Cisco Sg3008 Manual
Security: IPv6 First Hop Security (Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), chapter 20, page 413)
First Hop Security Overview

•Neighbor Solicitation (NS) messages
•ICMPv6 Redirect messages
•Certification Path Advertisement (CPA) messages
•Certification Path Solicitation (CPS) messages
•DHCPv6 messages

Trapped RA, CPA, and ICMPv6 Redirect messages are passed to the RA Guard feature. RA Guard validates these messages, drops illegal messages, and passes legal messages to the ND Inspection feature. ND Inspection validates these messages, drops illegal messages, and passes legal messages to the IPv6 Source Guard feature.

Trapped DHCPv6 messages are passed to the DHCPv6 Guard feature. DHCPv6 Guard validates these messages, drops illegal messages, and passes legal messages to the IPv6 Source Guard feature.

Trapped RS, CPS, NS, and NA messages are passed to the ND Inspection feature. ND Inspection validates these messages, drops illegal messages, and passes legal messages to the IPv6 Source Guard feature.

Trapped data messages are passed directly to the IPv6 Source Guard feature.

IPv6 Source Guard validates received messages (trapped data messages, NDP messages from ND Inspection, and DHCPv6 messages from DHCPv6 Guard) using the Neighbor Binding Table, drops illegal messages, and passes legal messages to forwarding.

Neighbor Binding Integrity learns neighbors from the received NDP and DHCPv6 messages and stores them in the Neighbor Binding table. Static entries can also be added manually. After learning the addresses, the NBI feature passes the frames for forwarding.
IPv6 First Hop Security Perimeter

IPv6 First Hop Security switches can form a perimeter separating an untrusted area from a trusted area. All switches inside the perimeter support IPv6 First Hop Security, and hosts and routers inside this perimeter are trusted devices. For example, the links SwitchC-H3, SwitchB-H4, and SwitchA-SwitchD in Figure 7 form the perimeter, while the links SwitchA-SwitchB, SwitchB-SwitchC, and SwitchA-R1 are inner links inside the protected area.

Figure 7 IPv6 First Hop Security Perimeter (figure: hosts H1 to H4, router R1, Switch D, and IPv6 FHS Switches A, B, and C)
The device-role command in the Neighbor Binding policy configuration screen specifies the perimeter. Each IPv6 First Hop Security switch establishes bindings for the neighbors partitioned off by its edge. In this way, binding entries are distributed across the IPv6 First Hop Security devices that form the perimeter. The IPv6 First Hop Security devices can then provide binding integrity for the inside of the perimeter without setting up bindings for all addresses on each device.

Router Advertisement Guard

Router Advertisement (RA) Guard is the first FHS feature that treats trapped RA messages. RA Guard supports the following functions:
•Filtering of received RA, CPA, and ICMPv6 Redirect messages.
•Validation of received RA messages.

Filtering of Received RA, CPA, and ICMPv6 Redirect Messages
RA Guard discards RA and CPA messages received on interfaces whose role is not router. The interface role is configured in the Security > IPv6 First Hop Security > RA Guard Settings page.

Validation of RA Messages
RA Guard validates RA messages using the filtering rules of the RA Guard policy attached to the interface. These policies can be configured in the RA Guard Settings page. If a message does not pass verification, it is dropped. If the packet drop logging configuration on the FHS common component is enabled, a rate-limited SYSLOG message is sent.

Neighbor Discovery Inspection

Neighbor Discovery (ND) Inspection supports the following functions:
•Validation of received Neighbor Discovery protocol messages.
•Egress filtering.

Message Validation
ND Inspection validates Neighbor Discovery protocol messages based on the ND Inspection policy attached to the interface. This policy can be defined in the ND Inspection Settings page. If a message does not pass the verification defined in the policy, it is dropped and a rate-limited SYSLOG message is sent.

Egress Filtering
ND Inspection blocks forwarding of RS and CPS messages on interfaces configured as host interfaces.

DHCPv6 Guard

DHCPv6 Guard treats the trapped DHCPv6 messages. DHCPv6 Guard supports the following functions:
•Filtering of received DHCPv6 messages. DHCPv6 Guard discards DHCPv6 reply messages received on interfaces whose role is client. The interface role is configured in the DHCPv6 Guard Settings page.
•Validation of received DHCPv6 messages. DHCPv6 Guard validates the DHCPv6 messages that pass the filtering, based on the DHCPv6 Guard policy attached to the interface. If a message does not pass verification, it is dropped. If the packet drop logging configuration on the FHS common component is enabled, a rate-limited SYSLOG message is sent.
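The following model, added here as an illustration and not the switch's own code, ties together the message dispatch described in the First Hop Security Overview (RA/CPA/Redirect through RA Guard, then ND Inspection, then Source Guard; DHCPv6 through DHCPv6 Guard, then Source Guard; RS/CPS/NS/NA through ND Inspection, then Source Guard; data straight to Source Guard) with the interface-role filtering performed by RA Guard and DHCPv6 Guard and the RS/CPS egress filter of ND Inspection. The interface roles, the binding-table entry, the sample messages, and the two validation rules used (link-local RA source, NDP hop limit 255, both requirements of RFC 4861) are constructed for the example; real validation rules come from the policies configured on the settings pages.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Interface:
    """Constructed per-interface roles; on the switch they come from the
    RA Guard, DHCPv6 Guard and ND Inspection settings pages."""
    ifindex: int
    ra_role: str    # RA Guard role: "router" or "host"
    dhcp_role: str  # DHCPv6 Guard role: "server" or "client"
    nd_role: str    # ND Inspection role used by the RS/CPS egress filter


@dataclass(frozen=True)
class Msg:
    kind: str       # RA, CPA, REDIRECT, RS, CPS, NS, NA, DHCPV6_REPLY, DHCPV6_REQUEST, DATA
    src_ip: str
    src_mac: str
    hop_limit: int = 255


RA_GUARD_KINDS = {"RA", "CPA", "REDIRECT"}
ND_KINDS = {"RS", "CPS", "NS", "NA"}


class FhsPipeline:
    def __init__(self, ifaces: List[Interface], bindings: Dict[str, Tuple[int, str]]):
        self.ifaces = {i.ifindex: i for i in ifaces}
        self.bindings = bindings        # Neighbor Binding table: ip -> (ifindex, mac)
        self.drops: List[str] = []      # stands in for the rate-limited SYSLOG messages

    def _drop(self, stage: str, msg: Msg, why: str) -> bool:
        self.drops.append(f"{stage}: {msg.kind} from {msg.src_ip}: {why}")
        return False

    def ra_guard(self, msg: Msg, iface: Interface) -> bool:
        # Filtering: RA and CPA are legal only on router-role interfaces. The guide lists
        # Redirect among the filtered messages; applying the same rule to it is an
        # assumption of this model.
        if iface.ra_role != "router":
            return self._drop("RA Guard", msg, f"ifindex {iface.ifindex} role is {iface.ra_role}")
        # Validation: one sample policy rule (RFC 4861 requires a link-local RA source).
        if msg.kind == "RA" and not IPv6Address(msg.src_ip).is_link_local:
            return self._drop("RA Guard", msg, "RA source is not link-local")
        return True

    def dhcpv6_guard(self, msg: Msg, iface: Interface) -> bool:
        if msg.kind == "DHCPV6_REPLY" and iface.dhcp_role == "client":
            return self._drop("DHCPv6 Guard", msg, f"reply on client-role ifindex {iface.ifindex}")
        return True

    def nd_inspection(self, msg: Msg, iface: Interface) -> bool:
        # Sample validation rule: NDP messages must arrive with hop limit 255 (RFC 4861),
        # which shows they were not forwarded by a router.
        if msg.hop_limit != 255:
            return self._drop("ND Inspection", msg, f"hop limit {msg.hop_limit}")
        return True

    def source_guard(self, msg: Msg, iface: Interface) -> bool:
        anchor = self.bindings.get(msg.src_ip)
        if anchor is not None and anchor != (iface.ifindex, msg.src_mac):
            return self._drop("Source Guard", msg, f"address bound to {anchor}")
        return True   # unbound sources are left to NBI learning here (model assumption)

    def process(self, msg: Msg, in_ifindex: int) -> List[int]:
        """Run the ingress chain for one trapped message and return the egress
        ifindexes (empty when the message is dropped)."""
        iface = self.ifaces[in_ifindex]
        if msg.kind in RA_GUARD_KINDS:
            stages = [self.ra_guard, self.nd_inspection, self.source_guard]
        elif msg.kind.startswith("DHCPV6"):
            stages = [self.dhcpv6_guard, self.source_guard]
        elif msg.kind in ND_KINDS:
            stages = [self.nd_inspection, self.source_guard]
        else:                                   # trapped data message
            stages = [self.source_guard]
        if not all(stage(msg, iface) for stage in stages):   # stops at the first drop
            return []
        out = [i for i in self.ifaces if i != in_ifindex]
        if msg.kind in {"RS", "CPS"}:           # ND Inspection egress filter
            out = [i for i in out if self.ifaces[i].nd_role != "host"]
        return out


# Constructed topology: port 1 faces the router and DHCPv6 server, ports 2 and 3 face hosts.
IFACES = [
    Interface(1, "router", "server", "router"),
    Interface(2, "host", "client", "host"),
    Interface(3, "host", "client", "host"),
]
BINDINGS = {"2001:db8::10": (2, "00:11:22:33:44:10")}   # constructed binding entry


def demo() -> Tuple[FhsPipeline, Dict[str, List[int]]]:
    p = FhsPipeline(IFACES, BINDINGS)
    results = {
        "rogue_ra":        p.process(Msg("RA", "fe80::bad", "00:11:22:33:44:bb"), 3),
        "good_ra":         p.process(Msg("RA", "fe80::1", "00:11:22:33:44:01"), 1),
        "bad_src_ra":      p.process(Msg("RA", "2001:db8::1", "00:11:22:33:44:01"), 1),
        "rogue_dhcp":      p.process(Msg("DHCPV6_REPLY", "fe80::bad", "00:11:22:33:44:bb"), 3),
        "spoofed_data":    p.process(Msg("DATA", "2001:db8::10", "00:11:22:33:44:bb"), 3),
        "rs_from_host":    p.process(Msg("RS", "fe80::2", "00:11:22:33:44:10"), 2),
        "ns_low_hoplimit": p.process(Msg("NS", "fe80::2", "00:11:22:33:44:10", hop_limit=64), 2),
    }
    return p, results


if __name__ == "__main__":
    pipeline, outcome = demo()
    for name, egress in outcome.items():
        print(f"{name:16} -> {egress or 'dropped'}")
    print("\n".join(pipeline.drops))
```

The egress list shows the ND Inspection egress rule at work: an RS from a host port is flooded only toward the router-role port, never toward other host ports, while a rogue RA, a DHCPv6 reply on a client port, and a data packet whose source is bound to another anchor never leave the switch.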
Neighbor Binding Integrity

Neighbor Binding (NB) Integrity establishes bindings of neighbors. A separate, independent instance of NB Integrity runs on each VLAN on which the feature is enabled.

Learning Advertised IPv6 Prefixes
NB Integrity learns the IPv6 prefixes advertised in RA messages and saves them in the Neighbor Prefix table. The prefixes are used for verification of assigned global IPv6 addresses. By default, this validation is disabled. It is enabled in the Neighbor Binding Settings page; when enabled, addresses are validated against the prefixes in the table. Static prefixes used for the address validation can be added in the Neighbor Binding Table page.

Neighbor Binding Table Overflow
When there is no free space to create a new entry, the new entry overrides the entry with the highest creation time.

Establishing Binding of Neighbors
An IPv6 First Hop Security switch can discover and record binding information by using the following methods:
•NBI-NDP Method: learning IPv6 addresses from snooped Neighbor Discovery Protocol messages
•NBI-Manual Method: manual configuration

An IPv6 address is bound to a link-layer property of the host's network attachment. This property, called a binding anchor, consists of the interface identifier (ifIndex) through which the host is connected and the host's MAC address. An IPv6 First Hop Security switch establishes bindings only on perimeter interfaces (see IPv6 First Hop Security Perimeter). Binding information is saved in the Neighbor Binding table.
NBI-NDP Method
The NBI-NDP method is based on the FCFS-SAVI method specified in RFC 6620, with the following differences:
•Unlike FCFS-SAVI, which supports binding only for link-local IPv6 addresses, NBI-NDP additionally supports binding of global IPv6 addresses.
•NBI-NDP supports IPv6 address binding only for IPv6 addresses learned from NDP messages. Source address validation for data messages is provided by IPv6 Source Address Guard.
•In NBI-NDP, proof of address ownership is based on the First-Come, First-Served principle. The first host that claims a given source address is the owner of that address until further notice. Since changes to hosts are not acceptable, a way must be found to confirm address ownership without requiring a new protocol. For this reason, whenever an IPv6 address is first learned from an NDP message, the switch binds the address to the interface. Subsequent NDP messages containing this IPv6 address can be checked against the same binding anchor to confirm that the originator owns the source IP address.

The exception to this rule occurs when an IPv6 host roams in the L2 domain or changes its MAC address. In this case, the host is still the owner of the IP address, but the associated binding anchor might have changed. To cope with this case, the defined NBI-NDP behavior verifies whether the host is still reachable by sending DAD-NS messages to the previous binding interface. If the host is no longer reachable at the previously recorded binding anchor, NBI-NDP assumes that the new anchor is valid and changes the binding anchor. If the host is still reachable using the previously recorded binding anchor, the binding interface is not changed.
To reduce the size of the Neighbor Binding table, NBI-NDP establishes bindings only on perimeter interfaces (see IPv6 First Hop Security Perimeter) and distributes binding information through the internal interfaces using NS and NA messages. Before creating an NBI-NDP local binding, the device sends a DAD-NS message querying for the address involved. If a host replies to that message with an NA message, the device that sent the DAD-NS message infers that a binding for that address exists in another device and does not create a local binding for it. If no NA message is received in reply to the DAD-NS message, the local device infers that no binding for that address exists in other devices and creates the local binding for that address.
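The NBI-NDP decision sequence above (bind only on perimeter interfaces, query other perimeter devices with a DAD-NS before creating a local binding, first-come-first-served ownership keyed on the binding anchor, a DAD-NS reachability probe toward the previous anchor when an address shows up somewhere new, and the table-overflow rule) is shown as a small Python model below, together with the NS-forwarding and NA-drop checks that the Attack Protection section later describes. This is an added example, not code from the switch: the two probe callbacks stand in for the real DAD-NS exchanges, and the topology, addresses, and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

Anchor = Tuple[int, str]   # binding anchor: (ifIndex, MAC address)


@dataclass
class Binding:
    anchor: Anchor
    created: int           # monotonic creation stamp, used by the overflow rule


class NeighborBindingTable:
    def __init__(self, perimeter_ifs: Iterable[int], inner_ifs: Iterable[int], max_entries: int,
                 reachable_at: Callable[[str, Anchor], bool],
                 bound_elsewhere: Callable[[str], bool]):
        self.perimeter = set(perimeter_ifs)
        self.inner = set(inner_ifs)
        self.max = max_entries
        self.reachable_at = reachable_at        # stands in for the DAD-NS toward the previous anchor
        self.bound_elsewhere = bound_elsewhere  # stands in for the DAD-NS toward other FHS devices
        self.table: Dict[str, Binding] = {}
        self.clock = 0

    def learn(self, ip: str, ifindex: int, mac: str) -> str:
        """Process the source of a snooped NDP message; return what happened."""
        if ifindex not in self.perimeter:
            return "ignored"        # bindings are established only on perimeter interfaces
        anchor = (ifindex, mac)
        b = self.table.get(ip)
        if b is None:
            if self.bound_elsewhere(ip):
                return "remote"     # another FHS device answered the DAD-NS: no local binding
            self._insert(ip, anchor)
            return "bound"
        if b.anchor == anchor:
            return "confirmed"      # FCFS owner seen again; the lifetime timer would restart here
        if self.reachable_at(ip, b.anchor):
            return "rejected"       # original owner still answers: the claimant is a spoofer
        b.anchor = anchor           # host roamed or changed its MAC: move the binding
        return "moved"

    def _insert(self, ip: str, anchor: Anchor) -> None:
        self.clock += 1
        if len(self.table) >= self.max:
            # overflow rule as stated by the guide: the entry with the highest creation time is overridden
            victim = max(self.table, key=lambda k: self.table[k].created)
            del self.table[victim]
        self.table[ip] = Binding(anchor, self.clock)

    def ns_forward_ifs(self, target_ip: str, in_ifindex: int) -> List[int]:
        """Interfaces on which an NS or DAD-NS for target_ip is forwarded."""
        b = self.table.get(target_ip)
        out = self.inner if b is None else {b.anchor[0]}   # unknown: inner only; known: bound interface only
        return sorted(out - {in_ifindex})

    def na_allowed(self, target_ip: str, in_ifindex: int) -> bool:
        """An NA is dropped when its target address is bound to another interface."""
        b = self.table.get(target_ip)
        return b is None or b.anchor[0] == in_ifindex


def demo():
    # Constructed topology: ports 2 and 3 face hosts (perimeter), port 1 is the inner link.
    alive = {"2001:db8::10": (2, "aa:aa:aa:aa:aa:10")}   # who really answers a DAD-NS probe
    remote = {"2001:db8::99"}                             # addresses already bound on another FHS switch
    t = NeighborBindingTable(
        perimeter_ifs=[2, 3], inner_ifs=[1], max_entries=2,
        reachable_at=lambda ip, anchor: alive.get(ip) == anchor,
        bound_elsewhere=lambda ip: ip in remote)
    events = [
        t.learn("2001:db8::10", 2, "aa:aa:aa:aa:aa:10"),   # bound
        t.learn("2001:db8::10", 3, "aa:aa:aa:aa:aa:bb"),   # rejected: owner still answers on port 2
        t.learn("2001:db8::10", 2, "aa:aa:aa:aa:aa:10"),   # confirmed
        t.learn("2001:db8::99", 3, "aa:aa:aa:aa:aa:99"),   # remote
        t.learn("2001:db8::20", 3, "aa:aa:aa:aa:aa:20"),   # bound
        t.learn("2001:db8::30", 3, "aa:aa:aa:aa:aa:30"),   # bound; table full, newest entry (::20) overridden
        t.learn("fe80::1", 1, "aa:aa:aa:aa:aa:01"),         # ignored: inner interface
    ]
    alive.pop("2001:db8::10")                                       # host unplugged from port 2 ...
    events.append(t.learn("2001:db8::10", 3, "cc:cc:cc:cc:cc:10"))  # ... and reappears on port 3: moved
    forwarding = {
        "ns_unknown": t.ns_forward_ifs("2001:db8::77", 2),   # unknown target: inner interfaces only
        "ns_known": t.ns_forward_ifs("2001:db8::30", 2),     # known target: bound interface only
        "na_spoof": t.na_allowed("2001:db8::30", 2),         # NA from the wrong port is dropped
        "na_ok": t.na_allowed("2001:db8::30", 3),
    }
    return events, forwarding, sorted(t.table)


if __name__ == "__main__":
    ev, fw, entries = demo()
    print(ev, fw, entries, sep="\n")
```

The second `learn` call is the attack the FCFS rule exists for: a second host claims an address that is already bound, the switch probes the recorded anchor, the real owner answers, and the claim is rejected. The final call is the legitimate roaming case, where the probe gets no answer and the anchor moves.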
NBI-NDP supports a lifetime timer. The timer value is configurable in the Neighbor Binding Settings page. The timer is restarted each time the bound IPv6 address is confirmed. If the timer expires, the device sends up to 2 DAD-NS messages at short intervals to validate the neighbor.

NB Integrity Policy
As with the other IPv6 First Hop Security features, NB Integrity behavior on an interface is specified by an NB Integrity policy attached to the interface. These policies are configured in the Neighbor Binding Settings page.

Attack Protection

This section describes the attack protection provided by IPv6 First Hop Security.

Protection against IPv6 Router Spoofing
An IPv6 host can use received RA messages for:
•IPv6 router discovery
•Stateless address configuration
A malicious host could send RA messages advertising itself as an IPv6 router and providing counterfeit prefixes for stateless address configuration. RA Guard protects against such attacks when the interface role is configured as host for all interfaces to which IPv6 routers cannot be connected.

Protection against IPv6 Address Resolution Spoofing
A malicious host could send NA messages advertising itself as the IPv6 host that has a given IPv6 address. NB Integrity protects against such attacks in the following ways:
•If the given IPv6 address is unknown, the Neighbor Solicitation (NS) message is forwarded only on inner interfaces.
•If the given IPv6 address is known, the NS message is forwarded only on the interface to which the IPv6 address is bound.
•A Neighbor Advertisement (NA) message is dropped if the target IPv6 address is bound to another interface.

Protection against IPv6 Duplicate Address Detection Spoofing
An IPv6 host must perform Duplicate Address Detection for each assigned IPv6 address by sending a special NS message, the Duplicate Address Detection Neighbor Solicitation (DAD-NS) message. A malicious host could reply to a DAD-NS message advertising itself as the IPv6 host that has the given IPv6 address. NB Integrity protects against such attacks in the following ways:
•If the given IPv6 address is unknown, the DAD-NS message is forwarded only on inner interfaces.
•If the given IPv6 address is known, the DAD-NS message is forwarded only on the interface to which the IPv6 address is bound.
•An NA message is dropped if the target IPv6 address is bound to another interface.

Protection against DHCPv6 Server Spoofing
An IPv6 host can use the DHCPv6 protocol for:
•Stateless information configuration
•Stateful address configuration
A malicious host could send DHCPv6 reply messages advertising itself as a DHCPv6 server and providing counterfeit stateless information and IPv6 addresses. DHCPv6 Guard protects against such attacks when the interface role is configured as client for all ports to which DHCPv6 servers cannot be connected.

Protection against NDP Cache Spoofing
An IPv6 router maintains a Neighbor Discovery Protocol (NDP) cache that maps IPv6 addresses to MAC addresses for last-hop forwarding.
A malicious host could send IPv6 messages with many different destination IPv6 addresses for last-hop forwarding, causing the NDP cache to overflow. An embedded mechanism in the NDP implementation, which limits the number of entries allowed in the INCOMPLETE state in the Neighbor Discovery cache, provides protection.

Policies, Global Parameters and System Defaults

Each feature of FHS can be enabled or disabled individually. No feature is enabled by default. Features must initially be enabled on specific VLANs. When you enable a feature, you can also define global configuration values for that feature's verification rules. If you do not define a policy containing different values for these verification rules, the global values are used to apply the feature to packets.

Policies
Policies contain the verification rules that are performed on input packets. They can be attached to VLANs and also to ports and LAGs. If the feature is not enabled on a VLAN, the policies have no effect. Policies can be user-defined or default policies (see below).

Default Policies
Empty default policies exist for each FHS feature and are attached by default to all VLANs and interfaces. The default policies are named vlan_default and port_default (for each feature):
•Rules can be added to these default policies. You cannot manually attach default policies to interfaces; they are attached by default.
•Default policies can never be deleted. You can delete only the user-added configuration.

User-Defined Policies
You can define policies other than the default policies.
When a user-defined policy is attached to an interface, the default policy for that interface is detached. When the user-defined policy is detached from the interface, the default policy is reattached.

Policies do not take effect until:
•The feature in the policy is enabled on the VLAN containing the interface.
•The policy is attached to the interface (VLAN, port or LAG). When you attach a policy, the default policy for that interface is detached. When you remove the policy from the interface, the default policy is reattached.

You can attach only one policy (for a specific feature) to a VLAN. You can attach multiple policies (for a specific feature) to an interface if they specify different VLANs.

Levels of Verification Rules
The final set of rules that is applied to an input packet on an interface is built in the following way:
•The rules configured in the policy attached to the interface (port or LAG) on which the packet arrived are added to the set.
•The rules configured in the policy attached to the VLAN are added to the set if they have not been added at the port level.
•The global rules are added to the set if they have not been added at the VLAN or port level.
Rules defined at the port level override the rules set at the VLAN level. Rules defined at the VLAN level override the globally configured rules. The globally configured rules override system defaults.

Common Tasks

First Hop Security Common Work Flow
STEP 1 In the FHS Settings page, enter the list of VLANs on which this feature is enabled.
STEP 2 In this same page, set the Global Packet Drop Logging feature.
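The policy rules in the two sections above (per-feature enablement on VLANs, undeletable and non-attachable default policies, detaching a user policy reattaching the default, one policy per feature per VLAN, several per port when they name different VLANs, and the port > VLAN > global > system-default precedence) are modelled below in Python. This is an added example and not the switch's configuration code; the feature name, rule names, and rule values are constructed and only stand in for whatever a given FHS feature's policy page actually offers.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DEFAULT_POLICIES = ("vlan_default", "port_default")


@dataclass
class Policy:
    name: str
    rules: Dict[str, object] = field(default_factory=dict)


@dataclass
class Feature:
    """One FHS feature (constructed name) with its policies and attachments."""
    name: str
    system_defaults: Dict[str, object]
    global_rules: Dict[str, object] = field(default_factory=dict)
    enabled_vlans: Set[int] = field(default_factory=set)
    policies: Dict[str, Policy] = field(init=False)
    vlan_attach: Dict[int, str] = field(default_factory=dict)             # vlan -> policy name
    port_attach: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (port, vlan) -> policy name

    def __post_init__(self):
        # The empty default policies exist from the start; rules may be added to them.
        self.policies = {n: Policy(n) for n in DEFAULT_POLICIES}

    def define_policy(self, name: str, **rules) -> None:
        if name in DEFAULT_POLICIES:
            raise ValueError("default policies cannot be redefined, only given rules")
        self.policies[name] = Policy(name, dict(rules))

    def delete_policy(self, name: str) -> None:
        if name in DEFAULT_POLICIES:
            raise ValueError("default policies can never be deleted")
        del self.policies[name]
        # wherever it was attached, the default policy is reattached implicitly (see _attached)
        self.vlan_attach = {k: v for k, v in self.vlan_attach.items() if v != name}
        self.port_attach = {k: v for k, v in self.port_attach.items() if v != name}

    def attach_to_vlan(self, vlan: int, name: str) -> None:
        self._check_attachable(name)
        self.vlan_attach[vlan] = name          # only one policy per feature per VLAN: replaces

    def attach_to_port(self, port: str, vlan: int, name: str) -> None:
        self._check_attachable(name)
        self.port_attach[(port, vlan)] = name  # several per port, as long as the VLANs differ

    def detach_from_vlan(self, vlan: int) -> None:
        self.vlan_attach.pop(vlan, None)       # vlan_default takes over again

    def detach_from_port(self, port: str, vlan: int) -> None:
        self.port_attach.pop((port, vlan), None)   # port_default takes over again

    def _check_attachable(self, name: str) -> None:
        if name in DEFAULT_POLICIES:
            raise ValueError("default policies are attached by default and cannot be attached manually")
        if name not in self.policies:
            raise KeyError(name)

    def _attached(self, name: Optional[str], default: str) -> Policy:
        return self.policies.get(name, self.policies[default])

    def effective_rules(self, port: str, vlan: int) -> Optional[Dict[str, object]]:
        """Rule set applied to a packet arriving on `port` in `vlan`; None when the
        feature is not enabled on that VLAN (policies then have no effect)."""
        if vlan not in self.enabled_vlans:
            return None
        # The guide builds the set top-down (port, then VLAN, then global, each only
        # adding rules not yet present); layering bottom-up with dict.update gives
        # the identical result: port > VLAN > global > system defaults.
        rules = dict(self.system_defaults)
        rules.update(self.global_rules)
        rules.update(self._attached(self.vlan_attach.get(vlan), "vlan_default").rules)
        rules.update(self._attached(self.port_attach.get((port, vlan)), "port_default").rules)
        return rules


def demo():
    # Constructed feature, rule names and values.
    f = Feature("ra_guard", system_defaults={"min_hop_limit": 1,
                                             "managed_config_flag": "no-check",
                                             "router_pref_max": "high"})
    f.global_rules = {"min_hop_limit": 64}
    f.enabled_vlans = {10}
    f.define_policy("strict_vlan", min_hop_limit=255, managed_config_flag="off")
    f.define_policy("uplink_port", router_pref_max="medium")
    f.attach_to_vlan(10, "strict_vlan")
    f.attach_to_port("gi1", 10, "uplink_port")
    layered = f.effective_rules("gi1", 10)      # port, VLAN, global and defaults all contribute
    off_vlan = f.effective_rules("gi1", 20)     # feature not enabled on VLAN 20
    f.detach_from_port("gi1", 10)               # empty port_default reattached
    no_port = f.effective_rules("gi1", 10)
    f.delete_policy("strict_vlan")              # empty vlan_default reattached
    globals_only = f.effective_rules("gi1", 10)
    return layered, off_vlan, no_port, globals_only


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Reading the four results in order shows each override level being peeled away: the port policy wins on `router_pref_max`, the VLAN policy on `min_hop_limit` and `managed_config_flag`, and once both are gone only the global value for `min_hop_limit` still differs from the system defaults.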