ND attack detection configuration example
Network requirements
As shown in Figure 142, configure ND attack detection on Device B to check user validity for ND messages from Host A and Host B.
Figure 141: Network diagram
Configuration procedure
Configure Device A:
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 10
[DeviceA-GigabitEthernet1/0/3] quit
# Assign IPv6 address 10::1/64 to VLAN-interface 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ipv6 address 10::1/64
[DeviceA-Vlan-interface10] quit
Configure Device B:
# Create VLAN 10.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 10 as access ports, and configure GigabitEthernet 1/0/3 to trunk VLAN 10.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type access
[DeviceB-GigabitEthernet1/0/1] port access vlan 10
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type access
[DeviceB-GigabitEthernet1/0/2] port access vlan 10
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 10
[DeviceB-GigabitEthernet1/0/3] quit
# Enable ND attack detection for VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] ipv6 nd detection enable
# Enable ND snooping for IPv6 global unicast addresses and ND snooping for IPv6 link-local addresses in VLAN 10.
[DeviceB-vlan10] ipv6 nd snooping enable global
[DeviceB-vlan10] ipv6 nd snooping enable link-local
[DeviceB-vlan10] quit
# Configure GigabitEthernet 1/0/3 as an ND trusted interface.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ipv6 nd detection trust
The configuration allows Device B to inspect all ND messages received by GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 based on the ND snooping entries.
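The following Python model is an added illustration, not device code or part of the original configuration guide. It sketches the decision this configuration produces on Device B: ND messages on the trusted port or outside VLAN 10 pass unchecked, and ND messages on the untrusted ports pass only if their source IPv6 address and source MAC match a snooping entry. Assumptions: the host addresses and all MAC addresses are constructed, the class and function names are hypothetical, and the "first claim wins" learning rule is a simplification of ND snooping.

```python
import ipaddress

# Values taken from the configuration above.
DETECTION_VLANS = {10}          # ipv6 nd detection enable (VLAN 10)
TRUSTED_PORTS = {"GE1/0/3"}     # ipv6 nd detection trust

def norm_ip(addr):
    # Compare addresses by value so 10::5 and 10:0:0:0:0:0:0:5 are the same key.
    return ipaddress.IPv6Address(addr)

def norm_mac(mac):
    # Accept both 0001-0203-0405 and 00:01:02:03:04:05 notations.
    return mac.lower().replace("-", "").replace(":", "")

class NdDetection:
    """Simplified model (assumption): one MAC binding per (VLAN, IPv6 address)."""

    def __init__(self):
        self.bindings = {}  # stands in for the ND snooping entries

    def learn(self, vlan, ip, mac):
        # Assumption: the first claim for an address wins; later claims are ignored.
        self.bindings.setdefault((vlan, norm_ip(ip)), norm_mac(mac))

    def check(self, port, vlan, src_ip, src_mac):
        # Trusted ports and VLANs without detection are not inspected.
        if vlan not in DETECTION_VLANS or port in TRUSTED_PORTS:
            return "forward"
        bound = self.bindings.get((vlan, norm_ip(src_ip)))
        if bound is None:
            return "drop: no entry"
        if bound != norm_mac(src_mac):
            return "drop: MAC mismatch"
        return "forward"

def demo():
    dev_b = NdDetection()
    # Constructed bindings: one host at 10::5, another at 10::6.
    dev_b.learn(10, "10::5", "0001-0203-0405")
    dev_b.learn(10, "10::6", "0001-0203-0607")
    return [
        dev_b.check("GE1/0/1", 10, "10:0:0:0:0:0:0:5", "00:01:02:03:04:05"),  # valid host
        dev_b.check("GE1/0/2", 10, "10::5", "0001-0203-0607"),  # claims another host's address
        dev_b.check("GE1/0/2", 10, "10::1", "0001-0203-0607"),  # claims the gateway address
        dev_b.check("GE1/0/3", 10, "10::1", "0001-0203-0a0b"),  # uplink to Device A, trusted
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case shows why the uplink must be marked trusted: Device A's address 10::1 has no entry learned from an untrusted port, so the same message would be dropped if it arrived on an inspected interface.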