
nd snooping enable dhcpv6 only

Function

The nd snooping enable dhcpv6 only command enables ND snooping in the DHCPv6 Only scenario.

The undo nd snooping enable command disables ND snooping in the DHCPv6 Only scenario.

By default, ND snooping is disabled in the DHCPv6 Only scenario.

Format

nd snooping enable dhcpv6 only

undo nd snooping enable

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, BD view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device checks the validity of ND protocol packets against the IPv6 static binding table, the DHCPv6 dynamic binding table, and the ND snooping binding table. The IPv6 static binding table is manually configured by the administrator, the DHCPv6 dynamic binding table is automatically generated by extracting information from DHCPv6 Reply packets, and the ND snooping binding table is automatically generated by extracting information from DAD NS packets. The ND protocol packet validity check function also depends on the ND snooping function (including enabling ND snooping and configuring ND snooping trusted interfaces).

In the DHCPv6 Only scenario, users are allowed to obtain IPv6 addresses only through DHCPv6. IPv6 addresses that are privately configured by users or automatically generated using the PD address prefix are considered invalid addresses. In this scenario, ND snooping is disabled to prevent ND snooping binding entries from being generated for such invalid addresses. As a result, the ND protocol packet validity check cannot be performed, and the network may be exposed to address spoofing attacks.

To resolve this problem, run the nd snooping enable dhcpv6 only and nd snooping trusted dhcpv6 only commands to enable the ND snooping function in the DHCPv6 Only scenario. After the nd snooping enable dhcpv6 only command is configured, no ND snooping binding entry is generated for IPv6 global unicast addresses that are manually configured by users or automatically generated using PD address prefixes. The device checks the validity of ND protocol packets against the IPv6 static binding table and DHCPv6 dynamic binding table.

Prerequisites

ND snooping has been enabled globally using the nd snooping enable command.

Precautions

  • In the DHCPv6 Only scenario, ND snooping binding entries are generated for IPv6 link-local addresses that are manually configured by users or automatically generated. That is, in the DHCPv6 Only scenario the ND snooping binding table contains only records for IPv6 link-local addresses.
  • IPv6 addresses obtained using DHCPv6 PD also apply to the DHCPv6 Only scenario.
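
The binding-table behaviour described in the Usage Scenario and Precautions above, as an added Python model that is not Huawei code or device output. The class and method names are hypothetical, the sample hosts are constructed, and two things are assumptions: that entries are matched on IPv6 address and MAC address only, and that the check consults all three tables (in DHCPv6 Only mode the ND snooping table holds link-local entries only).

```python
import ipaddress


class NdSnoopingModel:
    """Hypothetical model of the three binding tables used for ND validity checks."""

    def __init__(self, dhcpv6_only):
        self.dhcpv6_only = dhcpv6_only
        self.static = set()       # configured manually by the administrator
        self.dhcpv6 = set()       # learned from DHCPv6 Reply packets
        self.nd_snooping = set()  # learned from DAD NS packets

    @staticmethod
    def _key(addr, mac):
        # Assumption: an entry is matched on (IPv6 address, MAC address) only.
        return (ipaddress.IPv6Address(addr), mac.lower())

    def add_static(self, addr, mac):
        self.static.add(self._key(addr, mac))

    def on_dhcpv6_reply(self, addr, mac):
        self.dhcpv6.add(self._key(addr, mac))

    def on_dad_ns(self, target, mac):
        """Return True if an ND snooping binding entry is generated."""
        key = self._key(target, mac)
        # DHCPv6 Only: entries are generated for link-local addresses only,
        # never for manually configured or PD-derived global unicast addresses.
        if self.dhcpv6_only and not key[0].is_link_local:
            return False
        self.nd_snooping.add(key)
        return True

    def is_valid(self, addr, mac):
        """Validity check of an ND packet's address/MAC pair against the tables."""
        key = self._key(addr, mac)
        return key in self.static or key in self.dhcpv6 or key in self.nd_snooping


def demo(dhcpv6_only=True):
    # Constructed sample data: documentation prefix and documentation MACs.
    host, other = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    sw = NdSnoopingModel(dhcpv6_only)
    sw.on_dhcpv6_reply("2001:db8::100", host)
    return {
        "link_local_entry": sw.on_dad_ns("fe80::1", host),
        "manual_gua_entry": sw.on_dad_ns("2001:db8::bad", other),
        "dhcpv6_addr_valid": sw.is_valid("2001:db8::100", host),
        "manual_gua_valid": sw.is_valid("2001:db8::bad", other),
        "spoofed_mac_valid": sw.is_valid("2001:db8::100", other),
    }
```

Calling `demo(dhcpv6_only=False)` shows the contrast: the manually configured global unicast address then gets an ND snooping entry and passes the check.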

Example

# Enable ND snooping globally, and enable ND snooping in the DHCPv6 Only scenario on interface GE0/0/1.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable dhcpv6 only
Copyright © Huawei Technologies Co., Ltd.