IPv6 ND Inspection; IPv6 Device Tracking; IPv6 First-Hop Security Binding Table; Recovery Protocols and Prefix Lists - Cisco Catalyst 3850 Series Configuration Manual

IP Multicast Routing Configuration Guide

IPv6 ND Inspection

IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor
tables. It analyzes neighbor discovery messages in order to build a trusted binding table database, and
drops IPv6 neighbor discovery messages that do not have valid bindings. A neighbor discovery message is
considered trustworthy if its IPv6-to-MAC mapping can be verified against that binding table.
This feature mitigates some of the inherent vulnerabilities of the neighbor discovery mechanism, such as
attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

IPv6 Device Tracking

IPv6 device tracking provides IPv6 host liveness tracking so that a neighbor table can be immediately updated
when an IPv6 host disappears.

IPv6 First-Hop Security Binding Table

The IPv6 First-Hop Security Binding Table recovery mechanism feature enables the binding table to recover
in the event of a device reboot. A database table of IPv6 neighbors connected to the device is created from
information sources such as ND snooping. This database, or binding table, is used by the various IPv6 guard
features to validate the link-layer address (LLA), the IPv4 or IPv6 address, and the prefix binding of the
neighbors, in order to prevent spoofing and redirect attacks.
After a reboot the binding table is empty, and the recovery mechanism blocks any data traffic sourced from
an unknown source; that is, a source not already present in the binding table and previously learned through
ND or DHCP gleaning. The feature recovers the missing binding table entries when the resolution for a
destination address fails in the destination guard. When such a failure occurs, a binding table entry is
recovered by querying the DHCP server or the destination host itself, depending on the configuration.

Recovery Protocols and Prefix Lists

The IPv6 First-Hop Security Binding Table Recovery Mechanism feature introduces the capability to provide
a prefix list that is matched before recovery is attempted, separately for DHCP and for NDP.
If an address does not match the prefix list associated with a protocol, recovery of the binding table entry
is not attempted with that protocol. The prefix list should correspond to the prefixes that are valid for
address assignment in the Layer 2 domain using that protocol: an address outside both lists is never recovered
by lookup, so its entry stays missing, and its traffic stays blocked, until the host is gleaned again from its
own ND or DHCP messages. The default is that there is no prefix list, in which case recovery is attempted for
all addresses. The command to associate a prefix list with a protocol is
protocol {dhcp | ndp} [prefix-list prefix-list-name].

IPv6 Address Glean

IPv6 address glean is the foundation for many other IPv6 features that depend on an accurate binding table.
It inspects ND and DHCP messages on a link to glean addresses, and then populates the binding table with
these addresses. This feature also enforces address ownership and limits the number of addresses any given
node is allowed to claim.
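The following configuration is an added example, not taken from the Cisco guide, that ties the sections above together on a Catalyst 3850 running IOS XE 3.6E: one ipv6 snooping policy that enforces ND inspection (security-level guard), enables device tracking, caps the number of addresses a host may claim (address glean), and scopes binding-table recovery to the prefixes valid on the segment with the protocol {dhcp | ndp} prefix-list command. The policy and prefix-list names, interface numbers, timers, address limit, and the 2001:db8::/32 documentation prefixes are assumptions; the snooping-policy keywords are the editor's recollection of this release's syntax and should be checked against the command reference before use.

```cisco
! Added example, not from the Cisco guide. Names, interfaces, timers and
! prefixes are assumptions; check the syntax against your release.
!
! Prefixes legitimately assigned on this Layer 2 domain (RFC 3849
! documentation space standing in for real prefixes):
!   2001:db8:10::/64  advertised in RAs, hosts use SLAAC  -> NDP recovery
!   2001:db8:20::/64  DHCPv6 pool                         -> DHCP recovery
ipv6 prefix-list NDP-RECOVERY permit 2001:db8:10::/64
ipv6 prefix-list DHCP-RECOVERY permit 2001:db8:20::/64
!
! Policy for access ports.
ipv6 snooping policy HOST-PORTS
 device-role node
 ! guard: build the binding table from gleaned ND/DHCP and drop ND
 ! messages whose IPv6-to-MAC mapping does not match it (ND inspection)
 security-level guard
 ! device tracking: probe bindings so a host that disappears is aged out
 tracking enable reachable-lifetime 300
 ! address glean: cap how many addresses one node may claim
 limit address-count 10
 ! binding-table recovery: only look up addresses inside these prefixes
 ! (without the prefix-list keyword, recovery is attempted for any address)
 protocol ndp prefix-list NDP-RECOVERY
 protocol dhcp prefix-list DHCP-RECOVERY
!
! Policy for the uplink to the distribution switch: trusted, so the guard
! is not applied to traffic arriving from the rest of the network.
ipv6 snooping policy UPLINK
 device-role switch
 trusted-port
!
interface range GigabitEthernet1/0/1 - 24
 ipv6 snooping attach-policy HOST-PORTS
!
interface TenGigabitEthernet1/1/1
 ipv6 snooping attach-policy UPLINK
!
! Checks after the switch reboots:
!   show ipv6 snooping policies    policies and the ports they are attached to
!   show ipv6 neighbors binding    entries repopulate as gleaning and recovery run
```

Keep the two prefix lists in step with the router's RA prefixes and the DHCPv6 pools: a prefix that is assigned on the VLAN but missing from the list is the failure mode to watch for, because hosts in it are never recovered by lookup after a reboot and stay blocked until they send ND or DHCP traffic that can be gleaned. Leaving the prefix-list keyword off is the weaker setting, since the switch then issues recovery queries for any destination address that fails resolution, including ones no legitimate host on the segment could hold.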
OL-32598-01
IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)
Information About IPv6 Snooping
245