
Ruijie RG-S2900G-E Series - Showing Related Dhcpv6-Guard Information; Enabling Dhcpv6-Guard; Configuration Mode. by Default, the Dhcpv6-Guard Is Enabled; Command

Ruijie RG-S2900G-E Series
943 pages
Configuration Guide NFPP Configuration
ND-guard
ND-guard Overview
ND, the abbreviation of Neighbor Discovery, is responsible for address
resolution, router discovery, prefix discovery and redirection. ND uses the
following 5 types of ND packets: Neighbor Solicitation, Neighbor
Advertisement, Router Solicitation, Router Advertisement and Redirect, which
are abbreviated as NS, NA, RS and RA.
ND Snooping monitors the ND packets in the network, filters illegal ND
packets and associates the monitored IPv6 users with the interface to prevent
IPv6 addresses from being stolen. ND Snooping sends the ND packets to the CPU,
and ND packets sent at a high rate lead to an attack on the CPU, so the
ND-guard function sends the ND packets to the CPU at the configured
rate-limit.
ND-guard classifies the ND packets into the following three types: 1) NS-NA:
the Neighbor Solicitation and the Neighbor Advertisement, used for the address
resolution; 2) RS: the Router Solicitation, used for the gateway discovery by the
host; 3) RA and Redirect: the Router Advertisement and Redirect, used to
advertise the gateway and prefix, and the better next-hop.
At present, only the port-based ND packet attack detection is implemented. You
may configure the rate-limit threshold and the attack threshold for the ND
packets.
When the ND packet rate on a port exceeds the rate-limit threshold, the ND
packets are dropped. When the ND packet rate on a port exceeds the attack
threshold, a prompt is shown on the CLI and TRAP packets are sent.
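The per-port behaviour described above, modelled in Python as an added example (not Ruijie code and not from the manual). The threshold values, port names and the one-second counting window are assumptions made for illustration; the ICMPv6 type numbers are those of RFC 4861.

```python
from collections import defaultdict

# ICMPv6 type -> ND-guard class (type numbers are from RFC 4861).
ND_CLASS = {135: "ns-na", 136: "ns-na", 133: "rs",
            134: "ra-redirect", 137: "ra-redirect"}

# Constructed thresholds in packets per second; not the switch's defaults.
RATE_LIMIT = {"ns-na": 5, "rs": 5, "ra-redirect": 5}
ATTACK_THRESHOLD = {"ns-na": 8, "rs": 8, "ra-redirect": 8}


def nd_guard(packets, rate_limit=RATE_LIMIT, attack_threshold=ATTACK_THRESHOLD):
    """packets: iterable of (time_ms, port, icmpv6_type), in time order.
    Returns (forwarded, dropped, alerts)."""
    seen = defaultdict(int)  # (port, class, second) -> ND packets observed
    alerted = set()          # keys already reported, one alert per second
    forwarded, dropped, alerts = [], [], []
    for time_ms, port, icmp_type in packets:
        cls = ND_CLASS.get(icmp_type)
        if cls is None:      # not an ND packet, outside this model
            forwarded.append((time_ms, port, icmp_type))
            continue
        key = (port, cls, time_ms // 1000)  # assumed 1-second counting window
        seen[key] += 1
        if seen[key] > rate_limit[cls]:
            dropped.append((time_ms, port, icmp_type))
        else:
            forwarded.append((time_ms, port, icmp_type))
        if seen[key] > attack_threshold[cls] and key not in alerted:
            alerted.add(key)  # stands in for the CLI prompt and the TRAP
            alerts.append((time_ms // 1000, port, cls))
    return forwarded, dropped, alerts


def sample_traffic():
    """Constructed input: Gi0/1 sends 12 NS in one second, Gi0/2 is quiet."""
    burst = [(10 * i, "Gi0/1", 135) for i in range(12)]
    quiet = [(100, "Gi0/2", 133), (200, "Gi0/2", 136), (300, "Gi0/2", 134)]
    return sorted(burst + quiet)


if __name__ == "__main__":
    fwd, drop, alerts = nd_guard(sample_traffic())
    print(len(fwd), "forwarded,", len(drop), "dropped")
    for second, port, cls in alerts:
        print(f"second {second}: {cls} rate on {port} exceeded the attack threshold")
```

Each of the three classes is counted separately per port, so the burst of NS packets on one port does not consume the budget of RS or RA packets on that port, or of any class on another port.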
ND-guard configuration commands include:
Enabling ND-guard
Port-based rate-limit and attack detection
Showing related dhcpv6-guard information
Enabling ND-guard
You can enable ND-guard in the nfpp configuration mode or in the interface
configuration mode. By default, the ND-guard is enabled.
Command                                Function
Ruijie# configure terminal             Enter the global configuration mode.
Ruijie(config)# nfpp                   Enter the nfpp configuration mode.
Ruijie(config-nfpp)# nd-guard enable   Enable the nd-guard. By default, nd-guard is enabled.
