Configuring ND Snooping; Establishing the Configuration Task - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
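Figure 11-1 ND snooping enabled on the S3700 of the Layer 2 network
[Diagram not reproduced. Labels: User network, Untrusted, Switch, L2 network, Trusted, Router (ND Server), L3 network]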

11.3 Configuring ND Snooping

This section describes the basic concepts of ND snooping and the procedure for configuring ND
snooping, and provides configuration examples of ND snooping.

11.3.1 Establishing the Configuration Task

Before configuring ND snooping, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This helps you complete the
configuration task quickly and accurately.

Applicable Environment

When a bogus ND server exists on the network, it sends incorrect information, such as an
incorrect gateway address, incorrect DNS server, and incorrect IP address, to ND clients. As a
result, ND clients cannot access the destination network.

To protect the S3700 against attacks from a bogus ND server, configure ND snooping on the
S3700, configure the network-side interface as the trusted interface, and configure user-side
interfaces as untrusted interfaces. RA messages received from untrusted interfaces are
discarded.

Based on the RA messages received from the trusted interface, the S3700 establishes the prefix
management table. The prefix management table stores information about the prefixes allocated by
the ND server to the S3700, and the S3700 uses it to manage client addresses.

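The trusted/untrusted RA handling and the prefix management table described above, modelled in Python as an added example (not Huawei code or S3700 firmware). The class, function and port names are hypothetical, and the sample RAs are constructed with documentation prefixes.

```python
import ipaddress
import struct

ICMPV6_RA = 134        # Router Advertisement type (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option type

def build_ra(prefix, plen, valid=2592000, preferred=604800):
    """Build a constructed sample RA: 16-byte header plus one prefix option."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, valid, preferred, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra_prefixes(msg):
    """Return [(IPv6Network, valid_lifetime)]; raise ValueError if malformed."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        otype, olen = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(msg):
            raise ValueError("bad option length")
        if otype == OPT_PREFIX_INFO:
            if olen != 32:
                raise ValueError("bad Prefix Information length")
            valid = struct.unpack_from("!I", msg, off + 4)[0]
            addr = ipaddress.IPv6Address(msg[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, msg[off + 2]), strict=False)
            found.append((net, valid))
        off += olen
    return found

class NdSnoopingModel:
    """Toy model of the behaviour described above, not switch firmware."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.prefix_table = {}   # prefix -> (ingress port, valid lifetime)
        self.discarded = []      # ports on which an RA was dropped

    def receive_ra(self, port, msg):
        """Return True if the RA is accepted, False if discarded (untrusted port)."""
        if port not in self.trusted:
            self.discarded.append(port)
            return False
        for net, valid in parse_ra_prefixes(msg):   # ValueError if malformed
            self.prefix_table[net] = (port, valid)
        return True
```
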
According to information about prefixes in the ND snooping prefix management table, clients
automatically generate IPv6 addresses and send NS messages to detect whether the IPv6
addresses conflict. In this process, the S3700 generates the ND dynamic binding table based on
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
11 ND Snooping Configuration
