
Cisco 500 Series Administration Guide

Cisco 500 Series
653 pages
Cisco 500 Series Stackable Managed Switch Administration Guide
Security: IPv6 First Hop Security
IPv6 Source Guard

If Neighbor Binding Integrity (NB Integrity) is enabled, IPv6 Source Guard validates
the source IPv6 addresses of NDP and DHCPv6 messages, regardless of whether
IPv6 Source Guard is enabled. If IPv6 Source Guard is enabled together with NB
Integrity, IPv6 Source Guard configures the TCAM to specify which IPv6 data
frames should be forwarded, dropped, or trapped to the CPU, and validates the
source IPv6 addresses of the trapped IPv6 data messages. If NB Integrity is not
enabled, IPv6 Source Guard is not activated, regardless of whether it is enabled.

If the TCAM has no free space for a new rule, the TCAM overflow counter is
incremented and a rate-limited SYSLOG message containing the interface
identifier, host MAC address, and host IPv6 address is sent.

IPv6 Source Guard validates the source addresses of all received IPv6 messages
using the Neighbor Binding table, except for the following messages, which are
passed without validation:

• RS messages, if the source IPv6 address equals the unspecified IPv6 address.
• NS messages, if the source IPv6 address equals the unspecified IPv6 address.
• NA messages, if the source IPv6 address equals the target address.

IPv6 Source Guard drops all other IPv6 messages whose source IPv6 address
equals the unspecified IPv6 address.

IPv6 Source Guard runs only on untrusted interfaces belonging to the perimeter.

IPv6 Source Guard drops an input IPv6 message if:

• The Neighbor Binding table does not contain the IPv6 address.
• The Neighbor Binding table contains the IPv6 address, but it is bound to
  another interface.

IPv6 Source Guard initiates the Neighbor Recovery process by sending DAD_NS
messages for the unknown source IPv6 addresses.
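
The validation rules above can be read as a single decision procedure. The following Python model is an added example, not code from the Cisco guide or the switch firmware; the function and verdict names, the message-type strings, the interface names and the addresses are constructed for illustration. It assumes that "not activated" means the message is left unchecked by this feature, and that the untrusted-perimeter restriction applies in both modes.

```python
from enum import Enum
from ipaddress import IPv6Address

class Verdict(Enum):
    NOT_CHECKED = "feature not applied to this message"
    EXEMPT = "passed without validation"
    FORWARD = "source matches binding on this interface"
    DROP = "dropped"
    DROP_RECOVER = "dropped, DAD_NS sent (Neighbor Recovery)"

UNSPECIFIED = IPv6Address("::")
NDP = {"RS", "RA", "NS", "NA", "REDIRECT"}
# Constructed sample Neighbor Binding table: address -> bound interface.
BINDINGS = {IPv6Address("2001:db8::10"): "gi1/1/1",
            IPv6Address("2001:db8::20"): "gi1/1/2"}

def check(bindings, iface, msg, src, target=None, *, nb_integrity=True,
          source_guard=True, untrusted_perimeter=True):
    """Verdict for one received message, per the rules in this section."""
    src = IPv6Address(src)
    # Not activated without NB Integrity; runs only on untrusted perimeter ports.
    if not nb_integrity or not untrusted_perimeter:
        return Verdict.NOT_CHECKED
    # With Source Guard off, only NDP and DHCPv6 sources are validated.
    if not source_guard and msg not in NDP | {"DHCPV6"}:
        return Verdict.NOT_CHECKED
    # Exemptions: RS/NS from the unspecified address, NA with source == target.
    if msg in ("RS", "NS") and src == UNSPECIFIED:
        return Verdict.EXEMPT
    if msg == "NA" and target is not None and src == IPv6Address(target):
        return Verdict.EXEMPT
    # Any other message from the unspecified address is dropped.
    if src == UNSPECIFIED:
        return Verdict.DROP
    bound_iface = bindings.get(src)
    if bound_iface is None:          # unknown source: drop and probe with DAD_NS
        return Verdict.DROP_RECOVER
    if bound_iface != iface:         # known, but bound to another interface
        return Verdict.DROP
    return Verdict.FORWARD

if __name__ == "__main__":
    for msg, src, iface in [("DATA", "2001:db8::10", "gi1/1/1"),
                            ("DATA", "2001:db8::10", "gi1/1/2"),
                            ("DATA", "2001:db8::99", "gi1/1/1"),
                            ("NS", "::", "gi1/1/1"), ("DATA", "::", "gi1/1/1")]:
        print(msg, src, iface, "->", check(BINDINGS, iface, msg, src).name)
```

The order of the checks matters: the three exemptions are tested before the blanket drop of unspecified-source messages, otherwise DAD probes from hosts that do not yet have an address would be discarded.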


Cisco 500 Series Specifications

General
Model: Cisco 500 Series
Category: Switch
Mounting: Rack-mountable
Management: Web-based, CLI, SNMP
Ports: 24, 48
Port Speed: 10/100/1000 Mbps
PoE Support: Available on some models
Switching Capacity: Up to 176 Gbps
MAC Address Table Size: 16,000 entries
Security: ACLs, 802.1X
Quality of Service (QoS): Yes
Dimensions: Varies by model
Weight: Varies by model
Humidity: 10% to 90% non-condensing
Power Supply: Internal
Power Consumption: Varies by model
Jumbo Frame Support: Up to 9216 bytes
