Overview of IPv6 network defense ND snooping and detection

Enabling the ND Snooping feature on your switches prevents ND attacks. ND Snooping does not just snoop but also detects attacks by default. ND Snooping drops invalid ND packets and, together with DIPLDv6, blocks data traffic from invalid hosts.
[Figure: ND Snooping enabled on a device]

ND Snooping provides the following:

  • Drops ND packets whose Ethernet source MAC address does not match the address carried in the ND packet's link-layer address field.

  • Drops ND packets whose source address is a global IPv6 address that does not match the ND Snooping prefix filter table.

  • Drops ND packets whose source IP address (global or link-local IPv6 address) does not match the ND Snooping binding table.

  • Drops router advertisements received on untrusted ports. This is similar to RA Guard, but RA Guard must be enabled on each port on which RAs and router redirects (RRs) are to be blocked; when ND Snooping is enabled with a trusted-port configuration, RAs and RRs are dropped on every port of the ND Snooping-enabled VLAN other than the trusted ports.

  • Dynamic IPv6 lockdown is performed for ND Snooping entries. Based on the DAD NS messages the switch receives from hosts, ND Snooping entries are programmed into the SAVI BST and into the hardware (as allowed). Data packets from invalid hosts, and transit traffic, are therefore blocked.
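The four ND checks listed above, modelled as an added Python example (not vendor code): the prefix filter, trusted-port set, binding-table layout, packet field names and drop-reason strings are all constructed for the illustration, and bindings are learned from DAD NS messages (source `::`) as the lockdown bullet describes.

```python
import ipaddress
from typing import Optional
# Constructed tables for this example (not read from a real switch).
PREFIX_FILTER = [ipaddress.ip_network("2001:db8:1::/64")]   # ND Snooping prefix filter
TRUSTED_PORTS = {24}                                          # uplink allowed to send RAs
binding_table = {}   # (IPv6 address, port) -> MAC, learned from DAD NS

def learn_from_dad(pkt) -> bool:
    """A DAD NS has source '::'; its target is the address the host is claiming."""
    if pkt["type"] == "NS" and pkt["src_ip"] == "::":
        binding_table[(pkt["target"], pkt["port"])] = pkt["eth_src"]
        return True
    return False
def validate_nd(pkt) -> Optional[str]:
    """Return None if the ND packet passes every check, else the drop reason."""
    # 1. Link-layer address option must agree with the Ethernet source MAC.
    if pkt.get("lladdr") and pkt["lladdr"].lower() != pkt["eth_src"].lower():
        return "mac-mismatch"
    # 2. RAs and redirects are only accepted on trusted ports (RA Guard behaviour).
    if pkt["type"] in ("RA", "RR") and pkt["port"] not in TRUSTED_PORTS:
        return "ra-on-untrusted-port"
    src = ipaddress.ip_address(pkt["src_ip"])
    if src.is_unspecified:      # DAD NS: nothing to validate, the entry is learned instead
        return None
    # 3. A global source must fall inside an allowed prefix.
    if not src.is_link_local and not any(src in p for p in PREFIX_FILTER):
        return "prefix-mismatch"
    # 4. Global or link-local source must be bound to this port with this MAC.
    bound_mac = binding_table.get((pkt["src_ip"], pkt["port"]))
    if bound_mac is None or bound_mac.lower() != pkt["eth_src"].lower():
        return "no-binding"
    return None

def run_demo():
    """Constructed packets: one valid, then one failing each check in turn."""
    mac1, mac2 = "00:11:22:33:44:55", "00:11:22:33:44:66"
    learn_from_dad({"type": "NS", "eth_src": mac1, "lladdr": None, "src_ip": "::",
                    "target": "2001:db8:1::10", "port": 1})
    packets = [
        {"type": "NA", "eth_src": mac1, "lladdr": mac1, "src_ip": "2001:db8:1::10", "port": 1},
        {"type": "NA", "eth_src": mac1, "lladdr": mac2, "src_ip": "2001:db8:1::10", "port": 1},
        {"type": "NS", "eth_src": mac2, "lladdr": mac2, "src_ip": "2001:db8:2::5", "port": 2},
        {"type": "NA", "eth_src": mac2, "lladdr": mac2, "src_ip": "2001:db8:1::77", "port": 2},
        {"type": "RA", "eth_src": mac2, "lladdr": mac2, "src_ip": "fe80::1", "port": 3},
    ]
    return [validate_nd(p) for p in packets]

if __name__ == "__main__":
    print(run_demo())
```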

DIPLDv6 is an existing feature that adds a static or dynamic binding based on the dsnoopv6 database. RA Guard is an existing feature that can be configured per port to block router advertisements and router redirects on that port. Together with DIPLDv6 and RA Guard, ND Snooping gives the network administrator a high level of network defense and makes the network more secure.