- First hop
  - The segment between an end host and its default gateway.
- Security
  - Protects against internal threats at the access layer.
  - Both IPv4 and IPv6 have a vulnerable control plane at the access layer:
    - IPv4
      - ARP
      - DHCP
    - IPv6
      - Neighbor Discovery (ICMPv6)
      - Duplicate Address Detection (DAD)
      - SLAAC
      - DHCPv6
- ICMPv6 ND
  - Replaces ARP from IPv4.
  - ND uses four messages for neighbor and router discovery where ARP has two (request/reply); a fifth ND type, Redirect, also exists.
  - NS – Neighbor Solicitation
    - Ask for a neighbor's link-layer address (also used for DAD and reachability checks).
  - NA – Neighbor Advertisement
    - Advertise your own address-to-link-layer mapping to neighbors.
  - RS – Router Solicitation
    - Ask the local routers to send an RA now.
  - RA – Router Advertisement
    - Advertise yourself as an active router (prefixes, flags, router lifetime).
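The four messages above as they appear on the wire, as an added example that is not part of the original notes: a builder and decoder for RS/RA/NS/NA with the ICMPv6 checksum computed over the IPv6 pseudo-header (RFC 4861 message layout, RFC 8200 checksum). The MAC addresses, link-local addresses and the 2001:db8:1::/64 prefix are constructed sample values; the exchange is a host soliciting a router (RS/RA) and then resolving the router's link-layer address (NS/NA).

```python
"""Build and decode the four ICMPv6 Neighbor Discovery messages (RFC 4861)."""
import struct
from ipaddress import IPv6Address

ICMPV6 = 58                      # IPv6 next-header value for ICMPv6
RS, RA, NS, NA = 133, 134, 135, 136
NAMES = {RS: "RS", RA: "RA", NS: "NS", NA: "NA"}
OPT_SLLA, OPT_TLLA, OPT_PREFIX = 1, 2, 3


def icmpv6_checksum(src: IPv6Address, dst: IPv6Address, payload: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(payload), ICMPV6) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def lladdr_opt(kind: int, mac: str) -> bytes:
    """Source (1) / Target (2) Link-Layer Address option: type, length in 8-octet units, MAC."""
    return struct.pack("!BB6s", kind, 1, bytes.fromhex(mac.replace(":", "")))


def prefix_opt(prefix: str, plen: int, valid: int, preferred: int) -> bytes:
    """Prefix Information option; flags 0xC0 = on-link + autonomous (usable for SLAAC)."""
    return struct.pack("!BBBBIII", OPT_PREFIX, 4, plen, 0xC0, valid, preferred, 0) + IPv6Address(prefix).packed


def build_nd(src: str, dst: str, kind: int, body: bytes, options: bytes = b"") -> bytes:
    """Assemble an ND message (type, code 0, checksum, body, options) with the checksum filled in."""
    msg = struct.pack("!BBH", kind, 0, 0) + body + options
    cksum = icmpv6_checksum(IPv6Address(src), IPv6Address(dst), msg)
    return msg[:2] + struct.pack("!H", cksum) + msg[4:]


def parse_nd(src: str, dst: str, pkt: bytes) -> dict:
    """Decode type, fixed fields and options. An intact message re-checksums to zero."""
    kind = pkt[0]
    out = {"type": NAMES.get(kind, kind), "options": [],
           "checksum_ok": icmpv6_checksum(IPv6Address(src), IPv6Address(dst), pkt) == 0}
    if kind == RA:
        out["hop_limit"], flags, out["router_lifetime"], _, _ = struct.unpack("!BBHII", pkt[4:16])
        out["managed"], out["other"] = bool(flags & 0x80), bool(flags & 0x40)   # M and O flags
        off = 16
    elif kind in (NS, NA):
        if kind == NA:
            word = struct.unpack("!I", pkt[4:8])[0]                              # R, S, O flags
            out["router"], out["solicited"], out["override"] = (
                bool(word & 0x80000000), bool(word & 0x40000000), bool(word & 0x20000000))
        out["target"] = str(IPv6Address(pkt[8:24]))
        off = 24
    else:                                                                         # RS: 4 reserved bytes
        off = 8
    while off + 8 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")      # RFC 4861 4.6: must be discarded
        data = pkt[off + 2:off + olen * 8]
        if otype in (OPT_SLLA, OPT_TLLA):
            out["options"].append(("lladdr", data[:6].hex(":")))
        elif otype == OPT_PREFIX:                           # plen, flags, valid, preferred, reserved, prefix
            out["options"].append(("prefix", "%s/%d" % (IPv6Address(data[14:30]), data[0])))
        off += olen * 8
    return out


# Constructed sample exchange: a host joining a segment and finding its router.
HOST_MAC, ROUTER_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
HOST_LL, ROUTER_LL = "fe80::211:22ff:fe33:4455", "fe80::2aa:bbff:fecc:ddee"


def sample_exchange():
    """Return (src, dst, packet) for RS -> RA -> NS -> NA."""
    rs = build_nd(HOST_LL, "ff02::2", RS, b"\0" * 4, lladdr_opt(OPT_SLLA, HOST_MAC))
    ra = build_nd(ROUTER_LL, "ff02::1", RA, struct.pack("!BBHII", 64, 0x00, 1800, 0, 0),
                  lladdr_opt(OPT_SLLA, ROUTER_MAC) + prefix_opt("2001:db8:1::", 64, 86400, 14400))
    ns = build_nd(HOST_LL, "ff02::1:ffcc:ddee", NS, b"\0" * 4 + IPv6Address(ROUTER_LL).packed,
                  lladdr_opt(OPT_SLLA, HOST_MAC))                                  # solicited-node group
    na = build_nd(ROUTER_LL, HOST_LL, NA, struct.pack("!I", 0xE0000000) + IPv6Address(ROUTER_LL).packed,
                  lladdr_opt(OPT_TLLA, ROUTER_MAC))                                # R=1 S=1 O=1
    return [(HOST_LL, "ff02::2", rs), (ROUTER_LL, "ff02::1", ra),
            (HOST_LL, "ff02::1:ffcc:ddee", ns), (ROUTER_LL, HOST_LL, na)]


if __name__ == "__main__":
    for src, dst, pkt in sample_exchange():
        print(parse_nd(src, dst, pkt))
```

Nothing in these messages is authenticated: any node on the segment can emit an RA with its own prefix and lifetime, or an NA with someone else's target address, which is why the guard features below exist.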
- Router Advertisement Guard
  - Hosts dynamically discover their default gateway from NDP RA messages, so a forged RA can redirect their traffic.
  - Prevents router spoofing on the segment.
  - Prevents prefix spoofing on the segment.
  - Policy can be applied at the VLAN or port level.
  - The policy states, per interface, what is expected on the other end (the device role), i.e. a legitimate router or a host.
- DHCPv6 Guard
  - DHCPv6 does not assign a default router the way DHCPv4 does; the default router is learned through SLAAC from the RA.
  - Similar in scope to IPv4 DHCP Snooping.
  - Prevents DHCPv6 server spoofing (rogue Advertise/Reply messages).
  - Policy can be applied at the VLAN or port level.
- IPv6 Snooping
  - IPv6-to-MAC resolution is done through Neighbor Discovery NS/NA messages, so those are what has to be inspected.
  - Similar to Dynamic ARP Inspection.
  - Inspects DHCPv6 and NDP messages.
  - Builds a binding table (IPv6 address, MAC, VLAN, interface) through IPv6 neighbor tracking.
  - Prevents host address spoofing on the segment.
  - Optionally enables basic RA Guard and DHCPv6 Guard.
  - Optionally inspects data packets to glean neighbor bindings.
  - Manual (static) bindings can be added.
  - Policy can be applied at the VLAN or port level.
- IPv6 Source Guard
  - Similar in scope to IPv4 Source Guard.
  - Relies on IPv6 Snooping to build the IPv6 neighbor binding table.
  - Automatically creates an IPv6 PACL that filters source addresses against the neighbor binding table.
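How RA Guard, DHCPv6 Guard, IPv6 Snooping and Source Guard fit together, as an added example that is not part of the original notes and is not any vendor's implementation: a model of the checks a switch applies to frames it has already parsed, with per-port device roles, a permitted-prefix list, a binding table learned from NS/NA, static bindings, and a source check derived from that table. The port names, roles, MAC and IPv6 addresses and the frame sequence are constructed assumptions; the `Frame` type stands in for the fields the hardware extracts.

```python
"""Model of the First Hop Security checks above, applied to frames a switch has already parsed."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Tuple

RA, NS, NA = 134, 135, 136
DHCPV6_SERVER_PORT = 547          # UDP source port of server-side DHCPv6 messages


@dataclass(frozen=True)
class Frame:
    """Constructed ingress frame, reduced to the fields the checks look at."""
    port: str
    src_mac: str
    src_ip: str
    icmpv6_type: Optional[int] = None   # 134 RA, 135 NS, 136 NA
    ra_prefix: Optional[str] = None     # prefix carried in an RA
    udp_sport: Optional[int] = None     # 547 marks a DHCPv6 Advertise/Reply
    data: bool = False                  # ordinary data traffic (Source Guard applies)


class FirstHopSecurity:
    def __init__(self, roles: dict, ra_prefixes, max_bindings_per_port: int = 4):
        self.roles = roles                                  # port -> "host" | "router" | "dhcp-server"
        self.ra_prefixes = [IPv6Network(p) for p in ra_prefixes]
        self.max_bindings = max_bindings_per_port
        self.bindings = {}                                  # ip -> (mac, port, origin)

    def add_static_binding(self, ip: str, mac: str, port: str) -> None:
        self.bindings[str(IPv6Address(ip))] = (mac.lower(), port, "static")

    def _ra_guard(self, f: Frame) -> Optional[str]:
        if self.roles.get(f.port) != "router":
            return "RA Guard: RA received on a port whose device-role is not router"
        if f.ra_prefix and IPv6Network(f.ra_prefix) not in self.ra_prefixes:
            return "RA Guard: advertised prefix %s not permitted" % f.ra_prefix
        return None

    def _dhcpv6_guard(self, f: Frame) -> Optional[str]:
        if self.roles.get(f.port) != "dhcp-server":
            return "DHCPv6 Guard: server message from a non-server port"
        return None

    def _snooping(self, f: Frame) -> Optional[str]:
        """Neighbor tracking: bind (ip, mac, port) from NS/NA; a conflicting claim is a spoof."""
        ip = str(IPv6Address(f.src_ip))
        if ip == "::":                                      # DAD probe: unspecified source, nothing to bind
            return None
        known = self.bindings.get(ip)
        if known is not None:
            if known[:2] != (f.src_mac.lower(), f.port):
                return "IPv6 Snooping: %s already bound to %s on %s" % (ip, known[0], known[1])
            return None
        if sum(1 for _, p, _ in self.bindings.values() if p == f.port) >= self.max_bindings:
            return "IPv6 Snooping: address limit reached on %s" % f.port
        self.bindings[ip] = (f.src_mac.lower(), f.port, "dynamic")
        return None

    def _source_guard(self, f: Frame) -> Optional[str]:
        """Port ACL derived from the binding table: a source the port never proved is dropped."""
        known = self.bindings.get(str(IPv6Address(f.src_ip)))
        if known is None or known[:2] != (f.src_mac.lower(), f.port):
            return "Source Guard: %s/%s not bound on %s" % (f.src_ip, f.src_mac, f.port)
        return None

    def process(self, f: Frame) -> Tuple[str, str]:
        if f.icmpv6_type == RA:
            reason = self._ra_guard(f)
        elif f.udp_sport == DHCPV6_SERVER_PORT:
            reason = self._dhcpv6_guard(f)
        elif f.icmpv6_type in (NS, NA):
            reason = self._snooping(f)
        elif f.data and self.roles.get(f.port) == "host":
            reason = self._source_guard(f)
        else:
            reason = None
        return ("drop", reason) if reason else ("forward", "")


def demo():
    """Constructed traffic on a switch with one router port, one DHCPv6 server port and two host ports."""
    fhs = FirstHopSecurity(
        roles={"Gi1/0/24": "router", "Gi1/0/23": "dhcp-server", "Gi1/0/1": "host", "Gi1/0/2": "host"},
        ra_prefixes=["2001:db8:1::/64"])
    rtr, a, b = "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    frames = [
        Frame("Gi1/0/24", rtr, "fe80::1", icmpv6_type=RA, ra_prefix="2001:db8:1::/64"),    # legitimate RA
        Frame("Gi1/0/2", b, "fe80::2", icmpv6_type=RA, ra_prefix="2001:db8:1::/64"),       # rogue RA from a host
        Frame("Gi1/0/24", rtr, "fe80::1", icmpv6_type=RA, ra_prefix="2001:db8:bad::/64"),  # wrong prefix
        Frame("Gi1/0/1", a, "2001:db8:1::10", icmpv6_type=NA),                            # binding learned
        Frame("Gi1/0/2", b, "2001:db8:1::10", icmpv6_type=NA),                            # same address, other host
        Frame("Gi1/0/2", b, "::", icmpv6_type=NS),                                        # DAD probe
        Frame("Gi1/0/2", b, "fe80::2", udp_sport=DHCPV6_SERVER_PORT),                     # rogue DHCPv6 server
        Frame("Gi1/0/23", "00:de:ad:be:ef:00", "fe80::53", udp_sport=DHCPV6_SERVER_PORT), # real server
        Frame("Gi1/0/1", a, "2001:db8:1::10", data=True),                                 # bound source
        Frame("Gi1/0/2", b, "2001:db8:1::10", data=True),                                 # spoofed source
    ]
    results = [fhs.process(f) for f in frames]
    fhs.add_static_binding("2001:db8:1::20", b, "Gi1/0/2")                                # manual binding
    results.append(fhs.process(Frame("Gi1/0/2", b, "2001:db8:1::20", data=True)))
    return results


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

Two details worth noticing: a DAD probe carries the unspecified source `::` and must pass through untouched, since binding it would block every host's address acquisition, and the Source Guard verdict only becomes useful once snooping (or a static binding) has populated the table, which is why the notes say Source Guard relies on IPv6 Snooping. A real switch policy also matches RA hop limit, M/O flags and router preference, and rate-limits or counts violations per port.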