to establish ND dynamic binding entries. The aging time of an ND snooping dynamic binding table depends on the IPv6 address lease. If the address lease has not expired but the user is offline, the ND snooping dynamic entry corresponding to the user cannot be deleted and continues to occupy binding entry resources on the device.

To prevent this problem, you can enable automatic user status detection for users corresponding to ND snooping dynamic binding entries on the device. After this function is enabled, the device sends NS packets to the user according to the detection times (n) and detection interval specified using the nd user-bind detect command. If the device receives no NA packet from the user after sending the NS packets n times, the device considers the user to be offline and deletes the dynamic ND snooping binding entry matching the user.

Precautions

After you run the nd user-bind detect enable command, the device sends an NS packet after a period of time. The maximum value of this period is 20 seconds.

Example

# Enable automatic status detection for users corresponding to ND snooping dynamic binding entries.

<HUAWEI> system-view
[HUAWEI] nd user-bind detect enable
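
The following check is an added example, not part of the original command reference or Huawei code. It audits a saved configuration text for the two nd user-bind detect commands described above, assuming the configuration lists them in the Format shown on this page; the function name, result keys, sample configuration, and the per-round time bound are assumptions made for illustration.

```python
import re

# Constructed configuration excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
#
nd snooping enable
nd user-bind detect retransmit 10 interval 20000
#
"""

DEFAULT_TIMES, DEFAULT_INTERVAL_MS = 2, 1000  # defaults stated on this page
FIRST_NS_DELAY_MAX_MS = 20_000  # page: first NS is sent after at most 20 seconds
DETECT_RE = re.compile(r"nd user-bind detect retransmit (\d+) interval (\d+)")


def audit_nd_detect(config: str) -> dict:
    """Check the nd user-bind detect settings found in a configuration text."""
    lines = [ln.strip() for ln in config.splitlines()]
    enabled = "nd user-bind detect enable" in lines
    times, interval = DEFAULT_TIMES, DEFAULT_INTERVAL_MS
    tuned, findings = False, []
    for ln in lines:
        m = DETECT_RE.fullmatch(ln)
        if not m:
            continue
        tuned = True
        times, interval = int(m.group(1)), int(m.group(2))
        if not 1 <= times <= 10:
            findings.append(f"retransmit {times} outside 1-10")
        if not 1 <= interval <= 10000:
            findings.append(f"interval {interval} ms outside 1-10000")
    if not enabled:
        findings.append("detection disabled: offline users keep their binding "
                        "entries until the address lease expires")
        if tuned:
            findings.append("retransmit/interval set without the prerequisite "
                            "'nd user-bind detect enable'")
    # Assumption: one detection round takes at most the initial delay plus
    # one interval per NS packet sent.
    bound = FIRST_NS_DELAY_MAX_MS + times * interval if enabled else None
    return {"enabled": enabled, "times": times, "interval_ms": interval,
            "round_upper_bound_ms": bound, "findings": findings}


if __name__ == "__main__":
    for finding in audit_nd_detect(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```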

reset nd snooping prefix

Function

The reset nd snooping prefix command clears prefix management entries of users.

Format

reset nd snooping prefix [ ipv6-address/prefix-length ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ipv6-address | Specifies an IPv6 address. | The value is a 32-digit hexadecimal number in X:X:X:X:X:X:X:X format. |
| prefix-length | Specifies the prefix length. | The value is an integer ranging from 1 to 128. If the global unicast address needs to be set in EUI-64 format, the value of prefix-length ranges from 1 to 64. |

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The ND server that functions as the gateway router sends RA packets periodically to instruct users to update prefixes. The switch that functions as the access device establishes prefix management entries based on RA packets to maintain and manage user prefixes.

Generally, do not delete prefix management entries of users manually. Run the reset nd snooping prefix command to delete prefix management entries of users if the following requirements are met:

  • The user lease does not expire and the prefix management table cannot age automatically.
  • The user is no longer connected to the network.

Precautions

After a prefix management entry is deleted, the switch cannot establish the ND snooping dynamic binding table for new users with the prefix management entry.

Example

# Delete the prefix management entry with the prefix address being fc00:1::1 and the prefix length being 64.

<HUAWEI> reset nd snooping prefix fc00:1::1/64 

reset nd snooping statistics

Function

The reset nd snooping statistics command deletes statistics on ND snooping packets.

Format

reset nd snooping statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After ND snooping is enabled, the device records statistics on the sent and received ND packets. This command deletes the statistics on ND packets.

Precautions

Deleted statistics cannot be restored. Exercise caution.

Example

# Delete statistics on ND snooping packets.

<HUAWEI> reset nd snooping statistics

reset nd snooping user-bind

Function

The reset nd snooping user-bind command clears ND snooping dynamic binding entries on the device.

Format

reset nd snooping user-bind [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface interface-type interface-number | Specifies the interface in the ND snooping dynamic binding entry to be cleared. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| ipv6-address ipv6-address | Specifies the IPv6 address in the ND snooping dynamic binding entry to be cleared. | The value is a 32-digit hexadecimal number in X:X:X:X:X:X:X:X format. |
| mac-address mac-address | Specifies the MAC address in the ND snooping dynamic binding entry to be cleared. | The value is in the format of H-H-H. An H is a hexadecimal number of 1 to 4 digits. |
| vlan vlan-id | Specifies the VLAN ID in the ND snooping dynamic binding entry to be cleared. | The value is an integer ranging from 1 to 4094. |

Views

User view

Default Level

3: Management level

Usage Guidelines

You need to manually delete ND snooping dynamic binding entries if the following requirements are met:

  • The ND snooping dynamic binding entry does not reach the aging time, so the entry cannot age automatically.
  • The user is no longer connected to the network.
  • The user VLAN or interface information changes.

A change in the networking environment may change the VLAN or interface information, while the ND snooping dynamic binding entry corresponding to a user does not age out and cannot be updated in real time. As a result, the device discards valid ND packets that do not match the old ND snooping dynamic binding entries. Before changing the networking environment, clear all ND snooping dynamic binding entries manually so that the device generates a new ND snooping dynamic binding table based on the new networking environment.

Example

# Delete the ND snooping dynamic binding entry that contains the IPv6 address being fc00:1::1.

<HUAWEI> reset nd snooping user-bind ipv6-address fc00:1::1

# Delete the ND snooping dynamic binding entry that contains the MAC address being 00e0-1111-2222.

<HUAWEI> reset nd snooping user-bind mac-address 00e0-1111-2222
Updated: 2019-04-18

Document ID: EDOC1000178165