
Configuring ND Packet Validity Check

Context

ND packet validity check prevents forged NA, NS, and RS packets from being forwarded.

After ND packet validity check is enabled, the device verifies the NA, NS, and RS packets received by untrusted interfaces against the ND snooping dynamic binding table, DHCPv6 dynamic binding table, or IPv6 static binding table, to determine whether the NA, NS, and RS packets are sent from valid users in the VLAN on the interface. The device forwards the NA, NS, and RS packets of valid users and drops invalid ND packets.

Configuration Precautions

After ND packet validity check is configured, you are advised to run the savi enable command in the system view to enable the SAVI function, so that an ND snooping binding entry can be automatically generated for a link-local address, namely, an IPv6 address with the FE80::/10 prefix. This is because the source IPv6 address of an NA, NS, or RS packet may be a link-local address during the neighbor discovery process of IPv6 hosts. If no ND snooping binding entry is generated for the link-local address, the valid NA, NS, or RS packet will be discarded. As a result, the IPv6 hosts cannot communicate with each other.

Procedure

  1. Enable ND packet validity check.

    ND packet validity check can be configured in the interface, BD, or VLAN view. If this function is configured in the interface view, the configuration takes effect for the NA, NS, and RS packets received by the untrusted interface. If this function is configured in the VLAN view, the configuration takes effect for the NA, NS, and RS packets that are received by all untrusted interfaces in the VLAN and belong to the VLAN. If this function is configured in the BD view, the configuration takes effect for the NA, NS, and RS packets received by all untrusted interfaces in the BD.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

      Or run vlan vlan-id

      The VLAN view is displayed.

      Or run bridge-domain bd-id

      The BD view is displayed.

    3. Run nd snooping check { na | ns | rs } enable

      ND packet validity check is enabled.

      By default, ND packet validity check is disabled.

  2. (Optional) Enable the alarm function for checking packets against the ND snooping binding table.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run nd snooping alarm binding-table check enable

      The alarm function for ND snooping binding table check is enabled.

      By default, the alarm function for ND snooping binding table check is disabled.

  3. (Optional) Configure the alarm threshold.

    • Configure the alarm threshold in the system view.

      1. Run system-view

        The system view is displayed.

      2. Run nd snooping alarm binding-table check threshold threshold

        The alarm threshold for the number of ND snooping-discarded packets is configured.

        By default, the global alarm threshold for the number of ND snooping-discarded packets is 100.

    • Configure the alarm threshold in the interface view.

      1. Run system-view

        The system view is displayed.

      2. Run interface interface-type interface-number

        The interface view is displayed.

      3. Run nd snooping alarm binding-table check threshold threshold

        The alarm threshold for the number of ND snooping-discarded packets is configured.

        By default, the alarm threshold for the number of ND snooping-discarded packets on an interface is the configured value in the system view.
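The following model, added here as an illustration and not Huawei code, shows the behaviour the steps above configure: NA, NS, and RS packets from untrusted interfaces are matched against binding entries of (IPv6 address, MAC, VLAN, interface), discards are counted per interface, an alarm is raised when the count reaches the interface threshold (inheriting the system-view default of 100 when none is set), and a host's link-local RS is dropped until an entry for that address exists, as the precaution about SAVI describes. The binding entries, packets, interface name and MAC address are constructed sample values.

```python
# Added model of ND packet validity check; not Huawei code.
from dataclasses import dataclass, field
from ipaddress import IPv6Address

def binding(ip, mac, vlan, iface):
    # normalize so textual variants of one address or MAC compare equal
    return (str(IPv6Address(ip)), mac.lower(), vlan, iface)

@dataclass
class NdPacket:
    kind: str        # "NA", "NS" or "RS"
    src_ip: str
    src_mac: str
    vlan: int
    interface: str   # interface the packet arrived on

@dataclass
class NdValidityChecker:
    bindings: set    # entries from ND snooping, DHCPv6 snooping or static config
    trusted: set = field(default_factory=set)
    global_threshold: int = 100          # default system-view alarm threshold
    if_threshold: dict = field(default_factory=dict)
    discards: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def threshold_for(self, iface):
        # an interface without its own threshold inherits the system-view value
        return self.if_threshold.get(iface, self.global_threshold)

    def check(self, pkt):
        """Return True to forward, False to drop; count drops and raise alarms."""
        if pkt.interface in self.trusted or pkt.kind not in ("NA", "NS", "RS"):
            return True  # only NA/NS/RS on untrusted interfaces are checked
        if binding(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.interface) in self.bindings:
            return True
        n = self.discards[pkt.interface] = self.discards.get(pkt.interface, 0) + 1
        if n == self.threshold_for(pkt.interface):
            self.alarms.append(f"{pkt.interface}: {n} ND packets discarded")
        return False

def demo():
    # constructed sample: one host bound on VLAN 10 / GE0/0/1, threshold 2 for the demo
    mac, iface = "00:11:22:33:44:55", "GE0/0/1"
    chk = NdValidityChecker({binding("2001:db8::10", mac, 10, iface)}, if_threshold={iface: 2})
    ok = chk.check(NdPacket("NA", "2001:db8::10", mac, 10, iface))
    spoofed = chk.check(NdPacket("NA", "2001:db8::1", mac, 10, iface))
    # the host's RS has a link-local source: dropped until a SAVI-generated entry exists
    rs = NdPacket("RS", "fe80::211:22ff:fe33:4455", mac, 10, iface)
    dropped = chk.check(rs)
    chk.bindings.add(binding(rs.src_ip, mac, 10, iface))
    return ok, spoofed, dropped, chk.check(rs), chk.alarms
```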

Copyright © Huawei Technologies Co., Ltd.