Enabling Source MAC Consistency Check For ND Packets; Configuring The ND Detection Function; Introduction To ND Detection - HP 5500 HI Series Configuration Manual

Security

The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.

Enabling source MAC consistency check for ND packets

Use source MAC consistency check on a gateway to filter out ND packets that carry different source MAC addresses in the Ethernet frame header and the source link layer address option.
Follow these guidelines when you enable source MAC consistency check for ND packets:
• If VRRP is used, disable source MAC consistency check for ND packets to prevent incorrect dropping of packets. With VRRP, the NA message always conveys a MAC address different from the Source Link-Layer Address option.
To enable source MAC consistency check for ND packets:

Step                                                    Command                     Remarks
1. Enter system view.                                   system-view                 N/A
2. Enable source MAC consistency check for ND packets.  ipv6 nd mac-check enable    Disabled by default

Configuring the ND detection function

Introduction to ND detection

Use the ND detection function on access devices to verify the source of ND packets. If an ND packet comes from a spoofing host or gateway, it is discarded.
The ND detection function operates on a per-VLAN basis. In an ND detection-enabled VLAN, a port is either ND-trusted or ND-untrusted:
• An ND-trusted port does not check ND packets for address spoofing.
• An ND-untrusted port checks all ND packets except RA and RR messages in the VLAN for source spoofing. RA and RR messages received on an ND-untrusted port are considered illegal and are discarded directly.
The ND detection function checks an ND packet by looking up the IPv6 static binding table of the IP source guard function, the ND snooping table, and the DHCPv6 snooping table in the following order:
1. Looks up the IPv6 static binding table of IP source guard, based on the source IPv6 address and the source MAC address in the Ethernet frame header of the ND packet. If an exact match is found, the ND packet is forwarded. If an entry matches the source IPv6 address but not the source MAC address, the ND packet is discarded. If no entry matches the source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table.
2. If an exact match is found in either the DHCPv6 snooping table or the ND snooping table, the ND packet is forwarded. If no match is found in either table, the packet is discarded. If neither the DHCPv6 snooping table nor the ND snooping table is available, the ND packet is discarded.
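The following Python script is an added worked example, not HP's code and not part of this manual. It models both features described in this section: the gateway-side source MAC consistency check (Ethernet source MAC versus the Source Link-Layer Address option) and the access-side ND detection lookup order (IP source guard static bindings first, then the DHCPv6 snooping and ND snooping tables). The frames it checks are constructed inline, the addresses, MACs and binding tables are made up, the ICMPv6 checksum is not verified, and reading "RR" as the ICMPv6 Redirect message is an assumption.

```python
# Added example (not HP code): a model of the two ND anti-spoofing checks
# described above, run against constructed frames and hand-made binding tables.
import struct
from ipaddress import IPv6Address

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_RS, ICMPV6_RA, ICMPV6_NS, ICMPV6_NA, ICMPV6_REDIRECT = 133, 134, 135, 136, 137
OPT_SOURCE_LLA = 1  # Source Link-Layer Address option (RFC 4861)
# Offset of the option area from the start of the ICMPv6 message, per ND message type.
ND_OPTION_OFFSET = {ICMPV6_RS: 8, ICMPV6_RA: 16, ICMPV6_NS: 24, ICMPV6_NA: 24, ICMPV6_REDIRECT: 40}


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_nd(eth_src, ip6_src, icmp_type, body, option_mac=None):
    """Construct an Ethernet + IPv6 + ICMPv6 ND frame (checksum left zero; not verified here)."""
    opts = struct.pack("!BB6s", OPT_SOURCE_LLA, 1, mac(option_mac)) if option_mac else b""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body + opts
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                      IPv6Address(ip6_src).packed, IPv6Address("ff02::1").packed)
    eth = mac("33:33:00:00:00:01") + mac(eth_src) + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp


def parse_nd(frame):
    """Return (eth_src_mac, src_ipv6, icmp_type, {option_type: option_body}) or None if not ND."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != IPPROTO_ICMPV6:
        return None
    payload_len = struct.unpack("!H", ip6[4:6])[0]
    icmp = frame[54:54 + payload_len]
    icmp_type = icmp[0]
    if icmp_type not in ND_OPTION_OFFSET:
        return None
    opts, i = {}, ND_OPTION_OFFSET[icmp_type]
    while i + 2 <= len(icmp):
        opt_type, opt_len = icmp[i], icmp[i + 1]
        if opt_len == 0:          # RFC 4861: a zero-length option is malformed; stop parsing
            break
        opts[opt_type] = icmp[i + 2:i + opt_len * 8]
        i += opt_len * 8
    return frame[6:12], IPv6Address(ip6[8:24]), icmp_type, opts


def source_mac_consistent(frame):
    """Gateway feature: drop ND packets whose Ethernet source MAC differs from the
    Source Link-Layer Address option. Returns 'forward' or 'drop'."""
    parsed = parse_nd(frame)
    if parsed is None:
        return "forward"          # not an ND packet, so the check does not apply
    eth_src, _, _, opts = parsed
    slla = opts.get(OPT_SOURCE_LLA)
    if slla is not None and slla[:6] != eth_src:
        return "drop"
    return "forward"


def _lookup(table, ip):
    """Bound MAC for ip in a {ipv6_text: mac_text} table; None if absent or table unavailable."""
    if table is None:
        return None
    for bound_ip, bound_mac in table.items():
        if IPv6Address(bound_ip) == ip:
            return mac(bound_mac)
    return None


def nd_detection(frame, port_trusted, static_bindings, dhcpv6_snooping, nd_snooping):
    """Access-device feature, following the lookup order in the manual. A table passed as
    None is 'not available'. 'RR' is read here as ICMPv6 Redirect (assumption)."""
    parsed = parse_nd(frame)
    if parsed is None or port_trusted:
        return "forward"          # ND-trusted ports are not checked
    eth_src, src_ip, icmp_type, _ = parsed
    if icmp_type in (ICMPV6_RA, ICMPV6_REDIRECT):
        return "drop"             # illegal on an ND-untrusted port regardless of bindings
    # Step 1: IP source guard static bindings, keyed by source IPv6, checked against Ethernet source MAC.
    bound = _lookup(static_bindings, src_ip)
    if bound is not None:
        return "forward" if bound == eth_src else "drop"
    # Step 2: DHCPv6 snooping and ND snooping tables; an exact match in either forwards the packet.
    if dhcpv6_snooping is None and nd_snooping is None:
        return "drop"
    for table in (dhcpv6_snooping, nd_snooping):
        if _lookup(table, src_ip) == eth_src:
            return "forward"
    return "drop"


NS_BODY = struct.pack("!I16s", 0, IPv6Address("fe80::2").packed)   # reserved + target address

if __name__ == "__main__":
    honest = build_nd("00:11:22:33:44:55", "fe80::1", ICMPV6_NS, NS_BODY, option_mac="00:11:22:33:44:55")
    forged = build_nd("00:11:22:33:44:55", "fe80::1", ICMPV6_NS, NS_BODY, option_mac="aa:bb:cc:dd:ee:ff")
    print("mac-check:", source_mac_consistent(honest), source_mac_consistent(forged))
    print("nd detection:", nd_detection(honest, False, {"fe80::1": "00:11:22:33:44:55"}, {}, {}))
```

Note that the two checks look at different fields: ND detection compares the Ethernet source MAC with the binding tables and never inspects the link-layer option, so a frame whose option is forged but whose Ethernet source MAC matches a binding passes ND detection and is only caught by the source MAC consistency check on the gateway. That is why the manual places one feature on gateways and the other on access devices.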
