Security: IPv6 First Hop Security
Neighbor Binding Integrity
447 Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
26
Learning Advertised IPv6 Prefixes
NB Integrity learns IPv6 prefixes advertised in RA messages and saves it in the Neighbor
Prefix table. The prefixes are used for verification of assigned global IPv6 addresses.
By default, this validation is disabled. When it is enabled, addresses are validated against the
prefixes in the Neighbor Binding Settings page.
Static prefixes used for the address validation can be added in the Neighbor Prefix Table page.
Validation of Global IPv6 Addresses
NB Integrity performs the following validations:
• If the target address in an NS or NA message is a global IPv6 address, it must belong to
one of the prefixes defined in the RA Prefix table.
• A global IPv6 address provided by a DHCPv6 server must belong to one of the
prefixes defined in the IPv6 Prefix List (in IPv6 Prefixes page).
If a message does not pass this verification, it is dropped and a rate limited SYSLOG message
is sent.
Neighbor Binding Table Overflow
When there is no free space to create a new entry, no entry is created and a SYSLOG message
is sent.
Establishing Binding of Neighbors
An IPv6 First Hop Security switch can discover and record binding information by using the
following methods:
• NBI-NDP Method: Learning IPv6 addresses from the snooped Neighbor Discovery
Protocol messages
• NBI-DHCP method: By learning IPv6 addresses from the snooped DHCPv6
messages
• NBI-Manual Method: By manual configuration
An IPv6 address is bound to a link layer property of the host's network attachment. This
property, called a "binding anchor" consists of the interface identifier (ifIndex) through which
the host is connected to and the host’s MAC address.
To Next Page
Loading...
Need help?
General
