481
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type access
[DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 10
[DeviceB-Ten-GigabitEthernet1/0/2] quit
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/3] port trunk permit vlan 10
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Enable ND attack detection for VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] ipv6 nd detection enable
# Enable ND snooping for IPv6 global unicast addresses and ND snooping for IPv6 link-local
addresses in VLAN 10.
[DeviceB-vlan10] ipv6 nd snooping enable global
[DeviceB-vlan10] ipv6 nd snooping enable link-local
[DeviceB-vlan10] quit
# Configure Ten-GigabitEthernet 1/0/3 as ND trusted interface.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] ipv6 nd detection trust
The configuration allows Device B to inspect all ND messages received by Ten-GigabitEthernet 1/0/1
and Ten-GigabitEthernet 1/0/2 based on the ND snooping entries.
Configuring RA guard
About RA guard
RA guard allows Layer 2 access devices to analyze and block unwanted and forged RA messages.
Upon receiving an RA message, the device makes the forwarding or dropping decision based on the
role of the attached device or the RA guard policy.
1. If the role of the device attached to the port is router, the device forwards all RA messages
received on the port. If the role is host, the device directly drops all RA messages received on
the port.
2. If no role is set for the port, the device uses the RA guard policy to match the information found
in the RA message.
{ If the RA message content matches every criterion in the policy, the device forwards the
message.
{ If the RA message content is not validated, the device drops the message.
Specifying the role of the attached device
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter Layer 2 Ethernet or
aggregate interface view.
interface
interface-type
interface-number
N/A
3. Specify the role of the device
attached to the port.
ipv6 nd raguard role
{
host
|
router
}
By default, the role of the device
attached to the port is not
specified.
To Next Page
Loading...
Need help?
General