Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IPv6 Unicast Routing
Understanding IPv6
When a port receives a data packet where the binding is unknown, that is, the neighbor is in an
INCOMPLETE state and the link-layer address is not yet known, the switch sends a DAD NS NDP
unicast message to the port from which the data packet was received.
After the host replies with a DAD Neighbor Advertisement (NA) NDP message, the binding table is
updated and a Private VLAN ACL (PVACL) is installed in the hardware for this binding.
If the host does not reply with a DAD NA, after the binding table timer expires, the hardware is notified
and any resources associated with that binding are released.
To enable this feature, configure a policy with data-glean and attach the policy to a target port. To debug
the policy, use the debug ipv6 snooping privileged EXEC command.
IPv6 ND Inspection
IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in L2 neighbor
tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding
table database; IPv6 neighbor discovery messages that do not conform are dropped. An SA ND
message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on
DAD, address resolution, router discovery, and the neighbor cache.
IPv6 Device Tracking
The IPv6 device tracking feature provides IPv6 host liveness tracking so that a neighbor table can be
updated when an IPv6 host disappears. The feature tracks the liveness of the neighbors connected
through the L2 switch on a regular basis in order to revoke network access privileges as they become
inactive.
IPv6 Port-Based Access List Support
The IPv6 port-based access lists (PACL) feature provides access control (permit or deny) on L2 switch
ports for IPv6 traffic. IPv6 PACLs are similar to IPv4 PACLs, which provide access control on L2 switch
ports for IPv4 traffic.
With Catalyst 3750-E, 3750X, 3560E, 3560-X, 3750v2, and 3560 v2 switches, this feature is supported
in hardware and only in ingress direction. In a mixed stack scenario where the stack has a switch that
does not support IPv6 FHS, the VLAN target is disabled on the whole switch, for security. Port targets
are allowed on the IPv6 FHS-capable ports of the switch. If a nonsupporting switch becomes the stack
master then the IPv6 FHS functions are still supported on the IPv6 FHS-capable ports of the switch.
Access lists determine which traffic is blocked and which traffic is forwarded at switch interfaces and
allow filtering based on source and destination addresses, inbound and outbound to a specific interface.
Each access list has an implicit deny statement at the end. To configure an IPv6 PACL you have to create
an IPv6 access list and then configure the PACL mode on the specified IPv6 L2 interface.
PACL can filter ingress traffic on L2 interfaces based on L3 and Layer 4 (L4) header information or
non-IP L2 information.
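The two procedures above (a snooping policy with data-glean attached to a port, and an IPv6 access list applied as a PACL on an L2 interface) combined on one access port, as an added example that is not taken from this guide. The policy name, ACL name, interface, VLAN and the 2001:db8:10::/64 prefix are assumed values for illustration.

```cisco
! Added example, not from the Cisco guide. Names, interface and prefix are assumed.
!
! --- Binding-table learning from data packets (data-glean) ---
! With data-glean, a packet from an unknown binding triggers the DAD NS probe
! described above; the binding is installed only after the host answers with NA.
ipv6 snooping policy FHS-DATA-GLEAN
 data-glean
 security-level guard
!
! --- IPv6 PACL: permit only the expected host prefix ---
! Every IPv6 ACL ends with an implicit "deny ipv6 any any"; the explicit deny
! at the end is written out only to make the intent visible in the running-config.
ipv6 access-list PACL-ACCESS-V6
 remark allow ND control traffic so bindings can still be learned
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit ipv6 2001:db8:10::/64 any
 deny ipv6 any any
!
! --- Attach both to a single L2 access port (PACL is ingress only on these switches) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ipv6 snooping attach-policy FHS-DATA-GLEAN
 ipv6 traffic-filter PACL-ACCESS-V6 in
!
! Verification from privileged EXEC:
!   show ipv6 snooping policies
!   show ipv6 neighbors binding
!   show ipv6 access-list PACL-ACCESS-V6
!   debug ipv6 snooping
```

Use a port target rather than a VLAN target in a mixed stack: as noted above, the VLAN target is disabled stack-wide when any member lacks IPv6 FHS support.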
IPv6 Router Advertisement Guard
The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject
unwanted or rogue RA messages that arrive at the network switch platform. RAs are used by
routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus
RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages
are disallowed on the port. The RA guard feature compares configuration information on the L2 device