
Configuring an ND Snooping Trusted Interface

Context

ND snooping classifies the interfaces connecting to IPv6 nodes into trusted and untrusted interfaces. The trusted interfaces connect to trusted IPv6 nodes and untrusted interfaces connect to untrusted IPv6 nodes. By default, all interfaces are untrusted.

  • You must configure the interface connecting to a trusted IPv6 node as a trusted interface so that the device can forward the ND packets received by this interface. In addition, the device creates a prefix management table according to the received RA packet to help network administrators manage IPv6 addresses.

  • The interface connecting to an untrusted IPv6 node must be configured as an untrusted interface. The device discards the RA packets received by the untrusted interface to prevent RA attacks.

You can configure the trusted interface in the interface, BD, or VLAN view. When the trusted interface is configured in the interface view, the configuration takes effect for the ND packets received by this interface. When the trusted interface is configured in the BD view, the configuration takes effect for the ND packets received by all the interfaces in the BD. When the trusted interface is configured in the VLAN view, the interface must belong to the VLAN, and the configuration takes effect only for the ND packets that the interface receives from that VLAN. The VLAN view therefore gives the most precise control over which traffic is trusted.

Generally, the interface connecting to the gateway is configured as the trusted interface, and other interfaces are all untrusted interfaces.

Procedure

  • In the interface view
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run nd snooping trusted

      The interface is configured as the trusted interface.

      By default, all interfaces are untrusted interfaces.

  • In the interface view (DHCPv6 Only)
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run nd snooping trusted dhcpv6 only

      The interface is configured as an ND snooping trusted interface.

      By default, all interfaces are untrusted interfaces.

  • In the VLAN view
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run nd snooping trusted interface interface-type interface-number

      The interface that belongs to the VLAN is configured as the trusted interface.

      By default, all interfaces are untrusted interfaces.

  • In the VLAN view (DHCPv6 Only)
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run nd snooping trusted interface interface-type interface-number dhcpv6 only

      The interface added to this VLAN is configured as an ND snooping trusted interface.

      By default, all interfaces are untrusted.

  • In the BD view
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run nd snooping trusted

      The interfaces added to this BD are configured as ND snooping trusted interfaces.

      By default, all interfaces are untrusted interfaces.

  • In the BD view (DHCPv6 Only)
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run nd snooping trusted dhcpv6 only

      The interfaces added to this BD are configured as ND snooping trusted interfaces.

      By default, all interfaces are untrusted interfaces.
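
An added example, not Huawei's own tooling: a Python audit of a saved configuration that lists every trusted-interface statement from the interface, VLAN, and BD views and flags any that is not on the expected gateway uplink. The config excerpt, its layout, the interface names and the `audit_trusted` helper are assumptions made for illustration.

```python
import re

# Constructed sample; the layout (indented sub-commands, "#" separators) is assumed.
SAMPLE_CONFIG = """\
vlan 10
 nd snooping trusted interface GigabitEthernet0/0/2
#
bridge-domain 20
 nd snooping trusted dhcpv6 only
#
interface GigabitEthernet0/0/1
 nd snooping trusted
#
interface GigabitEthernet0/0/3
 nd snooping trusted dhcpv6 only
#
"""

TRUST_RE = re.compile(
    r"^nd snooping trusted(?: interface (?P<ifname>.+?))?(?P<dhcp> dhcpv6 only)?$")
VIEWS = ("interface", "vlan", "bridge-domain")

def norm(name):
    """Fold 'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' into one form."""
    return re.sub(r"\s+", "", name).lower()

def audit_trusted(config, allowed_uplinks):
    """Return (view, interface, dhcpv6_only, verdict) per trust statement."""
    allowed = {norm(n) for n in allowed_uplinks}
    findings, view = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("#"):
            view = None                      # section separator closes the view
        elif not line.startswith(" "):       # top-level command opens a view
            kind, _, arg = line.partition(" ")
            view = (kind, arg.strip()) if kind in VIEWS else None
        elif view and (m := TRUST_RE.match(line.strip())):
            kind, arg = view
            dhcp_only = m.group("dhcp") is not None
            if kind == "bridge-domain":      # BD-wide trust has no single port
                findings.append((f"bd {arg}", "*", dhcp_only, "review"))
                continue
            ifname = arg if kind == "interface" else m.group("ifname")
            if ifname:
                verdict = "ok" if norm(ifname) in allowed else "unexpected"
                view_name = f"vlan {arg}" if kind == "vlan" else "interface"
                findings.append((view_name, norm(ifname), dhcp_only, verdict))
    return findings
```

Calling `audit_trusted(SAMPLE_CONFIG, ["GigabitEthernet 0/0/1"])` marks the gateway uplink as `ok`, the other two ports as `unexpected`, and the BD-wide statement as `review` because it trusts every interface in that BD.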

Copyright © Huawei Technologies Co., Ltd.