IPv6 Global Policies
IPv6 global policies provide storage and access policy database services. IPv6 ND inspection and IPv6 RA
guard are IPv6 global policies features. Every time an ND inspection or RA guard is configured globally, the
policy attributes are stored in the software policy database. The policy is then applied to an interface, and the
software policy database entry is updated to include this interface to which the policy is applied.
IPv6 RA Guard
The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted
or rogue RA guard messages that arrive at the network device platform. RAs are used by devices to announce
themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by
unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA
guard feature compares configuration information on the Layer 2 (L2) device with the information found in
the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect
frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame
content is not validated, the RA is dropped.
Information About IPv6 Snooping
IPv6 Neighbor Discovery Inspection
The IPv6 Neighbor Discovery Inspection, or IPv6 "snooping," feature bundles several Layer 2 IPv6 first-hop
security features, including IPv6 Address Glean and IPv6 Device Tracking. IPv6 neighbor discovery (ND)
inspection operates at Layer 2, or between Layer 2 and Layer 3, and provides IPv6 features with security and
scalability. This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism,
such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor
cache.
IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor
tables and analyzes ND messages in order to build a trusted binding table. IPv6 ND messages that do not have
valid bindings are dropped. An ND message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.
When IPv6 ND inspection is configured on a target (which varies depending on platform target support and
may include device ports, switch ports, Layer 2 interfaces, Layer 3 interfaces, and VLANs), capture instructions
are downloaded to the hardware to redirect the ND protocol and Dynamic Host Configuration Protocol (DHCP)
for IPv6 traffic up to the switch integrated security features (SISF) infrastructure in the routing device. For
ND traffic, messages such as NS, NA, RS, RA, and REDIRECT are directed to SISF. For DHCP, UDP
messages sourced from port 546 or 547 are redirected.
IPv6 ND inspection registers its "capture rules" to the classifier, which aggregates all rules from all features
on a given target and installs the corresponding ACL down into the platform-dependent modules. Upon
receiving redirected traffic, the classifier calls all entry points from any registered feature (for the target on
which the traffic is being received), including the IPv6 ND inspection entry point. This entry point is the last
to be called, so any decision (such as drop) made by another feature supersedes the IPv6 ND inspection
decision.
IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)
244 OL-32598-01
Configuring Wireless Multicast
IPv6 Global Policies
To Next Page
Loading...
Need help?
General