Security: IPv6 First Hop Security
IPv6 First Hop Security Overview
443 Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
26
• Neighbor Solicitation (NS) messages
• ICMPv6 Redirect messages
• Certification Path Advertisement (CPA) messages
• Certification Path Solicitation (CPS) messages
• DHCPv6 messages
Trapped RA, CPA, and ICMPv6 Redirect messages are passed to the RA Guard feature. RA
Guard validates these messages, drops illegal message, and legal messages passes to the ND
Inspection feature.
ND Inspection validates these messages and drops illegal message, and legal messages passes
to the IPv6 Source Guard feature.
Trapped DHCPv6 messages are passed to the DHCPv6 Guard feature. DHCPv6 Guard
validates these messages, drops illegal message, and legal messages passes to the IPv6 Source
Guard feature.
Trapped data messages are passed to the IPv6 Source Guard feature. IPv6 Source Guard
validates received messages (trapped data messages, NDP messages from ND Inspection, and
DHCPv6 messages from DHCPv6 Guard) using the Neighbor Binding Table, drops illegal
messages, and passes legal messages to forwarding.
Neighbor Binding Integrity learns neighbors from the received messages (NDP and DHCPv6
messages) and stores them in the Neighbor Binding table. Additionally, static entries can be
added manually. After learning the addresses, the NBI feature passes the frames for
forwarding.
Trapped RS,CPS NS and NA messages are also passed to the ND Inspection feature. ND
Inspection validates these messages, drops illegal messages, and passes legal messages to the
IPv6 Source Guard feature.
To Next Page
Loading...
