
nd snooping trusted dhcpv6 only

Function

The nd snooping trusted dhcpv6 only command configures the interfaces in the DHCPv6 Only scenario as ND snooping trusted interfaces.

The undo nd snooping trusted command restores the interfaces to untrusted.

By default, all interfaces are untrusted.

Format

Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, BD view

nd snooping trusted dhcpv6 only

undo nd snooping trusted

VLAN view

nd snooping trusted interface interface-type interface-number dhcpv6 only

undo nd snooping trusted interface interface-type interface-number

Parameters

Parameter: interface interface-type interface-number

Description: Specifies the type and number of the interface that will be configured as an ND snooping trusted interface in the DHCPv6 Only scenario.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

Value: -

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, BD view

Default Level

2: Configuration level

Usage Guidelines

The device checks the validity of ND protocol packets against the IPv6 static binding table, the DHCPv6 dynamic binding table, and the ND snooping binding table. The IPv6 static binding table is configured manually by the administrator, the DHCPv6 dynamic binding table is generated automatically from information extracted from DHCPv6 Reply packets, and the ND snooping binding table is generated automatically from information extracted from DAD NS packets. The ND protocol packet validity check function also depends on the ND snooping function (enabling ND snooping and configuring ND snooping trusted interfaces).

In the DHCPv6 Only scenario, users are allowed to obtain IPv6 addresses only through DHCPv6; IPv6 addresses that users configure privately, or that are generated automatically from the PD address prefix, are considered invalid. In this scenario, ND snooping is disabled to prevent ND snooping binding entries from being generated for such invalid addresses. The ND protocol packet validity check function therefore cannot be performed, so address spoofing attacks may occur on the network.

To resolve this problem, you can run the nd snooping enable dhcpv6 only and nd snooping trusted dhcpv6 only commands to enable the ND snooping function in the DHCPv6 Only scenario. After the nd snooping trusted dhcpv6 only command is configured, no prefix management entry is generated when the trusted interface receives an RA packet, which differs from the behavior of the nd snooping trusted command. The reason is that, for IPv6 addresses other than link-local addresses, a prefix management entry must be matched before the corresponding ND snooping binding entry is generated. In the DHCPv6 Only scenario, however, only entries for IPv6 link-local addresses exist in the ND snooping binding table, so prefix management entries do not need to be generated.
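The following is an added example, not part of the Huawei documentation, that models the behavior described above: the three binding tables, the different RA and DAD NS handling in the DHCPv6 Only scenario, and the resulting validity check on ND packets from untrusted interfaces. The class name, method names, interface names and binding values are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")


@dataclass
class NdSnoopingDevice:
    """Constructed model of the ND snooping binding tables and checks (not device code)."""
    dhcpv6_only: bool                                   # True: nd snooping ... dhcpv6 only
    trusted: set = field(default_factory=set)           # ND snooping trusted interfaces
    static_bindings: set = field(default_factory=set)   # IPv6 static binding table (administrator)
    dhcpv6_bindings: set = field(default_factory=set)   # DHCPv6 dynamic binding table (DHCPv6 Reply)
    nd_bindings: set = field(default_factory=set)       # ND snooping binding table (DAD NS)
    prefixes: set = field(default_factory=set)          # prefix management entries (RA on trusted)

    @staticmethod
    def _entry(ip, mac, iface, vlan):
        return (IPv6Address(ip), mac.lower(), iface, vlan)

    def receive_ra(self, iface, prefix):
        """An RA on a trusted interface yields a prefix management entry, except in
        DHCPv6 Only mode, where none is generated (only link-local bindings are needed)."""
        if iface in self.trusted and not self.dhcpv6_only:
            self.prefixes.add(IPv6Network(prefix))
            return True
        return False

    def receive_dhcpv6_reply(self, ip, mac, iface, vlan):
        """A DHCPv6 Reply seen by the device populates the DHCPv6 dynamic binding table."""
        self.dhcpv6_bindings.add(self._entry(ip, mac, iface, vlan))

    def receive_dad_ns(self, ip, mac, iface, vlan):
        """A DAD NS creates an ND snooping binding entry when the target is link-local or
        matches a prefix management entry; with no prefix entries (DHCPv6 Only mode),
        SLAAC- or PD-derived global addresses therefore get no binding."""
        addr = IPv6Address(ip)
        if addr in LINK_LOCAL or any(addr in p for p in self.prefixes):
            self.nd_bindings.add(self._entry(ip, mac, iface, vlan))
            return True
        return False

    def nd_packet_valid(self, ip, mac, iface, vlan):
        """ND protocol packet validity check: packets on trusted interfaces pass; packets on
        untrusted interfaces must match an entry in one of the three binding tables."""
        if iface in self.trusted:
            return True
        entry = self._entry(ip, mac, iface, vlan)
        return entry in (self.static_bindings | self.dhcpv6_bindings | self.nd_bindings)
```

In DHCPv6 Only mode a host's link-local address and its DHCPv6-assigned address pass the check, while a self-configured global address on the same untrusted port is dropped.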

Example

# Configure GE0/0/1 as an ND snooping trusted interface.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping trusted dhcpv6 only

# Configure GE0/0/1 as an ND snooping trusted interface in VLAN 2.

<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] vlan 2
[HUAWEI-vlan2] nd snooping trusted interface gigabitethernet 0/0/1 dhcpv6 only
Copyright © Huawei Technologies Co., Ltd.