D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 12 NFPP Configuration
----  --------   -----------     -------------
*1    Gi0/1      0000.0000.0001  110
2     Gi0/2      0000.0000.2222  61
Total2 host(s)
DES-7200# show nfpp dhcpv6-guard hosts vlan 1 interface g 0/1 0000.0000.0001
If column 1 shows '*', it means "hardware failed to isolate host".
VLAN  interface  MAC address     remain-time(s)
----  --------   -----------     -------------
*1    Gi0/1      0000.0000.0001  110
Total1 host(s)
12.8 ND-guard
12.8.1 ND-guard Overview
ND, the abbreviation of "Neighbor Discovery", is responsible for address resolution, router
discovery, prefix discovery and redirection. ND uses the following 5 types of ND packets:
Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement
and Redirect. The first four are abbreviated as NS, NA, RS and RA.
ND Snooping monitors the ND packets in the network, filters illegal ND packets, and
associates each monitored IPv6 user with its interface to prevent IPv6 addresses from being
stolen. To do this, ND Snooping must send ND packets to the CPU. Because ND packets sent
at a high rate amount to an attack on the CPU, the ND-guard function limits the ND packets
sent to the CPU to the configured rate-limit.
ND-guard classifies ND packets into the following three types: 1) NS-NA: Neighbor
Solicitation and Neighbor Advertisement, used for address resolution; 2) RS: Router
Solicitation, used by the host to discover the gateway; 3) RA and Redirect: Router
Advertisement and Redirect, used to advertise the gateway and prefix, and a better
next hop.
At present, only port-based ND packet attack detection is implemented. You may configure
the rate-limit threshold and the attack threshold for ND packets.
When the ND packet rate on a port exceeds the rate-limit threshold, the excess ND packets
are dropped. When the ND packet rate on a port exceeds the attack threshold, a prompt is
shown on the CLI and TRAP packets are sent.
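
The following Python model of the per-port behaviour described above is an added example, not code from the D-Link manual or the switch firmware. The ICMPv6 type numbers come from RFC 4861; the threshold values, the one-second counting window, the separate thresholds per packet class and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict

# ICMPv6 type -> ND-guard class (type numbers per RFC 4861)
ND_CLASS = {135: "ns-na", 136: "ns-na",               # NS, NA
            133: "rs",                                # RS
            134: "ra-redirect", 137: "ra-redirect"}   # RA, Redirect

# Assumed thresholds in packets per second per port (constructed values)
THRESHOLDS = {
    "ns-na":       {"rate_limit": 3, "attack": 5},
    "rs":          {"rate_limit": 2, "attack": 4},
    "ra-redirect": {"rate_limit": 1, "attack": 2},
}

def nd_guard(packets, thresholds=THRESHOLDS):
    """packets: iterable of (timestamp_seconds, port, icmpv6_type).
    Returns (forwarded, dropped, alerts) for port-based detection."""
    counts = defaultdict(int)  # (second, port, class) -> packets seen so far
    forwarded, dropped, alerts = [], [], []
    for ts, port, icmp_type in packets:
        nd_class = ND_CLASS.get(icmp_type)
        if nd_class is None:
            continue  # not an ND packet, outside ND-guard's scope
        key = (int(ts), port, nd_class)
        counts[key] += 1
        limits = thresholds[nd_class]
        # Above the rate-limit threshold: the packet never reaches the CPU.
        if counts[key] > limits["rate_limit"]:
            dropped.append((ts, port, icmp_type))
        else:
            forwarded.append((ts, port, icmp_type))
        # First packet above the attack threshold: one alert per window
        # (stands in for the CLI prompt and the TRAP).
        if counts[key] == limits["attack"] + 1:
            alerts.append((int(ts), port, nd_class))
    return forwarded, dropped, alerts

# Constructed sample traffic
SAMPLE = (
    [(0.1 * i, "Gi0/1", 135) for i in range(8)]    # 8 NS on Gi0/1, second 0
    + [(0.2, "Gi0/2", 134), (0.5, "Gi0/2", 134)]   # 2 RA on Gi0/2, second 0
    + [(1.0, "Gi0/1", 136)]                        # 1 NA on Gi0/1, second 1
)

if __name__ == "__main__":
    fwd, drop, alerts = nd_guard(SAMPLE)
    print(len(fwd), "forwarded,", len(drop), "dropped, alerts:", alerts)
```

In the sample, Gi0/2 exceeds its rate limit without reaching the attack threshold, so its second RA is dropped silently, while the NS burst on Gi0/1 is both rate-limited and reported.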