About ND attack detection
ND attack detection checks incoming ND messages for user validity to prevent spoofing attacks. It is typically configured on access devices.
ND attack detection defines the following types of interfaces:
ND trusted interface—The device directly forwards ND messages or data packets received by ND trusted interfaces. It does not perform user validity check.
ND untrusted interface—The device discards RA and redirect messages received by ND untrusted interfaces. For other types of ND messages received by the ND untrusted interfaces, the device checks the user validity.
ND attack detection compares the source IPv6 address and the source MAC address in an incoming ND message, together with the VLAN in which the message was received, against security entries maintained by other modules.
If a matching entry exists, the device considers the user legal in the receiving VLAN and forwards the message.
If no matching entry exists, the device considers the user illegal and discards the ND message.
ND attack detection uses static IPv6 source guard binding entries, ND snooping entries, and DHCPv6 snooping entries for user validity check.
Static IPv6 source guard binding entries are created by using the ipv6 source binding command. For information about IPv6 source guard, see "Configuring IP source guard." For information about DHCPv6 snooping and ND snooping, see Layer 3–IP Services Configuration Guide.
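The decision procedure above can be modeled in a few lines of code. The following Python is an added example written for this page; it is not code from the configuration guide or from the device software. The interface names, the binding entries, and the ND messages are constructed for illustration, and the entry-source labels ("static IPv6 source guard", "ND snooping", "DHCPv6 snooping") simply mirror the three sources listed above. Addresses are normalized before comparison so that 2001:0db8::0100 and 2001:db8::100 are treated as the same IPv6 address.

```python
"""Model of the ND attack detection check described in this section.

Added example, not code from the configuration guide. All names, entries
and messages below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# ICMPv6 type numbers of the five ND message types (RFC 4861).
RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137


def _norm_ip(addr):
    """Canonical IPv6 address so textual variants compare equal."""
    return ipaddress.IPv6Address(addr)


def _norm_mac(mac):
    """Lowercase, colon-separated MAC so 00-11-.. and 00:11:.. compare equal."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Binding:
    """One security entry from IPv6 source guard, ND snooping or DHCPv6 snooping."""
    ipv6: str
    mac: str
    vlan: int
    source: str  # which module created the entry (label only)


@dataclass(frozen=True)
class NDMessage:
    """The fields of a received ND message that the check looks at."""
    icmp_type: int
    src_ipv6: str
    src_mac: str
    vlan: int        # VLAN the message was received in
    interface: str   # receiving interface


def nd_attack_detection(msg, trusted_interfaces, bindings):
    """Return ("forward", reason) or ("drop", reason) for one ND message."""
    # Trusted interface: forwarded directly, no user validity check.
    if msg.interface in trusted_interfaces:
        return "forward", "ND trusted interface: forwarded without user validity check"
    # Untrusted interface: RA and redirect messages are always discarded.
    if msg.icmp_type in (RA, REDIRECT):
        return "drop", "RA/redirect received on ND untrusted interface"
    # Other ND messages: source IPv6, source MAC and VLAN must all match an entry.
    src_ip = _norm_ip(msg.src_ipv6)
    src_mac = _norm_mac(msg.src_mac)
    for b in bindings:
        if _norm_ip(b.ipv6) == src_ip and _norm_mac(b.mac) == src_mac and b.vlan == msg.vlan:
            return "forward", f"legal user in VLAN {msg.vlan} ({b.source} entry)"
    return "drop", f"illegal user: no entry for {src_ip}/{src_mac} in VLAN {msg.vlan}"


# Constructed topology: GE1/0/24 is the uplink to the router (trusted);
# every other port is an access port (untrusted).
TRUSTED = {"GE1/0/24"}
BINDINGS = [
    Binding("2001:db8:10::100", "00:11:22:33:44:55", 10, "static IPv6 source guard"),
    Binding("2001:db8:10::200", "00:11:22:33:44:66", 10, "DHCPv6 snooping"),
    Binding("2001:db8:20::300", "00:11:22:33:44:77", 20, "ND snooping"),
]
MESSAGES = [
    NDMessage(NA, "2001:db8:10::100", "00:11:22:33:44:55", 10, "GE1/0/1"),   # legal host
    NDMessage(NA, "2001:db8:10::1", "de:ad:be:ef:00:01", 10, "GE1/0/2"),     # NA spoofing the gateway
    NDMessage(NS, "2001:db8:10::200", "de:ad:be:ef:00:01", 10, "GE1/0/2"),   # known IP, wrong MAC
    NDMessage(RA, "fe80::1", "de:ad:be:ef:00:01", 10, "GE1/0/2"),            # rogue RA on access port
    NDMessage(RA, "fe80::1", "00:aa:bb:cc:dd:ee", 10, "GE1/0/24"),           # RA from trusted uplink
    NDMessage(NS, "2001:db8:20::300", "00:11:22:33:44:77", 10, "GE1/0/3"),   # entry exists, wrong VLAN
]


def run_demo():
    """Verdict for each constructed message, in order."""
    return [nd_attack_detection(m, TRUSTED, BINDINGS)[0] for m in MESSAGES]


if __name__ == "__main__":
    for m in MESSAGES:
        verdict, why = nd_attack_detection(m, TRUSTED, BINDINGS)
        print(f"{m.interface:8} type={m.icmp_type} {m.src_ipv6:18} {m.src_mac}: {verdict:7} ({why})")
```

The two cases worth noting are the last two messages: an RA is accepted only because it arrives on the trusted uplink, and an NS whose address and MAC are in the table is still dropped because the entry belongs to a different VLAN. Both match the rules stated above, and the second is the one operators most often trip over when a host is moved between VLANs without its binding entry following it.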