CCNA 200-301 | Chapter 199 of 260 | Objective 1.9

IPv6 NDP — Neighbor Discovery Protocol

IPv6 Neighbor Discovery Protocol (NDP) is the replacement for ARP, ICMP Router Discovery, and DHCP in IPv4. It is essential for IPv6 operation, handling address resolution, router discovery, duplicate address detection, and stateless address autoconfiguration (SLAAC). For the CCNA 200-301 exam (Objective 1.9), you must understand NDP message types, the NDP state machine, and how NDP interacts with SLAAC and DAD. In real networks, misconfigured NDP can cause address conflicts, routing black holes, and security vulnerabilities.

25 min read
Intermediate
Updated May 31, 2026

Apartment Building Directory and Mail System

Imagine an apartment building where every resident has a unique apartment number (IPv6 address). To deliver a physical letter, though, the mail carrier needs to know which mailbox (MAC address) belongs to that apartment number. NDP is the building's directory and announcement system. When a new resident moves in, they first call out 'Is anyone already using apartment 3B?' (Duplicate Address Detection). If nobody answers, they take the number. When a resident wants to send a letter, they first check their own address book (Neighbor Cache). If the mailbox is not in it, they page only the residents whose apartment numbers end in the same digits: 'Who has apartment 3B? Tell me your mailbox number' (Neighbor Solicitation to the solicited-node multicast group), and the resident of 3B replies directly with their mailbox number (Neighbor Advertisement). Separately, building management periodically posts a flyer in the lobby (Router Advertisement) that says 'This building's street address is X; if you want to pick your own apartment number, append it to that address' (SLAAC) and 'anything leaving the building goes through the management office' (default router). A newcomer can ask for the flyer right away instead of waiting for the next posting (Router Solicitation). If a resident hands the office a letter that a different office on the same floor would deliver faster, the office says 'next time, take it to them directly' (Redirect). Finally, residents periodically check that a mailbox they keep writing to still belongs to the same person (Neighbor Unreachability Detection): 'Are you still there?' If nobody answers after a few tries, the entry is removed from the address book. The whole system keeps letters reaching the right apartment without manual configuration.

How It Actually Works

What is NDP and Why Was It Created?

IPv6 Neighbor Discovery Protocol (NDP) is defined in RFC 4861, with SLAAC in RFC 4862. It replaces several IPv4 mechanisms: ARP (address resolution), ICMP Router Discovery and ICMP Redirect (router discovery and first-hop redirection), and the parts of DHCP that hand out the prefix and default gateway. NDP messages are ICMPv6 types 133 through 137 and never leave the local link: senders set the hop limit to 255, and receivers discard any NDP message that arrives with a lower hop limit, because a lower value proves it crossed a router. NDP operates at the network layer but relies on link-layer multicast for efficiency. It is mandatory for all IPv6 nodes, hosts and routers alike.

NDP Message Types

NDP defines five ICMPv6 message types:

Router Solicitation (RS) – Type 133: Sent by hosts to request a Router Advertisement immediately (e.g., after booting). Sent to the all-routers multicast address FF02::2.

Router Advertisement (RA) – Type 134: Sent periodically by routers (Cisco IOS default every 200 seconds) or in response to an RS. The RA header carries the default router lifetime, the current hop limit, and the M (Managed) and O (Other) flags that steer hosts toward DHCPv6; each attached Prefix Information option carries a prefix, its lifetimes, that prefix's A (Autonomous) flag for SLAAC, and its L (on-link) flag; an MTU option is optional. Sent to the all-nodes multicast address FF02::1.

Neighbor Solicitation (NS) – Type 135: Used for address resolution (similar to ARP request) and Duplicate Address Detection (DAD). Sent to the solicited-node multicast address FF02::1:FFxx:xxxx (derived from the target address) or to a unicast address for reachability probing.

Neighbor Advertisement (NA) – Type 136: Response to an NS, or sent unsolicited to announce a link-layer address change. Contains the target's link-layer address and flags (Router, Solicited, Override).

Redirect – Type 137: Used by routers to inform a host of a better first-hop router for a specific destination.

NDP Address Resolution Process

When host A wants to send an IPv6 packet to host B on the same link, it needs B's MAC address. The process:

1.

Host A checks its Neighbor Cache (equivalent to ARP cache). If no entry exists, it creates an entry in INCOMPLETE state.

2.

Host A sends an NS message to the solicited-node multicast address of host B, including its own MAC address in a Source Link-Layer Address option so that B can answer without resolving A first. The solicited-node address is FF02::1:FF00:0000/104 with the last 24 bits taken from the target's IPv6 address (e.g., for address FE80::2AA:FF:FE28:9C5A, the solicited-node address is FF02::1:FF28:9C5A). Only hosts whose addresses share those 24 bits have joined that group, so almost every other host on the link never receives the frame, unlike an IPv4 ARP broadcast.

3.

Host B receives the NS and responds with an NA message sent directly to host A's unicast address (if source address was unicast) or to all-nodes multicast (if source was unspecified). The NA includes B's MAC address and the Solicited flag set.

4.

Host A receives the NA, updates its Neighbor Cache to REACHABLE state, and stores B's MAC address. The packet can now be sent.

Duplicate Address Detection (DAD)

Before assigning an IPv6 address to an interface, a host must verify it is unique on the link. DAD uses NS and NA messages:

1.

The host sends an NS with target address equal to the tentative address, source address set to the unspecified address (::), and destination set to the solicited-node multicast address of the tentative address.

2.

If no NA (and no NS from another node for the same target) arrives within RetransTimer (default 1 second) for each DAD attempt (DupAddrDetectTransmits, default 1), the address is considered unique and is assigned. Some stacks then send an unsolicited NA to announce the new address; RFC 4862 does not require it.

3.

If an NA for the tentative address is received, the address is already in use and the host must not assign it (it logs a DAD failure and the address stays unusable). An NS for the same target with source :: means another node started DAD on the same address at the same moment; both nodes treat it as a duplicate.
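The three steps above, as an added worked example that is not code from the page or from any vendor: it builds the DAD Neighbor Solicitation as raw ICMPv6 bytes with a correct checksum over the IPv6 pseudo-header, builds the owner's reply, and applies the verdict rules, including the case where a second host starts DAD on the same address at the same moment. All addresses and MACs are constructed, and `build_ns`, `build_na`, `parse_nd` and `dad_verdict` are this example's own names. Nothing is sent on the wire.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

ND_NS, ND_NA = 135, 136


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, the low 24 bits copied from the target (RFC 4861 s2.3)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (src, dst, upper-layer length,
    next header 58) plus the ICMPv6 message. Returns 0 when the checksum field
    already present in `icmp` is correct."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(icmp), 58))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ns(src: str, target: str, src_mac: Optional[bytes] = None) -> Tuple[str, str, bytes]:
    """Return (src, dst, icmpv6) for a Neighbor Solicitation. For DAD the source is ::
    and, per RFC 4861 s4.3, no Source Link-Layer Address option may be included; for
    address resolution a unicast source plus the option (type 1) is used."""
    dst = str(solicited_node(target))
    body = struct.pack("!BBHI", ND_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src != "::":
        if src_mac is None:
            raise ValueError("address-resolution NS needs the sender's link-layer address")
        body += struct.pack("!BB", 1, 1) + src_mac   # option type 1, length 1 (8 bytes)
    csum = icmpv6_checksum(src, dst, body)
    return src, dst, body[:2] + struct.pack("!H", csum) + body[4:]


def build_na(target: str, target_mac: bytes, solicited: bool, dst: str) -> Tuple[str, str, bytes]:
    """Neighbor Advertisement from the owner of `target`. The reply to a DAD NS has
    S=0 and goes to all-nodes FF02::1, since the DAD sender has no address yet."""
    flags = (0x40000000 if solicited else 0) | 0x20000000   # S and O bits; R clear (a host)
    body = (struct.pack("!BBHI", ND_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
            + struct.pack("!BB", 2, 1) + target_mac)         # Target Link-Layer Address option
    csum = icmpv6_checksum(target, dst, body)
    return target, dst, body[:2] + struct.pack("!H", csum) + body[4:]


def parse_nd(src: str, dst: str, icmp: bytes) -> dict:
    """Decode the fields DAD needs, after verifying the checksum."""
    if icmpv6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    info = {"type": icmp[0], "src": src, "dst": dst}
    if icmp[0] in (ND_NS, ND_NA):
        info["target"] = str(ipaddress.IPv6Address(icmp[8:24]))
    if icmp[0] == ND_NA:
        info["S"] = bool(icmp[4] & 0x40)
        info["O"] = bool(icmp[4] & 0x20)
    return info


def dad_verdict(tentative: str, received: List[dict]) -> str:
    """RFC 4862 s5.4: the tentative address is a duplicate if an NA names it as target,
    or if an NS for it arrives from :: (another node is running DAD on it at the same
    time). `received` holds decoded messages seen during RetransTimer, excluding our own NS."""
    for msg in received:
        if msg.get("target") != tentative:
            continue
        if msg["type"] == ND_NA:
            return "duplicate: neighbor advertisement for tentative address"
        if msg["type"] == ND_NS and msg["src"] == "::":
            return "duplicate: another node is running DAD on the same address"
    return "unique: address can be assigned"


def demo() -> dict:
    """Run DAD for a constructed tentative link-local address in three situations."""
    tentative = "fe80::2aa:ff:fe28:9c5a"
    ns = build_ns("::", tentative)
    owner_na = build_na(tentative, bytes.fromhex("aabbccddeeff"), solicited=False, dst="ff02::1")
    other_dad = build_ns("::", tentative)                    # a second host's DAD probe
    unrelated = build_na("fe80::1", bytes.fromhex("001122334455"), solicited=True, dst="fe80::2")
    return {
        "ns_dst": ns[1],
        "ns_len": len(ns[2]),
        "owner_answers": dad_verdict(tentative, [parse_nd(*owner_na)]),
        "concurrent_dad": dad_verdict(tentative, [parse_nd(*other_dad)]),
        "silence": dad_verdict(tentative, [parse_nd(*unrelated)]),
    }
```

Note that the DAD NS is exactly 24 bytes: a host probing from :: must not include its MAC, which is why the reply cannot be unicast and goes to all-nodes instead.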

Neighbor Unreachability Detection (NUD)

NDP maintains reachability state for each neighbor. The Neighbor Cache can be in one of five states:

INCOMPLETE: Address resolution is in progress (NS sent, waiting for NA).

REACHABLE: Confirmed reachability within the last ReachableTime (default 30,000 ms).

STALE: Reachability is unknown; no confirmation within ReachableTime. Traffic can still be sent using the cached link-layer address.

DELAY: STALE entry and a packet was sent within the last DELAY_FIRST_PROBE_TIME (5 seconds). Waiting for confirmation before probing.

PROBE: DELAY timeout expired without confirmation; sending unicast NS probes every RetransTimer (default 1000 ms) until a response or maximum number of probes (default 3).

If all probes go unanswered, the entry is deleted and the next packet to that neighbor starts address resolution from scratch. NUD is driven by traffic: a STALE entry that nothing uses stays STALE, and DELAY and PROBE entries keep forwarding with the cached link-layer address until they are deleted.
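The state machine above as an added simulation, which is example code and not the page's or RFC 4861's own: a single neighbor cache entry driven by packets to send, Neighbor Advertisements received, and the passage of time. The neighbor 2001:db8::100, its MAC and the class and function names are this example's assumptions. It shows two things the list implies but does not spell out: a STALE entry still forwards traffic, and NUD deletes an entry only after DELAY_FIRST_PROBE_TIME plus three unanswered unicast probes.

```python
import enum
from typing import List, Optional, Tuple


class State(enum.Enum):
    INCOMPLETE = "INCOMPLETE"
    REACHABLE = "REACHABLE"
    STALE = "STALE"
    DELAY = "DELAY"
    PROBE = "PROBE"
    DELETED = "DELETED"   # entry removed after NUD or address resolution failed


# RFC 4861 s10 constants in seconds; Cisco IOS uses the same defaults.
REACHABLE_TIME = 30.0   # real stacks randomise this between 0.5x and 1.5x
DELAY_FIRST_PROBE_TIME = 5.0
RETRANS_TIMER = 1.0
MAX_MULTICAST_SOLICIT = 3
MAX_UNICAST_SOLICIT = 3


class NeighborEntry:
    """One neighbor cache entry, driven by send_packet(), receive_na() and tick()."""

    def __init__(self, addr: str, now: float):
        self.addr = addr
        self.lladdr: Optional[str] = None
        self.deadline: Optional[float] = None
        self.probes = 0
        self.queue: List[bytes] = []              # packets waiting for resolution
        self.log: List[Tuple[float, str]] = []
        self.state = State.INCOMPLETE
        self._send_ns(now, multicast=True)        # resolution starts with a multicast NS

    def _send_ns(self, now: float, multicast: bool) -> None:
        self.probes += 1
        self.deadline = now + RETRANS_TIMER
        self.log.append((now, "NS %s #%d" % ("multicast" if multicast else "unicast", self.probes)))

    def _set(self, now: float, state: State, deadline: Optional[float] = None) -> None:
        self.state, self.deadline = state, deadline
        self.log.append((now, state.value))

    def send_packet(self, now: float, pkt: bytes) -> str:
        """s7.3.3: STALE, DELAY and PROBE entries still forward with the cached MAC."""
        self.tick(now)
        if self.state is State.INCOMPLETE:
            self.queue.append(pkt)
            return "queued"
        if self.state is State.DELETED:
            return "dropped"
        if self.state is State.STALE:             # first use after going STALE starts NUD
            self._set(now, State.DELAY, now + DELAY_FIRST_PROBE_TIME)
        return "forwarded"

    def receive_na(self, now: float, lladdr: str, solicited: bool, override: bool) -> None:
        """s7.2.5: handling of an NA whose target is this neighbor."""
        if self.state is State.DELETED:
            return
        if self.state is State.INCOMPLETE:
            self.lladdr = lladdr
            self.queue.clear()                    # queued packets are transmitted now
            if solicited:
                self._set(now, State.REACHABLE, now + REACHABLE_TIME)
            else:
                self._set(now, State.STALE)
            return
        changed = lladdr != self.lladdr
        if changed and not override:              # conflicting MAC without O flag: not adopted
            if self.state is State.REACHABLE:
                self._set(now, State.STALE)
            return
        self.lladdr = lladdr
        if solicited:
            self._set(now, State.REACHABLE, now + REACHABLE_TIME)
        elif changed:
            self._set(now, State.STALE)

    def tick(self, now: float) -> None:
        """Apply the one timer-driven transition that is due, if any."""
        if self.deadline is None or now < self.deadline:
            return
        if self.state is State.REACHABLE:
            self._set(now, State.STALE)           # unconfirmed, but still usable
        elif self.state is State.DELAY:
            self.probes = 0
            self._set(now, State.PROBE)
            self._send_ns(now, multicast=False)
        elif self.state is State.PROBE:
            if self.probes >= MAX_UNICAST_SOLICIT:
                self._set(now, State.DELETED)
            else:
                self._send_ns(now, multicast=False)
        elif self.state is State.INCOMPLETE:
            if self.probes >= MAX_MULTICAST_SOLICIT:
                self._set(now, State.DELETED)     # queued packets get ICMPv6 address unreachable
            else:
                self._send_ns(now, multicast=True)


def run_scenario(na_during_probe: bool):
    """Resolve 2001:db8::100, let ReachableTime lapse, send traffic from STALE, then
    either lose all three unicast probes or receive an NA part-way through."""
    mac = "dd:dd:ee:ee:ff:ff"                    # constructed neighbor MAC
    e = NeighborEntry("2001:db8::100", now=0.0)
    results = [e.send_packet(0.05, b"p0")]       # still INCOMPLETE: queued
    e.receive_na(0.1, mac, solicited=True, override=True)
    e.tick(30.5)                                 # ReachableTime expired
    results.append(e.send_packet(31.0, b"p1"))   # STALE -> DELAY, packet still forwarded
    for t in range(36, 41):
        e.tick(float(t))
        if na_during_probe and t == 37:
            e.receive_na(37.5, mac, solicited=True, override=False)
    return e.state, results, e.log
```

Running `run_scenario(False)` logs REACHABLE, STALE, DELAY, PROBE and three unicast NS messages before DELETED; `run_scenario(True)` ends in REACHABLE because the NA arrived between probes.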

Router Discovery and SLAAC

Routers send periodic RAs (default every 200 seconds). RAs contain:

One or more prefix information options (Prefix, prefix length, valid lifetime, preferred lifetime, flags).

Default router information (router lifetime – default 1800 seconds).

MTU (optional).

Flags: Managed (M) – use DHCPv6 for addresses; Other (O) – use DHCPv6 for other configuration such as DNS. Both live in the RA header. The Autonomous (A) flag – use SLAAC for address assignment – is carried per prefix inside each Prefix Information option, alongside the L (on-link) flag.

Hosts process RAs to:

Build a Default Router List (reachable routers).

Build a Prefix List (on-link prefixes).

Autoconfigure IPv6 addresses using SLAAC for every prefix whose A flag is set. The host combines the prefix with its interface identifier (EUI-64 derived from the MAC, or randomly generated) to form an address; the prefix must be /64 for this to work. It then joins the solicited-node multicast group for the new address and performs DAD on it. If the M flag is set, the host also runs DHCPv6 for addresses; if only O is set, it runs DHCPv6 for configuration but not addresses.
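The RA processing and SLAAC steps above as an added worked example, which is not the page's code and not any stack's implementation, and which also performs the solicited-node derivation described under address resolution: it parses a constructed RA with Cisco-like default values, reports what the M, O and A flags tell the host to do, forms the EUI-64 address for a constructed host MAC, and derives the solicited-node group and the Ethernet MAC the host must join before DAD can run. The RA bytes, the MAC 00:1b:2c:3d:4e:5f and all function names are assumptions of this example; the ICMPv6 checksum is left unverified here.

```python
import ipaddress
import struct
from typing import List

ND_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def parse_ra(icmp: bytes) -> dict:
    """Decode an RA header and its options (RFC 4861 s4.2, s4.6).
    Checksum verification is assumed to have happened already."""
    if len(icmp) < 16 or icmp[0] != ND_RA or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", icmp[4:16])
    ra = {"hop_limit": hop, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_time_ms": reachable,
          "retrans_timer_ms": retrans, "src_lladdr": None, "mtu": None, "prefixes": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated ND option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                       # s4.6: zero-length option, discard the packet
            raise ValueError("zero-length ND option")
        opt = icmp[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR:
            ra["src_lladdr"] = opt[2:8].hex(":")
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif otype == OPT_PREFIX_INFO:
            if olen != 4:
                raise ValueError("prefix information option must be 32 bytes")
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            net = ipaddress.IPv6Network((int.from_bytes(opt[16:32], "big"), plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "L": bool(pflags & 0x80),
                                   "A": bool(pflags & 0x40), "valid": valid, "preferred": preferred})
        off += olen * 8                     # unknown option types are skipped (s4.6)
    return ra


def host_decision(ra: dict) -> dict:
    """What a host does with this RA (RFC 4861 s6.3.4, RFC 4862 s5.5.3)."""
    return {
        "add_default_router": ra["router_lifetime"] > 0,    # 0 = prefixes only, not a gateway
        "slaac": any(p["A"] for p in ra["prefixes"]),
        "dhcpv6_for_addresses": ra["M"],
        "dhcpv6_for_other_config": ra["O"] or ra["M"],       # M makes O redundant
    }


def eui64_iid(mac: bytes) -> int:
    """Modified EUI-64 interface ID: insert FF:FE after the OUI, invert the U/L bit."""
    b = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    b[0] ^= 0x02
    return int.from_bytes(b, "big")


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | (int(addr) & 0xFFFFFF))


def ethernet_group(mcast: ipaddress.IPv6Address) -> str:
    """IPv6 multicast to MAC: 33:33 plus the low 32 bits of the group (RFC 2464 s7)."""
    return "33:33:" + mcast.packed[12:].hex(":")


def slaac(ra: dict, mac: bytes) -> List[dict]:
    """One address per autonomous /64 prefix, with the group joined before DAD."""
    out = []
    for p in ra["prefixes"]:
        net = ipaddress.IPv6Network(p["prefix"])
        if not p["A"] or net.prefixlen != 64:   # RFC 4862 s5.5.3: prefix + 64-bit IID = 128 bits
            continue
        addr = ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))
        grp = solicited_node(addr)
        out.append({"address": str(addr), "solicited_node": str(grp), "l2_group": ethernet_group(grp)})
    return out


def build_sample_ra(m: bool = False, o: bool = False, a: bool = True) -> bytes:
    """Constructed RA with IOS-like defaults: hop limit 64, lifetime 1800, MTU 1500,
    prefix 2001:db8::/64 valid 2592000 s / preferred 604800 s. Checksum field left zero."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    hdr = struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, flags, 1800, 0, 0)
    lla = struct.pack("!BB", OPT_SRC_LLADDR, 1) + bytes.fromhex("aaaabbbbcccc")
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    pflags = 0x80 | (0x40 if a else 0)          # L always set, A per argument
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, pflags, 2592000, 604800, 0)
           + ipaddress.IPv6Address("2001:db8::").packed)
    return hdr + lla + mtu + pio


HOST_MAC = bytes.fromhex("001b2c3d4e5f")   # constructed host NIC address
```

For the sample RA and MAC, `slaac(parse_ra(build_sample_ra()), HOST_MAC)` yields 2001:db8::21b:2cff:fe3d:4e5f, solicited-node group ff02::1:ff3d:4e5f and Ethernet group 33:33:ff:3d:4e:5f; with `m=True, a=False` the host decision flips to DHCPv6 and no address is formed.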

IOS Verification Commands

show ipv6 neighbors – Displays the Neighbor Cache. Age is the time in minutes since the entry was last confirmed reachable; the same MAC listed under both a link-local and a global address is normal, because one neighbor owns both.

R1# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::2                                   0   aaaa.bbbb.cccc  REACH  Gi0/0
2001:DB8::2                               0   aaaa.bbbb.cccc  REACH  Gi0/0
2001:DB8::100                             5   dddd.eeee.ffff  STALE  Gi0/0

debug ipv6 nd – Enables NDP debugging (use with caution in production).

show ipv6 interface – Displays interface IPv6 status, including Neighbor Cache timeout, RA interval, and DAD attempts.

R1# show ipv6 interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8::1, subnet is 2001:DB8::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (default)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.

Interaction with Related Protocols

NDP works with ICMPv6 for error reporting (e.g., Destination Unreachable). It also interacts with DHCPv6: if the M flag is set in RA, hosts use DHCPv6 for address assignment; if O flag is set, they use DHCPv6 for other configuration (DNS, domain name). NDP is also used by Mobile IPv6 and for Secure Neighbor Discovery (SEND) using Cryptographically Generated Addresses (CGAs).

Walk-Through

1

Verify Neighbor Cache

Use `show ipv6 neighbors` to display the Neighbor Cache. Examine the State column: REACH means confirmed reachability; STALE means no recent confirmation; INCMP means resolution is in progress. An entry that stays INCMP indicates resolution failure (no NA came back for the NS). The Age column is in minutes since reachability was last confirmed, so a REACH entry normally shows 0; once ReachableTime (default 30 s) passes without confirmation the entry moves to STALE and Age keeps counting. This command is critical for diagnosing layer 2 reachability issues.

2

Check Interface NDP Configuration

Use `show ipv6 interface [interface]` to verify NDP parameters. Look for 'ND DAD is enabled' and the number of DAD attempts (default 1). Also check 'ND reachable time' (default 30000 ms) and 'ND advertised reachable time' (0 means unspecified, so hosts use base reachable time). The 'ND router advertisements are sent every X seconds' shows RA interval (default 200). If RA is disabled, hosts cannot learn default routers or prefixes via NDP. This step helps identify misconfigured RA intervals or disabled DAD.

3

Capture NDP Packets

Use a packet capture tool (e.g., Wireshark) or `debug ipv6 nd` on IOS (with caution) to observe NDP messages. Filter for ICMPv6 types 133-137. Look for NS/NA exchanges during address resolution and DAD. For DAD, the NS has source IP :: and destination is solicited-node multicast. If you see an NA response to a DAD NS, the address is duplicate. For router discovery, look for periodic RAs (type 134) from routers. This step is essential for troubleshooting NDP-related issues in a lab or production network.

4

Test Address Resolution

From a host, try to ping another host on the same link using its IPv6 address. Observe the Neighbor Cache before and after. Initially, there should be no entry. After the ping, an entry appears in REACHABLE state. If the ping fails, check if the destination host is reachable (e.g., check its Neighbor Cache). If the source has an INCOMPLETE entry, it means it sent NS but got no NA. Possible causes: destination is down, firewall blocking ICMPv6, or multicast issues. This step validates basic NDP operation.

5

Verify Router Advertisement Reception

On a host, use `ipconfig /all` (Windows) or `ip -6 addr` and `ip -6 route` (Linux; `ifconfig` on older systems) to see whether an IPv6 address was autoconfigured via SLAAC and whether a default route via the router's link-local address was learned. If not, check that the router is sending RAs. On the router, verify with `show ipv6 interface` that 'Hosts use stateless autoconfig for addresses' is displayed. If RAs are suppressed or the router has no global prefix configured, hosts get no address. Also check the A flag in the RA's Prefix Information option; if it is not set, SLAAC is disabled for that prefix. This step helps troubleshoot SLAAC failures.

6

Manually Clear Neighbor Cache

If you suspect stale entries, use `clear ipv6 neighbors [interface]` to flush the Neighbor Cache. This forces fresh resolution. After clearing, the cache will be empty, and the next communication will trigger NS/NA exchanges. This is useful when a host changes its MAC address (e.g., NIC replacement) or when troubleshooting connectivity issues that might be caused by outdated cache entries. Note that this is a disruptive action; it may cause temporary packet loss.

What This Looks Like on the Job

In enterprise networks, NDP is fundamental for IPv6 deployment. Here are three common scenarios:

1. SLAAC-based address assignment in a campus network: A network engineer enables IPv6 on access switches and configures a router to send RAs with the A flag set. Hosts autoconfigure their IPv6 addresses using SLAAC. The engineer must ensure that RA intervals are not too frequent (the 200-second default is fine for most networks) to avoid excessive multicast traffic; on a large broadcast domain with thousands of hosts, every host processes every RA, so engineers limit the number of routers sending RAs rather than shortening the interval. The security issue is that a host accepts an RA from any link-local source on the segment, with no authentication. A rogue device sending RAs, whether a misconfigured host sharing its connection or a deliberate attacker, can add a second prefix (hosts form extra addresses and lose connectivity), advertise itself as a default router (traffic for every off-link destination then flows through it, a man-in-the-middle position), or send an RA with router lifetime 0 that withdraws the real gateway. This is addressed by RA Guard on the access switch port (RFC 6105), which is outside CCNA scope but good to know.

2. Duplicate Address Detection failure causing address conflict: A server administrator reimages a server and assigns a static IPv6 address that is still in use by another server. When the new server performs DAD, it receives an NA from the existing server, logs a DAD failure, and leaves the address unassigned; the old server keeps working, so the symptom is that the new server has no usable IPv6 address. DAD prevents two hosts from both answering for the address, but it does not choose a winner or pick a new address for statically configured hosts, so the administrator must resolve the conflict by hand. On the router, show ipv6 neighbors shows which MAC is currently answering for the address, which identifies the server that still holds it.

3. Neighbor Unreachability Detection causing intermittent connectivity: A router's Neighbor Cache entry for a next-hop router becomes STALE, and NUD probes are sent when traffic resumes. If the probes are lost (e.g., due to congestion or a filter that drops ICMPv6), the entry is removed, and traffic is dropped until a new NS/NA exchange completes. This can manifest as periodic packet loss. To troubleshoot, engineers check show ipv6 neighbors for entries that cycle through PROBE and disappear. They may adjust the RetransTimer or ReachableTime, or ensure that ICMPv6 types 135 and 136 are never filtered between neighbors. In high-availability designs, a virtual gateway address (HSRP for IPv6 or VRRPv3) reduces NUD issues because the virtual MAC stays constant across a failover.
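Scenario 1 above, as an added detection example that is not from the page: RA Guard on a switch does this filtering at the port, and this script applies the same checks in monitoring logic. Each constructed record is one RA as a capture tool would already have decoded it (frame source MAC, IPv6 source and hop limit, router lifetime, prefixes). The allow-list, the four sample RAs and the names `check_ra` and `audit_sample` are all this example's own assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed allow-list for one VLAN: permitted routers keyed by source MAC, the
# link-local address each must send from, and the prefixes they may announce.
LEGIT_ROUTERS: Dict[str, str] = {"aa:aa:bb:bb:cc:cc": "fe80::1"}
LEGIT_PREFIXES = {"2001:db8::/64"}
LEGIT_LLAS = set(LEGIT_ROUTERS.values())


def check_ra(ra: dict) -> List[str]:
    """Policy findings for one decoded RA; an empty list means it passed."""
    findings: List[str] = []
    # RFC 4861 s6.1.2: an RA must arrive with hop limit 255 from a link-local
    # source; anything else was forwarded or forged and must be discarded.
    if ra["hop_limit"] != 255:
        findings.append("hop limit %d is not 255" % ra["hop_limit"])
    if not ipaddress.IPv6Address(ra["src_ip"]).is_link_local:
        findings.append("source %s is not link-local" % ra["src_ip"])
    if ra["src_mac"] not in LEGIT_ROUTERS:
        findings.append("rogue router: unknown source MAC %s" % ra["src_mac"])
        if ra["src_ip"] in LEGIT_LLAS:      # impersonating the real gateway's address
            findings.append("spoof: %s claims gateway address %s" % (ra["src_mac"], ra["src_ip"]))
    elif LEGIT_ROUTERS[ra["src_mac"]] != ra["src_ip"]:
        findings.append("router %s advertising from unexpected address %s" % (ra["src_mac"], ra["src_ip"]))
    for prefix in ra["prefixes"]:
        if prefix not in LEGIT_PREFIXES:
            findings.append("unauthorised prefix %s" % prefix)
    if ra["router_lifetime"] == 0 and ra["src_ip"] in LEGIT_LLAS:
        findings.append("lifetime 0 withdraws default router %s" % ra["src_ip"])   # gateway removal
    return findings


SAMPLE_RAS = [  # constructed capture records, one decoded RA each
    {"tag": "legit", "src_mac": "aa:aa:bb:bb:cc:cc", "src_ip": "fe80::1", "hop_limit": 255,
     "router_lifetime": 1800, "prefixes": ["2001:db8::/64"]},
    {"tag": "rogue", "src_mac": "00:0c:29:ab:cd:ef", "src_ip": "fe80::c0ff:ee", "hop_limit": 255,
     "router_lifetime": 9000, "prefixes": ["2001:db8:bad::/64"]},
    {"tag": "spoof", "src_mac": "00:0c:29:ab:cd:ef", "src_ip": "fe80::1", "hop_limit": 255,
     "router_lifetime": 0, "prefixes": []},
    {"tag": "forwarded", "src_mac": "aa:aa:bb:bb:cc:cc", "src_ip": "fe80::1", "hop_limit": 64,
     "router_lifetime": 1800, "prefixes": ["2001:db8::/64"]},
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the checks over the constructed records, keyed by their tag."""
    return {ra["tag"]: check_ra(ra) for ra in SAMPLE_RAS}
```

The "spoof" record is the gateway-removal case: an unknown MAC sending from the real router's link-local address with lifetime 0, which hosts would otherwise honour by dropping their default route.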

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam (Objective 1.9) tests your understanding of IPv6 NDP concepts, message types, and states. Here is what you need to know:

1. Exam focus: You must be able to identify NDP message types (RS, RA, NS, NA, Redirect) and their purposes. Know the ICMPv6 type numbers (133-137). Understand the Neighbor Cache states (INCOMPLETE, REACHABLE, STALE, DELAY, PROBE) and the transitions. Be familiar with DAD process and SLAAC flags (A, M, O).

2. Common wrong answers: - Confusing NS/NA with RS/RA: NS/NA are for address resolution; RS/RA are for router discovery and prefix assignment. - Thinking NDP uses broadcast: It uses multicast (solicited-node, all-nodes, all-routers). - Believing DAD is optional: It is mandatory for all unicast addresses (including link-local). - Confusing ReachableTime with Router Lifetime: ReachableTime is for Neighbor Cache (default 30s); Router Lifetime is for default router (default 1800s).

3. Specific values: ReachableTime default 30,000 ms; RetransTimer default 1000 ms; Router Advertisement interval default 200 seconds; Router Lifetime 1800 seconds; DAD attempts default 1; DELAY_FIRST_PROBE_TIME 5 seconds.

4. Trap: The exam may show a show ipv6 neighbors output with an entry in STALE state and ask if the entry is usable. The correct answer is yes – STALE entries are still used for forwarding; the entry is simply not confirmed recently. Another trap: they might ask the purpose of the solicited-node multicast address – it reduces multicast scope compared to broadcast.

5. Decision rule: For scenario questions asking which NDP message is used, remember: to resolve a neighbor's MAC address → NS/NA; to find a router → RS/RA; to check for duplicate address → DAD (NS with unspecified source); to inform of a better router → Redirect. For state machine questions, remember the sequence: INCOMPLETE → REACHABLE → STALE → DELAY → PROBE → (remove or back to REACHABLE).

Key Takeaways

NDP uses five ICMPv6 message types: RS (133), RA (134), NS (135), NA (136), Redirect (137).

Neighbor Cache states: INCOMPLETE, REACHABLE, STALE, DELAY, PROBE.

Default ReachableTime is 30,000 ms; RetransTimer is 1,000 ms; RA interval is 200 seconds; Router Lifetime is 1,800 seconds.

DAD is mandatory for all unicast addresses; uses NS with source :: to solicited-node multicast.

Solicited-node multicast address is FF02::1:FF00:0000/104 with last 24 bits from target address.

SLAAC uses the A flag in RA; M flag forces DHCPv6 for addresses; O flag forces DHCPv6 for other config.

`show ipv6 neighbors` displays the Neighbor Cache; `show ipv6 interface` shows NDP parameters.

NDP replaces ARP, ICMP Router Discovery, and parts of DHCP in IPv4.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IPv4 ARP

Uses broadcast (FF:FF:FF:FF:FF:FF).

Single message pair: Request/Reply.

No built-in reachability confirmation.

No Duplicate Address Detection (uses Gratuitous ARP optionally).

Operates at the Layer 2/3 boundary, carried directly in Ethernet frames (EtherType 0x0806).

IPv6 NDP

Uses multicast (solicited-node).

Five message types (RS, RA, NS, NA, Redirect).

Neighbor Unreachability Detection (NUD) with state machine.

Mandatory Duplicate Address Detection (DAD) for all unicast addresses unless explicitly disabled.

Operates as ICMPv6 (Layer 3) with type 135/136.

Watch Out for These

Mistake

NDP uses broadcast like ARP in IPv4.

Correct

NDP uses multicast: solicited-node multicast for NS (not broadcast) and all-nodes multicast for RA. This reduces processing on hosts not interested.

Candidates assume IPv6 continues IPv4's broadcast model, but IPv6 eliminated broadcast.

Mistake

A STALE neighbor cache entry means the neighbor is unreachable.

Correct

STALE means reachability has not been confirmed recently, but the entry is still used for forwarding. NUD will confirm reachability if traffic is sent.

The word 'stale' implies unusable, but in NDP it is still valid.

Mistake

Router Advertisements are only sent in response to Router Solicitations.

Correct

Routers send RAs periodically (every 200 seconds by default) regardless of RS. RS can trigger an immediate RA, but periodic RAs are the primary mechanism.

Candidates think RS/RA are like DHCP discover/offer, but RAs are unsolicited.

Mistake

DAD is only performed for global unicast addresses.

Correct

DAD is performed for all unicast addresses, including link-local addresses. Every IPv6 address must be unique on the link.

Candidates think link-local addresses are automatically unique, but DAD is still required.


Frequently Asked Questions

What is the difference between NDP and ARP?

NDP replaces ARP in IPv6. ARP uses broadcast and is carried directly in Ethernet frames (EtherType 0x0806, no IP header), while NDP uses multicast and is carried as ICMPv6 inside IPv6 packets. NDP provides additional features: DAD, NUD, router discovery, and a hop-limit check that rejects messages forwarded from another link. ARP is a simple request/reply; NDP has a state machine with five states. For the exam, remember that NDP is more robust and efficient than ARP.

How does Duplicate Address Detection work?

DAD is performed before assigning any unicast IPv6 address. The host sends a Neighbor Solicitation with the target address set to the tentative address, source set to the unspecified address (::), and destination set to the solicited-node multicast of the tentative address. If no Neighbor Advertisement for that target is received within one second (default RetransTimer), the address is considered unique. If an NA is received, or an NS for the same target arrives from :: (another node running DAD on the same address at the same time), the address is a duplicate and must not be assigned.

What are the Neighbor Cache states and their transitions?

The states are: INCOMPLETE (resolution in progress), REACHABLE (confirmed reachable), STALE (no confirmation within ReachableTime), DELAY (packet sent while STALE, waiting for confirmation up to 5 seconds), PROBE (sending unicast NS probes every RetransTimer). Transitions: INCOMPLETE→REACHABLE upon NA; REACHABLE→STALE after ReachableTime; STALE→DELAY when a packet is sent; DELAY→PROBE after 5 seconds; PROBE→REACHABLE upon NA or →remove after max probes (default 3).

What is the solicited-node multicast address and how is it formed?

The solicited-node multicast address is used for efficient address resolution. It is formed by taking the prefix FF02::1:FF00:0000/104 and appending the last 24 bits of the target unicast address. For example, for address 2001:DB8::1:2:3:4, the last 24 bits are 03:00:04 (the low byte of the seventh group followed by the whole eighth group), so the solicited-node address is FF02::1:FF03:4, written uncompressed as FF02::1:FF03:0004. Only nodes whose addresses share those 24 bits have joined the group and receive the NS; everyone else never sees the frame, which reduces interrupt overhead.

How does a host learn its default gateway in IPv6?

A host learns the default gateway from Router Advertisements sent by routers. The RA includes the router's link-local address and a Router Lifetime (default 1800 seconds). The host adds this router to its Default Router List. The host does not need a global unicast address for the router; it uses the link-local address as the next-hop. The default gateway is not configured manually in most IPv6 networks.

What is the purpose of the Redirect message in NDP?

A router sends a Redirect (type 137) to inform a host of a better first hop for a specific destination. For example, a host's only default router is Router A, but Router B on the same link has the better path to some destination. The host sends the first packet to Router A; Router A forwards it and also sends a Redirect naming Router B's link-local address as the next hop. The host records this in its Destination Cache and sends later packets for that destination directly to Router B. A Redirect can also tell a host that the destination is itself on the link, so no router is needed at all. A host accepts a Redirect only if it comes from the router it actually sent the packet through, from a link-local source, with hop limit 255.

How can I verify NDP operation on a Cisco router?

Use `show ipv6 neighbors` to view the Neighbor Cache. Use `show ipv6 interface [interface]` to see NDP parameters like DAD status, reachable time, RA interval, and advertised prefixes. For debugging, use `debug ipv6 nd` but be cautious in production. Also, you can capture packets with `debug ipv6 packet` or use an external sniffer to see NS/NA/RA messages.

