D-Link NetDefendOS User Manual page 164

Network security firewall

When NetDefendOS is about to send a packet to a neighbor, an entry is created.
When NetDefendOS receives neighbor solicitations containing source link-layer address
options, an entry is created.
When static entries are added by the administrator. These are regarded as always being in
the REACHABLE state.
The key advanced settings for neighbor discovery are found in the ARPNDSettings object and
include the following properties:
NDMatchEnetSender
Check if the Ethernet sender address does not match the sender Ethernet address derived
from the source/target link-layer address option in a packet. This can be a sign of address
spoofing and the default is to have this setting enabled so that non-matching packets are
dropped. In some situations it might be desirable to skip this check.
NDValSenderIP
When enabled, NetDefendOS requires that the non-link local source address of neighbor
discovery packets match the routing table routes. If they do not, the packets are dropped.
When no such matching routes have been configured, this setting needs to be disabled if the
neighbor discovery packets are to be processed.
NDChanges
If occasional loss of connectivity to certain hosts is being experienced, this setting should be
given the value AcceptLog. This can help identify if the cause is the same IPv6 address moving
between hardware Ethernet addresses.
NDCacheSize
The neighbor discovery cache provides higher traffic throughput speeds by reducing
neighbor discovery traffic and the time required to process this traffic. The size of the cache
can be adjusted with this setting to suit particular scenarios with different network sizes.
A larger cache means a greater allocation of physical memory. However, if the cache is too
small, items may be discarded because they cannot fit and this will lead to higher latency
times and more neighbor discovery traffic.
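The comparison that NDMatchEnetSender describes, as an added example that is not NetDefendOS code or part of the manual: a Python check that the Ethernet source address of a neighbor discovery frame equals the address carried in its source/target link-layer address option. The function names and the sample frame are constructed for illustration, and the parser assumes the IPv6 header has no extension headers.

```python
import struct

# Offset of the first option inside the ICMPv6 message, per ND type (RFC 4861):
# 133 router solicitation, 134 router advertisement, 135 NS, 136 NA.
ND_OPTION_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24}
SLLA, TLLA = 1, 2  # source / target link-layer address option types


def link_layer_options(icmp: bytes):
    """Yield (option_type, mac) for each SLLA/TLLA option in an ND message."""
    pos = ND_OPTION_OFFSET[icmp[0]]
    while pos + 2 <= len(icmp):
        opt_type, units = icmp[pos], icmp[pos + 1]  # length is in 8-byte units
        if units == 0 or pos + units * 8 > len(icmp):
            raise ValueError("malformed ND option")
        if opt_type in (SLLA, TLLA) and units == 1:
            yield opt_type, icmp[pos + 2:pos + 8]
        pos += units * 8


def enet_sender_matches(frame: bytes) -> bool:
    """True if every link-layer option equals the Ethernet source address."""
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ipv6 = frame[14:]
    # Assumption: Next Header (byte 6) is ICMPv6 (58), no extension headers.
    if ethertype != 0x86DD or len(ipv6) < 41 or ipv6[6] != 58:
        raise ValueError("not an ICMPv6 frame")
    icmp = ipv6[40:]
    if icmp[0] not in ND_OPTION_OFFSET:
        raise ValueError("not a neighbor discovery message")
    return all(mac == eth_src for _, mac in link_layer_options(icmp))


def build_ns(eth_src: bytes, slla: bytes) -> bytes:
    """Constructed sample: a neighbor solicitation frame (checksum left zero)."""
    src_ip = bytes.fromhex("fe80000000000000" "0000000000000001")
    dst_ip = bytes.fromhex("ff02000000000000" "00000001ff000002")
    target = bytes.fromhex("fe80000000000000" "0000000000000002")
    icmp = bytes([135, 0, 0, 0]) + bytes(4) + target + bytes([SLLA, 1]) + slla
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src_ip + dst_ip
    return bytes.fromhex("3333ff000002") + eth_src + struct.pack("!H", 0x86DD) + ipv6 + icmp


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")
    print(enet_sender_matches(build_ns(mac, mac)))
    print(enet_sender_matches(build_ns(mac, bytes.fromhex("020000000099"))))
```

A frame for which the function returns False is the kind of non-matching packet that the setting drops by default.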
Timing Settings
There are a number of timing settings associated with neighbor discovery:
NDMulticastSolicit
NDMaxUnicastSolicit
NDBaseReachableTime
NDDelayFirstProbeTime
NDRetransTimer
Lower values for these settings mean that the cache is better able to deal with stray hosts that only
communicate for a short period, but they also lead to an increase in neighbor discovery traffic.
In order to increase the time an entry stays in the cache before triggering a time-out or
sending probes, it is recommended to increase the value of NDBaseReachableTime.
All settings relevant to neighbor discovery can be found in the separate NetDefendOS CLI
Reference Guide under the object name ARPNDSettings.
Chapter 3: Fundamentals