ND Snooping Configuration
## Introduction

The ND Snooping (Neighbor Discovery Snooping) feature is designed for Layer 2 switching environments and serves a similar purpose to DHCP Snooping in IPv6 networks. It records information such as the source IPv6 address, source MAC address, and incoming port of packets. The entries generated by this feature coexist in the snooping table along with those created by DHCP Snooping.

## Explanation of Principles

The device supports learning ND Snooping entries through two methods:

- By listening to Duplicate Address Detection (DAD) packets received on interfaces where ND Snooping is enabled. This process helps establish the ND Snooping dynamic binding table.
- By monitoring the Neighbor Discovery Protocol (NDP) table entries on the device. These entries can also be used to update the ND Snooping dynamic binding table.

Through the creation of the ND Snooping dynamic binding table, the device can filter out unauthorized ND packets received from untrusted interfaces. This effectively prevents potential ND attacks.

## ND Snooping Configuration

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enable ND Snooping function | `nd snooping enable` | |
| Enter VLAN view | `vlan id` | |
| Enable ND Snooping function | `nd snooping enable` | |

## Configuration Example

### Network Requirements

To simplify management, IPv6 addresses are to be allocated uniformly by means of automatic configuration. The following are also required:

- Support for obtaining IPv6 addresses through stateful means.
- Support for obtaining IPv6 addresses in a stateless manner.
- Disable users from accessing the network through statically configured IPv6 addresses.

### Procedure

Create VLAN 100 and configure the IP address.

```
sonic(config)# vlan 100
sonic(config)# interface ethernet 1
sonic(config if 1)# switchport access vlan 100
sonic(config)# interface ethernet 2
sonic(config if 2)# switchport access vlan 100
sonic(config)# interface vlan 100
sonic(config vlanif 100)# ip address fd00 100 1/64
```

Configure the parameters of RA messages sent by the device.

```
sonic(config vlanif 100)# ipv6 nd ra managed flag on
sonic(config vlanif 100)# ipv6 nd ra autonomous on
sonic(config vlanif 100)# ipv6 nd ra other flag on
sonic(config vlanif 100)# ipv6 nd ra prefix fd00 200 1/64
sonic(config vlanif 100)# ipv6 nd ra route information /0 high
sonic(config vlanif 100)# ipv6 nd ra route information fd00 100 1/64
sonic(config vlanif 100)# ipv6 nd ra route information fd00 200 1/64
```

Configure the DHCPv6 relay function of the device.

```
sonic(config)# dhcp relay test v6
sonic(config dhcp relay test v6)# down link interface vlan 100
sonic(config dhcp relay test v6)# up link interface 5
sonic(config dhcp relay test v6)# server ip fd00 1001 1501 2001
sonic(config dhcp relay test v6)# loopback interface loopback 0
sonic(config dhcp relay test v6)# exit
```

Enable the DHCP Snooping and ND Snooping functions.

```
sonic(config)# dhcp snooping enable
sonic(config)# nd snooping enable
sonic(config)# interface vlan 100
sonic(config vlanif 100)# dhcp snooping enable
sonic(config vlanif 100)# nd snooping enable
```

Configure the interface to which the DHCP server is connected as a trusted port.

```
sonic(config)# interface ethernet 5
sonic(config if 5)# dhcp snooping enable
sonic(config if 5)# dhcp snooping trusted
```

Enable the security function to check the legitimacy of user messages.

```
sonic(config)# interface vlan 100
sonic(config vlanif 100)# ipv4 source check enable
sonic(config vlanif 100)# arp anti attack check enable
sonic(config vlanif 100)# ipv6 source check enable
sonic(config vlanif 100)# savi enable
```

### Verify Configuration

View the obtained IP address on the PC.

```
C:\Users\test>ipconfig
Windows IP Configuration
Ethernet adapters Ethernet
Connect to a specific DNS suffix
IPv6 address            fd00 100 a570
IPv6 address            fd00 200 a495\ f96e 6573\ c383
Temporary IPv6 address  fd00 200 6d18\ d132 77ef 42da
Local link IPv6 address fe80 a495\ f96e 6573\ c383%12
IPv4 address            192.168.0.144
Subnet mask             255.255.240.0
Default gateway         fe80 201 2ff\ fe03 800
                        192.168.0.1
```

Use the `show snooping table` command to view the snooping table entries on the device. The stateful IP addresses and stateless IP addresses have corresponding snooping table entries.

Modify the IP address on the user's PC to a static configuration, then ping the external network address and the IPv6 address of the device's SVI port, respectively. Neither ping goes through.

View the packet loss statistics of the security features on the device.

```
sonic# show user bind counter
interface    drop packets
vlan100      48
```
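The learning and filtering behavior described under Explanation of Principles can be modeled in a few lines. This is an added example, not the device's own code: the class names, the treatment of `Ethernet5` as a trusted port for ND, and the drop policy are assumptions, and the addresses are constructed values from documentation ranges.

```python
# Added illustration: simplified model of an ND snooping binding table.
# Class names, fields and drop policy are assumptions, not the device's code.
from dataclasses import dataclass
from ipaddress import IPv6Address

UNSPECIFIED = IPv6Address("::")

@dataclass(frozen=True)
class NdPacket:
    kind: str      # "NS" (Neighbor Solicitation) or "NA" (Neighbor Advertisement)
    src_ip: str    # IPv6 source address
    target: str    # ND target address
    src_mac: str
    port: str
    vlan: int

class NdSnoopingTable:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # (vlan, IPv6Address) -> (mac, port)

    def process(self, pkt):
        """Return 'learn', 'forward' or 'drop' for one ND packet."""
        if pkt.port in self.trusted:
            return "forward"            # trusted interfaces are not filtered
        src, target = IPv6Address(pkt.src_ip), IPv6Address(pkt.target)
        owner = (pkt.src_mac.lower(), pkt.port)
        if pkt.kind == "NS" and src == UNSPECIFIED:
            # DAD probe: the sender is testing `target` before using it.
            if (pkt.vlan, target) not in self.bindings:
                self.bindings[(pkt.vlan, target)] = owner
                return "learn"
            return "forward"            # existing binding is never overwritten
        # Other ND packets must match an existing binding for the claimed address.
        claimed = target if pkt.kind == "NA" else src
        return "forward" if self.bindings.get((pkt.vlan, claimed)) == owner else "drop"

def demo():
    # Constructed sample traffic on VLAN 100; addresses use documentation ranges.
    table = NdSnoopingTable(trusted_ports={"Ethernet5"})
    addr, mac1, mac2 = "2001:db8:100::10", "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    packets = [
        NdPacket("NS", "::", addr, mac1, "Ethernet1", 100),   # DAD probe
        NdPacket("NA", addr, addr, mac1, "Ethernet1", 100),   # real owner
        NdPacket("NA", addr, addr, mac2, "Ethernet2", 100),   # spoofed NA
        NdPacket("NS", "2001:db8:100::99", addr, mac2, "Ethernet2", 100),  # unbound source
    ]
    return [table.process(p) for p in packets]
```

Calling `demo()` returns the verdict for each packet in order; the last two packets correspond to the spoofed-advertisement and statically-configured-address cases that the binding table is meant to stop.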
