No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring ND Protocol Packet Validity Check

Configuring ND Protocol Packet Validity Check

Context

ND protocol packet validity check prevents forged NA/NS/RS packets.

After ND protocol packet validity check is enabled, the device verifies the NA/NS/RS packets received by untrusted interfaces against the ND snooping dynamic binding table, DHCPv6 dynamic binding table, or IPv6 static binding table, to determine whether the NA/NS/RS packets are sent from valid users in the VLAN on the interface. The device forwards the ND protocol packets from valid users and drops invalid ND protocol packets.

Configuration Precautions

After ND protocol packet validity check is configured, you are advised to run the savi enable command in the system view to enable the SAVI function, so that an ND snooping binding entry can be automatically generated for a link-local address, namely, an IPv6 address with the FE80::/10 prefix. This is because the source IPv6 address of an NA/NS/RS packet may be a link-local address during the neighbor discovery process of IPv6 hosts. If no ND snooping binding entry is generated for the link-local address, the valid NA/NS/RS packet will be discarded. As a result, the IPv6 hosts cannot communicate with each other.

Procedure

  1. Enable ND protocol packet validity check.

    ND protocol packet validity check can be configured in the interface view or VLAN view. When this function is configured in the interface view, the function takes effect on all the NA/NS/RS packets received by the specified untrusted interface; when this function is configured in the VLAN view, the function takes effect on all the NA/NS/RS packets sent from this VLAN and received by the untrusted interfaces in this VLAN.

    • Configure ND protocol packet validity check in the interface view.

      1. Run system-view

        The system view is displayed.

      2. Run interface interface-type interface-number

        The interface view is displayed.

      3. Run nd snooping check { na | ns | rs } enable

        ND protocol packet validity check is enabled.

        By default, ND protocol packet validity check is disabled.

    • Configure ND protocol packet validity check in the VLAN view.

      1. Run system-view

        The system view is displayed.

      2. Run vlan vlan-id

        The VLAN view is displayed.

      3. Run nd snooping check { na | ns | rs } enable

        ND protocol packet validity check is enabled.

        By default, ND protocol packet validity check is disabled.

Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178410

Views: 126172

Downloads: 25

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next