Configuring Nd Snooping - HPE FlexNetwork 10500 Series Configuration Manual

Layer 3 - IP services
Step | Command | Remarks
2. Enter interface view. | interface interface-type interface-number | N/A
3. Set the number of attempts to send an NS message for DAD. | ipv6 nd dad attempts interval | The default setting is 1. When the interval argument is set to 0, DAD is disabled.

Configuring ND snooping

About ND snooping
The ND snooping feature is used in Layer 2 switching networks. It learns the source MAC addresses,
source IPv6 addresses, input interfaces, and VLANs of arriving ND messages and data packets to
build the ND snooping table. ND snooping entries can be used by ND detection and IPv6 source guard
to prevent spoofing attacks. ND detection processes the ND messages received on ND trusted and
untrusted interfaces as follows:
- ND detection forwards all ND messages received on an ND trusted interface.
- ND detection compares all ND messages received on an ND untrusted interface with the ND
  snooping entries, except for RA and redirect messages.
You can use the ipv6 nd detection trust command to specify a Layer 2 Ethernet or aggregate port
as an ND trusted interface. For more information about the ipv6 nd detection trust command, see
Security Command Reference. For more information about ND detection and IPv6 source guard,
see Security Configuration Guide.
ND snooping provides device liveness tracking so that the ND snooping table can be updated in a
timely manner. After ND snooping is enabled for a VLAN, the device uses the following mechanisms
to create, update, and delete ND snooping entries. The following description uses ND messages for
illustration.
- Creating an ND snooping entry
  Upon receiving an ND message or data packet from an unknown source, the device creates an
  ND snooping entry in INVALID status and performs DAD for the source IPv6 address. The
  device sends NS messages out of the ND trusted interfaces in the receiving VLAN twice. The
  sending interval is set by the ipv6 nd snooping dad retrans-timer command.
  - If the device does not receive an NA message within the invalid entry lifetime (set by the
    ipv6 nd snooping lifetime invalid command), the entry becomes valid.
  - If the device receives an NA message within the invalid entry lifetime, it deletes this entry.
- Updating an ND snooping entry
  When the ND untrusted interface that receives an ND message is different from the interface
  recorded in the entry for that IPv6 address, the device performs DAD for the entry. It sends NS
  messages twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
  - If the device does not receive an NA message within the invalid entry lifetime, it updates the
    entry with the new receiving interface.
  - If the device receives an NA message within the invalid entry lifetime, the ND snooping entry
    remains unchanged.
- Deleting an ND snooping entry
  When an ND trusted interface in the VLAN receives an ND message from the IPv6 address
  in a learned ND snooping entry, the device performs DAD for the entry. The device sends NS
  messages twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer
  command.
  - If the device does not receive an NA message within the invalid entry lifetime, it deletes
    the entry.
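The three mechanisms above form one small state machine per IPv6 address: a DAD round is started by a trigger (unknown source, interface change on an untrusted port, or a message from a known address on a trusted port), two NS messages go out of the trusted interfaces, and the outcome depends on whether an NA arrives before the invalid entry lifetime elapses. The following Python model, added here as an illustration and not code from HPE or the FlexNetwork software, walks through all three cases with constructed timings; the interface names, addresses and the timer values (20 and 5 time units) are assumptions chosen for the example, not the device defaults.

```python
"""Constructed model of the ND snooping entry life cycle (not HPE code)."""
from dataclasses import dataclass
from typing import Optional

INVALID = "INVALID"
VALID = "VALID"


@dataclass
class Entry:
    ipv6: str
    mac: str
    interface: str
    vlan: int
    state: str = INVALID
    dad_kind: Optional[str] = None       # "create", "update" or "delete" while DAD runs
    dad_started: float = 0.0
    pending_interface: Optional[str] = None


class NdSnoopingTable:
    """ND snooping table of one VLAN with the create/update/delete DAD rules."""

    def __init__(self, trusted, invalid_lifetime, retrans_timer):
        self.trusted = set(trusted)                 # ND trusted interfaces
        self.invalid_lifetime = invalid_lifetime    # ipv6 nd snooping lifetime invalid
        self.retrans_timer = retrans_timer          # ipv6 nd snooping dad retrans-timer
        self.entries = {}                           # ipv6 address -> Entry
        self.ns_sent = []                           # (time, target ipv6, out interface)

    def _start_dad(self, entry, kind, now, pending_interface=None):
        entry.dad_kind = kind
        entry.dad_started = now
        entry.pending_interface = pending_interface
        # NS is sent twice out of every trusted interface, retrans_timer apart.
        for attempt in range(2):
            for iface in sorted(self.trusted):
                self.ns_sent.append((now + attempt * self.retrans_timer, entry.ipv6, iface))

    def receive(self, src_ip, src_mac, iface, vlan, now):
        """Handle an ND message or data packet from src_ip arriving on iface."""
        self.expire(now)
        entry = self.entries.get(src_ip)
        if entry is None:
            # Unknown source: create an INVALID entry and verify it with DAD.
            entry = Entry(src_ip, src_mac, iface, vlan)
            self.entries[src_ip] = entry
            self._start_dad(entry, "create", now)
            return entry
        if entry.dad_kind is not None:
            return entry                            # a DAD round is already in progress
        if iface in self.trusted:
            # Known address seen on a trusted port: check whether the entry is stale.
            self._start_dad(entry, "delete", now)
        elif iface != entry.interface:
            # Same address, different untrusted port: check before moving the entry.
            self._start_dad(entry, "update", now, pending_interface=iface)
        return entry

    def receive_na(self, target_ip, now):
        """An NA for target_ip answered the NS: the address is in use elsewhere."""
        self.expire(now)
        entry = self.entries.get(target_ip)
        if entry is None or entry.dad_kind is None:
            return                                  # no DAD round waiting for this NA
        if entry.dad_kind == "create":
            del self.entries[target_ip]             # conflicting new entry is dropped
        else:
            entry.dad_kind = None                   # update or delete is cancelled
            entry.pending_interface = None

    def expire(self, now):
        """Resolve DAD rounds whose invalid lifetime elapsed without an NA."""
        for ip, entry in list(self.entries.items()):
            if entry.dad_kind is None or now - entry.dad_started < self.invalid_lifetime:
                continue
            if entry.dad_kind == "create":
                entry.state = VALID
            elif entry.dad_kind == "update":
                entry.interface = entry.pending_interface
            else:
                del self.entries[ip]                # no reply on the trusted side: stale
                continue
            entry.dad_kind = None
            entry.pending_interface = None

    def lookup(self, ipv6):
        """Return (state, interface) for a learned address, or None."""
        entry = self.entries.get(ipv6)
        return None if entry is None else (entry.state, entry.interface)


if __name__ == "__main__":
    table = NdSnoopingTable(trusted=["GE1/0/1"], invalid_lifetime=20, retrans_timer=5)
    table.receive("2001:db8::10", "00aa.bb00.0010", "GE1/0/2", 10, now=0)
    table.expire(20)
    print(table.lookup("2001:db8::10"), table.ns_sent)
```

The model deliberately ignores new triggers while a DAD round is running for an address, so that one NA is matched against exactly one pending decision; the page does not describe what the device does in that case, so treat that part as the example's own simplification.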
