479
Configuration guidelines
Make sure one or more of the following features are configured to prevent ND untrusted interfaces
from dropping all received ND messages:
• IPv6 source guard static bindings.
To make the bindings effective for ND attack detection, you must specify the vlan vlan-id option
in the ipv6 source binding command, and enable ND attack detection for the same VLAN.
• DHCPv6 snooping.
• ND snooping.
Configuration procedure
To configure ND attack detection:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter VLAN view.
vlan
vlan-id N/A
3. Enable ND attack detection.
ipv6 nd detection enable
By default, ND attack detection is
disabled.
4. Return to system view.
quit
N/A
5. Enter Layer 2 Ethernet or
aggregate interface view.
interface
interface-type
interface-number
N/A
6. (Optional.) Configure the
interface as ND trusted
interface.
ipv6 nd detection trust
By default, all interfaces are ND
untrusted interfaces.
Displaying and maintaining ND attack detection
Execute display commands in any view and reset commands in user view.
Task Command
Display statistics for ND messages
dropped by ND attack detection.
display ipv6 nd detection statistics
[
interface
interface-type
interface-number ]
Clear ND attack detection statistics.
reset ipv6 nd detection statistics
[
interface
interface-type
interface-number ]
ND attack detection configuration example
Network requirements
As shown in Figure 137, configure ND attack detection on Device B to check user validity for ND
messages from Host A and Host B.
To Next Page
Loading...
Need help?
General