IPv6 Neighbor Discovery Protocol (NDP)

1. What Is NDP and Why Does IPv6 Need It?

Neighbor Discovery Protocol (NDP) is an IPv6 protocol defined in RFC 4861 that handles several functions essential to IPv6 operation on a local link. NDP uses ICMPv6 messages (Internet Control Message Protocol version 6) and completely replaces the IPv4 Address Resolution Protocol (ARP) as well as absorbing additional functions previously performed by ICMP and IGMP in IPv4 networks.

In IPv4, ARP is a separate Layer 2–3 protocol that broadcasts requests to resolve IP addresses to MAC addresses. IPv6 has no ARP. Instead, NDP performs address resolution using targeted multicast rather than broadcast — a significant efficiency improvement, especially on large segments.

Function                          | IPv4 Mechanism                                | IPv6 NDP Replacement
----------------------------------|-----------------------------------------------|-----------------------------------------------------------
Address resolution (IP → MAC)     | ARP (broadcast)                               | Neighbor Solicitation / Neighbor Advertisement (multicast)
Default gateway discovery         | Static config or DHCP option 3                | Router Advertisement (RA) — automatic, periodic
Prefix/address autoconfiguration  | DHCP                                          | Router Advertisement + SLAAC (stateless)
Duplicate address detection       | Gratuitous ARP (optional, not standardised)   | DAD via Neighbor Solicitation (mandatory in IPv6)
Router discovery                  | ICMP Router Discovery (rarely used)           | Router Solicitation / Router Advertisement
Redirect                          | ICMP Redirect                                 | NDP Redirect message (ICMPv6 Type 137)


2. NDP Message Types – Overview

NDP defines five core ICMPv6 message types. Each has a specific type number in the ICMPv6 header and a specific role in link operation.

Message                | Abbreviation | ICMPv6 Type | Sent By        | Purpose
-----------------------|--------------|-------------|----------------|------------------------------------------------------------------------
Router Solicitation    | RS           | 133         | Host (client)  | Ask routers on the link to immediately send an RA
Router Advertisement   | RA           | 134         | Router         | Announce presence, prefix(es), default gateway, flags (M/O), and MTU
Neighbor Solicitation  | NS           | 135         | Host or router | Resolve an IPv6 address to a MAC address; also used for DAD
Neighbor Advertisement | NA           | 136         | Host or router | Reply to NS — provides the MAC address; also sent unsolicited on link changes
Redirect               | -            | 137         | Router         | Inform a host of a better first-hop router for a specific destination

Exam tip: The CCNA exam focuses heavily on the four main message types — RS (133), RA (134), NS (135), and NA (136). Know their ICMPv6 type numbers, who sends them, and what address (unicast or multicast) they are sent to.

3. Solicited-Node Multicast Addresses

A key concept underpinning NDP efficiency is the solicited-node multicast address. Rather than broadcasting NS messages to all devices on the link (as IPv4 ARP does), IPv6 sends NS messages to a special multicast address that only the target device (or a very small group of devices) listens to. This drastically reduces unnecessary interrupt processing on uninvolved hosts.

3.1 How a Solicited-Node Multicast Address Is Formed

  Solicited-node multicast prefix:  FF02::1:FF00:0000/104

  Construction:
    Take the last 24 bits (6 hex digits) of the IPv6 unicast address
    Append them to the prefix FF02::1:FF00:0000/104
    (written out in full: FF02:0000:0000:0000:0000:0001:FF00:0000)

  Example:
    IPv6 unicast address:   2001:DB8:ACAD:1::A1B2:C3D4
    Last 24 bits:           B2:C3D4
    Solicited-node address: FF02::1:FFB2:C3D4

  Another example:
    IPv6 unicast address:   FE80::1  (= FE80:0000:0000:0000:0000:0000:0000:0001)
    Last 24 bits:           00:0001
    Solicited-node address: FF02::1:FF00:0001

  Every IPv6-enabled interface automatically joins the solicited-node
  multicast group for each of its unicast/anycast addresses.
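The construction above is mechanical enough to script. The following Python is an added example (not code from the original page); it uses only the standard ipaddress module, derives the solicited-node group for any unicast or anycast address, and shows which addresses on a link end up sharing one group (the "very small group of devices" mentioned above). The list of addresses in the usage block is constructed for illustration.

```python
import ipaddress

# FF02::1:FF00:0/104 - the solicited-node multicast prefix defined in RFC 4291
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(addr: str) -> str:
    """Solicited-node multicast group for an IPv6 unicast or anycast address.

    The group is the /104 prefix with the low-order 24 bits of the unicast
    address appended, so only nodes whose addresses end in the same 24 bits
    join the same group.
    """
    unicast = ipaddress.IPv6Address(addr)
    low24 = int(unicast) & 0xFFFFFF                     # last 24 bits (6 hex digits)
    group = int(SOLICITED_NODE_PREFIX.network_address) | low24
    return str(ipaddress.IPv6Address(group))            # ipaddress compresses to lowercase


def shares_group(a: str, b: str) -> bool:
    """True when two addresses would both be interrupted by the same NS."""
    return solicited_node(a) == solicited_node(b)


def ns_destinations(addresses: list[str]) -> dict[str, list[str]]:
    """Map each solicited-node group to the addresses on the link that join it,
    i.e. the interfaces an NS to that group actually wakes up."""
    groups: dict[str, list[str]] = {}
    for a in addresses:
        groups.setdefault(solicited_node(a), []).append(a)
    return groups


if __name__ == "__main__":
    for a in ["2001:DB8:ACAD:1::A1B2:C3D4", "FE80::1", "2001:DB8::1:2345"]:
        print(f"{a:30} -> {solicited_node(a)}")
    # constructed link: a router whose link-local and global addresses both end in ::1
    print(ns_destinations(["FE80::1", "2001:DB8:ACAD:1::1", "2001:DB8:ACAD:1::A"]))
```

Note that FE80::1 and 2001:DB8:ACAD:1::1 map to the same group FF02::1:FF00:1, which is why a router with both addresses joins that group once; a host whose address ends in a different 24 bits never sees the NS at all.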

3.2 Why Solicited-Node Multicast Is Better Than Broadcast

Aspect              | IPv4 ARP (Broadcast)                                    | IPv6 NS (Solicited-Node Multicast)
--------------------|---------------------------------------------------------|-------------------------------------------------------------------------------
Destination address | FF:FF:FF:FF:FF:FF — all devices interrupted             | Multicast derived from target's address — only the target is interrupted
Devices interrupted | Every device on the segment processes the ARP           | Only devices sharing the same last 24 bits — typically just one device
Scalability         | Degrades on large segments — broadcast storms possible  | Scales well — multicast traffic handled efficiently by switches with MLD snooping
VLAN flooding       | Flooded to all ports in the VLAN                        | Flooded only to ports that have joined the relevant multicast group

4. Router Solicitation (RS) and Router Advertisement (RA)

RS and RA work together to allow hosts to discover routers on the link and receive prefix, gateway, and configuration information — without requiring a DHCP server.

4.1 Router Solicitation (RS) — ICMPv6 Type 133

  RS — Sent by a HOST to ask: "Are there any routers on this link?"

  Source address:  Host's link-local address (FE80::x) or ::  (if no addr yet)
  Destination:     FF02::2  (all-routers multicast — only routers listen here)

  Flow:
  [Host boots or interface comes up]
       |
       |── RS (to FF02::2) ──────────────────────→ [All Routers on link]
       |                                                    |
       |←───────────── RA (unicast or FF02::1) ────────────|
       |
  Host receives prefix, gateway, MTU, flags — configures itself

4.2 Router Advertisement (RA) — ICMPv6 Type 134

  RA — Sent PERIODICALLY by routers (every 200 seconds default) and in
       RESPONSE to an RS

  Source address:  Router's link-local address (FE80::router)
  Destination:     FF02::1  (all-nodes multicast) or unicast to RS sender

  Key RA fields:
  ┌─────────────────────────────────────────────────────────────────────┐
  │ Router Lifetime   How long this router is valid as a default gateway│
  │                   (0 = not a default router)                        │
  │ Prefix Info       On-link prefix (e.g. 2001:DB8::/64) + L/A flags  │
  │ M flag (Managed)  1 = use DHCPv6 for addresses (stateful)          │
  │ O flag (Other)    1 = use DHCPv6 for other config (DNS, etc.)      │
  │ MTU option        Link MTU to use                                   │
  │ Hop Limit         Default hop limit for outbound packets            │
  └─────────────────────────────────────────────────────────────────────┘

  Prefix flags inside RA:
  ┌──────────────────────────────────────────────────────────────────────┐
  │ A flag (Autonomous) = 1  → Host may use SLAAC to self-configure     │
  │ L flag (On-Link)    = 1  → Prefix is directly reachable on the link │
  └──────────────────────────────────────────────────────────────────────┘

4.3 RA Flags — M, O, and A

Flag Combination | Meaning                                    | Address Assignment Method
-----------------|--------------------------------------------|-------------------------------------------------------------------------------------
M=0, O=0         | Full SLAAC — no DHCPv6 needed              | Host generates address from prefix + EUI-64 or random; gets no DNS from DHCPv6
M=0, O=1         | SLAAC for address + DHCPv6 for other info  | Address via SLAAC; DNS, domain names via stateless DHCPv6
M=1, O=1         | Full stateful DHCPv6                       | Address assigned by DHCPv6 server; all other config from DHCPv6 too
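To make the RA fields and flag bits of sections 4.2 and 4.3 concrete, here is an added Python example (not code from the original page) that serialises an ICMPv6 Router Advertisement with source link-layer, prefix-information and MTU options, then parses it back the way a host would and maps the M/O flags to the address-assignment method from the table above. The field layouts follow RFC 4861; the builder function, its default values and the MAC 00:11:22:33:44:55 are constructed for this example, and the checksum is left at zero because the IP layer computes it.

```python
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5   # RFC 4861 option type codes
FLAG_M, FLAG_O = 0x80, 0x40                          # bits in the RA flags byte
FLAG_L, FLAG_A = 0x80, 0x40                          # bits in the prefix-info flags byte


def build_ra(*, hop_limit=64, m=False, o=False, router_lifetime=1800,
             prefix="2001:db8:acad:1::/64", on_link=True, autonomous=True,
             valid=2592000, preferred=604800, mtu=1500,
             src_mac="00:11:22:33:44:55") -> bytes:
    """Serialise an RA (constructed helper; checksum left 0 for the IP layer)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    flags = (FLAG_M if m else 0) | (FLAG_O if o else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                         router_lifetime, 0, 0)
    sll = struct.pack("!BB", OPT_SRC_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    pflags = (FLAG_L if on_link else 0) | (FLAG_A if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      valid, preferred, 0) + net.network_address.packed
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return header + sll + pio + mtu_opt


def parse_ra(pkt: bytes) -> dict:
    """Decode the RA fields a host acts on; malformed option lengths are rejected."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"hop_limit": hop, "M": bool(flags & FLAG_M), "O": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "default_router": lifetime > 0,
          "reachable_time": reachable, "retrans_timer": retrans,
          "prefixes": [], "mtu": None, "src_mac": None}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]         # length is in units of 8 octets
        if olen == 0:                                # RFC 4861 4.6: length 0 is invalid, drop
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("truncated ND option")
        body = pkt[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "L": bool(pflags & FLAG_L), "A": bool(pflags & FLAG_A),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        elif otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        off = end                                    # unknown options are skipped (RFC 4861)
    return ra


def address_method(ra: dict) -> str:
    """The host behaviour selected by the M/O flags (table in section 4.3)."""
    if ra["M"]:
        return "stateful DHCPv6 for address and other config"
    if ra["O"]:
        return "SLAAC for address + stateless DHCPv6 for other info"
    return "SLAAC only, no DHCPv6"


# Constructed sample: the RA from section 8, but with O=1 (SLAAC + stateless DHCPv6)
SAMPLE_RA = build_ra(o=True)

if __name__ == "__main__":
    decoded = parse_ra(SAMPLE_RA)
    print(decoded)
    print(address_method(decoded))
```

A router lifetime of 0 decodes to default_router False: such an RA still carries prefixes for SLAAC but must not be installed as the default gateway, a detail worth checking in any RA-processing code.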

4.4 Cisco IOS — Configuring RA Behaviour

  ! ── Enable IPv6 unicast routing (required for router to send RAs) ──
  Router(config)# ipv6 unicast-routing

  ! ── Configure the interface prefix ──
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# ipv6 address 2001:DB8:ACAD:1::1/64
  Router(config-if)# no shutdown

  ! ── Stop this router sending RAs on an interface (e.g., one facing end users) ──
  ! ── Not the same as RA Guard: RA Guard is a switch feature that drops RAs from untrusted ports ──
  Router(config-if)# ipv6 nd ra suppress

  ! ── Shorten the RA interval (useful for testing; default 200 seconds) ──
  Router(config-if)# ipv6 nd ra interval 10

  ! ── Flush the neighbor cache (exec mode; forces fresh NS/NA resolution, does not trigger an RA) ──
  Router# clear ipv6 neighbors

  ! ── Set M and O flags to direct hosts to DHCPv6 ──
  Router(config-if)# ipv6 nd managed-config-flag    ! sets M=1
  Router(config-if)# ipv6 nd other-config-flag      ! sets O=1

  Verify:
  Router# show ipv6 interface GigabitEthernet0/0
  Router# debug ipv6 nd

5. Neighbor Solicitation (NS) and Neighbor Advertisement (NA)

NS and NA are the NDP messages that directly replace ARP. They resolve an IPv6 address to a MAC address and maintain the Neighbor Cache — IPv6's equivalent of the ARP table. NS is also the mechanism used for Duplicate Address Detection (DAD).

5.1 Neighbor Solicitation (NS) — ICMPv6 Type 135

  NS Use Case 1 — Address Resolution (replacing ARP):

  Host-A (2001:DB8::1, MAC AA:AA:AA:AA:AA:AA) wants to reach
  Host-B (2001:DB8::2) but does not know Host-B's MAC address.

  Source address:  Host-A's link-local: FE80::A
  Destination:     FF02::1:FF00:0002  (solicited-node multicast of Host-B)
  Target address:  2001:DB8::2  (the address being resolved)
  Message:         "Who has 2001:DB8::2? Tell me your MAC."

  ──────────────────────────────────────────────────────────────────
  NS Use Case 2 — Duplicate Address Detection (DAD):

  Host configures a new address: 2001:DB8::A
  Before using it, host sends a DAD NS to check if anyone else has it.

  Source address:  ::  (unspecified — host has not confirmed the address yet)
  Destination:     FF02::1:FF00:000A  (solicited-node multicast of the new addr)
  Target address:  2001:DB8::A
  Message:         "Is anyone using 2001:DB8::A? Reply if so."

  If no NA is received within 1 second → address is unique → host assigns it
  If an NA is received → address is DUPLICATE → host cannot use this address

5.2 Neighbor Advertisement (NA) — ICMPv6 Type 136

  NA — Sent in response to an NS (or unsolicited to announce a MAC change)

  Source address:  Target's link-local address (FE80::B)
  Destination:     Unicast back to the NS sender (solicited) OR
                   FF02::1 all-nodes (unsolicited announcement)

  NA flags:
  ┌──────────────────────────────────────────────────────────────────┐
  │ S (Solicited) = 1  → This NA is a direct response to an NS      │
  │ R (Router)    = 1  → The sender is a router                     │
  │ O (Override)  = 1  → Update the neighbor cache with this MAC    │
  └──────────────────────────────────────────────────────────────────┘

  Completing the address resolution example:

  Host-B receives the NS on its solicited-node multicast group.
  Host-B replies:
  Source:       FE80::B
  Destination:  FE80::A  (unicast directly back to Host-A)
  Content:      "2001:DB8::2 is at MAC BB:BB:BB:BB:BB:BB"
  Flags:        S=1 (solicited reply), O=1 (update your cache)

  Host-A updates its Neighbor Cache:
  2001:DB8::2 → BB:BB:BB:BB:BB:BB → REACHABLE

5.3 The Full Address Resolution Flow

  Host-A                       Switch                        Host-B
  2001:DB8::1                                              2001:DB8::2
  MAC: AA:AA:AA:AA:AA:AA                                  MAC: BB:BB:BB:BB:BB:BB
     |                            |                            |
     |── NS (ICMPv6 Type 135) ──→ |                            |
     |   Dst: FF02::1:FF00:0002   |── multicast fwd ─────────→ |
     |   Target: 2001:DB8::2      |                            |
     |   "Who has ::2? I'm ::1"   |                            |
     |                            |                            |
     |                            |←── NA (ICMPv6 Type 136) ──|
     |←─── NA unicast ────────────|   Dst: FE80::A (unicast)  |
     |   "::2 is at BB:BB:BB..."  |   "I'm BB:BB:BB:BB:BB:BB" |
     |                            |                            |
  [Neighbor Cache updated]
  2001:DB8::2 → BB:BB:BB:BB:BB:BB

6. Duplicate Address Detection (DAD)

Duplicate Address Detection (DAD) is a mandatory process that every IPv6 node must perform before assigning a unicast address to an interface — whether the address was configured manually, via SLAAC, or via DHCPv6. DAD uses NS messages with a special unspecified source address.

6.1 DAD Process — Step by Step

  Step 1:  Host generates a tentative address (e.g., via SLAAC or manual config)
           The address is marked TENTATIVE — host listens but does not use it yet

  Step 2:  Host joins the solicited-node multicast group for the tentative address

  Step 3:  Host sends a DAD NS:
           Source:      ::  (unspecified — not yet confirmed)
           Destination: FF02::1:FF[last-24-bits-of-tentative-address]
           Target:      The tentative address itself

  Step 4a: NO reply within RetransTimer (default 1 second)
           → No other device is using this address
           → Address transitions from TENTATIVE to PREFERRED
           → Host begins using the address ✓

  Step 4b: An NA is received (another device already has this address)
           → Address transitions from TENTATIVE to DUPLICATE
           → Host does NOT assign the address — manual intervention required
           → Logged: %IPV6-4-DUPLICATE: Duplicate address on interface

6.2 DAD and Link-Local Addresses

DAD is performed not just for global unicast addresses but also for link-local addresses. Since link-local addresses are derived from the MAC address (using EUI-64), duplicates are theoretically impossible — but DAD runs anyway as a safeguard. If a link-local DAD fails (extremely rare — e.g., two NICs with the same MAC), the interface cannot use IPv6 at all until the conflict is resolved.

DAD is mandatory in IPv6. There is no equivalent standard in IPv4 — Gratuitous ARP is optional and inconsistently implemented. IPv6 nodes must complete DAD before an address is considered valid, which prevents IP conflicts at the protocol level.

7. The Neighbor Cache

The Neighbor Cache is IPv6's equivalent of the ARP table. It stores resolved IPv6-to-MAC mappings for on-link neighbours and tracks the reachability state of each entry.

7.1 Neighbor Cache States

State      | Meaning
-----------|------------------------------------------------------------------------------------------------------------------------------
INCOMPLETE | An NS has been sent but no NA has been received yet — resolution in progress
REACHABLE  | The neighbour is confirmed reachable — a recent positive confirmation (NA or upper-layer traffic) was received within ReachableTime
STALE      | The reachability timer expired — the entry may still be correct but has not been recently confirmed; used until traffic needs to be sent again
DELAY      | Traffic was sent using a STALE entry — waiting a short delay for upper-layer protocol confirmation before probing with NS
PROBE      | No upper-layer confirmation received — actively sending NS probes to verify the neighbour is still reachable
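The state table describes a small state machine, and the transitions are easiest to see when driven by events. The Python below is an added example (not code from the original page) that models one node's Neighbor Cache: a lookup that triggers a multicast NS, the NA that completes resolution, timer expiry into STALE, DELAY and PROBE, and the RFC 4861 rule that an NA without the Override flag may not replace a cached MAC that differs. The timer values follow the RFC 4861 defaults (ReachableTime 30 s, as in the show ipv6 interface output later on this page; DELAY_FIRST_PROBE_TIME 5 s; RetransTimer 1 s), and NS messages are recorded in a list rather than sent.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

REACHABLE_TIME = 30.0           # seconds; "ND reachable time is 30000 milliseconds"
DELAY_FIRST_PROBE_TIME = 5.0    # RFC 4861 default
RETRANS_TIMER = 1.0             # RFC 4861 default
MAX_UNICAST_SOLICIT = 3         # NS probes before a PROBE entry is discarded
MAX_MULTICAST_SOLICIT = 3       # NS probes before an INCOMPLETE entry is discarded


def solicited_node(addr: str) -> str:
    base = int(ipaddress.IPv6Network("ff02::1:ff00:0/104").network_address)
    return str(ipaddress.IPv6Address(base | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF)))


@dataclass
class Entry:
    state: str = "INCOMPLETE"
    lladdr: Optional[str] = None
    expires: float = 0.0        # time at which the current state times out
    probes: int = 0


class NeighborCache:
    def __init__(self) -> None:
        self.entries: dict = {}
        self.sent_ns: list = []       # (target, destination) of every NS this node emitted

    def lookup(self, addr: str, now: float) -> Optional[str]:
        """Called when a packet must go to addr; returns the MAC, or None while resolving."""
        e = self.entries.get(addr)
        if e is None:
            self.entries[addr] = Entry(expires=now + RETRANS_TIMER)
            self.sent_ns.append((addr, solicited_node(addr)))     # multicast NS (section 5.1)
            return None
        if e.state == "STALE":                                    # first use of a stale entry
            e.state, e.expires = "DELAY", now + DELAY_FIRST_PROBE_TIME
        return e.lladdr

    def receive_na(self, addr: str, mac: str, *, solicited: bool, override: bool, now: float) -> None:
        """RFC 4861 7.2.5: an NA only updates an existing entry, and without O=1 it
        cannot replace a different cached MAC."""
        e = self.entries.get(addr)
        if e is None:
            return                                                # no entry: ignore the NA
        if e.state == "INCOMPLETE":
            e.lladdr = mac
            e.state = "REACHABLE" if solicited else "STALE"
        elif not override and mac != e.lladdr:
            if e.state == "REACHABLE":
                e.state = "STALE"      # conflicting claim: distrust, but keep the known MAC
            return
        else:
            changed = mac != e.lladdr
            e.lladdr = mac
            if solicited:
                e.state = "REACHABLE"
            elif changed:
                e.state = "STALE"
        if e.state == "REACHABLE":
            e.expires = now + REACHABLE_TIME

    def confirm(self, addr: str, now: float) -> None:
        """Upper-layer reachability confirmation (e.g. a TCP ACK for a sent segment)."""
        e = self.entries.get(addr)
        if e and e.lladdr:
            e.state, e.expires = "REACHABLE", now + REACHABLE_TIME

    def tick(self, now: float) -> None:
        """Advance timers: REACHABLE -> STALE, DELAY -> PROBE, PROBE/INCOMPLETE retry or discard."""
        for addr, e in list(self.entries.items()):
            if now < e.expires:
                continue
            if e.state == "REACHABLE":
                e.state = "STALE"
            elif e.state == "DELAY":
                e.state, e.probes = "PROBE", 0
                self.sent_ns.append((addr, addr))                 # unicast NS to the cached neighbour
                e.expires = now + RETRANS_TIMER
            elif e.state in ("PROBE", "INCOMPLETE"):
                limit = MAX_UNICAST_SOLICIT if e.state == "PROBE" else MAX_MULTICAST_SOLICIT
                e.probes += 1
                if e.probes >= limit:
                    del self.entries[addr]                        # neighbour unreachable: drop it
                else:
                    dst = addr if e.state == "PROBE" else solicited_node(addr)
                    self.sent_ns.append((addr, dst))
                    e.expires = now + RETRANS_TIMER
```

The receive_na branch that refuses a different MAC without O=1 is the protocol's own (weak) defence against unsolicited NAs; it is why the cache-poisoning attack described in section 9 relies on setting the Override flag.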

7.2 Viewing and Clearing the Neighbor Cache

  ! ── View the neighbor cache (equivalent of "show arp" in IPv4) ──
  Router# show ipv6 neighbors

  Sample output:
  IPv6 Address                            Age  Link-layer Addr  State  Interface
  2001:DB8:ACAD:1::A                        0  aaaa.aaaa.aaaa   REACH  Gi0/0
  FE80::A                                   5  aaaa.aaaa.aaaa   STALE  Gi0/0
  2001:DB8:ACAD:1::B                       12  bbbb.bbbb.bbbb   DELAY  Gi0/0

  ! ── Clear all neighbor cache entries ──
  Router# clear ipv6 neighbors

  ! ── Clear a specific entry ──
  Router# clear ipv6 neighbors 2001:DB8:ACAD:1::A

  ! ── View on a host (Windows) ──
  C:\> netsh interface ipv6 show neighbors
  C:\> netsh interface ipv6 show neighbors interface="Ethernet"

8. NDP and SLAAC – How They Work Together

Stateless Address Autoconfiguration (SLAAC) is the IPv6 mechanism by which a host can automatically configure a global unicast address without a DHCP server. NDP — specifically the RA message — is the engine that delivers the prefix information SLAAC needs. The two are inseparable in operation.

  SLAAC Full Process (M=0, O=0 — pure SLAAC):

  Step 1:  Host interface comes up
           Host generates a link-local address: FE80::[EUI-64 or random]
           DAD NS sent for the link-local address → no conflict → confirmed

  Step 2:  Host sends RS to FF02::2 (all-routers)
           "Is there a router? I need prefix information."

  Step 3:  Router replies with RA to FF02::1 (all-nodes)
           RA contains:
             Prefix: 2001:DB8:ACAD:1::/64  (A flag = 1 → use for SLAAC)
             Router lifetime: 1800 seconds  (I am your default gateway)
             M=0, O=0

  Step 4:  Host creates a global unicast address:
           Prefix from RA:  2001:DB8:ACAD:1::   (/64)
           Interface ID:    Derived from MAC (EUI-64) or random (RFC 7217)
           Example result:  2001:DB8:ACAD:1:AA:AAFF:FEAA:AAAA

  Step 5:  DAD NS sent for the new global unicast address
           No conflict → address is PREFERRED → assigned to interface

  Step 6:  Default gateway = source of the RA (the router's link-local: FE80::1)
           Host is fully configured: address, prefix, default gateway ✓

  ─────────────────────────────────────────────────────────────────────
  Summary: NDP provides the RA → SLAAC uses the prefix → NDP validates
           via DAD → host is operational — no DHCP server required
  ─────────────────────────────────────────────────────────────────────
Default gateway in IPv6: Unlike IPv4 where the default gateway is an IP address in the same subnet, in IPv6 the default gateway stored by SLAAC clients is the router's link-local address (FE80::x) — taken directly from the source address of the RA. This is always a link-local address, not the global unicast address of the router.
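The six SLAAC steps above, together with the DAD procedure of section 6.1, can be run end to end in a few dozen lines. The Python below is an added example (not code from the original page): it derives the EUI-64 interface ID from a MAC, builds the link-local and global addresses, simulates DAD against a constructed set of addresses already present on the link, and records the RA's link-local source as the default gateway. Note the universal/local bit flip in EUI-64 (RFC 4291): for MAC AA:AA:AA:AA:AA:AA the interface ID is A8AA:AAFF:FEAA:AAAA, because the first octet's 0x02 bit is inverted. The router MAC, the second host and the LINK table are constructed for this example.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): split the MAC in half, insert FF:FE,
    and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix from the RA (A flag set) + EUI-64 interface ID = global unicast address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def solicited_node(addr: str) -> str:
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24))


def run_dad(tentative: str, link_nodes: dict) -> str:
    """Simulated DAD: the NS goes from :: to the tentative address's solicited-node
    group; a node listening on that group that owns the target answers with an NA.
    link_nodes maps MAC -> set of addresses that node has already assigned."""
    target = ipaddress.IPv6Address(tentative)
    group = solicited_node(tentative)
    for owned in link_nodes.values():
        listens = any(solicited_node(a) == group for a in owned)   # would it even see the NS?
        if listens and any(ipaddress.IPv6Address(a) == target for a in owned):
            return "DUPLICATE"
    return "PREFERRED"


def autoconfigure(mac: str, ra_source: str, ra_prefix: str, link_nodes: dict) -> dict:
    """Steps 1-6 of the SLAAC process for one host; a failed DAD leaves that address unassigned."""
    iid = eui64_interface_id(mac)
    link_local = str(ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | iid))
    result = {"link_local": None, "global": None, "default_gateway": None, "states": {}}
    result["states"][link_local] = run_dad(link_local, link_nodes)        # step 1
    if result["states"][link_local] != "PREFERRED":
        return result                 # no usable link-local: IPv6 stays down on this interface
    result["link_local"] = link_local
    gua = slaac_address(ra_prefix, mac)                                    # steps 2-4
    result["states"][gua] = run_dad(gua, link_nodes)                       # step 5
    if result["states"][gua] == "PREFERRED":
        result["global"] = gua
    result["default_gateway"] = ra_source   # step 6: the RA's link-local source, never its global address
    return result


# Constructed link: the router from the steps above plus one host that is already configured
LINK = {
    "00:11:22:33:44:55": {"fe80::1", "2001:db8:acad:1::1"},
    "bb:bb:bb:bb:bb:bb": {"fe80::b9bb:bbff:febb:bbbb", "2001:db8:acad:1:b9bb:bbff:febb:bbbb"},
}

if __name__ == "__main__":
    print(autoconfigure("AA:AA:AA:AA:AA:AA", "fe80::1", "2001:db8:acad:1::/64", LINK))
    # a second NIC with the same MAC as the existing host fails DAD on its link-local address
    print(autoconfigure("BB:BB:BB:BB:BB:BB", "fe80::1", "2001:db8:acad:1::/64", LINK))
```

The second call in the usage block reproduces the link-local DAD failure described in section 6.2: the duplicate MAC produces a duplicate link-local address, DAD fails, and the host never gets as far as the global address.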

9. NDP Security – Threats and Mitigations

Because NDP messages are sent without authentication by default, they are vulnerable to several attacks. Understanding these threats and their mitigations is tested on the CCNA exam.

Attack                     | How It Works                                                                                                                                                          | Mitigation
---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Rogue RA                   | An attacker sends fake RA messages advertising itself as the default gateway — all hosts on the link send their traffic through the attacker (man-in-the-middle)       | RA Guard policy on switches — drops RA messages arriving on untrusted (access) ports. ipv6 nd ra suppress on a router interface only stops that router's own RAs; it does not filter RAs from other devices
Neighbor Cache Poisoning   | An attacker sends unsolicited NA messages (O=1) with a spoofed MAC, poisoning the neighbor cache of other hosts — equivalent to ARP spoofing in IPv4                     | SEND (Secure Neighbor Discovery) — RFC 3971; uses cryptographic signatures on NDP messages; complex to deploy. Also: Dynamic ND Inspection on enterprise switches
DAD DoS                    | An attacker responds to every DAD NS with a fake NA, causing all hosts to report duplicate addresses and preventing any host from configuring an IPv6 address          | RA Guard + port security; network monitoring for abnormal NA patterns
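The "network monitoring for abnormal NA patterns" in the table is easy to prototype once NDP events are available as text. The Python below is an added example (not code from the original page, and not any vendor's feature): it parses a constructed event log, one line per ICMPv6 message seen on a monitor port, and raises an alert for each of the three attacks in the table: an RA from a MAC that is not on the trusted-router list, an NA with Override set that claims a router's address from a non-router MAC, and one MAC answering DAD probes for several different tentative addresses. The log format, the trusted-router MAC 00:11:22:33:44:55, the threshold and all addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed baseline for this link: the legitimate router (FE80::1 from section 8)
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}
ROUTER_ADDRESSES = {"fe80::1", "2001:db8:acad:1::1"}
DAD_DOS_THRESHOLD = 3      # distinct DAD probes answered by one MAC before alerting

# Constructed NDP event log: one ICMPv6 message per line, key=value fields
CONSTRUCTED_EVENTS = """\
seq=1 type=RA src_mac=00:11:22:33:44:55 src=fe80::1 flags=
seq=2 type=RA src_mac=de:ad:be:ef:00:01 src=fe80::dead flags=
seq=3 type=NA src_mac=de:ad:be:ef:00:01 src=fe80::dead target=fe80::1 flags=O
seq=4 type=NS src_mac=aa:aa:aa:aa:aa:aa src=:: target=2001:db8:acad:1::a flags=
seq=5 type=NA src_mac=de:ad:be:ef:00:01 src=2001:db8:acad:1::a target=2001:db8:acad:1::a flags=O
seq=6 type=NS src_mac=cc:cc:cc:cc:cc:cc src=:: target=2001:db8:acad:1::c flags=
seq=7 type=NA src_mac=de:ad:be:ef:00:01 src=2001:db8:acad:1::c target=2001:db8:acad:1::c flags=O
seq=8 type=NS src_mac=dd:dd:dd:dd:dd:dd src=:: target=2001:db8:acad:1::d flags=
seq=9 type=NA src_mac=de:ad:be:ef:00:01 src=2001:db8:acad:1::d target=2001:db8:acad:1::d flags=O
"""

KV = re.compile(r"(\w+)=(\S*)")      # \S* so an empty flags= field still parses


def parse_event(line: str) -> dict:
    return dict(KV.findall(line))


def detect(log: str) -> list:
    """Return (seq, alert_kind, detail) tuples for the three attacks in section 9."""
    alerts = []
    pending_dad = set()                        # targets of NS probes sent from :: (DAD in progress)
    dad_answers = defaultdict(set)             # MAC -> tentative addresses it has answered for
    for line in log.splitlines():
        ev = parse_event(line)
        seq, kind, mac = int(ev["seq"]), ev["type"], ev["src_mac"]
        if kind == "RA" and mac not in TRUSTED_ROUTER_MACS:
            alerts.append((seq, "rogue_ra",
                           f"RA from unlisted router MAC {mac} ({ev['src']})"))
        elif kind == "NS" and ev["src"] == "::":
            pending_dad.add(ev["target"])
        elif kind == "NA":
            target = ev["target"]
            if (target in ROUTER_ADDRESSES and mac not in TRUSTED_ROUTER_MACS
                    and "O" in ev["flags"]):
                alerts.append((seq, "nd_cache_poisoning",
                               f"{mac} claims router address {target} with Override set"))
            if target in pending_dad:
                dad_answers[mac].add(target)
                if len(dad_answers[mac]) == DAD_DOS_THRESHOLD:   # alert once, at the threshold
                    alerts.append((seq, "dad_dos",
                                   f"{mac} answered DAD for {DAD_DOS_THRESHOLD} different tentative addresses"))
    return alerts


if __name__ == "__main__":
    for seq, kind, detail in detect(CONSTRUCTED_EVENTS):
        print(f"seq {seq}: {kind}: {detail}")
```

Two design points carry over to real tooling: the rogue-RA and poisoning checks need an explicit allowlist of router MACs (RA Guard on the switch enforces the same idea per port), and the DAD check counts distinct targets per source MAC so that a legitimate node defending its own single address never trips it.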


10. Verification Commands

Command                     | What It Shows
----------------------------|-------------------------------------------------------------------------------------------------------------
show ipv6 neighbors         | The neighbor cache — IPv6 addresses, MAC addresses, state (REACH/STALE/etc.), and interface
show ipv6 interface <intf>  | IPv6 addresses, link-local address, joined multicast groups (including solicited-node groups), ND timers
show ipv6 routers           | Default routers learned via RA — lifetime, preference, and advertised prefixes
show ipv6 interface brief   | Summary of all IPv6-enabled interfaces with addresses and state
debug ipv6 nd               | Real-time NDP events — RS, RA, NS, NA sent and received; DAD process; cache updates
clear ipv6 neighbors        | Flushes the entire neighbor cache — forces re-resolution via new NS/NA exchange
show ipv6 general-prefix    | Delegated prefixes received (relevant for DHCPv6 prefix delegation)

10.1 Sample Output – show ipv6 interface GigabitEthernet0/0

  Router# show ipv6 interface GigabitEthernet0/0
  GigabitEthernet0/0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::1
    No Virtual link-local address(es):
    Global unicast address(es):
      2001:DB8:ACAD:1::1, subnet is 2001:DB8:ACAD:1::/64
    Joined group address(es):
      FF02::1     ← all-nodes multicast
      FF02::2     ← all-routers multicast (because this is a router)
      FF02::1:FF00:0001  ← solicited-node multicast for FE80::1 and 2001:DB8:ACAD:1::1 (both end in 00:0001, so they share one group and IOS lists it once)
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds (using 33284)
    ND advertised reachable time is 0 (unspecified)
    ND advertised retransmit interval is 0 (unspecified)
    ND router advertisements are sent every 200 seconds
    ND router advertisements live for 1800 seconds
    ND advertised default router preference is Medium
    Hosts use stateless autoconfig for addresses.

11. Key Terms Quick Reference

Term                               | Definition
-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------
NDP                                | Neighbor Discovery Protocol — RFC 4861; the IPv6 protocol using ICMPv6 that replaces ARP, performs router discovery, prefix distribution, and DAD
ICMPv6                             | Internet Control Message Protocol version 6 — the transport for all NDP messages; also carries ping (echo request/reply) in IPv6
Router Solicitation (RS)           | ICMPv6 Type 133; sent by a host to FF02::2 to ask routers to send an RA immediately
Router Advertisement (RA)          | ICMPv6 Type 134; sent by routers periodically or in response to RS; carries prefix, M/O flags, lifetime, and MTU
Neighbor Solicitation (NS)         | ICMPv6 Type 135; sent to resolve an IPv6 address to a MAC; also used for DAD with source address ::
Neighbor Advertisement (NA)        | ICMPv6 Type 136; reply to NS providing the MAC address; also sent unsolicited when a MAC changes
Solicited-Node Multicast           | A link-scoped multicast address (FF02::1:FF/104 + last 24 bits of unicast) that NDP targets instead of broadcasting — limits interrupt scope to the address owner
DAD (Duplicate Address Detection)  | Mandatory IPv6 process using NS (src ::) to verify an address is unique before assigning it; transition states: TENTATIVE → PREFERRED or DUPLICATE
Neighbor Cache                     | IPv6's equivalent of the ARP table; stores IPv6-to-MAC mappings with states: INCOMPLETE, REACHABLE, STALE, DELAY, PROBE
SLAAC                              | Stateless Address Autoconfiguration — uses the prefix from RA to self-generate a global unicast address; validated by DAD
M flag                             | Managed Address Configuration flag in RA — if set (M=1), host should use stateful DHCPv6 for address assignment
O flag                             | Other Configuration flag in RA — if set (O=1), host should use stateless DHCPv6 for additional config (DNS, domain names)
RA Guard                           | A switch/router security feature that drops RA messages arriving on untrusted ports, preventing rogue RA attacks
FF02::1                            | All-nodes link-local multicast — every IPv6-enabled device on the link listens here
FF02::2                            | All-routers link-local multicast — only IPv6 routers with ipv6 unicast-routing enabled listen here

12. IPv6 NDP – Practice Quiz

1. Which IPv6 mechanism completely replaces the function of ARP from IPv4?

Correct answer is B. In IPv4, ARP uses a Layer 2 broadcast (FF:FF:FF:FF:FF:FF) to ask all devices on the segment for a MAC address. IPv6 has no ARP. Instead, NDP uses Neighbor Solicitation (ICMPv6 Type 135) sent to the target's solicited-node multicast address, and the target replies with a Neighbor Advertisement (Type 136). This achieves the same result — IP-to-MAC resolution — using targeted multicast rather than broadcast.

2. What is the ICMPv6 type number for a Router Advertisement, and to which address is it normally sent?

Correct answer is C. Router Advertisement is ICMPv6 Type 134. Routers send RAs periodically (every 200 seconds by default) to FF02::1 — the all-nodes multicast address that every IPv6 device listens to. When a host sends a Router Solicitation (Type 133) to FF02::2, the router may reply with a unicast RA directly to the soliciting host. Remember: RS = 133 (host→FF02::2), RA = 134 (router→FF02::1).

3. A host sends a Neighbor Solicitation with source address "::" (unspecified). What process is this NS performing?

Correct answer is A. An NS with source address :: is the unmistakable signature of a DAD probe. The host has generated a tentative address and must verify it is unique before using it. Since the address is only tentative (not confirmed), the host cannot use it as the source — so it uses the unspecified address (::) instead. The target field of the NS contains the tentative address being checked. If any device replies with an NA, the address is a duplicate.

4. What is the solicited-node multicast address for the IPv6 address 2001:DB8::1:2345?

Correct answer is D. The solicited-node multicast address is always formed by taking the last 24 bits (6 hex digits) of the unicast address and appending them to the prefix FF02::1:FF. The address 2001:DB8::1:2345 in full hex is 2001:0DB8:0000:0000:0000:0000:0001:2345. The last 24 bits are 01:23:45. Appended to FF02::1:FF gives FF02::1:FF01:2345. Note: option A and D state the same address — the correct solicited-node address in both cases.

5. A Cisco router interface is configured with an IPv6 address. An administrator runs show ipv6 interface Gi0/0 and sees the router has joined FF02::2. What does this indicate?

Correct answer is B. FF02::2 is the all-routers link-local multicast address. Only devices that have ipv6 unicast-routing enabled join this group — end hosts join FF02::1 (all-nodes) but not FF02::2. When a host sends a Router Solicitation to FF02::2, only routers receive and process it. This is how RS/RA works efficiently — RS is targeted only at routers, not all devices.

6. In a Router Advertisement, the M flag is set to 1 and the O flag is set to 1. What does this tell a receiving host?

Correct answer is C. The M (Managed) flag set to 1 instructs the host to use a stateful DHCPv6 server to obtain its IPv6 address — SLAAC is not used for address assignment. The O (Other) flag set to 1 instructs the host to also use DHCPv6 for other configuration parameters such as DNS server addresses. M=1/O=1 together = full stateful DHCPv6 operation, equivalent to the standard DHCP model in IPv4.

7. What is the primary advantage of using solicited-node multicast in NDP compared to the broadcast used by IPv4 ARP?

Correct answer is A. In IPv4, every ARP request is a Layer 2 broadcast — every device on the VLAN receives and must process it, regardless of whether it is the target. On a segment with 1,000 hosts, all 1,000 are interrupted by every ARP. IPv6 NS is sent to the target's solicited-node multicast address — only devices that have joined that group (typically just one) process the message. This is a fundamental scalability improvement of IPv6 over IPv4 on large segments.

8. A host configures IPv6 address 2001:DB8::10 via SLAAC. Before it can use the address, what must happen?

Correct answer is D. DAD is mandatory in IPv6 for every unicast address before it can be used, regardless of how the address was obtained (SLAAC, DHCPv6, or manual). The host marks the address TENTATIVE, sends a DAD NS with source :: targeting the solicited-node multicast of the new address, and waits one retransmission interval. If no NA is received, the address is confirmed unique and transitions to PREFERRED. IPv4 has no mandatory equivalent — Gratuitous ARP is optional and not universally implemented.

9. Which neighbor cache state indicates that a neighbour's reachability timer has expired and the entry has not been recently confirmed, but the cached MAC address may still be correct?

Correct answer is B. STALE means the entry exists in the neighbor cache but its ReachableTime has expired — the switch or host has not received a recent confirmation that this neighbour is still at the recorded MAC. A STALE entry is still used to forward traffic (the MAC may still be correct), but the next packet sent triggers the DELAY state, then PROBE (where an NS is actually sent to verify). INCOMPLETE = resolution in progress; PROBE = actively sending NS to check; DUPLICATE = DAD failed.

10. An attacker on a local segment sends continuous unsolicited Neighbor Advertisement messages with the Override flag (O=1) set, advertising the router's IPv6 address with the attacker's MAC. What attack is this, and what is the recommended mitigation?

Correct answer is C. Sending unsolicited NA messages with O=1 (Override) and a spoofed MAC is the IPv6 equivalent of ARP spoofing/poisoning. The O flag instructs receiving hosts to overwrite their existing neighbor cache entry with the new MAC — so all hosts update their cache to point the router's IPv6 address to the attacker's MAC. All traffic intended for the router now flows through the attacker (man-in-the-middle). Mitigation options include Dynamic ND Inspection (similar to DAI for IPv4), SEND (RFC 3971 — cryptographic signatures on NDP messages), or physical port security to prevent unauthorised devices. Note: a rogue RA (option D) is a related but distinct attack — that involves sending fake RA messages, not NA messages.
