Cisco Systems SG50028PK9NA Manual De Usuario

Attack Protection

Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 

419

 

NBI-NDP supports a lifetime timer. A value of the timer is configurable in the 
Neighbor Binding Settings page. The timer is restarted each time that the bound 
IPv6 address is confirmed. If the timer expires, the device sends up to 2 DAD-NS 
messages with short intervals to validate the neighbor.

In the same way that other IPv6 First Hop Security features function, NB Integrity 
behavior on a interface is specified by an NB Integrity policy attached to an 
interface. These policies are configured in the Neighbor Binding Settings page.

The section describes attack protection provided by IPv6 First Hop Security

An IPv6 host can use the received RA messages for:

•

IPv6 router discovery

•

Stateless address configuration

A malicious host could send RA messages advertising itself as an IPv6 router and 
providing 

counterfeit prefixes for 

stateless address configuration.

 

RA Guard provides protection against such attacks by configuring the interface 
role as a host interface for all interfaces where IPv6 routers cannot be connected.

A malicious host could send NA messages advertising itself as an IPv6 Host 
having the given IPv6 address.

 

NB Integrity provides protection against such attacks in the following ways: 

•

If the given IPv6 address is unknown, the Neighbor Solicitation (NS) 
message is forwarded only on inner interfaces.

•

If the given IPv6 address is known, the NS message is forwarded only on 
the interface to which the IPv6 address is bound.