No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring ND Snooping

Example for Configuring ND Snooping

Networking Requirements

As shown in Figure 10-3, the Switch is located between hosts and the gateway. No DHCPv6 server is configured on the network, so the hosts obtain IPv6 addresses through stateless address autoconfiguration. If attackers send bogus NA/NS/RS/RA packets to the Switch, security issues may occur. For example, users cannot obtain IPv6 addresses, communication is interrupted, and user accounts and passwords are embezzled.

The network administrator requires that the Switch be able to prevent bogus NA/NS/RS/RA packets, providing secure and stable network service to users. In addition, to manage IPv6 addresses of users, the network administrator needs to know the prefixes allocated by the gateway to the users.

Figure 10-3  Networking diagram for configuring ND snooping

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable the ND snooping function so that the Switch can generate the bindings between addresses, VLANs, and interfaces for ND packet validity check.
  2. Configure the interface connecting to the gateway as the trusted interface. Switch generates a prefix management table based on RA packets received from the trusted interface so that user addresses can be managed flexibly. Interfaces connecting to hosts are untrusted interfaces by default. After ND snooping is enabled, Switch filters out RA packets received from untrusted interfaces to prevent RA attacks.
  3. Enable ND packet validity check so that the Switch can check the NA/NS/RS packets against the binding table and filter out invalid NA/NS/RS packets.
  4. Configure automatic user status detection for users mapping ND snooping dynamic binding entries so that mapping entries can be deleted in time when ND users are offline. This conserves binding entry resources.
  5. Set the maximum number of dynamic ND snooping binding entries allowed by an interface. If the number of entries on an interface is not limited, the Switch will consume a lot of entry resources to process the NS packets when many users go online through this interface. As a result, other users cannot communicate with each other.

Procedure

  1. Create a VLAN and configure interfaces.

    # Create VLAN 10 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10
    

    # Add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 10.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type access
    [Switch-GigabitEthernet0/0/1] port default vlan 10
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type access
    [Switch-GigabitEthernet0/0/2] port default vlan 10
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] port link-type trunk
    [Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet0/0/3] quit
    

  2. Enable ND snooping.

    # Enable ND snooping globally.

    [Switch] nd snooping enable

    # Enable ND snooping for VLAN 10.

    [Switch] vlan 10
    [Switch-vlan10] nd snooping enable
    [Switch-vlan10] quit

  3. # Configure GE0/0/3 as a trusted interface.

    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] nd snooping trusted
    [Switch-GigabitEthernet0/0/3] quit

  4. Enable ND packet validity check.

    [Switch] vlan 10
    [Switch-vlan10] nd snooping check ns enable
    [Switch-vlan10] nd snooping check na enable
    [Switch-vlan10] nd snooping check rs enable
    [Switch-vlan10] quit

  5. Enable automatic user status detection for users mapping ND snooping dynamic binding entries.

    # Enable automatic user status detection for users mapping ND snooping dynamic binding entries and set the number of times and interval for sending NS packets to detect the user status.

    [Switch] nd user-bind detect enable
    [Switch] nd user-bind detect retransmit 5 interval 600
    

  6. Set the maximum number of ND snooping dynamic binding entries to be learned by an interface.

    [Switch] nd snooping max-user-number 200

  7. Verify the configuration.

    Run the display this command in the system view. The command output shows that the ND snooping function and automatic user status detection for users mapping ND snooping dynamic binding entries have been enabled globally. In addition, the maximum number of dynamic ND snooping binding entries allowed by the interface is set.

    [Switch] display this
    ......
     nd snooping enable
     nd user-bind detect enable
     nd user-bind detect retransmit 5 interval 600
     nd snooping max-user-number 200     
    ......
    

    Run the display this command in the VLAN view. The command output shows that ND snooping and ND packet validity check have been enabled in VLAN 10.

    [Switch] vlan 10
    [Switch-vlan10] display this
    #                                                                               
    vlan 10                                                                         
     nd snooping enable                                                             
     nd snooping check ns enable                                                    
     nd snooping check na enable 
     nd snooping check rs enable
    
    #                                                                               
    return   
    [Switch-vlan10] quit
    

    Run the display this command to verify that GE0/0/3 has been configured as the trusted interface.

    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] display this
    #                                                                               
    interface GigabitEthernet0/0/3                                                  
     port link-type trunk                                                           
     port trunk allow-pass vlan 10 
     nd snooping trusted
    #                                                                               
    return 
    [Switch-GigabitEthernet0/0/3] quit
    [Switch] quit

    Run the display nd snooping prefix command to view the prefix management table of ND users.

    <Switch> display nd snooping prefix
    prefix-table:                                                                   
    Prefix                             Length   Valid-Time  Preferred-Time          
    --------------------------------------------------------------------------------
    FC00:1::                           64       100000      100000                  
    --------------------------------------------------------------------------------
    Prefix table total count:      1                       

    Run the display nd snooping user-bind all command to view the ND snooping dynamic binding table.

    <Switch> display nd snooping user-bind all
    ND Dynamic Bind-table:                                                          
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                              
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Lease           
    --------------------------------------------------------------------------------
    FC00:1::E58C:A2E7:AA4C:8E59     00e0-4c7c-af8f  10  /--  /--    2011.05.06-20:09
    --------------------------------------------------------------------------------
    print count:           1          total count:           1          

    If the prefix management table and ND snooping dynamic binding table are generated on Switch, ND snooping is configured successfully.

Configuration Files

Switch configuration file

#
sysname Switch
#                                                                               
vlan batch 10
#
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
nd snooping max-user-number 200
#
vlan 10                                                                         
 nd snooping enable                                                             
 nd snooping check ns enable                                                    
 nd snooping check na enable 
 nd snooping check rs enable
# 
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#   
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                   
 nd snooping trusted                                                            
#
return
Translation
Download
Updated: 2019-03-28

Document ID: EDOC1000178177

Views: 222805

Downloads: 720

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next