Understanding ND Snooping

ND snooping listens on the ICMPv6-based ND packets to create the prefix management table and dynamic ND snooping binding table. The ND snooping enabled device manages IPv6 addresses of access users through the prefix management table and filters out invalid ND packets received by untrusted interfaces through the dynamic ND snooping binding table.

ICMPv6-based ND packets

ND packets are carried in ICMPv6 packets and are classified into five types:
  • Neighbor solicitation (NS): An IPv6 node (a host or network device running IPv6) sends NS packets to obtain the link-layer addresses of its neighbors and to detect neighbor reachability and duplicate addresses.
  • Neighbor advertisement (NA): An IPv6 host sends an NA packet in response to an NS packet. An IPv6 node also sends NA packets when the link-layer topology changes.
  • Router solicitation (RS): When an IPv6 node starts, it sends an RS packet to a router to request prefixes and other configuration information, and waits for the router to respond with an RA packet.
  • Router advertisement (RA): A router periodically advertises RA packets, including network configurations such as network prefix to IPv6 nodes. The router also returns RA packets as the responses to RS packets.
  • Redirect (RR): When detecting that the inbound interface and outbound interface of a packet are the same, a router sends a Redirect packet to request the IPv6 node to select a better next hop address.

ND Snooping Trusted and Untrusted Interfaces

ND snooping classifies the interfaces connecting to IPv6 nodes into trusted and untrusted interfaces. The trusted interfaces connect to trusted IPv6 nodes and untrusted interfaces connect to untrusted IPv6 nodes.
  • ND snooping trusted interface: connects to trusted IPv6 nodes. The device forwards the ND packets sent from a trusted interface, and generates a prefix management table according to the received RA packets.
  • ND snooping untrusted interface: connects to untrusted IPv6 nodes. When receiving an RA packet from an untrusted interface, the device considers the RA packet invalid and discards it. When receiving an NA, NS, or RS packet from an untrusted interface, if ND packet validity check is enabled on the interface or on the VLAN to which the interface belongs, the device checks the packet against the dynamic ND snooping binding table and discards it if it matches no entry in the table. ND packets of other types received from untrusted interfaces are forwarded directly.

Prefix Management Table

For a host that obtains an IPv6 address through stateless address autoconfiguration, the IPv6 address is generated based on the prefix in an RA packet. After ND snooping is enabled on a device, the device captures RA packets sent from the trusted interface and generates a prefix management table based on the RA packets. An entry in the prefix management table contains IPv6 address information, including the prefix, prefix length, and prefix lease. The information helps network administrators manage IPv6 addresses easily.

Dynamic ND Snooping Binding Table

A dynamic ND snooping binding entry contains the source IPv6 address, source MAC address, VLAN ID, and inbound port of a packet. A device can check NA, NS, or RS packets against the dynamic ND snooping binding table to filter bogus NA, NS, or RS packets.

Entry Creation and Update Mechanism of the Dynamic ND Snooping Binding Table

After ND snooping is configured, a device creates entries in the dynamic ND snooping binding table by checking DAD NS packets and updates entries in the dynamic ND snooping binding table by checking NS packets (DAD NS and common NS packets) or NA packets.

The device creates and updates entries in the dynamic ND snooping binding table as follows:

Scenario 1: The device receives a DAD NS packet.

The device checks whether the corresponding prefix management entry exists based on the Target Address field in the packet.

Target Address indicates the destination IP address. It can be a link-local address, site-local address, or global address, but cannot be a multicast address.

If no such entry exists, the device discards the NS packet.

If such an entry exists, the device checks whether the corresponding dynamic ND snooping binding entry exists based on the Target Address field.
  • If no such entry exists, the device creates an entry in the dynamic ND snooping binding table and forwards the packet.
  • If such an entry exists, the device checks whether the MAC address, inbound interface, and VLAN information of the DAD NS packet are the same as those in the entry.
    • If the MAC addresses, inbound interfaces, and VLAN information are the same, the device updates the IP address lease in the corresponding entry.
    • If the MAC addresses are the same but other information is different, the device deletes the original entry, creates a new entry, and forwards the packet.
    • If the MAC addresses are different, the device retains the entry and forwards the packet.

Scenario 2: The device receives a common NS packet.

The device checks whether the corresponding dynamic ND snooping binding entry exists based on the Source Address field in the packet.

If no such entry exists, the device checks whether ND packet validity check is enabled. If so, the device discards the packet. If not, the device forwards the packet.

If such an entry exists, the device checks whether the MAC address, inbound interface, and VLAN information of the NS packet are the same as those in the entry.
  • If the MAC addresses, inbound interfaces, and VLAN information are the same, the device updates the IP address lease in the corresponding entry.
  • If the MAC addresses, inbound interfaces, and VLAN information are different, the device checks whether ND packet validity check is enabled. If so, the device discards the packet. If not, the device forwards the packet.

Scenario 3: The device receives an NA packet.

The device checks whether the interface that receives the NA packet is one of the following: an interface with the dhcp snooping disable command configured, an interface with the dhcp snooping trust or nd snooping trust command configured, or an interface without the nd snooping check na enable command configured.

If so, the device forwards the NA packet.

If not, the device checks whether the corresponding dynamic ND snooping binding entry exists based on the source address and destination address of the packet.
  • If no such entry exists, the device discards the NA packet.
  • If such an entry exists, the device checks whether port information in the NA packet is the same as that in the entry.
    • If port information in the NA packet is the same as that in the entry, the device updates the user's IP address lease time in the entry.
    • If port information in the NA packet is different from that in the entry, the NA packet conflicts with the existing entry. The device then sends an NS packet to detect whether the user corresponding to the entry is still online. If the entry is within its lifetime and the device receives an NA packet from the port recorded in the entry, the user is still online and the device updates the IP address lease in the entry. If the entry is within its lifetime and the device receives no NA packet from that port, the user is considered offline; the device updates the user's IP address lease time in the entry and changes the port in the entry to the port on which the conflicting NA packet was received.

      After the device receives an NA packet conflicting with an ND snooping binding entry and user status detection is enabled, periodic user status detection is suspended.

Aging Mechanism of Dynamic ND Snooping Binding Entries

The aging mechanism of dynamic ND snooping binding entries is as follows:

The aging time of a dynamic ND snooping binding entry depends on the address lease time.
  • If the address lease expires, the matching binding entry automatically ages out.
  • Before the address lease expires, the matching binding entry may be deleted in the following situations:
    • After receiving a DAD NS packet, the device creates or updates a dynamic ND snooping binding entry. If the device receives an NA packet indicating that the IPv6 address has been used by another user, the device deletes the binding entry.
    • When a user goes offline, the device does not immediately delete the matching binding entry. If the device is enabled to automatically detect online status of users matching dynamic ND snooping binding entries, the device sends a specified number of NS packets to the user at a specified interval. If the device does not receive an NA packet from the user after sending a specified number of NS packets, the device considers the user to be offline and deletes the dynamic ND snooping binding entry corresponding to the user.
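The following is an added example, not Huawei's code, that models the binding-table logic described in Scenario 1 (DAD NS), Scenario 2 (common NS) and the lease-based aging above. It assumes a prefix management table already learned from RA packets on trusted interfaces and treats any mismatch of MAC, interface or VLAN in Scenario 2 as "different"; Scenario 3's online detection is not modelled.

```python
import ipaddress

class NdSnoopingTable:
    """Simplified dynamic ND snooping binding table (constructed model)."""

    def __init__(self, prefixes, validity_check=False, lease=300):
        # Prefix management table: assumed to have been learned from RA packets
        # received on trusted interfaces.
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.validity_check = validity_check   # "nd snooping check" style flag
        self.lease = lease                     # lease in seconds (assumed)
        self.bindings = {}                     # addr -> [mac, iface, vlan, lease]

    def _has_prefix_entry(self, addr):
        a = ipaddress.ip_address(addr)
        # Target Address must not be multicast and must match a learned prefix.
        return not a.is_multicast and any(a in p for p in self.prefixes)

    def dad_ns(self, target, mac, iface, vlan):
        """Scenario 1: DAD NS keyed on the Target Address field."""
        key = str(ipaddress.ip_address(target))
        if not self._has_prefix_entry(key):
            return "discard"                   # no prefix management entry
        entry = self.bindings.get(key)
        if entry is None:
            self.bindings[key] = [mac, iface, vlan, self.lease]
            return "create"                    # new entry, packet forwarded
        if entry[:3] == [mac, iface, vlan]:
            entry[3] = self.lease
            return "refresh"                   # same binding, lease renewed
        if entry[0] == mac:
            self.bindings[key] = [mac, iface, vlan, self.lease]
            return "replace"                   # same MAC moved port/VLAN
        return "keep"                          # different MAC: entry retained

    def ns(self, source, mac, iface, vlan):
        """Scenario 2: common NS keyed on the Source Address field."""
        key = str(ipaddress.ip_address(source))
        entry = self.bindings.get(key)
        if entry is None or entry[:3] != [mac, iface, vlan]:
            # Unknown or mismatched binding: dropped only if validity check is on.
            return "discard" if self.validity_check else "forward"
        entry[3] = self.lease
        return "forward"

    def age(self, elapsed):
        """Lease-based aging: entries whose lease has expired are removed."""
        for key, entry in list(self.bindings.items()):
            entry[3] -= elapsed
            if entry[3] <= 0:
                del self.bindings[key]
        return len(self.bindings)
```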
Copyright © Huawei Technologies Co., Ltd.