NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring NS Multicast Suppression on an EVPN MPLS

When a user accesses an EVPN MPLS network through a bridge domain (BD), NS multicast suppression can be configured to reduce or suppress excess NS messages.

Usage Scenario

When a user is connected to an EVPN MPLS through a BD, IPv6 host neighbors are discovered in NS multicast mode. When a device receives an NS message for IPv6 address resolution, the device forwards the NS message in multicast mode in its BD. If a large number of NS messages are received within a specified period, forwarding all these NS messages on the EVPN occupies excessive network resources, which affects service running.

As shown in Figure 12-4, with NS multicast suppression configured on a PE, upon receipt of an NS message, the PE checks whether the request message contains information about the end user. If such information is contained in the request message, the PE simply implements proxy ND or converts multicast streams to unicast streams, thereby reducing or suppressing NS message flooding.

In addition, NS multicast suppression can protect against ND spoofing attacks. In an ND spoofing attack, an attacker associates its MAC address with the IPv6 address of a host so that any traffic destined for that IPv6 address is sent to the attacker. With NS multicast suppression enabled, if such an attack is launched, the proxy ND table conflict detection mechanism triggers an IPv6 address conflict alarm, reminding users of the potential ND spoofing attack.

Figure 12-4 NS multicast suppression networking

Pre-configuration Tasks

Before configuring NS multicast suppression, complete the following tasks:

  • Configuring BD-based EVPN Functions.

Procedure

  1. Enable NS multicast suppression.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run ipv6 nd multicast-suppress { proxy-reply [ unknown-options-unicast ] | unicast-forward } [ mismatch-discard ] enable

      NS multicast suppression is enabled.

    4. (Optional) Run ipv6 nd multicast-suppress { host | router }

      The R flag carried in NA messages for proxy ND is configured.

    5. (Optional) Run ipv6 nd multicast-suppress dynamic limit limit-number

      The maximum number of dynamic proxy ND entries that can be learned in a BD is configured.

    6. (Optional) Run ipv6 nd multicast-suppress dynamic expire-time expire-time

      The aging time of dynamic proxy ND entries is configured.

    7. Run commit

      The configuration is committed.

    8. Run quit

      The BD view is exited.

  2. Enable the function to flood ND entries or proxy ND entries through EVPN routes.

    Perform the following operations on a Layer 2 device:

    1. Run bridge-domain bd-id

      The BD view is displayed.

    2. Run ipv6 nd collect host enable

      The device has been enabled to flood proxy ND entries through EVPN routes.

    3. Run commit

      The configuration is committed.

    4. Run quit

      The BD view is exited.

    Perform the following operations on a Layer 3 device:

    1. Run interface vbdif bd-id

      A VBDIF interface is created, and the VBDIF interface view is displayed.

    2. Run ipv6 enable

      IPv6 is enabled on the interface.

    3. Run ipv6 nd collect host enable

      The device has been enabled to flood ND entries through EVPN routes.

    4. Run commit

      The configuration is committed.

    5. Run quit

      The VBDIF interface view is exited.

  3. Configure BGP EVPN to advertise routes.

    1. Run bgp as-number [ instance instance-name ]

      The BGP view or BGP multi-instance view is displayed.

    2. Run l2vpn-family evpn

      The BGP-EVPN address family view or BGP multi-instance EVPN address family view is displayed.

    3. Run peer { ipv4-address | group-name } advertise nd

      The device is configured to advertise ND routes to the BGP EVPN peer.

    4. Run commit

      The configuration is committed.

    5. Run quit

      The BGP-EVPN address family view or BGP multi-instance EVPN address family view is exited.

    6. Run quit

      The BGP view or BGP multi-instance view is exited.

  4. (Optional) Configure performance limits for ND message processing.

    1. Run ipv6 nd { rs | ra | ns | na } anti-attack rate-limit limit-number

      The rate at which ND messages are sent is configured. That is, the number of ND messages allowed to be processed per second is configured.

    2. Run ipv6 nd miss anti-attack rate-limit limit-number

      The rate at which ND Miss messages are sent is configured. That is, the number of ND Miss messages allowed to be processed per second is configured.

    3. Run commit

      The configuration is committed.

Verifying the Configuration

  • Run the display ipv6 nd multicast-suppress bridge-domain bd-id [ verbose ] command to view information about the proxy ND table in a specified BD. If the bd-id parameter is not specified, information about proxy ND tables in all BDs is displayed.

  • Run the display ipv6 nd packet statistics bridge-domain [ bd-id ] command to view ND message statistics in a specified BD. If the bd-id parameter is not specified, statistics about ND messages in all BDs are displayed.

    NOTE:

    In the user view, run the reset ipv6 nd multicast-suppress dynamic bridge-domain [ bd-id ] command to clear dynamic proxy ND entries in a specified BD. If the bd-id parameter is not specified, dynamic proxy ND entries in all BDs are cleared.

    In the user view, run the reset ipv6 nd packet statistics bridge-domain [ bd-id ] command to clear ND message statistics in a specified BD. If the bd-id parameter is not specified, ND message statistics in all BDs are cleared.

The following example shows the proxy ND table information displayed when no bd-id is specified:
<HUAWEI> display ipv6 nd multicast-suppress bridge-domain
----------------------------------------------------------------------------------
IPv6 Address
MAC Address            BD         LifeTime (S)      Type 
----------------------------------------------------------------------------------
2001:db8::1                                                           
38ba-3047-7f1f         10         -                 Evpn   
-----------------------------------------------------------------------------
Total: 1        Dynamic: 0      Evpn: 1     
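
An added example, not part of the Huawei guide: an offline audit that parses the proxy ND table output shown above and compares each IPv6-to-MAC binding with an expected inventory, which helps when following up an IPv6 address conflict alarm. The second table entry, the inventory format and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the two-line-per-entry layout shown above
# (IPv6 address on one line, MAC/BD/lifetime/type on the next).
SAMPLE = """\
----------------------------------------------------------------------------------
IPv6 Address
MAC Address            BD         LifeTime (S)      Type
----------------------------------------------------------------------------------
2001:db8::1
38ba-3047-7f1f         10         -                 Evpn
2001:db8::2
00e0-fc12-3456         10         1180              Dynamic
-----------------------------------------------------------------------------
Total: 2        Dynamic: 1      Evpn: 1
"""

DETAIL = re.compile(r"^([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+(\d+)\s+(\S+)\s+(\S+)$")

def norm_mac(mac):
    """Reduce xxxx-xxxx-xxxx, xx:xx:... or xx-xx-... to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_proxy_nd(text):
    """Return [(bd, IPv6Address, mac, type)] parsed from the display output."""
    entries, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = DETAIL.match(line)
        if m and pending is not None:
            entries.append((int(m.group(2)), pending, norm_mac(m.group(1)), m.group(4)))
            pending = None
            continue
        try:
            pending = ipaddress.IPv6Address(line)
        except ValueError:
            pending = None  # header, separator or totals line
    return entries

def find_mismatches(entries, expected):
    """expected maps (bd, ipv6 string) -> MAC; return entries whose MAC disagrees."""
    want = {(bd, ipaddress.IPv6Address(ip)): norm_mac(mac) for (bd, ip), mac in expected.items()}
    return [e for e in entries if (e[0], e[1]) in want and want[(e[0], e[1])] != e[2]]
```

Bindings that are absent from the inventory are not reported; only a known address that appears with a different MAC is returned for review.
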

The following example shows the ND message statistics displayed for BD 10:
<HUAWEI> display ipv6 nd packet statistics bridge-domain 10
ND Packets  Received
Total                          : 0                          
ND Pkt Revceive NS Unicast     : 0                          
ND Pkt Revceive NS Multicast   : 0                          
ND Pkt Revceive NA Unicast     : 0                          
ND Pkt Revceive NA Multicast   : 0                           
ND Pkt Discard NS Unicast      : 0                          
ND Pkt Discard NS Multicast    : 0                          
ND Pkt Discard NA              : 0                          
ND Packets Sent
Total                          : 0                          
ND Pkt Send NS Unicast         : 0                          
ND Pkt Send NS Multicast       : 0                          
ND Pkt Send NA Unicast         : 0                          
ND Pkt Send NA Multicast       : 0
Updated: 2019-01-02

Document ID: EDOC1100055376
