nd snooping enable

Function

The nd snooping enable command enables ND snooping.

The undo nd snooping enable command disables ND snooping.

By default, ND snooping is disabled.

Format

nd snooping enable

undo nd snooping enable

Parameters

None

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, BD view

Default Level

2: Configuration level

Usage Guidelines

ND is a core IPv6 function but has no built-in security mechanism, so attackers can forge ND packets to attack network devices. Common ND attacks are as follows:
  • An attacker uses the IPv6 address of host A as the source of NS, NA, or RS packets sent to host B or the gateway. Host B or the gateway then updates its ND entry for host A with the attacker's MAC address. As a result, all packets sent from host B or the gateway to host A are delivered to the attacker.
  • An attacker uses the gateway's IPv6 address as the source of RA packets sent to hosts. The hosts then apply incorrect IPv6 parameters (for example, prefix or default router) and update their ND entries to point at the attacker.

To prevent ND attacks, enable ND snooping on the device. The device inspects the NS packets that hosts send during the DAD process and uses them to build a dynamic ND snooping binding table that records the source IPv6 address, source MAC address, VLAN, and inbound port of each host. When the device receives subsequent ND packets, it checks their validity against this binding table and checks whether the user is an authorized user in the VLAN to which the receiving port belongs. Valid ND packets are forwarded; ND packets whose source address, MAC address, VLAN, or inbound port does not match a binding entry are discarded, which defends against ND attacks from bogus hosts or gateways.
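The binding-table check described above, as an added Python model that is not Huawei code and does not reflect the switch's internal data structures: a DAD NS (source ::) creates a binding of target address, MAC, VLAN, and port, and every later NS/NA/RS/RA is accepted only if its source address, MAC, VLAN, and port all match. The static entry for the gateway, the addresses, MACs, and port names are constructed for illustration, and RA handling via the same table is an assumption of this model.

```python
"""Simplified model of an ND snooping binding table (added example, not Huawei code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNSPECIFIED = "::"  # source address of an NS sent during DAD


@dataclass(frozen=True)
class NdPacket:
    kind: str                     # "NS", "NA", "RS" or "RA"
    src_ip: str                   # IPv6 source address
    src_mac: str                  # source MAC address
    vlan: int                     # VLAN the packet arrived in
    port: str                     # inbound port
    target: Optional[str] = None  # target address carried by an NS/NA


@dataclass(frozen=True)
class Binding:
    mac: str
    port: str


class NdSnoopingTable:
    """Binding table keyed by (IPv6 address, VLAN), mapping to the MAC and inbound port."""

    def __init__(self) -> None:
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def bind_static(self, ip: str, vlan: int, mac: str, port: str) -> None:
        """Static entry, e.g. for the gateway (assumed here; the page only describes dynamic entries)."""
        self.bindings[(ip, vlan)] = Binding(mac, port)

    def learn_from_dad(self, pkt: NdPacket) -> bool:
        """Create a dynamic entry from a DAD NS: source ::, target = address being claimed."""
        if pkt.kind != "NS" or pkt.src_ip != UNSPECIFIED or pkt.target is None:
            return False
        key = (pkt.target, pkt.vlan)
        if key in self.bindings:
            # Address already bound: a DAD from another MAC/port must not take it over.
            return self.bindings[key] == Binding(pkt.src_mac, pkt.port)
        self.bindings[key] = Binding(pkt.src_mac, pkt.port)
        return True

    def is_valid(self, pkt: NdPacket) -> bool:
        """Forwarding decision for one ND packet: True = forward, False = discard."""
        if pkt.kind == "NS" and pkt.src_ip == UNSPECIFIED:
            return self.learn_from_dad(pkt)
        entry = self.bindings.get((pkt.src_ip, pkt.vlan))
        if entry is None:
            # Unknown source address, or a known address used in a VLAN it is not bound in.
            return False
        return entry == Binding(pkt.src_mac, pkt.port)


def run_demo() -> Dict[str, bool]:
    """Constructed traffic: host A on GE0/0/1, gateway on GE0/0/24, attacker on GE0/0/2."""
    table = NdSnoopingTable()
    table.bind_static("fe80::1", 10, "00:00:5e:00:53:01", "GE0/0/24")  # gateway link-local
    host_a_mac, attacker_mac = "00:00:5e:00:53:0a", "00:00:5e:00:53:bb"
    return {
        # Host A claims 2001:db8::a via DAD; a dynamic binding is created.
        "dad_learned": table.is_valid(
            NdPacket("NS", UNSPECIFIED, host_a_mac, 10, "GE0/0/1", target="2001:db8::a")),
        # Host A's own NA from the bound MAC/port/VLAN is forwarded.
        "host_a_na": table.is_valid(
            NdPacket("NA", "2001:db8::a", host_a_mac, 10, "GE0/0/1", target="2001:db8::a")),
        # Attack 1: attacker sends an NA with host A's address from its own MAC/port.
        "spoofed_na": table.is_valid(
            NdPacket("NA", "2001:db8::a", attacker_mac, 10, "GE0/0/2", target="2001:db8::a")),
        # Attacker tries to re-bind host A's address through a forged DAD NS.
        "rebind_attempt": table.is_valid(
            NdPacket("NS", UNSPECIFIED, attacker_mac, 10, "GE0/0/2", target="2001:db8::a")),
        # Attack 2: attacker sends an RA with the gateway's address.
        "spoofed_ra": table.is_valid(NdPacket("RA", "fe80::1", attacker_mac, 10, "GE0/0/2")),
        # The real gateway's RA matches its static binding.
        "gateway_ra": table.is_valid(NdPacket("RA", "fe80::1", "00:00:5e:00:53:01", 10, "GE0/0/24")),
        # Host A's address used in a VLAN it is not bound in is discarded.
        "wrong_vlan": table.is_valid(
            NdPacket("NA", "2001:db8::a", host_a_mac, 20, "GE0/0/1", target="2001:db8::a")),
    }


if __name__ == "__main__":
    for name, forwarded in run_demo().items():
        print(f"{name:15s} {'forward' if forwarded else 'discard'}")
```

The "rebind_attempt" case shows why the first DAD NS matters: once an address is bound, a later DAD from a different MAC or port must not overwrite the entry, otherwise an attacker could simply re-run DAD to hijack it. This is also why the port-Up timing caveat in the next paragraph matters: if the host's DAD NS is missed, no entry exists and the host's own traffic is discarded.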

By default, the system reports a port-Up event 2 seconds after a user-side interface transitions from Down to Up. If ND snooping is enabled before the port-Up event is reported, the host's DAD NS packets sent during that interval are not inspected, so the system cannot generate an ND snooping entry for the user connected to this interface, and that user's subsequent ND packets are discarded. To avoid this problem, run the carrier up-hold-time interval command to change the delay in reporting the port-Up event to 0.

Example

# Enable ND snooping globally and on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable
Copyright © Huawei Technologies Co., Ltd.