Security: IPv6 First Hop Security
IPv6 Source Guard
Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x 546
NBI-NDP supports a lifetime timer whose value is configurable in the Neighbor 
Binding Settings page. The timer is restarted each time the bound IPv6 address is 
confirmed. If the timer expires, the device sends up to 2 DAD-NS messages at short 
intervals to validate the neighbor.
NBI-DHCP Method
The NBI-DHCP method is based on the SAVI-DHCP method specified in the SAVI Solution for 
DHCP, draft-ietf-savi-dhcp-15, September 11, 2012.
Like NBI-NDP, NBI-DHCP provides perimetrical binding for scalability. NBI-DHCP differs 
from the NBI-FCFS method in one respect: NBI-DHCP follows the state announced in 
DHCPv6 messages, so there is no need to distribute the state by NS/NA messages.
NB Integrity Policy
As with other IPv6 First Hop Security features, NB Integrity behavior on an interface is 
specified by an NB Integrity policy attached to that interface. These policies are 
configured in the Neighbor Binding Settings page.
IPv6 Source Guard
If Neighbor Binding Integrity (NB Integrity) is enabled, IPv6 Source Guard validates the 
source IPv6 addresses of NDP and DHCPv6 messages, regardless of whether IPv6 Source 
Guard itself is enabled. If IPv6 Source Guard is enabled together with NB Integrity, IPv6 Source 
Guard configures the TCAM to specify which IPv6 data frames should be forwarded, dropped, 
or trapped to the CPU, and it validates the source IPv6 addresses of the trapped IPv6 data 
messages. If NB Integrity is not enabled, IPv6 Source Guard is not activated, regardless of 
whether it is enabled.
If the TCAM has no free space for a new rule, the TCAM overflow counter is 
incremented and a rate-limited SYSLOG message containing the interface identifier, host 
MAC address, and host IPv6 address is sent.
IPv6 Source Guard validates the source addresses of all received IPv6 messages against the 
Neighbor Binding table, except for the following messages, which are passed without validation:
• RS messages, if the source IPv6 address equals the unspecified IPv6 address.
• NS messages, if the source IPv6 address equals the unspecified IPv6 address.
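A model of the Source Guard decision path this section describes (NB Integrity gating, TCAM rule installation with the overflow counter and rate-limited SYSLOG, and the unspecified-source RS/NS exemption), as an added example that is not Cisco's code. The frame fields, the `SourceGuard` class, the TCAM capacity, and treating frames that have a binding but no TCAM rule as trapped for software validation are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

UNSPECIFIED = ipaddress.IPv6Address("::")

@dataclass
class Frame:                    # assumed minimal view of a received frame
    interface: str
    src_mac: str
    src_ip: str
    kind: str = "data"          # "data", "RS", "NS", "NA", "DHCPv6"

@dataclass
class SourceGuard:              # assumed model of the feature, not the switch firmware
    nb_integrity: bool          # NB Integrity enabled?
    source_guard: bool          # IPv6 Source Guard enabled?
    tcam_capacity: int
    bindings: set = field(default_factory=set)   # (if, mac, ip) from Neighbor Binding table
    tcam_rules: set = field(default_factory=set)
    tcam_overflow: int = 0
    trapped: int = 0
    syslog: list = field(default_factory=list)

    def active(self) -> bool:
        # Source Guard is not activated unless NB Integrity is enabled too.
        return self.nb_integrity and self.source_guard

    def bind(self, interface: str, mac: str, ip: str) -> bool:
        """Record a confirmed binding and try to program its TCAM rule."""
        key = (interface, mac, ipaddress.IPv6Address(ip))
        self.bindings.add(key)
        if not self.active() or key in self.tcam_rules:
            return True
        if len(self.tcam_rules) >= self.tcam_capacity:
            self.tcam_overflow += 1          # no free TCAM room: count it
            msg = f"TCAM overflow: if={interface} mac={mac} ip={ip}"
            if msg not in self.syslog:       # crude stand-in for rate limiting
                self.syslog.append(msg)
            return False
        self.tcam_rules.add(key)
        return True

    def verdict(self, f: Frame) -> str:
        if not self.active():
            return "forward"                 # feature inactive without NB Integrity
        src = ipaddress.IPv6Address(f.src_ip)
        if f.kind in ("RS", "NS") and src == UNSPECIFIED:
            return "forward"                 # passed without validation
        key = (f.interface, f.src_mac, src)
        if key in self.tcam_rules:
            return "forward"                 # matched in hardware
        self.trapped += 1                    # no rule: trap to CPU, validate against table
        return "forward" if key in self.bindings else "drop"
```

Constructed inputs in a test would bind two hosts on a one-entry TCAM so that the second binding trips the overflow counter and its frames are validated in software rather than dropped.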