Security: IPv6 First Hop Security
Neighbor Binding Integrity
Cisco 500 Series Stackable Managed Switch Administration Guide 518
23
Neighbor Binding Integrity
Neighbor Binding (NB) Integrity establishes binding of neighbors.
A separate, independent instance of NB Integrity runs on each VLAN on which the
feature is enabled.
Learning Advertised IPv6 Prefixes
NB Integrity learns IPv6 prefixes advertised in RA messages and saves it in the
Neighbor Prefix table. The prefixes are used for verification of assigned global
IPv6 addresses.
By default, this validation is disabled. When it is enabled, addresses are validated
against the prefixes in the Neighbor Binding Settings page.
Static prefixes used for the address validation can be added in the Neighbor
Prefix Table page.
Validation of Global IPv6 Addresses
NB Integrity performs the following validations:
• If the target address in an NS or NA message is a global IPv6 address, it
must belong to one of the prefixes defined in the RA Prefix table.
• A global IPv6 address provided by a DHCPv6 server must belong to one of
the prefixes defined in the IPv6 Prefix List (in IP Configuration > IPv6 Prefix
List page).
If a message does not pass this verification, it is dropped and a rate limited
SYSLOG message is sent.
Neighbor Binding Table Overflow
When there is no free space to create a new entry, no entry is created and a
SYSLOG message is sent.
To Next Page
Loading...
