ND detection processes the ND messages received on ND trusted and untrusted interfaces as
follows:
• ND detection forwards all ND messages received on an ND trusted interface.
• ND detection compares all ND messages received on an ND untrusted interface with the ND
snooping entries except for RA and redirect messages.
You can use the ipv6 nd detection trust command to specify a Layer 2 Ethernet or aggregate port as an ND trusted interface. For more information about the ipv6 nd detection trust command, see Security Command Reference.
ND snooping entries can be used by IPv6 source guard to prevent spoofing attacks. For more
information about IPv6 source guard, see Security Configuration Guide.
ND snooping provides device liveness tracking so that the ND snooping table can be updated in a
timely manner. After ND snooping is enabled for a VLAN, the device uses the following mechanisms
to create, update, and delete ND snooping entries. The following example uses ND messages for
illustration.
Creation of ND snooping entries
Upon receiving an ND message or data packet from an unknown source, the device creates an ND snooping entry in INVALID status and performs DAD for the source IPv6 address. The device sends NS messages out of the ND trusted interfaces in the receiving VLAN twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
• If the device does not receive an NA message within the invalid entry lifetime (set by the ipv6 nd snooping lifetime invalid command), the entry becomes valid.
• If the device receives an NA message within the invalid entry lifetime, it deletes this entry.
Updating of ND snooping entries
When the ND untrusted interface that receives an ND message is different from that in the entry for an IPv6 address, the device performs DAD for the entry. It sends NS messages twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
• If the device does not receive an NA message within the invalid entry lifetime, it updates the entry with the new receiving interface.
• If the device receives an NA message within the invalid entry lifetime, the ND snooping entry remains unchanged.
Deletion of ND snooping entries
• When an ND trusted interface in the VLAN receives an ND message from the IPv6 address in a learned ND snooping entry, it performs DAD for the entry. The device sends NS messages twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
  ◦ If the device does not receive an NA message within the invalid entry lifetime, it deletes the entry.
  ◦ If the device receives an NA message within the invalid entry lifetime, the ND snooping entry remains unchanged.
• If an ND snooping entry has no matching ND messages within the valid entry lifetime (set by the ipv6 nd snooping lifetime valid command), the entry becomes invalid. The device then performs DAD for the entry by sending NS messages out of the interface in the entry twice. The sending interval is set by the ipv6 nd snooping dad retrans-timer command.
  ◦ If the device does not receive an NA message within the invalid entry lifetime, it deletes the entry.
  ◦ If the device receives an NA message within the invalid entry lifetime, the ND snooping entry remains unchanged and becomes valid.
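The creation, update and deletion rules above form one state machine per entry; the following model, added here for illustration and not part of the device software or this guide, plays the four DAD triggers and both outcomes through it. It assumes a single VLAN, that the caller signals lifetime expiry and the DAD outcome itself, and uses the placeholder egress label "trusted-ifaces" for rounds whose egress the text does not pin to a specific interface.

```python
from dataclasses import dataclass
INVALID, VALID = "INVALID", "VALID"

@dataclass
class Entry:
    ipv6: str
    iface: str            # receiving interface recorded in the entry
    status: str = INVALID
    pending: str = ""     # DAD round in progress: CREATE, UPDATE, TRUSTED or AGED
    new_iface: str = ""   # candidate interface while an UPDATE round runs

class NDSnoopingVlan:
    def __init__(self):
        self.entries = {}   # ipv6 -> Entry, one table per VLAN
        self.sent_ns = []   # (target ipv6, egress) for every NS probe sent

    def _dad(self, e, reason, egress):
        e.pending = reason
        self.sent_ns += [(e.ipv6, egress)] * 2   # NS twice, one retrans-timer apart

    def nd_message(self, ipv6, iface, trusted):
        e = self.entries.get(ipv6)
        if e is None:               # unknown source: new INVALID entry, then DAD
            e = self.entries[ipv6] = Entry(ipv6, iface)
            self._dad(e, "CREATE", "trusted-ifaces")
        elif trusted:               # learned address seen on a trusted interface
            self._dad(e, "TRUSTED", "trusted-ifaces")
        elif iface != e.iface:      # learned address on another untrusted interface
            e.new_iface = iface
            self._dad(e, "UPDATE", "trusted-ifaces")   # egress is an assumption

    def valid_lifetime_expired(self, ipv6):
        e = self.entries[ipv6]
        e.status = INVALID
        self._dad(e, "AGED", e.iface)   # probe out of the interface in the entry

    def dad_result(self, ipv6, na_received):
        # Called when an NA arrives or when the invalid-entry lifetime runs out.
        e = self.entries[ipv6]
        reason, e.pending = e.pending, ""
        if reason == "UPDATE" and not na_received:
            e.iface, e.new_iface = e.new_iface, ""
            return "updated"
        if (reason, na_received) in {("CREATE", False), ("AGED", True)}:
            e.status = VALID            # no competing owner / host proved alive
            return "valid"
        if (reason, na_received) in {("CREATE", True), ("TRUSTED", False), ("AGED", False)}:
            del self.entries[ipv6]      # duplicate owner, or host unreachable
            return "deleted"
        return "unchanged"              # UPDATE/NA or TRUSTED/NA: old binding stands
```

Note that an NA answer has opposite meanings depending on the trigger: during creation it proves a duplicate owner and the entry is dropped, while during aging it proves the bound host is alive and the entry is revalidated.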