ND attack detection configuration example

Network requirements

As shown in Figure 142, configure ND attack detection on Device B to check user validity for ND messages from Host A and Host B.

Figure 141: Network diagram

Configuration procedure

  1. Configure Device A:

    # Create VLAN 10.

    <DeviceA> system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    

    # Configure GigabitEthernet 1/0/3 to trunk VLAN 10.

    [DeviceA] interface gigabitethernet 1/0/3
    [DeviceA-GigabitEthernet1/0/3] port link-type trunk
    [DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceA-GigabitEthernet1/0/3] quit
    

    # Assign IPv6 address 10::1/64 to VLAN-interface 10.

    [DeviceA] interface vlan-interface 10
    [DeviceA-Vlan-interface10] ipv6 address 10::1/64
    [DeviceA-Vlan-interface10] quit
    
  2. Configure Device B:

    # Create VLAN 10.

    <DeviceB> system-view
    [DeviceB] vlan 10
    [DeviceB-vlan10] quit
    

    # Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 10 as access ports, and configure GigabitEthernet 1/0/3 to trunk VLAN 10.

    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type access
    [DeviceB-GigabitEthernet1/0/1] port access vlan 10
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] port link-type access
    [DeviceB-GigabitEthernet1/0/2] port access vlan 10
    [DeviceB-GigabitEthernet1/0/2] quit
    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] port link-type trunk
    [DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceB-GigabitEthernet1/0/3] quit
    

    # Enable ND attack detection for VLAN 10.

    [DeviceB] vlan 10
    [DeviceB-vlan10] ipv6 nd detection enable
    

    # Enable ND snooping for IPv6 global unicast addresses and ND snooping for IPv6 link-local addresses in VLAN 10.

    [DeviceB-vlan10] ipv6 nd snooping enable global
    [DeviceB-vlan10] ipv6 nd snooping enable link-local
    [DeviceB-vlan10] quit
    

    # Configure GigabitEthernet 1/0/3 as an ND trusted interface.

    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] ipv6 nd detection trust
    

The configuration allows Device B to inspect all ND messages received by GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 based on the ND snooping entries.
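
The user validity check that this configuration enables can be modelled in a few lines of Python. This is an added illustration, not vendor code or part of the original guide. The host addresses and MAC addresses are constructed, and comparing only VLAN, source IPv6 address, and source MAC address is a simplifying assumption.

```python
import ipaddress

# Mirrors the Device B settings above; all host values below are constructed.
DETECTION_VLANS = {10}                      # ipv6 nd detection enable in VLAN 10
TRUSTED_PORTS = {"GigabitEthernet1/0/3"}    # ipv6 nd detection trust

def norm_mac(mac):
    """Reduce xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx notation to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def key(vlan, ip):
    """Snooping entries are keyed by VLAN and the parsed IPv6 address."""
    return (vlan, ipaddress.IPv6Address(ip))

# Constructed ND snooping entries for Host A and Host B (global and link-local).
SNOOPING = {
    key(10, "10::5"): norm_mac("0001-0203-0405"),
    key(10, "fe80::5"): norm_mac("0001-0203-0405"),
    key(10, "10::6"): norm_mac("0001-0203-0607"),
    key(10, "fe80::6"): norm_mac("0001-0203-0607"),
}

def check_nd(port, vlan, src_ip, src_mac):
    """Return the verdict for one ND message (simplified model, an assumption)."""
    if vlan not in DETECTION_VLANS:
        return "forward: detection not enabled"
    if port in TRUSTED_PORTS:
        return "forward: trusted interface"
    bound = SNOOPING.get(key(vlan, src_ip))
    if bound is None:
        return "drop: no snooping entry"
    if bound != norm_mac(src_mac):
        return "drop: MAC mismatch"
    return "forward: entry matched"

# Constructed ND messages: (ingress port, VLAN, source IPv6, source MAC).
SAMPLES = [
    ("GigabitEthernet1/0/1", 10, "10:0:0:0:0:0:0:5", "00:01:02:03:04:05"),
    ("GigabitEthernet1/0/2", 10, "10::1", "0001-0203-0607"),   # claims gateway
    ("GigabitEthernet1/0/2", 10, "10::5", "0001-0203-0607"),   # claims Host A
    ("GigabitEthernet1/0/3", 10, "10::1", "0001-0203-0a0b"),   # from Device A
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg[0], msg[2], "->", check_nd(*msg))
```

The second and third samples show why only the uplink is trusted: a host on an access port that claims the gateway address or another host's address has no matching entry and is dropped.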