ND Snooping Overview; ND Snooping Features Supported by the S2700 - Huawei Quidway S2700 Series Configuration Manual


Quidway S2700 Series Ethernet Switches
Configuration Guide - Security

10.1 ND Snooping Overview

This section describes the principle of ND snooping.
Neighbor discovery (ND) is a group of messages and processes that identify relationships
between neighboring nodes. IPv6 ND corresponds to a combination of the Address Resolution
Protocol (ARP), ICMP router discovery, and ICMP Redirect in IPv4. ND provides the
following functions:
- Detecting address conflicts (duplicate address detection)
- Resolving the link-layer address of a neighboring node
- Determining neighbor reachability
- Configuring the host address (stateless address autoconfiguration from advertised prefixes)
ND uses the following ICMPv6 message types:
- Router Solicitation (RS): After startup, a host sends an RS message to a device and waits
for the device to respond with a Router Advertisement (RA) message.
- Router Advertisement (RA): A device periodically advertises RA messages that contain
prefixes, prefix lifetimes, and flag bits.
- Neighbor Solicitation (NS): Through NS messages, an IPv6 node obtains the link-layer
address of its neighbor, checks whether the neighbor is reachable, and performs duplicate
address detection.
- Neighbor Advertisement (NA): After receiving an NS message, an IPv6 node responds
with an NA message. An IPv6 node also sends unsolicited NA messages when its link-layer
address changes.
- Redirect: When a device finds that the inbound interface and outbound interface of a packet
are the same, it can send a Redirect message to instruct the host that sent the packet to
choose a better next hop.
ND snooping is a security feature of ND. By capturing and analyzing the preceding types of
messages, it filters out untrusted messages and establishes and maintains two tables:
- The prefix management table records each prefix advertised in RA messages together with
its lease (the prefix lifetime).
- The ND dynamic binding table records, for each host, its IPv6 address, MAC address,
interface, and VLAN ID.
By maintaining these two tables, a device enabled with ND snooping allows authorized users to
access the network and prevents unauthorized users from attacking network devices and
authorized users, for example by forging RA messages or by answering ND messages for
another host's address.

10.2 ND Snooping Features Supported by the S2700

This section describes ND snooping features supported by the S2700.
When deployed on a Layer 2 network, the S2700 sits between the ND server (usually a router)
and the user network. To prevent unauthorized users from forging the ND server, configure the
interface connected to the ND server as a trusted interface and the user-facing interfaces as
untrusted interfaces: RA messages are accepted only on trusted interfaces, and RA messages
received on untrusted interfaces are discarded.
By maintaining the prefix management table and ND dynamic binding table, the S2700 enabled
with ND snooping allows authorized users to access the network and prevents unauthorized
users from attacking network devices and authorized users.
Figure 10-1 shows ND snooping applied to the S2700.
Issue 01 (2011-07-15)
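As an added example (not Huawei's code and not the S2700's implementation), the following Python model applies the rules from 10.1 and 10.2 to constructed ND messages: RA messages are accepted only on trusted interfaces and feed the prefix management table; duplicate address detection NS messages from hosts create entries in the ND dynamic binding table (IPv6 address, MAC address, interface, VLAN ID); later NS and NA messages from untrusted interfaces are forwarded only if they match that table. The interface names, VLAN IDs, addresses, the check that a DAD target lies inside an advertised prefix, and the lease-expiry handling are assumptions of the example, and the messages are dicts standing in for ICMPv6 packets rather than captured traffic.

```python
# Added example, not Huawei code: a small model of the ND snooping checks
# described in 10.1 and 10.2. Messages are constructed Python dicts standing
# in for ICMPv6 packets; interface names, VLAN IDs, addresses, the prefix
# check on DAD targets and the lease handling are assumptions of the example.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NdSnooper:
    trusted: set                                       # interfaces facing the ND server
    prefix_table: dict = field(default_factory=dict)   # prefix -> lease expiry (seconds)
    binding_table: dict = field(default_factory=dict)  # IPv6 address -> (MAC, iface, VLAN)
    log: list = field(default_factory=list)            # (verdict, type, iface, reason)

    def _verdict(self, forward, msg, reason):
        self.log.append(("forward" if forward else "drop", msg["type"], msg["iface"], reason))
        return forward

    @staticmethod
    def _binding_of(msg):
        return (msg["mac"], msg["iface"], msg["vlan"])

    def _in_managed_prefix(self, addr):
        return any(addr in net for net in self.prefix_table)

    def expire(self, now):
        """Drop prefixes whose lease has ended, then bindings no prefix covers any more."""
        for net in [n for n, exp in self.prefix_table.items() if exp <= now]:
            del self.prefix_table[net]
        for addr in [a for a in self.binding_table if not self._in_managed_prefix(a)]:
            del self.binding_table[addr]

    def process(self, msg, now=0):
        """Apply the snooping rules to one ND message: True = forward, False = drop."""
        self.expire(now)
        mtype, iface = msg["type"], msg["iface"]
        if mtype == "RA":
            # RA comes from the ND server, so it is accepted only on a trusted interface.
            if iface not in self.trusted:
                return self._verdict(False, msg, "RA on untrusted interface (forged ND server)")
            for prefix, valid_lifetime in msg["prefixes"]:
                self.prefix_table[ipaddress.ip_network(prefix)] = now + valid_lifetime
            return self._verdict(True, msg, "prefix table updated")
        if iface in self.trusted:
            return self._verdict(True, msg, "trusted interface, not checked")
        if mtype == "NS" and msg["src"] == "::":
            # Duplicate address detection: the host is claiming msg["target"].
            target = ipaddress.ip_address(msg["target"])
            if not self._in_managed_prefix(target):
                return self._verdict(False, msg, "target outside the advertised prefixes")
            existing = self.binding_table.get(target)
            if existing is not None and existing != self._binding_of(msg):
                return self._verdict(False, msg, "target already bound to another host")
            self.binding_table[target] = self._binding_of(msg)
            return self._verdict(True, msg, "binding created")
        if mtype in ("NS", "NA"):
            # The source address must be bound to exactly this MAC, interface and VLAN.
            src = ipaddress.ip_address(msg["src"])
            if self.binding_table.get(src) != self._binding_of(msg):
                return self._verdict(False, msg, "source does not match the binding table")
            return self._verdict(True, msg, "matches the binding table")
        return self._verdict(True, msg, "not inspected")   # RS and Redirect in this model


def run_scenario():
    """Constructed traffic: the router on GE0/0/1 (trusted), hosts on GE0/0/2 and GE0/0/3."""
    snooper = NdSnooper(trusted={"GE0/0/1"})
    ra = {"type": "RA", "iface": "GE0/0/1", "vlan": 10, "mac": "00:11:22:33:44:01",
          "src": "fe80::1", "prefixes": [("2001:db8:1::/64", 3600)]}
    rogue_ra = dict(ra, iface="GE0/0/3", mac="00:11:22:33:44:03", src="fe80::3",
                    prefixes=[("2001:db8:bad::/64", 3600)])
    dad = {"type": "NS", "iface": "GE0/0/2", "vlan": 10, "mac": "00:11:22:33:44:02",
           "src": "::", "target": "2001:db8:1::2"}
    good_na = {"type": "NA", "iface": "GE0/0/2", "vlan": 10, "mac": "00:11:22:33:44:02",
               "src": "2001:db8:1::2", "target": "2001:db8:1::2"}
    spoof_na = dict(good_na, iface="GE0/0/3", mac="00:11:22:33:44:03")   # host 3 answers for host 2
    spoof_dad = dict(dad, iface="GE0/0/3", mac="00:11:22:33:44:03")      # host 3 claims host 2's address
    stray_dad = dict(dad, target="2001:db8:9::2")                        # address outside any prefix
    traffic = [ra, rogue_ra, dad, good_na, spoof_na, spoof_dad, stray_dad]
    results = [snooper.process(msg, now=t) for t, msg in enumerate(traffic)]
    return results, snooper


if __name__ == "__main__":
    results, snooper = run_scenario()
    for entry in snooper.log:
        print(*entry)
    snooper.expire(now=5000)    # lease over: the prefix and its bindings are gone
    print("bindings after lease expiry:", snooper.binding_table)
```

Two points of the model are worth noting when reading the real feature's behaviour. Trusted interfaces bypass every check, so the trusted set must contain only the port facing the ND server; a trusted user port is a hole through the whole mechanism. And because the model only binds addresses inside an advertised prefix, a DAD message for a link-local address (fe80::/10, which RA messages do not advertise) would be dropped here; a production implementation has to handle link-local addresses separately.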
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
10 ND Snooping Configuration
181
