Introduction
IP-MAC binding entries
The device mitigates user spoofing attacks by using an IP-MAC binding table to filter out illegitimate packets whose source IPv6 address or source MAC address is forged: a packet is forwarded only if both source fields agree with a binding entry.
ND
The IPv6 neighbor discovery (ND) process uses ICMPv6 messages for address resolution, neighbor reachability verification, duplicate address detection, router discovery, and redirects. The neighbor entries the device learns from these messages are also the source for bulk generation of IP-MAC binding entries.
Table 1 describes the ICMPv6 messages used by the IPv6 ND protocol.
Table 1 ICMPv6 messages used by ND

ICMPv6 message | Type | Function |
---|---|---|
Neighbor Solicitation (NS) | 135 | Acquires the link-layer address of a neighbor on the local link; verifies the reachability of a neighbor; detects duplicate addresses. |
Neighbor Advertisement (NA) | 136 | Responds to an NS message; notifies neighboring nodes of link-layer address changes. |
Router Solicitation (RS) | 133 | Requests an address prefix and other configuration information for autoconfiguration after startup. |
Router Advertisement (RA) | 134 | Responds to an RS message; advertises information such as Prefix Information options and flag bits. |
Redirect | 137 | Informs the source host of a better next hop on the path to a particular destination when certain conditions are met. |
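To make the NS/NA exchange in Table 1 concrete, the following added example (not code from the original page or from the device vendor) builds a Neighbor Solicitation and the matching Neighbor Advertisement with the standard ICMPv6 checksum over the IPv6 pseudo-header, then parses them back into the (neighbor IPv6 address, link-layer address) pair that a dynamic neighbor entry would store. The addresses and MACs are constructed sample data; the wire layout follows RFC 4861/4443 and is not specific to any device.

```python
"""Build and parse the ICMPv6 NS/NA messages used by IPv6 neighbor discovery.

Added example: not code from the original page or the device vendor. All
addresses and MACs used here are constructed sample data.
"""
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ICMPV6_NEXT_HEADER = 58
OPT_SOURCE_LLADDR = 1   # Source Link-Layer Address option (carried in NS)
OPT_TARGET_LLADDR = 2   # Target Link-Layer Address option (carried in NA)


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 checksum: one's complement sum over the IPv6 pseudo-header plus the message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(src: str, dst: str, msg: bytes) -> bool:
    """A message whose checksum field is already correct sums to zero."""
    return icmpv6_checksum(src, dst, msg) == 0


def _lladdr_option(opt_type: int, mac: str) -> bytes:
    # Option length is in units of 8 octets: 2-byte header + 6-byte MAC = 1 unit.
    return bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _finish(src: str, dst: str, body: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of a message built with that field zeroed."""
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def build_ns(src: str, dst: str, target: str, src_mac: str) -> bytes:
    """Neighbor Solicitation (type 135): asks who holds <target>, announcing the sender's MAC."""
    body = (struct.pack("!BBHI", 135, 0, 0, 0)            # type, code, checksum=0, reserved
            + ipaddress.IPv6Address(target).packed
            + _lladdr_option(OPT_SOURCE_LLADDR, src_mac))
    return _finish(src, dst, body)


def build_na(src: str, dst: str, target: str, target_mac: str, solicited: bool = True) -> bytes:
    """Neighbor Advertisement (type 136): answers an NS for <target> with its MAC."""
    flags = (0x40 if solicited else 0x00) | 0x20          # S (solicited) and O (override) bits
    body = (struct.pack("!BBHB3x", 136, 0, 0, flags)      # flags byte, then 3 reserved bytes
            + ipaddress.IPv6Address(target).packed
            + _lladdr_option(OPT_TARGET_LLADDR, target_mac))
    return _finish(src, dst, body)


def parse_nd(src: str, dst: str, msg: bytes) -> dict:
    """Parse an NS or NA and return the (neighbor, link-layer address) pair a neighbor
    entry would learn from it. Raises ValueError on a bad checksum or malformed options."""
    if not checksum_ok(src, dst, msg):
        raise ValueError("bad ICMPv6 checksum")
    msg_type = msg[0]
    if msg_type not in (135, 136):
        raise ValueError("not NS/NA: ICMPv6 type %d (%s)" % (msg_type, ND_TYPES.get(msg_type, "?")))
    target = str(ipaddress.IPv6Address(msg[8:24]))
    options = {}
    pos = 24
    while pos + 2 <= len(msg):
        opt_type, opt_len = msg[pos], msg[pos + 1]
        if opt_len == 0 or pos + opt_len * 8 > len(msg):
            raise ValueError("malformed ND option")      # RFC 4861: discard the packet
        options[opt_type] = msg[pos + 2:pos + opt_len * 8]
        pos += opt_len * 8
    if msg_type == 135:
        neighbor, mac = src, options.get(OPT_SOURCE_LLADDR)     # NS: the sender is the neighbor
    else:
        neighbor, mac = target, options.get(OPT_TARGET_LLADDR)  # NA: the target is the neighbor
    return {
        "type": ND_TYPES[msg_type],
        "target": target,
        "neighbor": neighbor,
        "lladdr": ":".join("%02x" % b for b in mac) if mac else None,
    }


if __name__ == "__main__":
    # Constructed sample exchange: host A (fe80::1) resolves host B (fe80::2).
    ns = build_ns("fe80::1", "ff02::1:ff00:2", "fe80::2", "00:11:22:33:44:55")
    na = build_na("fe80::2", "fe80::1", "fe80::2", "66:77:88:99:aa:bb")
    print(parse_nd("fe80::1", "ff02::1:ff00:2", ns))
    print(parse_nd("fe80::2", "fe80::1", na))
```

Note that nothing in the NA itself proves the sender owns the target address: the link-layer address in the option is whatever the sender put there, which is why a device that learns neighbor entries from these messages benefits from the IP-MAC binding checks described below.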
Restrictions and guidelines
Restrictions and guidelines: IP-MAC binding entries
IP-MAC binding entries can be created manually or generated in bulk.
· Manual creation—You can create IP-MAC binding entries one by one. This method suits only networks with few hosts.
· Bulk generation—You can configure the device to generate IP-MAC binding entries in bulk from the ND entries on an interface. This method suits networks with many hosts.
Configure IP-MAC binding entries on the device to improve communication security. Upon receiving a packet, the device compares the packet's source IPv6 address and source MAC address with the IP-MAC binding entries:
· If the source IPv6 address and source MAC address match the same IP-MAC binding entry, the device forwards the packet.
· In the following situations, the device treats the packet as forged and drops it:
  · Only the source IPv6 address or only the source MAC address matches a binding entry.
  · The source IPv6 address and the source MAC address match two different binding entries.
· If neither the source IPv6 address nor the source MAC address matches any IP-MAC binding entry, the device permits or drops the packet according to the configured default action.
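The decision rules above, as an added example (not code from the original page or from the device vendor): a small binding table that supports both manual creation and bulk generation from a list of learned ND entries, and a check that returns one of the three outcomes (forward, drop as forged, or default action). The hosts, addresses and packets are constructed sample data; the class and method names are assumptions for illustration and do not correspond to any device command.

```python
"""Source IPv6/MAC filtering against an IP-MAC binding table.

Added example: not code from the original page or the device vendor. The
binding entries and packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward"                          # both fields match the same binding entry
    DROP_FORGED = "drop (forged)"                # one field matches, or the two match different entries
    DEFAULT_PERMIT = "permit (default action)"   # neither field is bound, default action = permit
    DEFAULT_DROP = "drop (default action)"       # neither field is bound, default action = drop


@dataclass(frozen=True)
class Binding:
    ipv6: str
    mac: str


def norm_ip(addr: str) -> str:
    """Canonical (compressed) text form so 2001:DB8:0:0::1 and 2001:db8::1 compare equal."""
    return ipaddress.IPv6Address(addr).compressed


def norm_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form; accepts ':' or '-' separators."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class BindingTable:
    """IP-MAC binding table implementing the match rules described in the text."""

    def __init__(self, default_permit: bool = False):
        self.default_permit = default_permit
        self._by_ip = {}
        self._by_mac = {}

    def add(self, ipv6: str, mac: str) -> Binding:
        """Manual creation of one entry; retires any stale entry that shares the IP or the MAC."""
        entry = Binding(norm_ip(ipv6), norm_mac(mac))
        for old in (self._by_ip.pop(entry.ipv6, None), self._by_mac.pop(entry.mac, None)):
            if old is not None:
                self._by_ip.pop(old.ipv6, None)
                self._by_mac.pop(old.mac, None)
        self._by_ip[entry.ipv6] = entry
        self._by_mac[entry.mac] = entry
        return entry

    def bulk_from_nd(self, nd_entries) -> int:
        """Bulk generation: one binding per learned (IPv6 address, link-layer address) ND entry."""
        count = 0
        for ipv6, mac in nd_entries:
            self.add(ipv6, mac)
            count += 1
        return count

    def check(self, src_ip: str, src_mac: str) -> Verdict:
        """Decide a packet's fate from its source IPv6 address and source MAC address."""
        ip_hit = self._by_ip.get(norm_ip(src_ip))
        mac_hit = self._by_mac.get(norm_mac(src_mac))
        if ip_hit is None and mac_hit is None:
            return Verdict.DEFAULT_PERMIT if self.default_permit else Verdict.DEFAULT_DROP
        if ip_hit is not None and ip_hit == mac_hit:
            return Verdict.FORWARD
        return Verdict.DROP_FORGED      # partial match, or two different entries


def demo() -> list:
    """Constructed scenario: two hosts bound from ND entries, then five sample packets checked."""
    table = BindingTable(default_permit=False)
    learned_nd = [("2001:db8::10", "00:11:22:33:44:55"),   # host A, as learned from its NS/NA
                  ("2001:db8::20", "66:77:88:99:aa:bb")]   # host B
    table.bulk_from_nd(learned_nd)
    packets = [
        ("2001:db8::10", "00:11:22:33:44:55"),  # legitimate: both fields hit the same entry
        ("2001:db8::10", "de:ad:be:ef:00:01"),  # host A's address from an unknown MAC
        ("2001:db8::99", "00:11:22:33:44:55"),  # host A's MAC with an unbound address
        ("2001:db8::10", "66:77:88:99:aa:bb"),  # host B impersonating host A: two entries
        ("2001:db8::99", "de:ad:be:ef:00:01"),  # unknown host: default action applies
    ]
    return [(ip, mac, table.check(ip, mac)) for ip, mac in packets]


if __name__ == "__main__":
    for ip, mac, verdict in demo():
        print("%-14s %-18s -> %s" % (ip, mac, verdict.value))
```

The fifth packet shows why the default action matters: with the default set to permit, a host that has no binding at all passes unfiltered, so a permit default is only appropriate while the table is still being populated; once every legitimate host is bound, drop is the safer default.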
Restrictions and guidelines: ND entries
A neighbor entry stores the IPv6 address and link-layer address of a node on the local link. The entry can be created dynamically from received NS and NA messages, or configured statically.
You can configure a static neighbor entry by using one of the following methods:
· Method 1—Associate a neighbor's IPv6 address and link-layer address with the local Layer 3 interface.
· Method 2—Associate a neighbor's IPv6 address and link-layer address with a Layer 2 port in a VLAN.
You can use either method to configure a static neighbor entry for a VLAN interface.
· If you use Method 1, the entry is bound to the VLAN interface only, so the device must still resolve the Layer 2 port in the related VLAN through which the neighbor is reached.
· If you use Method 2, make sure the Layer 2 port belongs to the specified VLAN and that the corresponding VLAN interface already exists.