Security: IPv6 First Hop Security
IPv6 First Hop Security Overview
Cisco 500 Series Stackable Managed Switch Administration Guide 514
23
• Neighbor Advertisement (NA) messages
• Neighbor Solicitation (NS) messages
• ICMPv6 Redirect messages
• Certification Path Advertisement (CPA) messages
• Certification Path Solicitation (CPS) messages
• DHCPv6 messages
Trapped RA, CPA, and ICMPv6 Redirect messages are passed to the RA Guard
feature. RA Guard validates these messages, drops illegal message, and legal
messages passes to the ND Inspection feature.
ND Inspection validates these messages and drops illegal message, and legal
messages passes to the IPv6 Source Guard feature.
Trapped DHCPv6 messages are passed to the DHCPv6 Guard feature. DHCPv6
Guard validates these messages, drops illegal message, and legal messages
passes to the IPv6 Source Guard feature.
Trapped data messages are passed to the IPv6 Source Guard feature. IPv6
Source Guard validates received messages (trapped data messages, NDP
messages from ND Inspection, and DHCPv6 messages from DHCPv6 Guard)
using the Neighbor Binding Table, drops illegal messages, and passes legal
messages to forwarding.
Neighbor Binding Integrity learns neighbors from the received messages (NDP
and DHCPv6 messages) and stores them in the Neighbor Binding table.
Additionally, static entries can be added manually. After learning the addresses,
the NBI feature passes the frames for forwarding.
Trapped RS,CPS NS and NA messages are also passed to the ND Inspection
feature. ND Inspection validates these messages, drops illegal messages, and
passes legal messages to the IPv6 Source Guard feature.
To Next Page
Loading...
Need help?
General
