Cisco Sg3008 Manual
Page 451
Security: IPv6 First Hop Security (Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), chapter 20)

First Hop Security Overview

• Neighbor Solicitation (NS) messages
• ICMPv6 Redirect messages
• Certification Path Advertisement (CPA) messages
• Certification Path Solicitation (CPS) messages
• DHCPv6 messages

Trapped RA, CPA, and ICMPv6 Redirect messages are passed to the RA Guard feature. RA Guard validates these messages, drops illegal messages, and legal...
Page 452
IPv6 First Hop Security Perimeter

IPv6 First Hop Security switches can form a perimeter separating an untrusted area from a trusted area. All switches inside the perimeter support IPv6 First Hop Security, and hosts and routers inside this perimeter are trusted devices. For example, the links SwitchC-H3, SwitchB-H4, and SwitchA-SwitchD on...
Page 453
The device-role setting in the Neighbor Binding policy configuration screen specifies the perimeter. Each IPv6 First Hop Security switch establishes bindings for the neighbors on its side of the edge. In this way, binding entries are distributed across the IPv6 First Hop Security devices forming the perimeter. The IPv6 First Hop Security devices...
Page 454
ND Inspection

• Validation of received Neighbor Discovery protocol messages.
• Egress filtering

Message Validation

ND Inspection validates Neighbor Discovery protocol messages based on an ND Inspection policy attached to the interface. This policy can be defined in the ND Inspection Settings page. If a message does not pass the verification defined in the...
Page 455
Neighbor Binding Integrity

Neighbor Binding (NB) Integrity establishes bindings of neighbors. A separate, independent instance of NB Integrity runs on each VLAN on which the feature is enabled.

Learning Advertised IPv6 Prefixes

NB Integrity learns the IPv6 prefixes advertised in RA messages and saves them in the Neighbor Prefix table. The...
Page 456
NBI-NDP Method

The NBI-NDP method is based on the FCFS-SAVI method specified in RFC 6620, with the following differences:

• Unlike FCFS-SAVI, which supports binding only for link-local IPv6 addresses, NBI-NDP additionally supports binding global IPv6 addresses.
• NBI-NDP supports IPv6 address binding only for IPv6 addresses...
Page 457
NBI-NDP supports a lifetime timer. The timer value is configurable in the Neighbor Binding Settings page. The timer is restarted each time the bound IPv6 address is confirmed. If the timer expires, the device sends up to 2 DAD-NS messages at short intervals to validate the neighbor.

NB Integrity Policy

In the same way that other...
Page 458
Attack Protection

• A Neighbor Advertisement (NA) message is dropped if the target IPv6 address is bound to another interface.

Protection against IPv6 Duplicate Address Detection Spoofing

An IPv6 host must perform Duplicate Address Detection for each assigned IPv6 address by sending a special NS message (Duplicate Address Detection Neighbor Solicitation...
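The binding behaviour described on pages 456 to 458 can be shown as a small model: first-come first-served binding of an address to the interface that first claimed it (the FCFS-SAVI idea from RFC 6620 that the guide says NBI-NDP is based on), the rule that an NA whose target address is bound to another interface is dropped, and the lifetime timer that triggers up to two DAD-NS probes before an unconfirmed binding is removed. This is an added illustration, not code from the Cisco guide or from the switch firmware. The interface names, the 300 s default lifetime, the string return values, and the way a host's answer to the probes is represented are all constructed assumptions; in particular the model assumes an NA for an address with no binding is simply forwarded, since the page does not say bindings are learned from NAs.

```python
"""
Model of the Neighbor Binding Integrity checks described in the guide:
FCFS binding (after FCFS-SAVI, RFC 6620), dropping an NA whose target is
bound to another interface, and lifetime expiry with up to two DAD-NS probes.

Added illustration; not the Cisco guide's or the switch's code. Interface
names, the 300 s lifetime, the message representation and the probe-answer
model are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv6Address


@dataclass
class Binding:
    interface: str      # interface on which the address was first claimed
    expires_at: float   # absolute time (s); reset whenever the address is confirmed


class NeighborBindingTable:
    """One independent instance per VLAN, as the guide describes."""

    def __init__(self, lifetime: float = 300.0, max_probes: int = 2):
        self.lifetime = lifetime        # assumed default for the configurable timer
        self.max_probes = max_probes    # "up to 2 DAD-NS messages" on expiry
        self.bindings: dict[IPv6Address, Binding] = {}

    def _live(self, addr: IPv6Address, now: float) -> Binding | None:
        b = self.bindings.get(addr)
        return b if b is not None and b.expires_at > now else None

    def handle_dad_ns(self, target: str, iface: str, now: float) -> str:
        """DAD-NS from a host on `iface` claiming `target`.
        FCFS: the first claimant is bound; a later claim from a different
        interface contradicts the binding and is dropped (DAD spoofing)."""
        addr = IPv6Address(target)
        b = self._live(addr, now)
        if b is None:
            self.bindings[addr] = Binding(iface, now + self.lifetime)
            return "forward"
        if b.interface == iface:
            b.expires_at = now + self.lifetime   # same host; confirms the binding
            return "forward"
        return "drop"

    def handle_na(self, target: str, iface: str, now: float) -> str:
        """NA from `iface` for `target`: dropped if the target is bound to
        another interface. Assumption: an NA for an unbound address is
        forwarded without creating a binding."""
        addr = IPv6Address(target)
        b = self._live(addr, now)
        if b is None:
            return "forward"
        if b.interface != iface:
            return "drop"
        b.expires_at = now + self.lifetime       # confirmation restarts the timer
        return "forward"

    def revalidate(self, now: float, answers: dict[str, int]) -> list[str]:
        """Process expired bindings. `answers` is a constructed stand-in for
        the probe exchange: address -> the 1-based probe number on which the
        host replied to the switch's DAD-NS; absent means it never replied.
        A host answering within `max_probes` keeps its binding (timer reset);
        otherwise the entry is removed. Returns the removed addresses."""
        removed: list[str] = []
        for addr, b in list(self.bindings.items()):
            if b.expires_at > now:
                continue                          # lifetime not yet expired
            probes_needed = answers.get(str(addr))
            if probes_needed is not None and probes_needed <= self.max_probes:
                b.expires_at = now + self.lifetime
            else:
                del self.bindings[addr]
                removed.append(str(addr))
        return removed


if __name__ == "__main__":
    t = NeighborBindingTable()
    print(t.handle_dad_ns("2001:db8::10", "gi1", 0.0))   # forward: first claim binds
    print(t.handle_dad_ns("2001:db8::10", "gi2", 1.0))   # drop: spoofed DAD from gi2
    print(t.handle_na("2001:db8::10", "gi2", 2.0))       # drop: target bound to gi1
    print(t.handle_na("2001:db8::10", "gi1", 2.0))       # forward: legitimate owner
    print(t.revalidate(400.0, {}))                       # ['2001:db8::10']: no reply
```

The model deliberately tracks only the binding table; the switch's own ND cache and its limit on INCOMPLETE entries are a separate mechanism and are not represented here.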
Page 459
A malicious host could send IPv6 messages with a different destination IPv6 address for the last-hop forwarding, causing overflow of the Neighbor Discovery (ND) cache. An embedded mechanism in the NDP implementation, which limits the number of entries allowed in the INCOMPLETE state in the Neighbor Discovery cache, provides...
Page 460
When a user-defined policy is attached to an interface, the default policy for that interface is detached. If the user-defined policy is detached from the interface, the default policy is reattached. Policies do not take effect until:

• The feature in the policy is enabled on the VLAN containing the interface
• The policy is attached to the interface...