ND snooping

Overview

ND (Neighbor Discovery) snooping prevents ND attacks, for example a host claiming another host's MAC or IPv6 address. ND snooping drops invalid ND packets and, together with DIPLDv6 (Dynamic IP Lockdown for IPv6), blocks data traffic from hosts that have no valid binding. ND snooping is used in Layer 2 switching networks. It learns the source MAC address, source IPv6 address, ingress interface, and VLAN of incoming ND messages and data packets and uses them to build IP binding entries.
NOTE:

When DHCPv6 snooping and ND snooping are both enabled and a DHCPv6 client requests an IPv6 address, the entry is added to the DHCPv6 snooping table; DHCPv6 snooping takes priority over ND snooping for that client.

ND snooping drops an ND packet in any of the following cases:
  • The Ethernet source MAC address does not match the address carried in the ICMPv6 Target link-layer address field of the ND packet.

  • The global IPv6 address in the source address field does not match the ND snooping prefix filter table.

  • The global or link-local IPv6 address in the source address field does not match an entry in the ND snooping binding table.

ND snooping drops RA (Router Advertisement) and RR (Router Renumbering) packets on untrusted ports. RA drop is disabled by default on VLANs: ND snooping allows RA packets on trusted ports and blocks them on untrusted ports. To block RA packets on every port of a VLAN with ND snooping enabled, use nd-snooping ra-drop; with RA drop enabled, ND snooping blocks RA packets on both trusted and untrusted ports, so no device on the VLAN can advertise itself as a router.

Dynamic IPv6 lockdown is applied to ND snooping entries. When the switch receives a DAD (Duplicate Address Detection) NS from a host, ND snooping programs the entry into the IP binding table and, as resources allow, into hardware; entries are also added to the ND binding table when NA packets are received from hosts. Data packets from hosts without a binding, and transit traffic, are therefore blocked.
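The following Python model ties the three drop rules, RA drop, DAD-NS learning, IPv6 lockdown and static-entry precedence together so the order of checks can be followed on sample traffic. It is an added illustration, not the switch's own software or CLI, and the port names, MAC and IPv6 addresses and packets are constructed for the example. Three details are assumptions rather than statements of this page: the prefix filter also gates which DAD target addresses may be learned, an NA from an already-bound host refreshes the binding for its target, and lockdown is not applied to trusted ports.

```python
"""Model of the ND snooping drop rules, RA drop, DAD-NS learning and IPv6 lockdown
described above. Added illustration, not switch software; packets are inline dicts."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
Binding = namedtuple("Binding", "mac ip port vlan")

@dataclass
class NdSnooping:
    prefix_filter: list                          # permitted global prefixes
    trusted_ports: set = field(default_factory=set)
    ra_drop: bool = False                        # 'nd-snooping ra-drop' configured
    static: dict = field(default_factory=dict)   # (ip, vlan) -> Binding, configured
    dynamic: dict = field(default_factory=dict)  # (ip, vlan) -> Binding, learned

    def lookup(self, ip, vlan):
        # Static entries supersede dynamically learned ones for the same client.
        return self.static.get((ip, vlan)) or self.dynamic.get((ip, vlan))

    def prefix_ok(self, ip):
        # Link-local always passes; a global address must match the prefix filter.
        return ip in LINK_LOCAL or any(ip in p for p in self.prefix_filter)

    def learn(self, ip, pkt):
        # Add a dynamic binding unless a static entry already covers the address.
        if (ip, pkt["vlan"]) not in self.static:
            self.dynamic[(ip, pkt["vlan"])] = Binding(
                pkt["src_mac"].lower(), ip, pkt["port"], pkt["vlan"])

    def bound(self, ip, pkt):
        # True if (IP, VLAN) is bound to this packet's source MAC and ingress port.
        b = self.lookup(ip, pkt["vlan"])
        return b is not None and b.mac == pkt["src_mac"].lower() and b.port == pkt["port"]

    def check_nd(self, pkt):
        """Return (verdict, reason) for an ND message of type RS, RA, NS, NA or RR."""
        kind = pkt["type"]
        if kind == "RA" and self.ra_drop:
            return "drop", "ra-drop: RA blocked on trusted and untrusted ports"
        if kind in ("RA", "RR"):
            trusted = pkt["port"] in self.trusted_ports
            return ("permit", f"{kind} on trusted port") if trusted else ("drop", f"{kind} on untrusted port")
        # Rule 1: Ethernet source MAC must equal the ICMPv6 link-layer address option.
        lla = pkt.get("lla")
        if lla is not None and lla.lower() != pkt["src_mac"].lower():
            return "drop", "source MAC mismatches link-layer address option"
        src = ipaddress.IPv6Address(pkt["src_ip"])
        if src == ipaddress.IPv6Address("::"):
            # DAD NS: unspecified source, so learn the tentative target instead.
            # Assumption: the prefix filter also gates which targets may be learned.
            target = ipaddress.IPv6Address(pkt["target"])
            if not self.prefix_ok(target):
                return "drop", "DAD target outside prefix filter"
            self.learn(target, pkt)
            return "permit", f"DAD NS: learned {target}"
        # Rule 2: a global source address must lie inside the prefix filter.
        if not self.prefix_ok(src):
            return "drop", "global source outside prefix filter"
        # Rule 3: the source (global or link-local) must be in the binding table.
        if not self.bound(src, pkt):
            return "drop", "source not in binding table"
        if kind == "NA":  # assumption: NA from a bound host adds/refreshes its target
            self.learn(ipaddress.IPv6Address(pkt["target"]), pkt)
        return "permit", f"{kind} from bound host"

    def check_data(self, pkt):
        """Dynamic IPv6 lockdown: on untrusted ports forward only bound (MAC, IP, port)."""
        if pkt["port"] in self.trusted_ports:   # assumption: lockdown not applied there
            return "permit", "trusted port"
        if self.bound(ipaddress.IPv6Address(pkt["src_ip"]), pkt):
            return "permit", "matches binding"
        return "drop", "no binding: invalid host or transit traffic"

def run_demo():
    """Constructed traffic on VLAN 10; returns the verdict for each step in order."""
    snoop = NdSnooping([ipaddress.IPv6Network("2001:db8:10::/64")], trusted_ports={"1/1/48"})
    host = {"src_mac": "00:11:22:33:44:55", "port": "1/1/5", "vlan": 10}
    pkts = [
        dict(host, type="NS", src_ip="::", target="fe80::211:22ff:fe33:4455"),  # 1 DAD, link-local
        dict(host, type="NS", src_ip="::", target="2001:db8:10::55"),           # 2 DAD, in prefix
        dict(host, type="NS", src_ip="::", target="2001:db8:99::55"),           # 3 DAD, wrong prefix
        dict(host, type="NS", src_ip="2001:db8:10::55", target="2001:db8:10::1",
             lla="00:11:22:33:44:55"),                                          # 4 bound host
        dict(host, type="NA", src_ip="2001:db8:10::55", target="2001:db8:10::55",
             lla="de:ad:be:ef:00:01"),                                          # 5 MAC mismatch
        dict(host, type="NA", src_ip="2001:db8:10::99", target="2001:db8:10::99",
             lla="00:11:22:33:44:55"),                                          # 6 spoofed, unbound
        dict(host, type="RA", src_ip="fe80::211:22ff:fe33:4455"),              # 7 rogue RA, untrusted
        dict(type="RA", src_mac="aa:bb:cc:00:00:01", port="1/1/48", vlan=10,
             src_ip="fe80::a8bb:ccff:fe00:1"),                                  # 8 RA on trusted uplink
    ]
    verdicts = [snoop.check_nd(p)[0] for p in pkts]
    snoop.ra_drop = True
    verdicts.append(snoop.check_nd(pkts[7])[0])                                 # 9 same RA, ra-drop on
    verdicts.append(snoop.check_data(dict(host, src_ip="2001:db8:10::55"))[0])  # 10 bound data
    verdicts.append(snoop.check_data(dict(host, src_ip="2001:db8:10::99"))[0])  # 11 spoofed data
    # Static entry pins ::77 to another MAC/port; the host's DAD NS for it cannot overwrite it.
    pinned = ipaddress.IPv6Address("2001:db8:10::77")
    snoop.static[(pinned, 10)] = Binding("00:00:5e:00:53:77", pinned, "1/1/7", 10)
    snoop.check_nd(dict(host, type="NS", src_ip="::", target=str(pinned)))
    verdicts.append(snoop.check_data(dict(host, src_ip=str(pinned)))[0])        # 12 static wins
    return verdicts
```

Running `run_demo()` walks a single host through DAD, a legitimate NS, two spoofing attempts, a rogue RA, the uplink's RA with and without ra-drop, and finally data traffic with and without a binding; the last step shows that a dynamically learned entry never displaces a statically configured one for the same address.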

NOTE:

Statically-configured IP binding information supersedes any information collected dynamically by ND snooping for the same client.