As shown in Figure 1, the Switch is located between the hosts and the gateway. No DHCPv6 server is configured on the network, so the hosts obtain IPv6 addresses through stateless address autoconfiguration. If an attacker sends bogus NA/NS/RS/RA packets to the Switch, security issues may occur: for example, users cannot obtain IPv6 addresses, communication is interrupted, or user accounts and passwords are stolen.
The network administrator requires that the Switch be able to prevent bogus NA/NS/RS/RA packets, providing secure and stable network service to users. In addition, to manage IPv6 addresses of users, the network administrator needs to know the prefixes allocated by the gateway to the users.
The configuration roadmap is as follows:
# Create VLAN 10 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/3] quit
# Enable ND snooping globally.
[Switch] nd snooping enable
# Enable ND snooping for VLAN 10.
[Switch] vlan 10
[Switch-vlan10] nd snooping enable
[Switch-vlan10] quit
# Configure the trunk interface GE0/0/3 as the ND snooping trusted interface.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] nd snooping trusted
[Switch-GigabitEthernet0/0/3] quit
# Enable validity checks for NS, NA, and RS packets in VLAN 10.
[Switch] vlan 10
[Switch-vlan10] nd snooping check ns enable
[Switch-vlan10] nd snooping check na enable
[Switch-vlan10] nd snooping check rs enable
[Switch-vlan10] quit
# Enable automatic status detection for the users that map to ND snooping dynamic binding entries, and set the number of NS packets sent to detect a user's status and the interval between them.
[Switch] nd user-bind detect enable
[Switch] nd user-bind detect retransmit 5 interval 600
# Set the maximum number of dynamic ND snooping binding entries to 200.
[Switch] nd snooping max-user-number 200
Run the display this command in the system view. The command output shows that ND snooping and automatic status detection for the users that map to ND snooping dynamic binding entries have been enabled globally, and that the maximum number of dynamic ND snooping binding entries allowed on an interface has been set.
[Switch] display this
......
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
nd snooping max-user-number 200
......
Run the display this command in the VLAN view. The command output shows that ND snooping and ND packet validity check have been enabled in VLAN 10.
[Switch] vlan 10
[Switch-vlan10] display this
#
vlan 10
 nd snooping enable
 nd snooping check ns enable
 nd snooping check na enable
 nd snooping check rs enable
#
return
[Switch-vlan10] quit
Run the display this command to verify that GE0/0/3 has been configured as the trusted interface.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] display this
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
 nd snooping trusted
#
return
[Switch-GigabitEthernet0/0/3] quit
[Switch] quit
Run the display nd snooping prefix command to view the prefix management table of ND users.
<Switch> display nd snooping prefix
prefix-table:
Prefix Length Valid-Time Preferred-Time
--------------------------------------------------------------------------------
FC00:1:: 64 100000 100000
--------------------------------------------------------------------------------
Prefix table total count: 1
Run the display nd snooping user-bind all command to view the ND snooping dynamic binding table.
<Switch> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address                              MAC Address    VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
FC00:1::E58C:A2E7:AA4C:8E59             00e0-4c7c-af8f 10  /--  /--     2011.05.06-20:09
--------------------------------------------------------------------------------
print count:           1          total count:          1
If the prefix management table and the ND snooping dynamic binding table are generated on the Switch, ND snooping has been configured successfully.
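The two display outputs above are what an administrator would poll to manage user IPv6 addresses. The following Python script is an added example, not Huawei's own tooling: it parses the `display nd snooping prefix` and `display nd snooping user-bind all` outputs reproduced from this page (column spacing is reconstructed), converts each binding into a structured record, and then flags bindings whose address is outside every gateway-advertised prefix or whose lease has already passed. The field regexes are this example's own assumption about the column layout.

```python
"""Parse ND snooping prefix and binding tables from a Huawei switch and audit them.

Added example, not Huawei's own code. The layout is taken from the display output
on this page; the regular expressions are this example's assumption.
"""
import ipaddress
import re
from datetime import datetime

# Constructed input: the 'display nd snooping user-bind all' output from the page.
BIND_TABLE = """\
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address                              MAC Address    VSI/VLAN(O/I/P)  Lease
--------------------------------------------------------------------------------
FC00:1::E58C:A2E7:AA4C:8E59             00e0-4c7c-af8f 10  /--  /--     2011.05.06-20:09
--------------------------------------------------------------------------------
print count:           1          total count:          1
"""

# Constructed input: the 'display nd snooping prefix' output from the page.
PREFIX_TABLE = """\
prefix-table:
Prefix                 Length  Valid-Time  Preferred-Time
--------------------------------------------------------------------------------
FC00:1::               64      100000      100000
--------------------------------------------------------------------------------
Prefix table total count: 1
"""

# One binding row: IPv6 address, Huawei-style MAC, outer/inner/mapping VLAN, lease.
BIND_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f:]+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<outer>\S+)\s*/\s*(?P<inner>\S+)\s*/\s*(?P<map>\S+)\s+"
    r"(?P<lease>\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2})\s*$"
)
# One prefix row: prefix, length, valid lifetime, preferred lifetime.
PREFIX_RE = re.compile(
    r"^(?P<prefix>[0-9A-Fa-f:]+)\s+(?P<length>\d+)\s+(?P<valid>\d+)\s+(?P<pref>\d+)\s*$"
)


def parse_bindings(text):
    """Return one dict per binding row; header, separator and count lines never match."""
    rows = []
    for line in text.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ip"] = ipaddress.IPv6Address(row["ip"])
            row["lease"] = datetime.strptime(row["lease"], "%Y.%m.%d-%H:%M")
            rows.append(row)
    return rows


def parse_prefixes(text):
    """Return the gateway-advertised prefixes as IPv6Network objects."""
    nets = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line.strip())
        if m:
            nets.append(ipaddress.IPv6Network(f"{m['prefix']}/{m['length']}"))
    return nets


def bindings_outside_prefixes(bindings, prefixes):
    """Bindings whose address falls in none of the prefixes the gateway allocated."""
    return [b for b in bindings if not any(b["ip"] in p for p in prefixes)]


def expired_bindings(bindings, now):
    """Bindings whose lease time is at or before 'now' (a datetime)."""
    return [b for b in bindings if b["lease"] <= now]


if __name__ == "__main__":
    bindings = parse_bindings(BIND_TABLE)
    prefixes = parse_prefixes(PREFIX_TABLE)
    for b in bindings:
        print(f"{b['ip']}  {b['mac']}  vlan {b['outer']}  lease {b['lease']}")
    print("outside learned prefixes:", bindings_outside_prefixes(bindings, prefixes))
```

Run against a real switch, replace the two constructed strings with the captured command output; a non-empty result from `bindings_outside_prefixes` means a host holds a binding for an address the gateway never advertised, which is worth investigating before it ages out.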
Switch configuration file
#
 sysname Switch
#
vlan batch 10
#
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
nd snooping max-user-number 200
#
vlan 10
 nd snooping enable
 nd snooping check ns enable
 nd snooping check na enable
 nd snooping check rs enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
 nd snooping trusted
#
return
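The configuration file above is the complete posture this procedure builds: ND snooping on globally and in VLAN 10, NS/NA/RS validity checks in the VLAN, a binding-entry limit, and only the gateway-facing trunk trusted. The following Python script is an added example, not Huawei's own tooling: it parses a VRP-style configuration file (blocks separated by `#` lines, with the file above embedded as constructed input) and reports any deviation from that posture, so a fleet of switches can be audited from saved configurations. The audit rules are this example's own; the command strings are those on this page.

```python
"""Audit a Huawei VRP configuration file for the ND snooping posture on this page.

Added example, not Huawei's own code. Command syntax is taken from the
configuration file printed above; the audit rules are this example's own.
"""
import re

# Constructed input: the switch configuration file from the page.
SWITCH_CONFIG = """\
#
 sysname Switch
#
vlan batch 10
#
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
nd snooping max-user-number 200
#
vlan 10
 nd snooping enable
 nd snooping check ns enable
 nd snooping check na enable
 nd snooping check rs enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
 nd snooping trusted
#
return
"""


def parse_config(text):
    """Split a VRP config into (global_lines, {context_header: [lines]}).

    Blocks are separated by lines holding only '#'. A block whose first line is
    'interface ...' or 'vlan <id>' is a context view; every other block is
    treated as system-view (global) configuration. Indentation is dropped.
    """
    global_lines, contexts = [], {}
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or lines == ["return"]:
            continue
        head = lines[0]
        if head.startswith("interface ") or re.match(r"^vlan \d+$", head):
            contexts[head] = lines[1:]
        else:
            global_lines.extend(lines)
    return global_lines, contexts


def audit_nd_snooping(text, vlan_id):
    """Return a list of findings; an empty list means the config matches the page's posture."""
    glob, ctx = parse_config(text)
    findings = []
    if "nd snooping enable" not in glob:
        findings.append("ND snooping is not enabled globally")
    if not any(l.startswith("nd snooping max-user-number") for l in glob):
        findings.append("no limit set on dynamic ND snooping binding entries")
    vlan_lines = ctx.get(f"vlan {vlan_id}", [])
    if "nd snooping enable" not in vlan_lines:
        findings.append(f"ND snooping is not enabled in VLAN {vlan_id}")
    for kind in ("ns", "na", "rs"):
        if f"nd snooping check {kind} enable" not in vlan_lines:
            findings.append(f"{kind.upper()} validity check is not enabled in VLAN {vlan_id}")
    for head, lines in ctx.items():
        if not head.startswith("interface "):
            continue
        name = head.split(" ", 1)[1]
        trusted = "nd snooping trusted" in lines
        is_access = ("port link-type access" in lines
                     and f"port default vlan {vlan_id}" in lines)
        # Only explicit VLAN ids are matched here; 'vlan 2 to 100' ranges are not expanded.
        is_trunk = ("port link-type trunk" in lines and any(
            re.match(rf"^port trunk allow-pass vlan\b.*\b{vlan_id}\b", l) for l in lines))
        if is_access and trusted:
            findings.append(f"{name}: host-facing access port is marked trusted")
        if is_trunk and not trusted:
            findings.append(f"{name}: trunk carrying VLAN {vlan_id} is not trusted "
                            "(the page trusts the gateway-facing trunk)")
    return findings


if __name__ == "__main__":
    for finding in audit_nd_snooping(SWITCH_CONFIG, 10) or ["posture OK"]:
        print(finding)
```

The trusted-port rule is deliberately asymmetric: a host-facing access port marked trusted undoes the protection this page configures, so it is always reported, while an untrusted trunk is reported because this page trusts the single gateway-facing trunk; on a switch with downlink trunks to other access switches that second rule would need the gateway port named explicitly.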