Overview of ND Snooping
ND Snooping
ND snooping is a security feature of IPv6 ND (Neighbor Discovery) used in Layer 2 switching networks. The device builds the ND snooping dynamic binding table by listening to the NS (Neighbor Solicitation) packets that users send while performing DAD (Duplicate Address Detection), and records the source IPv6 address, source MAC address, VLAN, ingress port and other information of each such packet. The table is then used to block subsequent ND packets from attackers that impersonate users or the gateway.
ND Snooping trust interface/non-trust interface
ND Snooping trusted interface: an interface of this type connects to trusted IPv6 nodes. ND packets received on such an interface are forwarded normally.
ND Snooping untrusted interface: an interface of this type connects to untrusted IPv6 nodes. RA packets and Redirect packets received on such an interface are treated as illegal and dropped directly. For received NA/NS/RS packets, if the ND packet validity check is enabled on the interface or on the VLAN to which the interface belongs, the device checks the packet against the ND Snooping dynamic binding table; a packet that does not match a binding entry is treated as an illegal user packet and dropped directly. Other types of ND packet received on the interface are forwarded normally.
ND Snooping binding table
After ND snooping is configured, the device builds the ND Snooping dynamic binding table by listening to the NS packets that users send for DAD. Each entry records the requested IPv6 address, source MAC address, VLAN, ingress interface and other information carried in the DAD packet. The table is used to check NA/NS/RS packets received on untrusted interfaces against their binding entries, so that illegal NA/NS/RS packets are filtered out.
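The following simulation, added here as an illustration and not taken from any vendor's implementation, ties together the trusted/untrusted interface behaviour described above and the binding table built from DAD NS packets. ND packets are modelled as plain dicts carrying the fields a switch would extract from the frame; the port names, addresses and MAC addresses are constructed sample values, and the rule that all recorded fields (source IPv6, MAC, VLAN and ingress port) must agree with the entry is an assumption about what "matching the binding table" means.

```python
"""ND Snooping binding-table simulation (added example, not vendor code).

ND packets are modelled as plain dicts with the fields the device records
from the frame: ICMPv6 type, source IPv6, source MAC, VLAN, ingress port and,
for NS, the target address.
"""
from dataclasses import dataclass

# ICMPv6 type numbers of the ND message types (RFC 4861)
RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137
UNSPECIFIED = "::"  # source address of a DAD NS


@dataclass(frozen=True)
class Binding:
    ipv6: str
    mac: str
    vlan: int
    port: str


class NdSnooping:
    """Tracks the dynamic binding table and decides forward/drop per packet."""

    def __init__(self, trusted_ports, check_vlans):
        self.trusted = set(trusted_ports)
        self.check_vlans = set(check_vlans)  # VLANs with validity check enabled
        self.table = {}  # IPv6 address -> Binding

    def learn(self, pkt):
        """Build an entry from a DAD NS (unspecified source, tentative target)."""
        if pkt["type"] == NS and pkt["src_ip"] == UNSPECIFIED:
            b = Binding(pkt["target"], pkt["src_mac"], pkt["vlan"], pkt["port"])
            self.table[b.ipv6] = b
            return b
        return None

    def matches(self, pkt):
        # Assumption: all four recorded fields must agree with the entry
        b = self.table.get(pkt["src_ip"])
        return b is not None and (b.mac, b.vlan, b.port) == (
            pkt["src_mac"], pkt["vlan"], pkt["port"])

    def process(self, pkt):
        """Return 'forward' or 'drop' for one received ND packet."""
        if pkt["port"] in self.trusted:
            return "forward"  # trusted interface: no checks
        t = pkt["type"]
        if t in (RA, REDIRECT):
            return "drop"  # untrusted nodes may not act as routers
        if self.learn(pkt):
            return "forward"  # DAD NS populates the table
        if t in (NA, NS, RS) and pkt["vlan"] in self.check_vlans:
            return "forward" if self.matches(pkt) else "drop"
        return "forward"  # other ND types, or check not enabled on this VLAN


def nd(type_, src_ip, src_mac, vlan, port, target=None):
    return {"type": type_, "src_ip": src_ip, "src_mac": src_mac,
            "vlan": vlan, "port": port, "target": target}


def run_demo():
    """Constructed traffic: a host does DAD, then legitimate and spoofed ND."""
    sw = NdSnooping(trusted_ports={"GE0/0/24"}, check_vlans={10})
    host_ip, host_mac = "2001:db8::10", "00:11:22:33:44:55"
    packets = [
        # 1. DAD NS from the host: learned into the binding table
        nd(NS, UNSPECIFIED, host_mac, 10, "GE0/0/1", target=host_ip),
        # 2. NA from the same host and port: matches the entry
        nd(NA, host_ip, host_mac, 10, "GE0/0/1"),
        # 3. NA claiming the host's address from another MAC/port: no match
        nd(NA, host_ip, "66:77:88:99:aa:bb", 10, "GE0/0/2"),
        # 4. RA on an untrusted port: always dropped
        nd(RA, "fe80::1", "66:77:88:99:aa:bb", 10, "GE0/0/2"),
        # 5. RA on the trusted uplink: forwarded
        nd(RA, "fe80::1", "00:aa:bb:cc:dd:ee", 10, "GE0/0/24"),
        # 6. RS in a VLAN without the check: forwarded regardless of the table
        nd(RS, "fe80::abcd", "66:77:88:99:aa:bb", 20, "GE0/0/2"),
    ]
    return [sw.process(p) for p in packets], sw.table


if __name__ == "__main__":
    decisions, table = run_demo()
    for i, d in enumerate(decisions, 1):
        print(i, d)
    print(table)
```

Packet 3 is the case the feature exists for: the address was bound to one MAC and port by the host's own DAD, so a later NA for the same address from a different MAC or port fails the check and is dropped, while packet 6 shows that the check only applies where it has been enabled.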