Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Understanding ND Snooping

ND snooping listens on the ICMPv6-based ND packets to create the prefix management table and dynamic ND snooping binding table. The ND snooping enabled device manages IPv6 addresses of access users through the prefix management table and filters out invalid ND packets received by untrusted interfaces through the dynamic ND snooping binding table.

ICMPv6-based ND packets

ND packets are carried in ICMPv6 packets and are classified into five types:
  • Neighbor solicitation (NS): An IPv6 node (a host or network device running IPv6) sends NS packets to obtain the link-layer addresses of its neighbors and to detect neighbor reachability and duplicate addresses.
  • Neighbor advertisement (NA): An IPv6 host sends an NA packet in response to an NS packet. An IPv6 node also sends NA packets when the link-layer topology changes.
  • Router solicitation (RS): When an IPv6 node starts, it sends an RS packet to a router to request prefixes and other configuration information, and waits for the router to respond with an RA packet.
  • Router advertisement (RA): A router periodically advertises RA packets, including network configurations such as network prefix to IPv6 nodes. The router also returns RA packets as the responses to RS packets.
  • Redirect (RR): When detecting that the inbound interface and outbound interface of a packet are the same, a router sends a Redirect packet to request the IPv6 node to select a better next hop address.

ND Snooping Trusted and Untrusted Interfaces

ND snooping classifies the interfaces connecting to IPv6 nodes into trusted and untrusted interfaces. The trusted interfaces connect to trusted IPv6 nodes and untrusted interfaces connect to untrusted IPv6 nodes.
  • ND snooping trusted interface: connects to trusted IPv6 nodes. The device forwards the ND packets sent from a trusted interface, and generates a prefix management table according to the received RA packets.
  • ND snooping untrusted interface: connects to untrusted IPv6 nodes. When receiving an RA packet from an untrusted interface, the device considers the RA packet invalid and discards it. When receiving an NA, NS, or RS packet from an untrusted interface, if ND packet validity check has been enabled on the interface or on the VLAN to which the interface belongs, the device checks the packet against the dynamic ND snooping binding table and discards it if it matches no entry in the table. ND packets of other types received from untrusted interfaces are forwarded directly.

Prefix Management Table

For a host that obtains an IPv6 address through stateless address autoconfiguration, the IPv6 address is generated based on the prefix in an RA packet. After ND snooping is enabled on a device, the device captures RA packets sent from the trusted interface and generates a prefix management table based on the RA packets. An entry in the prefix management table contains IPv6 address information, including the prefix, prefix length, and prefix lease. The information helps network administrators manage IPv6 addresses easily.

Dynamic ND Snooping Binding Table

A dynamic ND snooping binding entry contains the source IPv6 address, source MAC address, VLAN ID, and inbound port of a packet. A device can check NA, NS, or RS packets against the dynamic ND snooping binding table to filter bogus NA, NS, or RS packets.

Entry Creation and Update Mechanism of the Dynamic ND Snooping Binding Table

After ND snooping is configured, a device creates entries in the dynamic ND snooping binding table by checking NS packets and updates entries in the dynamic ND snooping binding table by checking NS or NA packets.

The device creates and updates entries in the dynamic ND snooping binding table as follows:

  • After receiving a DAD NS packet, the device searches for a dynamic ND snooping binding entry based on the target address in the packet.

    NOTE: The target address is the IPv6 address carried in the Target Address field of the NS packet. It can be a link-local address, a site-local address, or a global address, but not a multicast address.

    • If no entry is found and the target address of the packet matches a prefix management entry of a user, the device creates a dynamic ND snooping binding entry.
    • If a matching entry is found, the device checks whether the MAC address and inbound interface of the packet are the same as those in the entry.
      • If the MAC address and inbound interface are the same as those in the entry, the device updates the IP address lease in the entry.
      • If the MAC address and inbound interface differ from those in the entry, the device updates the matching dynamic ND snooping binding entry based on the NS packet.
  • After receiving an NA packet, the device searches for a dynamic ND snooping binding entry based on the IP address in the packet.
    • If no matching dynamic ND snooping binding entry is found, the device discards the NA packet.
    • If a matching entry is found, the device checks whether the port information in the NA packet is the same as that in the entry.
      • If the port information in the NA packet is the same as that in the entry, the device updates the user's IP address lease time in the entry.
      • If the port information in the NA packet differs from that in the entry, the device discards the packet.
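The creation and update rules above, plus the trusted/untrusted RA handling, modelled as an added Python example (this is not Huawei's code; the port names, VLAN, MAC addresses, prefix and the 3600-second lease are constructed, and matching an NA on its source address is an assumption):

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
# Constructed model of the tables described above; not Huawei's implementation.

@dataclass
class Binding:
    mac: str
    vlan: int
    port: str      # inbound interface
    lease: int     # remaining lease in seconds

@dataclass
class NdSnooping:
    trusted_ports: set[str]
    prefixes: list[IPv6Network] = field(default_factory=list)    # prefix management table
    bindings: dict[IPv6Address, Binding] = field(default_factory=dict)
    lease: int = 3600   # assumed lease granted when an entry is created or refreshed

    def on_ra(self, port: str, prefix: str) -> bool:
        """RA on a trusted interface feeds the prefix table; elsewhere it is dropped."""
        if port in self.trusted_ports:
            self.prefixes.append(IPv6Network(prefix))
        return port in self.trusted_ports

    def on_dad_ns(self, port: str, vlan: int, mac: str, target: str) -> str:
        """DAD NS: look up the target address; create, refresh or overwrite the entry."""
        tgt = IPv6Address(target)
        if tgt.is_multicast:           # multicast targets never form bindings
            return "ignored"
        entry = self.bindings.get(tgt)
        if entry is None:
            if not any(tgt in p for p in self.prefixes):
                return "no-prefix"     # target outside every learned prefix
            self.bindings[tgt] = Binding(mac, vlan, port, self.lease)
            return "created"
        if entry.mac == mac and entry.port == port:
            entry.lease = self.lease   # same host on the same port: refresh lease
            return "refreshed"
        self.bindings[tgt] = Binding(mac, vlan, port, self.lease)
        return "updated"               # binding now follows the new MAC/port

    def on_na(self, port: str, src: str) -> str:
        """NA: only a packet whose address and port both match an entry refreshes it."""
        entry = self.bindings.get(IPv6Address(src))
        if entry is None:
            return "discarded-no-entry"
        if entry.port != port:
            return "discarded-port-mismatch"
        entry.lease = self.lease
        return "refreshed"
```

Running the two NA cases against an entry learned from a DAD NS shows why a bogus NA from a different port is dropped while the legitimate host's NA keeps its lease alive.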

Aging Mechanism of Dynamic ND Snooping Binding Entries

The aging mechanism of dynamic ND snooping binding entries is as follows:

The aging time of a dynamic ND snooping binding entry depends on the address lease time.
  • If the address lease expires, the matching binding entry automatically ages out.
  • Before the address lease expires, the matching binding entry may be deleted in the following situations:
    • After receiving a DAD NS packet, the device creates or updates a dynamic ND snooping binding entry. If the device then receives an NA packet indicating that the IPv6 address is already used by another user, the device deletes the binding entry.
    • When a user goes offline, the device does not immediately delete the matching binding entry. If the device is enabled to automatically detect the online status of users in dynamic ND snooping binding entries, it sends a specified number of NS packets to the user at a specified interval. If no NA packet is received from the user after the specified number of NS packets has been sent, the device considers the user offline and deletes the corresponding dynamic ND snooping binding entry.
Updated: 2019-04-01

Document ID: EDOC1000178319