nd snooping check enable

Function

The nd snooping check enable command enables ND protocol packet validity check.

The undo nd snooping check enable command disables ND protocol packet validity check.

By default, ND protocol packet validity check is disabled.

Format

nd snooping check { na | ns | rs } enable

undo nd snooping check { na | ns | rs } enable

Parameters

| Parameter | Description | Value |
|---|---|---|
| na | Enables validity check for Neighbor Advertisement (NA) packets. | - |
| ns | Enables validity check for Neighbor Solicitation (NS) packets. | - |
| rs | Enables validity check for Router Solicitation (RS) packets. | - |

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, BD view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ND packet validity check prevents forged NA/NS/RS packets.

After ND packet validity check is enabled, the device verifies the NA/NS/RS packets received by untrusted interfaces against the ND snooping binding table, to determine whether the NA/NS/RS packets are sent from valid users in the VLAN on the interface. The device forwards the ND packets from valid users and drops invalid ND packets.
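The forward/drop decision described above can be modelled as follows. This is an added example, not Huawei code: the class and function names are hypothetical, the binding-entry fields (source IPv6 address, source MAC address, VLAN, interface) are an assumption, and the addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

ND_TYPES = {"na", "ns", "rs"}  # the three keywords the command accepts

@dataclass
class Port:
    trusted: bool = False                      # trusted ports are not checked
    checks: set = field(default_factory=set)   # types with "check ... enable"

def binding_key(ipv6, mac, vlan, interface):
    # Assumed binding-entry fields: source IPv6, source MAC, VLAN, interface.
    return (ipaddress.IPv6Address(ipv6).compressed, mac.lower(), vlan, interface)

class NdSnoopingModel:
    def __init__(self):
        self.ports = {}
        self.bindings = set()

    def add_binding(self, ipv6, mac, vlan, interface):
        self.bindings.add(binding_key(ipv6, mac, vlan, interface))

    def enable_check(self, interface, nd_type):
        if nd_type not in ND_TYPES:
            raise ValueError(f"unsupported ND type: {nd_type}")
        self.ports.setdefault(interface, Port()).checks.add(nd_type)

    def verdict(self, interface, nd_type, src_ipv6, src_mac, vlan):
        """Return 'forward' or 'drop' for one received ND packet."""
        port = self.ports.setdefault(interface, Port())
        if port.trusted or nd_type not in port.checks:
            return "forward"   # check not applied to this packet
        key = binding_key(src_ipv6, src_mac, vlan, interface)
        return "forward" if key in self.bindings else "drop"

def demo():
    sw = NdSnoopingModel()
    sw.ports["GE0/0/2"] = Port(trusted=True)
    sw.add_binding("2001:db8::10", "00e0-fc12-3456", 10, "GE0/0/1")  # constructed
    sw.enable_check("GE0/0/1", "na")
    sw.enable_check("GE0/0/2", "na")  # model only: trust still bypasses the check
    forged = ("2001:db8::1", "00e0-fc12-3456", 10)  # source IPv6 not in the table
    return [
        sw.verdict("GE0/0/1", "na", "2001:DB8:0:0::10", "00E0-FC12-3456", 10),
        sw.verdict("GE0/0/1", "na", *forged),   # NA check on, no binding
        sw.verdict("GE0/0/1", "ns", *forged),   # NS check left at default (off)
        sw.verdict("GE0/0/2", "na", *forged),   # trusted interface
    ]

if __name__ == "__main__":
    print(demo())
```

The third result shows why each packet type needs its own enable: with only na configured, an NS packet from an unbound source is still forwarded.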

Prerequisites

ND snooping has been enabled globally using the nd snooping enable command.

Example

# Enable NA packet validity check on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping check na enable
Copyright © Huawei Technologies Co., Ltd.