• First hop
    • Segment between end host and default gateway.
  • Security
    • Prevent against internal threats at access layer
  • Both IPv4/6 have vulnerable control plane at access-layer.
    • IPv4
      • ARP
      • DHCP
    • IPv6
      • Neighbor Discovery (icmpv6)
      • Duplicate Address Detection (DAD)
      • SLAAC
      • DHCPv6
  • ICMPv6 ND
    • Replaces ARP in v4
    • ICMPv6 ND uses 4 messages instead of 2 (like arp request/reply)
      • NS – Neighbor Solicitation
        • ask for neighbor info
      • NA – Neighbor Advertisement
        • Advertise yourself to other neighbors
      • RS – Router solicitation
        • Ask info about local routers
      • RA – Router Advertisement
        • Advertise yourself as an active router
  • Router Advertisement Guard
    • Hosts dynamically discover default gateway based on NDP RA messages.
      • Prevents router spoofing on segment.
      • Prevents prefix spoofing on segment
      • Policy can be applied at VLAN or port level.
      • Says on interface level what’s on the other end
        • ie. Proper router or host.
  • DHCPv6 Guard
    • DHCPv6 does not assign default-router like IPv4.
      • Default router is learned through SLAAC from RA.
    • Similar in scope to DHCP Snooping.
    • Prevents DHCPv6 server spoofing.
    • Policy can be applied at VLAN or port level.
  • IPv6 Snooping:
    • IPv6 to MAC resolution achieved through Neighbor Discovery NS/NA messages.
      • Similar to dynamic arp inspection.
    • Inspects DHCPv6 and NDP messages.
      • Performs binding table through v6 neighbor tracking.
      • Prevents host spoofing on segment.
      • Optionally enables basic RA Guard and DHCPv6 Guard
      • Optionally can inspect data packets to perform neighbor binding.
    • Manual bindings can be completed.
    • Policy can be applied at VLAN or port level.
  • IPv6 Source-Guard
    • Similar in scope to IPv4 Source Guard
      • Relies on v6 snooping to create v6 neighbor binding table.
      • Creates automatic v6 PACL to filter sources based on neighbor binding table.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s