NDP Proxy and DAD Proxy

SUMMARY The Neighbor Discovery Protocol (NDP) proxy functionality enables packet forwarding among the hosts that are in the same subnet and are restricted from communicating directly with each other. The Duplicate Address Detection (DAD) proxy functionality enables a device to respond to DAD queries for a node that is prevented from communicating directly with other nodes in the same subnet.

Configuring NDP Proxy

The Neighbor Discovery Protocol (NDP) proxy functionality enables packet forwarding among hosts that are in the same subnet and are restricted from communicating directly with each other. This functionality is primarily used in a scenario where the proxy node needs to apply access control and intercept traffic flowing among the hosts. When you configure NDP proxy on an SRX Series device, the device sends Neighbor Discovery (ND) advertisements and responds to ND solicitation requests from devices seeking MAC addresses of IPv6 prefixes assigned to hosts inside the SRX Series device.

To configure neighbor discovery proxy on an interface:

Set ndp proxy restricted to an interface.

To disable NDP proxy for an address that is not present in neighbor cache, execute the following command:

Use the show system statistics icmp6 command to get the statistics of events such as NDP proxy requests, NDP proxy conflicts, NDP proxy duplicates, NDP proxy resolve requests and dropped NDP packets.

Configuring DAD Proxy

The Duplicate Address Detection (DAD) feature detects the usage of duplicate addresses on a local link by using Neighbor Solicitation (NS) messages. The DAD feature is intended for IPv6 addresses and functions similarly to gratuitous ARP in IPv4. The DAD proxy functionality enables an SRX Series device to respond to DAD queries for a node that is prevented from communicating directly with other nodes in the same subnet.
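The following added example (not Juniper code and not part of the original page) shows how a DAD probe differs on the wire from an ordinary address-resolution NS, which is the distinction a DAD proxy or a capture-based check has to make. It applies the Neighbor Solicitation validation rules from RFC 4861 and RFC 4862; the function names are hypothetical, build_ns produces constructed sample packets, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

NS_TYPE, OPT_SLLA = 135, 1  # ICMPv6 NS type; Source Link-Layer Address option type

def solicited_node(target):
    """Solicited-node multicast group for an address: ff02::1:ffXX:XXXX."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def build_ns(target, options=b""):
    """Constructed sample NS body: type, code, checksum (0), reserved, target, options."""
    return struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + ipaddress.IPv6Address(target).packed + options

def parse_ns(icmp6):
    """Return (target, option_types) from a raw NS body; raise ValueError if malformed."""
    if len(icmp6) < 24 or icmp6[0] != NS_TYPE or icmp6[1] != 0:
        raise ValueError("not a Neighbor Solicitation")
    opts, i = [], 24
    while i < len(icmp6):
        if i + 2 > len(icmp6) or icmp6[i + 1] == 0:
            raise ValueError("bad ND option")  # zero-length options must be rejected
        opts.append(icmp6[i])
        i += icmp6[i + 1] * 8  # option length is in units of 8 octets
    if i != len(icmp6):
        raise ValueError("truncated ND option")
    return ipaddress.IPv6Address(bytes(icmp6[8:24])), opts

def classify_ns(src, dst, hop_limit, icmp6):
    """Classify an NS as 'dad', 'resolution', or 'invalid'."""
    try:
        target, opts = parse_ns(icmp6)
    except ValueError:
        return "invalid"
    if hop_limit != 255 or target.is_multicast:
        return "invalid"  # ND packets are link-local only; target must be unicast
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if src.is_unspecified:
        # DAD probe: sent from :: to the target's solicited-node group, without SLLA
        if dst != solicited_node(target) or OPT_SLLA in opts:
            return "invalid"
        return "dad"
    return "resolution"
```
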

To configure DAD proxy on an interface:

Set dad proxy restricted to an interface.

To disable DAD proxy for an address that is not present in a neighbor cache, execute the following command:

Use the show system statistics icmp6 command to get the statistics of events such as DAD proxy requests, DAD proxy conflicts, DAD proxy duplicates, DAD proxy resolve requests and dropped DAD packets.