Security: IPv6 First Hop Security
Router Advertisement Guard
Cisco 500 Series Stackable Managed Switch Administration Guide 516
23
The device-role command in the Neighbor Binding policy configuration screen
specifies the perimeter.
Each IPv6 First Hop Security switch establishes binding for neighbors partitioned
by the edge. In this way, binding entries are distributed on IPv6 First Hop Security
devices forming the perimeter. The IPv6 First Hop Security devices can then
provide binding integrity to the inside of the perimeter, without setting up bindings
for all the addresses on each device.
Router Advertisement Guard
Router Advertisement (RA) Guard is the first FHS feature that treats trapped RA
messages. RA Guard supports the following functions:
• Filtering of received RA, CPA, and ICMPv6 redirect messages.
• Validation of received RA messages.
Filtering of Received RA, CPA, and IPCMv6 redirect
Messages
RA Guard discards RA and CPA messages received on interfaces whose role are
not router. The interface role is configured in the Security > IPv6 First Hop Security
> RA Guard Settings page.
Validation of RA messages
RA Guard validates RA messages using the filtering based on the RA Guard policy
attached to the interface. These policies can be configured in the RA Guard
Settings page.
If a message does not pass verification, it is dropped. If the logging packet drop
configuration on the FHS common component is enabled, a rate limited SYSLOG
message is sent.
Neighbor Discovery Inspection
Neighbor Discovery (ND) Inspection supports the following functions:
To Next Page
Loading...
