IPv6 Snooping; Overview of IPv6 Snooping; Guidelines and Limitations for IPv6 Snooping - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x
IPv6 Snooping

Overview of IPv6 Snooping

The IPv6 snooping feature bundles several Layer 2 IPv6 first-hop security features, which operate at Layer 2,
or between Layer 2 and Layer 3, and provide IPv6 with security and scalability. This feature mitigates
some of the inherent vulnerabilities of the neighbor discovery mechanism, such as attacks on duplicate address
detection (DAD), address resolution, device discovery, and the neighbor cache.
IPv6 snooping learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables
and analyzes snooping messages in order to build a trusted binding table. IPv6 snooping messages that do not
have valid bindings are dropped. An IPv6 snooping message is considered trustworthy if its IPv6-to-MAC
mapping is verifiable.
When IPv6 snooping is configured on a target (which varies depending on platform target support and may
include device ports, switch ports, Layer 2 interfaces, Layer 3 interfaces, and VLANs), capture instructions
are downloaded to the hardware to redirect the snooping protocol and Dynamic Host Configuration Protocol
(DHCP) for IPv6 traffic up to the switch integrated security features (SISF) infrastructure in the routing device.
For snooping traffic, Neighbor Discovery Protocol (NDP) messages are directed to SISF. For DHCPv6, UDP
messages sourced from the dhcpv6_client and dhcpv6_server ports are redirected.
IPv6 snooping registers its "capture rules" with the classifier, which aggregates all rules from all features on a
given target and installs the corresponding ACL into the platform-dependent modules. Upon receiving
redirected traffic, the classifier calls all entry points of every registered feature (for the target on which the
traffic is being received), including the IPv6 snooping entry point. This entry point is the last to be called, so
any decision (such as drop) made by another feature supersedes the IPv6 snooping decision.
IPv6 snooping provides IPv6 host liveness tracking so that a neighbor table can be updated immediately when
an IPv6 host disappears.
Additionally, IPv6 snooping is the foundation for many other IPv6 features that depend on an accurate binding
table. It inspects snooping and DHCP messages on a link to glean addresses, and then populates the binding
table with these addresses. This feature also enforces address ownership and limits the number of addresses
any given node is allowed to claim.
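To make the binding-table behaviour described above concrete, the following Python model is added here as an illustration; it is not Cisco's code and not the SISF implementation. It gleans bindings from DAD neighbor solicitations and DHCPv6 server replies, drops messages whose IPv6-to-MAC mapping conflicts with a learned binding or that have no valid binding at all, caps the number of addresses one node may claim, and clears a node's bindings when liveness tracking reports that it left. The message kinds, the per-node limit and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass, field

# Message kinds that may create a binding: a SLAAC claim (DAD neighbor
# solicitation) or an address handed out by a DHCPv6 server. Assumed names.
LEARNING_KINDS = {"NS-DAD", "DHCPv6-REPLY"}


@dataclass
class Binding:
    ipv6: str
    mac: str
    port: str


@dataclass
class SnoopingTable:
    """Simplified binding table: IPv6 address -> (MAC, ingress port)."""
    max_addrs_per_node: int = 3  # assumed policy limit, not a value from the page
    bindings: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def addresses_of(self, mac: str) -> list:
        return [ip for ip, b in self.bindings.items() if b.mac == mac]

    def inspect(self, msg: dict) -> bool:
        """Process one redirected NDP/DHCPv6 message; True = forwarded, False = dropped."""
        kind, ip, mac, port = msg["kind"], msg["ipv6"], msg["mac"], msg["port"]
        known = self.bindings.get(ip)
        if known is not None:
            # Address already bound: trustworthy only if the IPv6-to-MAC mapping matches.
            if known.mac == mac:
                return True
            self.dropped.append((kind, ip, mac, "conflicts with existing binding"))
            return False
        if kind not in LEARNING_KINDS:
            # No binding yet and this message kind cannot establish one: drop it.
            self.dropped.append((kind, ip, mac, "no valid binding"))
            return False
        if len(self.addresses_of(mac)) >= self.max_addrs_per_node:
            # Enforce the per-node cap on claimed addresses.
            self.dropped.append((kind, ip, mac, "address limit exceeded"))
            return False
        self.bindings[ip] = Binding(ip, mac, port)
        return True

    def host_left(self, mac: str) -> int:
        """Liveness tracking: remove every binding of a node that disappeared."""
        gone = self.addresses_of(mac)
        for ip in gone:
            del self.bindings[ip]
        return len(gone)
```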

Guidelines and Limitations for IPv6 Snooping

The guidelines and limitations of IPv6 Snooping are as follows:
• You must perform the same configurations on both the vPC peers. Automatic consistency checker for
IPv6 snooping is not supported.
• The IPv6 Snooping feature is supported only in hardware when the ternary content addressable memory
(TCAM) is programmed.
• This feature can be configured on a switch port interface or VLAN only on the ingress port.
• For IPv6 Snooping to learn DHCP bindings, it must see both server and client replies. An IPv6 snooping
policy must be attached to both the client-facing interface (or VLAN) and the DHCP server-facing
interface (or VLAN). In the case of DHCP Relay, an IPv6 Snooping policy must be attached at
the VLAN level to see the server replies.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
376
