S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ND Snooping Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display nd snooping configuration

Function

The display nd snooping configuration command displays the ND snooping configuration.

Format

display nd snooping configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

ND snooping configuration includes whether ND snooping is enabled or disabled and information about ND snooping trusted interfaces.

To view ND snooping configuration, run the display nd snooping configuration command.

Example

# Display ND snooping configuration.

<HUAWEI> display nd snooping configuration
#
nd snooping enable
#
interface GigabitEthernet0/0/0
 nd snooping trusted
#
interface Wlan-Bss0
 nd snooping enable
#
interface Wlan-Capwap0
 nd snooping trusted
#

display nd snooping prefix

Function

The display nd snooping prefix command displays prefix management entries of users.

Format

display nd snooping [ static | dynamic ] prefix [ verbose ]

Parameters

Parameter | Description | Value
static | Displays statically configured prefix management entries. | -
dynamic | Displays dynamically generated prefix management entries. | -
verbose | Displays details about prefix management entries. | -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

A device can establish a prefix management table which can be used to implement duplicate address detection for users with IPv6 addresses and establish a dynamic ND snooping binding table. A prefix management entry can be statically configured or dynamically generated.
  • Dynamic generation: The device obtains an RA packet received from an ND snooping trusted interface and automatically generates a prefix management entry based on the RA packet.
  • Static configuration: When a gateway device does not send RA packets, you can run the nd snooping static-prefix command to configure a static prefix management entry.
You can run the display nd snooping prefix command to check prefix management entries.

Example

# Display prefix management entries of users.

<HUAWEI> display nd snooping prefix 
prefix-table:                                                                                                                       
Prefix                             Length   Valid-Time  Vlan(O/I)   Prefix-Type                                                     
--------------------------------------------------------------------------------                                                    
FC00:1::                           64       -           10  /24      static                                                         
FC00:2::                           64       2592000     1   /-       dynamic                                                         
--------------------------------------------------------------------------------                                                    
Prefix table total count:      2          Print count:         2 
Table 14-77  Description of the display nd snooping prefix command output

Item | Description
prefix-table | Prefix management table of users.
Prefix | Prefix. The value is a 32-digit hexadecimal number, in the X:X:X:X:X:X:X:X format.
Length | Prefix length. The value is an integer that ranges from 1 to 128.
Valid-Time | Valid lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds.
Vlan(O/I) | VLAN information (outer VLAN ID/inner VLAN ID) in a prefix management entry.
Prefix-Type | Type of a prefix management entry. The value can be static (the entry is statically configured) or dynamic (the entry is dynamically generated).
Prefix table total count | Total number of entries in the prefix management table.
Print count | Number of displayed prefix management entries.

# Display prefix management entries of users.

<HUAWEI> display nd snooping prefix verbose
prefix-table:
--------------------------------------------------------------------------------
 Prefix                  : FC00:1::                                                                                                 
 Prefix Length           : 64                                                                                                       
 Valid Lifetime(sec)     : -                                                                                                        
 Preferred Lifetime(sec) : -                                                                                                        
 Interface               : -                                                                                                        
 VLAN ID(Outer/Inner)    : 10/24                                                                                                    
 Prefix Type             : static
--------------------------------------------------------------------------------
 Prefix                  : FC00:2::
 Prefix Length           : 64
 Valid Lifetime(sec)     : 2592000
 Preferred Lifetime(sec) : 2592000
 Interface               : GE1/0/1
 VLAN ID(Outer/Inner)    : 1/-
 Prefix Type             : dynamic
--------------------------------------------------------------------------------
Prefix table total count:      2          Print count:         2     
Table 14-78  Description of the display nd snooping prefix verbose command output

Item | Description
prefix-table | Prefix management table of users.
Prefix | Prefix. The value is a 32-digit hexadecimal number, in the X:X:X:X:X:X:X:X format.
Prefix Length | Prefix length. The value is an integer that ranges from 1 to 128.
Valid Lifetime(sec) | Valid lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds.
Preferred Lifetime(sec) | Preferred lifetime of a prefix. The value ranges from 0 to 4294967295, in seconds.
Interface | Interface information in a prefix management entry.
VLAN ID(Outer/Inner) | VLAN information (outer VLAN ID/inner VLAN ID) in a prefix management entry.
Prefix Type | Type of a prefix management entry. The value can be static (the entry is statically configured) or dynamic (the entry is dynamically generated).
Prefix table total count | Total number of entries in the prefix management table.
Print count | Number of displayed prefix management entries.

display nd snooping statistics

Function

The display nd snooping statistics command displays statistics about the ND snooping packets received, sent, and discarded by the device.

Format

display nd snooping statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After ND snooping is enabled, the device records statistics on the received, sent, and discarded ND snooping packets to facilitate maintenance.

Example

# Display statistics on the ND snooping packets received, sent, and discarded on the device.

<HUAWEI> display nd snooping statistics
Input: total 203 packets, discarded 14 packets                                   
  ns                                             :        178                 
  na                                             :         21                  
  rs                                             :          4                  
  ra                                             :          0                  
  other                                          :          0                  
Drop Packet:                                                                    
  The local link address is incorrect            :          7       
  It does not match the binding table            :          1  
  The destination IP address is incorrect        :          6
Output: total 50 packets 
  ns                                             :          50
Table 14-79  Description of the display nd snooping statistics command output

Item | Description
Input: total n packets, discarded m packets | Number (n) of ND packets received by the device and number (m) of discarded ND packets.
ns | Number of sent or received NS packets on a device.
na | Number of received NA packets.
rs | Number of received RS packets.
ra | Number of received RA packets.
other | Number of other received packets.
Drop Packet | Number of dropped packets. The rows displayed under this item vary according to the packet drop reasons.
The local link address is incorrect | Number of packets dropped because the link-local address is incorrect.
It does not match the binding table | Number of packets dropped because the packets do not match the binding entries.
The destination IP address is incorrect | Number of packets dropped because the destination IP address is incorrect.
Output: total x packets | Number (x) of ND packets sent by a device.
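A monitoring system usually polls this output rather than reading it by hand. The following parser is an added example, not Huawei code: it reads the counters of the output above, checks that the per-type and per-reason rows add up to the totals, and reports how much the "It does not match the binding table" counter grew between two polls so the growth can be compared with the device's own alarm threshold (nd snooping alarm binding-table check threshold, default 100). It assumes the counters are cumulative since ND snooping was enabled; the sample text is a constructed copy of the example output.

```python
"""Parser for the text of 'display nd snooping statistics' (added example, not Huawei code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a copy of the example output shown in the command reference.
SAMPLE_OUTPUT = """\
Input: total 203 packets, discarded 14 packets
  ns                                             :        178
  na                                             :         21
  rs                                             :          4
  ra                                             :          0
  other                                          :          0
Drop Packet:
  The local link address is incorrect            :          7
  It does not match the binding table            :          1
  The destination IP address is incorrect        :          6
Output: total 50 packets
  ns                                             :          50
"""

BINDING_MISMATCH = "It does not match the binding table"


@dataclass
class NdSnoopingStats:
    input_total: int = 0
    input_discarded: int = 0
    input_by_type: dict = field(default_factory=dict)     # ns/na/rs/ra/other
    drops_by_reason: dict = field(default_factory=dict)   # rows under "Drop Packet:"
    output_total: int = 0
    output_by_type: dict = field(default_factory=dict)


_INPUT_RE = re.compile(r"^Input: total (\d+) packets, discarded (\d+) packets")
_OUTPUT_RE = re.compile(r"^Output: total (\d+) packets")
_ROW_RE = re.compile(r"^\s+(.+?)\s*:\s*(\d+)\s*$")   # indented "name : count" rows


def parse_nd_snooping_statistics(text):
    """Parse the command output into an NdSnoopingStats object."""
    stats = NdSnoopingStats()
    section = None   # the dict that the indented rows currently belong to
    for line in text.splitlines():
        m = _INPUT_RE.match(line)
        if m:
            stats.input_total, stats.input_discarded = int(m.group(1)), int(m.group(2))
            section = stats.input_by_type
            continue
        if line.startswith("Drop Packet"):
            section = stats.drops_by_reason
            continue
        m = _OUTPUT_RE.match(line)
        if m:
            stats.output_total = int(m.group(1))
            section = stats.output_by_type
            continue
        m = _ROW_RE.match(line)
        if m and section is not None:
            section[m.group(1)] = int(m.group(2))
    return stats


def totals_consistent(stats):
    """Per-type input rows include discarded packets; drop reasons sum to the discarded count."""
    return (sum(stats.input_by_type.values()) == stats.input_total
            and sum(stats.drops_by_reason.values()) == stats.input_discarded
            and sum(stats.output_by_type.values()) == stats.output_total)


def binding_mismatch_growth(previous, current):
    """Binding-table mismatch drops since the previous poll (0 if the counters were reset)."""
    delta = (current.drops_by_reason.get(BINDING_MISMATCH, 0)
             - previous.drops_by_reason.get(BINDING_MISMATCH, 0))
    return max(delta, 0)


def exceeds_alarm_threshold(previous, current, threshold=100):
    """Same comparison the device makes; 100 is the default global alarm threshold."""
    return binding_mismatch_growth(previous, current) > threshold
```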

display nd snooping user-bind

Function

The display nd snooping user-bind command displays the ND snooping dynamic binding table.

Format

display nd snooping user-bind all [ verbose ]

display nd snooping user-bind { ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id } * [ verbose ]

Parameters

Parameter | Description | Value
all | Displays all ND snooping dynamic binding entries. | -
verbose | Displays detailed information about ND snooping dynamic binding entries. | -
ipv6-address ipv6-address | Displays information about the IPv6 address in the ND snooping dynamic binding table. | The value is a 32-digit hexadecimal number in X:X:X:X:X:X:X:X format.
mac-address mac-address | Displays information about the MAC address in the ND snooping dynamic binding table. | The value is in the format of H-H-H. An H is a hexadecimal number of 1 to 4 digits.
vlan vlan-id | Displays information about the VLAN in the ND snooping dynamic binding table. | The value is an integer ranging from 1 to 4094.
interface interface-type interface-number | Displays interface information in the ND snooping dynamic binding table. interface-type specifies the interface type; interface-number specifies the interface number. | -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

An ND snooping dynamic binding entry includes the source IPv6 address and source MAC address of a user, and the VLAN that a user belongs to. You can run the display nd snooping user-bind command to view details in the ND snooping dynamic binding table.

Example

# Display all ND snooping dynamic binding entries.

<HUAWEI> display nd snooping user-bind all
ND Dynamic Bind-table:                                                          
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                              
IP Address                      MAC Address     VSI/VLAN(O/I/P) Lease           
--------------------------------------------------------------------------------
FC00:1::2                       00e0-4c7c-af8f  10  /--  /--    2011.05.06-20:09
--------------------------------------------------------------------------------
Print count:           1          Total count:           1          

# Display detailed information about ND snooping dynamic binding entries.

<HUAWEI> display nd snooping user-bind all verbose
ND Dynamic Bind-table:                                                          
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
 IP Address  : FC00:1::2                                                     
 MAC Address : 00e0-4c7c-af8f                                                   
 VSI         : --                                                               
 VLAN(O/I/P) : 10  /--  /--                                                     
 Interface   : GE1/0/1                                                         
 Lease       : 2011.05.06-20:09                                                 
 IPSG Status : ineffective                                                      
 User State  : DETECTION                                                       
--------------------------------------------------------------------------------
Print count:           1          Total count:           1       
Table 14-80  Description of the display nd snooping user-bind command output

Item | Description
ND Dynamic Bind-table | ND snooping dynamic binding table.
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping | O indicates the outer VLAN ID; I indicates the inner VLAN ID; P indicates the mapped VLAN ID.
IP Address | IPv6 address of a user.
MAC Address | MAC address of a user.
VSI | VPN instance that a user belongs to.
VLAN(O/I/P) | Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user. NOTE: The ND snooping binding table does not contain VLAN mapping information. Therefore, no value is displayed in the P field.
Interface | User access interface.
Lease | ND user lease.
IPSG Status | Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be "IPv6 effective slot: <1>" (the binding table is effective for IPv6 packet checking in slot 1) or "ineffective". This field is invalid if IP packet checking is not enabled.
User State | Status of an ND snooping dynamic binding entry: START (the binding entry is being created and is in the initialization state), DETECTION (the system is performing detection for the binding entry to check whether the user is online), or BOUND (the binding entry has been successfully created).

nd snooping alarm binding-table check enable

Function

The nd snooping alarm binding-table check enable command enables the alarm function for checking packets against the ND snooping binding table.

The undo nd snooping alarm binding-table check enable command disables the alarm function for checking packets against the ND snooping binding table.

By default, the alarm function for checking packets against the ND snooping binding table is disabled.

Format

nd snooping alarm binding-table check enable

undo nd snooping alarm binding-table check enable

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After ND protocol packet validity check is enabled using the nd snooping check enable command, the device checks the NA, NS, and RS packets received from untrusted interfaces against the ND snooping binding table and discards the packets that do not match the binding table. If the number of discarded packets exceeds the threshold, the corresponding alarm is generated. The minimum interval for sending alarm messages is 1 minute. You can run the nd snooping alarm binding-table check threshold command to set the alarm threshold.

Prerequisites

ND snooping has been enabled on the device using the nd snooping enable command.

Precautions

To ensure that alarms can be properly reported, you need to run the snmp-agent trap enable feature-name dhcp command to enable the DHCP module to report the corresponding alarm. You can check whether the DHCP module is enabled to report the corresponding alarm using the display snmp-agent trap feature-name dhcp all command.

Example

# Enable the alarm function for checking packets against the ND snooping binding table on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] nd snooping alarm binding-table check enable

nd snooping alarm binding-table check threshold

Function

The nd snooping alarm binding-table check threshold command configures the alarm threshold for the number of ND snooping-discarded packets.

The undo nd snooping alarm binding-table check threshold command restores the default alarm threshold.

By default, the global alarm threshold for the number of ND snooping-discarded packets is 100, and the alarm threshold for the number of ND snooping-discarded packets on an interface is the value configured in the system view.

Format

nd snooping alarm binding-table check threshold threshold

undo nd snooping alarm binding-table check threshold

Parameters

Parameter | Description | Value
threshold | Specifies the alarm threshold for the number of ND snooping-discarded packets. | The value is an integer that ranges from 1 to 1000.

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the alarm function for checking packets against the ND snooping binding table is enabled using the nd snooping alarm binding-table check enable command, you can run the nd snooping alarm binding-table check threshold command to configure the alarm threshold for the number of ND snooping-discarded packets.

Prerequisites

ND snooping has been enabled on the device using the nd snooping enable command.

Precautions

If this command is run in the system view, it takes effect on all the interfaces of the device.

Example

# Set the alarm threshold for the number of ND snooping-discarded packets on GE1/0/1 to 1000.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] nd snooping alarm binding-table check threshold 1000

nd snooping check enable

Function

The nd snooping check enable command enables ND protocol packet validity check.

The undo nd snooping check enable command disables ND protocol packet validity check.

By default, ND protocol packet validity check is disabled.

Format

nd snooping check { na | ns | rs } enable

undo nd snooping check { na | ns | rs } enable

Parameters

Parameter | Description | Value
na | Enables validity check for Neighbor Advertisement (NA) packets. | -
ns | Enables validity check for Neighbor Solicitation (NS) packets. | -
rs | Enables validity check for Router Solicitation (RS) packets. | -

Views

VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ND packet validity check prevents forged NA/NS/RS packets.

After ND packet validity check is enabled, the device verifies the NA/NS/RS packets received by untrusted interfaces against the ND snooping binding table, to determine whether the NA/NS/RS packets are sent from valid users in the VLAN on the interface. The device forwards the ND packets from valid users and drops invalid ND packets.

Prerequisites

ND snooping has been enabled globally using the nd snooping enable command.

Example

# Enable NA packet validity check on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] nd snooping check na enable

nd snooping check dad-ns retransmit-rate rate

Function

The nd snooping check dad-ns retransmit-rate rate command configures the maximum retransmission rate of DAD NS packets.

The undo nd snooping check dad-ns retransmit-rate rate command restores the default retransmission rate of DAD NS packets.

By default, the maximum retransmission rate of DAD NS packets is 50 packets per second.

Format

nd snooping check dad-ns retransmit-rate rate rate-value

undo nd snooping check dad-ns retransmit-rate rate

Parameters

Parameter | Description | Value
rate-value | Specifies the maximum retransmission rate of DAD NS packets. | The value is an integer that ranges from 1 to 100, in packets per second. The default value is 50.

Views

System view, VLAN view, Eth-Trunk view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When no ND snooping binding entry has been established, an untrusted interface on a device forwards a DAD NS packet after receiving it. After the nd snooping check dad-ns retransmit-rate enable command is configured, the device checks the retransmission rate of DAD NS packets. You can run the nd snooping check dad-ns retransmit-rate rate rate-value command to configure that rate. If the number of DAD NS packets retransmitted per second exceeds the value of rate-value, the device discards the excess packets instead of forwarding them.

Prerequisites

ND snooping has been enabled using the nd snooping enable command in the system view.

Example

# Set the retransmission rate of DAD NS packets to 60 packets per second in the system view.

<HUAWEI> system-view
[HUAWEI] nd snooping check dad-ns retransmit-rate rate 60

nd snooping check dad-ns retransmit-rate enable

Function

The nd snooping check dad-ns retransmit-rate enable command enables the function of checking the retransmission rate of DAD NS packets.

The undo nd snooping check dad-ns retransmit-rate enable command disables the function of checking the retransmission rate of DAD NS packets.

By default, the function of checking the retransmission rate of DAD NS packets is disabled.

Format

nd snooping check dad-ns retransmit-rate enable

undo nd snooping check dad-ns retransmit-rate enable

Parameters

None

Views

System view, VLAN view, Eth-Trunk view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an untrusted interface on a device receives a DAD NS packet, the interface forwards the packet so that duplicate address detection and bogus user check can be performed. To avoid the situation in which the remote interface cannot receive packets forwarded by the local device because of packet loss while no ND snooping binding entry has been established, the untrusted interface on the local device is configured to forward a DAD NS packet after receiving it. By default, a device does not control the retransmission rate of DAD NS packets, so when excessive packets are received, packet retransmission may affect normal operation of network services. To solve this problem, you can run the nd snooping check dad-ns retransmit-rate enable command to enable the function of checking the retransmission rate of DAD NS packets. After this function is enabled, the device limits the retransmission rate of DAD NS packets.

You can run the nd snooping check dad-ns retransmit-rate rate rate-value command to configure the retransmission rate of DAD NS packets. If the number of DAD NS packets retransmitted per second exceeds the value of rate-value, the device discards the excess packets instead of forwarding them.

Prerequisites

ND snooping has been enabled using the nd snooping enable command in the system view.

Example

# Enable the function of checking the retransmission rate of DAD NS packets in the system view.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] nd snooping check dad-ns retransmit-rate enable

nd snooping enable

Function

The nd snooping enable command enables ND snooping.

The undo nd snooping enable command disables ND snooping.

By default, ND snooping is disabled.

Format

nd snooping enable

undo nd snooping enable

Parameters

None

Views

System view, VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

ND provides powerful functions but has no security mechanism, so attackers often use ND to attack network devices. Common ND attacks are as follows:
  • An attacker uses the IP address of host A to send NS, NA, or RS packets to host B or the gateway. Host B or the gateway then modifies its ND entry for host A, and as a result all packets it sends to host A go to the attacker.
  • An attacker uses the gateway IP address to send RA packets to hosts. The hosts then set incorrect IPv6 parameters and modify their ND entries.

To prevent ND attacks, enable ND snooping on the device. The device detects NS packets in the DAD process to establish an ND snooping dynamic binding table that includes source IPv6 addresses, source MAC addresses, VLANs, and inbound ports. When receiving ND packets, the device checks the validity of ND packets based on the ND snooping binding table and checks whether the user is an authorized user in the VLAN that the port receiving ND packets belongs to. The device forwards valid ND packets and discards invalid ND packets to defend against ND attacks from bogus hosts or gateways.

Example

# Enable ND snooping globally and on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] nd snooping enable

nd snooping enable dhcpv6 only

Function

The nd snooping enable dhcpv6 only command enables ND snooping in the DHCPv6 Only scenario.

The undo nd snooping enable command disables ND snooping in the DHCPv6 Only scenario.

By default, ND snooping is disabled in the DHCPv6 Only scenario.

Format

nd snooping enable dhcpv6 only

undo nd snooping enable

Parameters

None

Views

VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device checks the validity of ND protocol packets against the IPv6 static binding table, DHCPv6 dynamic binding table, and ND snooping binding table. The IPv6 static binding table is manually configured by the administrator, the DHCPv6 dynamic binding table is automatically generated by extracting information from DHCPv6 Reply packets, and the ND snooping binding table is automatically generated by extracting information from DAD NS packets. At the same time, the ND protocol packet validity check function depends on the ND snooping function (including enabling ND snooping and configuring ND snooping trusted interfaces). In the DHCPv6 Only scenario, users are only allowed to obtain IPv6 addresses using DHCPv6; IPv6 addresses that users configure privately or that are automatically generated using the PD address prefix are considered invalid addresses. In this scenario, ND snooping is disabled to prevent ND snooping binding entries from being generated for such invalid addresses. The ND protocol packet validity check function then cannot be performed, so address spoofing attacks may exist on the network.

To resolve this problem, you can run the nd snooping enable dhcpv6 only and nd snooping trusted dhcpv6 only commands to enable the ND snooping function in the DHCPv6 Only scenario. After the nd snooping enable dhcpv6 only command is configured, no ND snooping binding entry is generated for the IPv6 global unicast addresses that are manually configured by users and automatically generated using the PD address prefixes. The device checks the validity of ND protocol packets against the IPv6 static binding table and DHCPv6 dynamic binding table.

Prerequisites

ND snooping has been enabled globally using the nd snooping enable command.

Precautions

  • In the DHCPv6 Only scenario, ND snooping binding entries are generated for the IPv6 link-local addresses that are manually configured by users and automatically generated. To be specific, only records corresponding to the IPv6 link-local addresses exist in the ND snooping binding table in the DHCPv6 Only scenario.
  • IPv6 addresses obtained using DHCPv6 PD also apply to the DHCPv6 Only scenario.

Example

# Enable ND snooping globally and on interface GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable dhcpv6 only

nd snooping max-user-number

Function

The nd snooping max-user-number command sets the maximum number of ND snooping dynamic binding entries to be learned by an interface.

The undo nd snooping max-user-number command restores the default maximum number of ND snooping dynamic binding entries to be learned by an interface.

By default, a maximum of 32768 ND snooping dynamic binding entries can be learned on an interface.

Format

nd snooping max-user-number max-user-number

undo nd snooping max-user-number

Parameters

Parameter | Description | Value
max-user-number | Specifies the maximum number of ND snooping dynamic binding entries to be learned by an interface. | The value is an integer that ranges from 1 to 32768.

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a large number of users go online through an interface, the device consumes many ND snooping dynamic binding entries to process their NS packets. To prevent this problem, you can set the maximum number of ND snooping dynamic binding entries to be learned by an interface. Once the number of ND snooping dynamic binding entries learned by an interface reaches this maximum, no further entry can be added.

You can set the maximum number of ND snooping dynamic binding entries in the system view or the interface view. The configuration in the system view is valid for all interfaces; the setting in the interface view takes effect only on that interface. If both are configured, the smaller value is adopted.

Prerequisites

Before setting the maximum number of ND snooping dynamic binding entries to be learned by an interface, ensure that ND snooping has been enabled in the system view using the nd snooping enable command.

Example

# Set the maximum number of ND snooping binding entries to 200 on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] nd snooping max-user-number 200

nd snooping static-prefix

Function

The nd snooping static-prefix command configures a static prefix management entry.

The undo nd snooping static-prefix command deletes a configured static prefix management entry.

By default, no static prefix management entry is configured on a device.

Format

nd snooping static-prefix ipv6-address/prefix-length [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

undo nd snooping static-prefix ipv6-address/prefix-length [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

Parameters

Parameter | Description | Value
ipv6-address/prefix-length | Specifies the IPv6 address prefix: ipv6-address specifies an IPv6 address and prefix-length specifies the IPv6 address prefix length. | ipv6-address: the value is 128 bits long, divided into eight groups of four hexadecimal digits, in the X:X:X:X:X:X:X:X format. prefix-length: an integer that ranges from 1 to 128.
vlan vlan-id | Specifies the outer VLAN ID. NOTE: By default, the outer VLAN ID is 1 and no inner VLAN is configured. | The value is an integer that ranges from 1 to 4094.
ce-vlan ce-vlan-id | Specifies the inner VLAN ID. | The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After receiving an NS packet from a user, a device can generate a dynamic ND snooping binding entry only after the value of the Target Address field in the packet matches the user's prefix management entry. The device obtains an RA packet received from an ND snooping trusted interface and automatically generates a prefix management entry based on the RA packet. However, if a gateway device does not send RA packets, the device cannot automatically generate a prefix management entry and then cannot establish a corresponding dynamic ND snooping binding entry, affecting services. In this case, you can run the nd snooping static-prefix ipv6-address/prefix-length [ vlan vlan-id [ ce-vlan ce-vlan-id ] ] command to manually configure a prefix management entry.

Prerequisites

ND snooping has been enabled using the nd snooping enable command in the system view.

Precautions

The total number of statically configured and dynamically generated prefix management entries cannot exceed the maximum number of entries allowed on a device. Otherwise, no prefix management entry can be further statically configured or dynamically generated.

Example

# Configure a static prefix management entry with the IPv6 address prefix FC00:1::/64.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] nd snooping static-prefix fc00:1::/64

nd snooping trusted

Function

The nd snooping trusted command configures the trusted interface.

The undo nd snooping trusted command restores the trusted interface to an untrusted interface.

By default, all interfaces are untrusted interfaces.

Format

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

nd snooping trusted

undo nd snooping trusted

VLAN view

nd snooping trusted interface interface-type interface-number

undo nd snooping trusted interface interface-type interface-number

Parameters

Parameter: interface interface-type interface-number
Description: Specifies the type and number of the trusted interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
Value: -

Views

VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ND snooping classifies interfaces connected to IPv6 nodes into trusted and untrusted interfaces. The trusted interfaces connect to trusted IPv6 nodes and untrusted interfaces connect to untrusted IPv6 nodes. By default, all interfaces are untrusted.

  • You must configure the interface connected to a trusted IPv6 node as a trusted interface so that the device can forward the ND packets received by this interface. In addition, the device creates a prefix management table according to the received RA packet to help network administrators manage IPv6 addresses.

  • The interface connected to an untrusted IPv6 node must be configured as an untrusted interface. The device discards the RA packets received by the untrusted interface to prevent RA attacks.

NOTE:

Generally, the interface connecting to the gateway is configured as the trusted interface, and other interfaces are all untrusted interfaces.

Prerequisites

ND snooping has been enabled using the nd snooping enable command in the system view.

Precautions

After the nd snooping trusted command is executed, ND snooping is enabled on the interface.

When you run the nd snooping trusted command in the VLAN view, the specified interface must belong to the VLAN.

Example

# Configure GE1/0/1 as a trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] nd snooping trusted

# Configure GE1/0/1 in VLAN 10 as a trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] nd snooping trusted interface gigabitethernet 1/0/1

nd snooping trusted dhcpv6 only

Function

The nd snooping trusted dhcpv6 only command configures the interfaces in the DHCPv6 Only scenario as ND snooping trusted interfaces.

The undo nd snooping trusted command restores the interfaces to untrusted.

By default, all interfaces are untrusted.

Format

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

nd snooping trusted dhcpv6 only

undo nd snooping trusted

VLAN view

nd snooping trusted interface interface-type interface-number dhcpv6 only

undo nd snooping trusted interface interface-type interface-number

Parameters

Parameter: interface interface-type interface-number
Description: Specifies the type and number of the interface that will be configured as an ND snooping trusted interface in the DHCPv6 Only scenario.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
Value: -

Views

VLAN view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

The device checks the validity of ND protocol packets against the IPv6 static binding table, the DHCPv6 dynamic binding table, and the ND snooping binding table. The IPv6 static binding table is configured manually by the administrator, the DHCPv6 dynamic binding table is generated automatically from DHCPv6 Reply packets, and the ND snooping binding table is generated automatically from DAD NS packets. The ND protocol packet validity check also depends on the ND snooping function (enabling ND snooping and configuring ND snooping trusted interfaces).

In the DHCPv6 Only scenario, users may obtain IPv6 addresses only through DHCPv6; addresses that users configure themselves or that are generated automatically from a PD address prefix are considered invalid. ND snooping is therefore disabled in this scenario to prevent ND snooping binding entries from being generated for such invalid addresses. The ND protocol packet validity check then cannot be performed, and address spoofing attacks may occur on the network.

To resolve this problem, run the nd snooping enable dhcpv6 only and nd snooping trusted dhcpv6 only commands to enable ND snooping in the DHCPv6 Only scenario. Unlike the nd snooping trusted command, nd snooping trusted dhcpv6 only does not generate a prefix management entry when the trusted interface receives an RA packet. Prefix management entries are needed only to match addresses other than IPv6 link-local addresses before the corresponding ND snooping binding entries are generated, and in the DHCPv6 Only scenario the ND snooping binding table contains only records for IPv6 link-local addresses, so no prefix management entries are required.

Example

# Configure GE0/0/1 as an ND snooping trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping trusted dhcpv6 only

# Configure GE0/0/1 as an ND snooping trusted interface in VLAN 2.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] vlan 2
[HUAWEI-vlan2] nd snooping trusted interface gigabitethernet 0/0/1 dhcpv6 only

nd snooping user-alarm percentage

Function

The nd snooping user-alarm percentage command configures the alarm thresholds for the percentage of ND snooping dynamic binding entries.

The undo nd snooping user-alarm percentage command restores the default alarm thresholds for the percentage of ND snooping dynamic binding entries.

By default, the lower alarm threshold for the percentage of ND snooping dynamic binding entries is 50, and the upper alarm threshold for the percentage of ND snooping dynamic binding entries is 100.

Format

nd snooping user-alarm percentage percent-lower-value percent-upper-value

undo nd snooping user-alarm percentage

Parameters

Parameter: percent-lower-value
Description: Specifies the lower alarm threshold for the percentage of ND snooping dynamic binding entries.
Value: The value is an integer that ranges from 1 to 100.

Parameter: percent-upper-value
Description: Specifies the upper alarm threshold for the percentage of ND snooping dynamic binding entries.
Value: The value is an integer that ranges from 1 to 100, but must be greater than or equal to the lower alarm threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After you run the nd snooping max-user-number command to set the maximum number of ND snooping dynamic binding entries on an interface, you can run the nd snooping user-alarm percentage command to set the alarm thresholds for the percentage of ND snooping dynamic binding entries.

When the percentage of learned ND snooping dynamic binding entries relative to the maximum number of ND snooping dynamic entries allowed by the device reaches or exceeds the upper alarm threshold, the device generates an alarm. When this percentage later reaches or falls below the lower alarm threshold, the device generates a clear alarm. The alarm information helps network administrators monitor the status of the ND snooping binding table in real time.
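The entry-creation rules in this section, namely prefix matching of the DAD NS Target Address (nd snooping static-prefix), the trusted and DHCPv6 Only handling of RA packets (nd snooping trusted), the smaller-value rule for max-user-number, and the alarm thresholds just described, as an added Python model. This is constructed illustrative code, not Huawei's implementation; it assumes the alarm percentage is computed per interface against that interface's effective cap, which the page does not state.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of ND snooping entry creation on an access switch: the prefix
# management table, trusted/untrusted handling of RA packets, the per-interface
# max-user-number and the user-alarm thresholds. Hypothetical code, not VRP code.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass
class NdSnoopingTable:
    system_max: Optional[int] = None                # max-user-number, system view
    iface_max: dict = field(default_factory=dict)   # max-user-number per interface
    trusted: dict = field(default_factory=dict)     # iface -> "full" or "dhcpv6-only"
    prefixes: set = field(default_factory=set)      # prefix management table
    entries: dict = field(default_factory=dict)     # IPv6Address -> inbound interface
    lower: int = 50                                 # user-alarm percentage defaults
    upper: int = 100
    alarm_on: dict = field(default_factory=dict)    # iface -> alarm currently raised?
    events: list = field(default_factory=list)      # ("alarm" | "clear", iface, pct)

    def effective_max(self, iface):
        """System and interface settings: the smaller value wins (None = no cap)."""
        limits = [m for m in (self.system_max, self.iface_max.get(iface)) if m is not None]
        return min(limits) if limits else None

    def add_static_prefix(self, prefix):
        """nd snooping static-prefix: manual entry when the gateway sends no RA."""
        self.prefixes.add(ipaddress.IPv6Network(prefix))

    def on_ra(self, iface, prefix):
        """RA packet: dropped on untrusted interfaces; a prefix entry is learned only
        on a fully trusted interface (dhcpv6-only trusted interfaces learn none)."""
        mode = self.trusted.get(iface)
        if mode is None:
            return "dropped"
        if mode == "dhcpv6-only":
            return "forwarded-no-prefix"
        self.prefixes.add(ipaddress.IPv6Network(prefix))
        return "prefix-learned"

    def on_dad_ns(self, iface, target):
        """DAD NS from a user: bind only if the Target Address is link-local or matches
        a prefix management entry, and the interface cap is not yet reached."""
        addr = ipaddress.IPv6Address(target)
        if addr not in LINK_LOCAL and not any(addr in p for p in self.prefixes):
            return "no-prefix-match"
        cap = self.effective_max(iface)
        learned = self._count(iface)
        if cap is not None and learned >= cap:
            return "max-user-number-reached"
        self.entries[addr] = iface
        self._check_alarm(iface, learned + 1, cap)
        return "bound"

    def remove(self, target):
        # entry aged out or cleared with reset nd snooping user-bind
        iface = self.entries.pop(ipaddress.IPv6Address(target))
        self._check_alarm(iface, self._count(iface), self.effective_max(iface))

    def _count(self, iface):
        return sum(1 for i in self.entries.values() if i == iface)

    def _check_alarm(self, iface, learned, cap):
        """Raise at >= upper threshold; clear only once back at <= lower threshold."""
        if cap is None:
            return
        pct = learned * 100 // cap      # assumption: per-interface percentage
        if pct >= self.upper and not self.alarm_on.get(iface):
            self.alarm_on[iface] = True
            self.events.append(("alarm", iface, pct))
        elif pct <= self.lower and self.alarm_on.get(iface):
            self.alarm_on[iface] = False
            self.events.append(("clear", iface, pct))
```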

Example

# Set the lower alarm threshold for the percentage of ND snooping dynamic binding entries to 30 and the upper alarm threshold to 80.

<HUAWEI> system-view
[HUAWEI] nd snooping user-alarm percentage 30 80

nd snooping wait-time life-time

Function

The nd snooping wait-time life-time command configures the wait time for a device to send an NS packet to detect the user status and the lifetime of an ND snooping binding entry when a device detects the user status.

The undo nd snooping wait-time life-time command restores the default settings.

By default, the wait time for a device to send an NS packet to detect the user status is 250 milliseconds and the lifetime of an ND snooping binding entry when a device detects the user status is 500 milliseconds.

Format

nd snooping wait-time wait-time life-time life-time

undo nd snooping wait-time life-time

Parameters

Parameter: wait-time
Description: Specifies the wait time for a device to send an NS packet to detect the user status.
Value: The value is an integer that ranges from 1 to 5000, in milliseconds. The default value is 250 milliseconds.

Parameter: life-time
Description: Specifies the lifetime of an ND snooping binding entry when a device detects the user status.
Value: The value is an integer that ranges from 1 to 10000, in milliseconds. The default value is 500 milliseconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device updates the ND snooping binding table based on received NA packets. If an ND snooping binding entry exists and the device receives an NA packet whose IP address matches the entry but whose inbound port differs from the one recorded in the entry, the NA packet conflicts with the entry. The device then sends an NS packet to check whether the user corresponding to the entry is still online. You can run the nd snooping wait-time wait-time life-time life-time command to configure the wait time before the device sends this NS packet and the lifetime of the ND snooping binding entry while the device detects the user status.

  • If the device receives an NA packet from the port recorded in the entry within the lifetime, the user corresponding to the entry is still online, and the device updates the IP address lease in the entry.
  • If the device does not receive an NA packet from the port recorded in the entry within the lifetime, the user corresponding to the entry is offline; the device updates the IP address lease time in the entry and changes the port number in the entry to the one in the previously received NA packet.

Prerequisites

ND snooping has been enabled using the nd snooping enable command in the system view.

Precautions

After the device receives an NA packet conflicting with an ND snooping binding entry and user status detection is enabled, periodic user status detection is suspended.

Example

# Set the wait time for a device to send an NS packet to detect the user status to 300 milliseconds and the lifetime of an ND snooping binding entry when a device detects the user status to 2000 milliseconds.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] nd snooping wait-time 300 life-time 2000

nd user-bind detect

Function

The nd user-bind detect command configures the number of times and interval for sending NS packets to detect the user status.

The undo nd user-bind detect command restores the default setting.

After automatic user status detection is enabled for users mapping ND snooping dynamic binding entries, the default number of detection times is 2, and the default detection interval is 1000 milliseconds.

Format

nd user-bind detect retransmit retransmit-times interval retransmit-interval

undo nd user-bind detect retransmit interval

Parameters

Parameter: retransmit retransmit-times
Description: Specifies the number of times for sending NS packets to detect the user status.
Value: The value is an integer ranging from 1 to 10. The default value is 2.

Parameter: interval retransmit-interval
Description: Specifies the interval for sending NS packets to detect the user status.
Value: The value is an integer ranging from 1 to 10000, in milliseconds. The default value is 1000 milliseconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After automatic user status detection for users mapping ND snooping dynamic binding entries is enabled, the device sends NS packets to users based on the configured detection times and interval. If no NA packet is returned from a user after NS packets are sent for configured times, the device considers the user to be offline and deletes the mapping ND snooping dynamic binding entry.

You can run the nd user-bind detect command to change the number of times and interval for sending NS packets to detect the user status. On a small network with good network quality, the user returns an NA packet quickly. In this scenario, you can set the interval for sending NS packets to a small value. On a large network with poor network quality, the user returns an NA packet slowly. You can set the interval to a large value to prevent the device from sending the next NS packet before receiving the NA packet. You can change the interval based on the actual network environment.

Prerequisites

Automatic user status detection for users mapping ND snooping dynamic binding entries has been enabled using the nd user-bind detect enable command.

Precautions

After you run the nd user-bind detect enable command, the device sends an NS packet after a period of time. The maximum value of this period is 20 seconds.

Example

# Set the number of times for sending NS packets to 10, and the interval for sending NS packets to 1000 milliseconds.

<HUAWEI> system-view
[HUAWEI] nd user-bind detect enable
[HUAWEI] nd user-bind detect retransmit 10 interval 1000

nd user-bind detect enable

Function

The nd user-bind detect enable command enables the function for automatically detecting status of users mapping ND snooping dynamic binding entries.

The undo nd user-bind detect enable command disables the function for automatically detecting status of users mapping ND snooping dynamic binding entries.

By default, the function for automatically detecting status of users mapping ND snooping dynamic binding entries is disabled.

Format

nd user-bind detect enable

undo nd user-bind detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After ND snooping is enabled, the device snoops NS packets in the DAD process to establish ND dynamic binding entries. The aging time of an ND snooping dynamic binding table depends on the IPv6 address lease. If the address lease does not expire but the user is offline, the ND snooping dynamic entry mapping the user cannot be deleted, which occupies binding entry resources on the device.

To prevent this problem, you can enable the automatic user status detection for users mapping ND snooping dynamic binding entries on the device. After this function is enabled, the device sends NS packets to the user according to the detection times (n) specified in nd user-bind detect and detection interval. If the device receives no NA packet from the user after sending the NS packets n times, the device considers the user to be offline and deletes the dynamic ND snooping binding entry matching the user.
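The NA-conflict probe (nd snooping wait-time / life-time) and the periodic user status detection (nd user-bind detect) described above, as an added Python model with a simulated clock. This is constructed example code, not Huawei's, and the answers() callback together with the ALIVE host set is an assumption standing in for real hosts replying on the wire.

```python
from dataclasses import dataclass

# Constructed model of how an existing ND snooping binding entry is maintained:
# the NA-conflict probe (nd snooping wait-time / life-time) and the periodic user
# status detection (nd user-bind detect). Hypothetical code, not the VRP
# implementation; time is a simulated millisecond counter.


@dataclass
class Entry:
    ip: str
    port: str       # inbound interface recorded when the DAD NS was snooped
    lease_ms: int   # IPv6 address lease (constructed value)


class UserStatusDetector:
    def __init__(self, wait_time=250, life_time=500, retransmit=2, interval=1000,
                 detect_enabled=False):
        self.wait_time, self.life_time = wait_time, life_time   # nd snooping wait-time/life-time
        self.retransmit, self.interval = retransmit, interval   # nd user-bind detect
        self.detect_enabled = detect_enabled                    # nd user-bind detect enable
        self.now = 0                                            # simulated clock (ms)
        self.suspended = False                                  # periodic detection paused
        self.sent_ns = []                                       # (time, ip, port) of NS probes

    def on_na(self, table, ip, in_port, answers):
        """NA with the entry's IP but another inbound port is a conflict: wait
        wait_time, probe the entry's port, hold the entry for life_time, then
        keep it (user answered) or move it to the new port (user offline)."""
        entry = table.get(ip)
        if entry is None or entry.port == in_port:
            return "no-conflict"
        self.suspended = True                   # periodic detection is suspended meanwhile
        self.now += self.wait_time
        self.sent_ns.append((self.now, ip, entry.port))
        replied = answers(ip, entry.port)       # NA back from the entry's own port?
        self.now += self.life_time
        self.suspended = False
        entry.lease_ms += self.life_time        # both outcomes update the lease
        if replied:
            return "kept"
        entry.port = in_port                    # adopt the port of the conflicting NA
        return "port-updated"

    def periodic_detect(self, table, ip, answers):
        """Send NS up to retransmit times, interval ms apart; no NA at all means the
        user is offline and its dynamic entry is deleted."""
        if not self.detect_enabled or self.suspended or ip not in table:
            return "skipped"
        entry = table[ip]
        for _ in range(self.retransmit):
            self.sent_ns.append((self.now, ip, entry.port))
            if answers(ip, entry.port):
                return "online"
            self.now += self.interval
        del table[ip]
        return "deleted"


# Constructed hosts that really answer an NS on a given (address, port) pair.
ALIVE = {("2001:db8:1::1", "GE1/0/1"), ("2001:db8:1::2", "GE1/0/4")}


def answers(ip, port):
    return (ip, port) in ALIVE


def demo():
    table = {ip: Entry(ip, port, 3600000) for ip, port in
             [("2001:db8:1::1", "GE1/0/1"), ("2001:db8:1::2", "GE1/0/3"),
              ("2001:db8:1::3", "GE1/0/5")]}
    d = UserStatusDetector(detect_enabled=True)
    r1 = d.on_na(table, "2001:db8:1::1", "GE1/0/2", answers)  # claim from another port; real user answers
    r2 = d.on_na(table, "2001:db8:1::2", "GE1/0/4", answers)  # user genuinely moved ports
    r3 = d.periodic_detect(table, "2001:db8:1::3", answers)   # silent user: deleted after 2 probes
    return r1, r2, r3, table, d
```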

Precautions

After you run the nd user-bind detect enable command, the device sends an NS packet after a period of time. The maximum value of this period is 20 seconds.

Example

# Enable the function for automatically detecting status of users mapping ND snooping dynamic binding entries.

<HUAWEI> system-view
[HUAWEI] nd user-bind detect enable

reset nd snooping prefix

Function

The reset nd snooping prefix command clears prefix management entries of users.

Format

reset nd snooping prefix [ ipv6-address/prefix-length ]

Parameters

Parameter: ipv6-address
Description: Specifies an IPv6 address.
Value: The value is a 32-digit hexadecimal number in X:X:X:X:X:X:X:X format.

Parameter: prefix-length
Description: Specifies the prefix length.
Value: The value is an integer ranging from 1 to 128.
If the global unicast address needs to be set in EUI-64 format, the value of prefix-length ranges from 1 to 64.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The ND server that functions as the gateway router sends RA packets periodically to instruct users to update prefixes. The switch that functions as the access device establishes prefix management entries based on RA packets to maintain and manage user prefixes.

Generally, do not delete prefix management entries of users manually. Run the reset nd snooping prefix command to delete prefix management entries of users if the following requirements are met:

  • The user lease does not expire and the prefix management table cannot age automatically.
  • The user is no longer connected to the network.

Precautions

After a prefix management entry is deleted, the switch cannot create ND snooping dynamic binding entries for new users whose addresses match that prefix.

Example

# Delete the prefix management entry with the prefix address being fc00:1::1 and the prefix length being 64.

<HUAWEI> reset nd snooping prefix fc00:1::1/64 

reset nd snooping statistics

Function

The reset nd snooping statistics command deletes statistics on ND snooping packets.

Format

reset nd snooping statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After ND snooping is enabled, the device records statistics on the sent and received ND packets. This command deletes the statistics on ND packets.

Precautions

Deleted statistics cannot be restored. Exercise caution.

After you disable ND snooping, statistics on ND snooping packets are also deleted. However, when both ND snooping and SAVI are enabled, the statistics can be deleted only after both the functions are disabled (the SAVI function can be disabled by the undo savi enable command).

Example

# Delete statistics on ND snooping packets.

<HUAWEI> reset nd snooping statistics

reset nd snooping user-bind

Function

The reset nd snooping user-bind command clears ND snooping dynamic binding entries on the device.

Format

reset nd snooping user-bind [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id ]

Parameters

Parameter: interface interface-type interface-number
Description: Specifies the interface in the ND snooping dynamic binding entry to be cleared.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
Value: -

Parameter: ipv6-address ipv6-address
Description: Specifies the IPv6 address in the ND snooping dynamic binding entry to be cleared.
Value: The value is a 32-digit hexadecimal number in X:X:X:X:X:X:X:X format.

Parameter: mac-address mac-address
Description: Specifies the MAC address in the ND snooping dynamic binding entry to be cleared.
Value: The value is in the format of H-H-H. An H is a hexadecimal number of 1 to 4 digits.

Parameter: vlan vlan-id
Description: Specifies the VLAN ID in the ND snooping dynamic binding entry to be cleared.
Value: The value is an integer ranging from 1 to 4094.

Views

User view

Default Level

3: Management level

Usage Guidelines

You need to manually delete ND snooping dynamic binding entries if the following requirements are met:

  • The ND snooping dynamic binding entry does not reach the aging time, so the entry cannot age automatically.
  • The user is no longer connected to the network.
  • The user VLAN or interface information changes.

A change in the networking environment may change a user's VLAN or interface information, while the ND snooping dynamic binding entry that maps the user does not age out and is not updated in real time. As a result, the device discards valid ND packets that do not match the stale ND snooping dynamic binding entries. Before changing the networking environment, clear all ND snooping dynamic binding entries manually so that the device generates a new ND snooping dynamic binding table based on the new networking environment.

Example

# Delete the ND snooping dynamic binding entry that contains the IPv6 address being fc00:1::1.

<HUAWEI> reset nd snooping user-bind ipv6-address fc00:1::1

# Delete the ND snooping dynamic binding entry that contains the MAC address being 00e0-1111-2222.

<HUAWEI> reset nd snooping user-bind mac-address 00e0-1111-2222
Updated: 2019-04-09

Document ID: EDOC1100065659
