Guest

Support

IPv6 Neighbor Discovery Inspection

  • Viewing Options

  • PDF (133.4 KB)
  • Feedback
IPv6 Neighbor Discovery Inspection

IPv6 Neighbor Discovery Inspection

Last Updated: November 30, 2012

IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes ND messages in order to build a trusted binding table. IPv6 ND messages that do not have valid bindings are dropped.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IPv6 Neighbor Discovery Inspection

IPv6 Global Policies

IPv6 global policies provide storage and access policy database services. IPv6 ND inspection and IPv6 RA guard are IPv6 global policies features. Every time an ND inspection or RA guard is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface, and the software policy database entry is updated to include this interface to which the policy is applied.

IPv6 ND Inspection

IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery messages that do not have valid bindings are dropped. A neighbor discovery message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.

This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

How to Configure IPv6 Neighbor Discovery Inspection

Configuring IPv6 ND Inspection Globally

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 nd inspection policy policy-name

4.    drop-unsecure

5.    sec-level minimum value

6.    device-role {host | monitor | router}

7.    tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

8.    trusted-port


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
ipv6 nd inspection policy policy-name


Example:

Device(config)# ipv6 nd inspection policy policy1

 

Defines the ND inspection policy name and enters ND inspection policy configuration mode.

 
Step 4
drop-unsecure


Example:

Device(config-nd-inspection)# drop-unsecure

 

Drops messages with no options, invalid options, or an invalid signature.

 
Step 5
sec-level minimum value


Example:

Device(config-nd-inspection)# sec-level minimum 2

 

Specifies the minimum security level parameter value when cryptographically generated address (CGA) options are used.

 
Step 6
device-role {host | monitor | router}


Example:

Device(config-nd-inspection)# device-role monitor

 

Specifies the role of the device attached to the port.

 
Step 7
tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}


Example:

Device(config-nd-inspection)# tracking disable stale-lifetime infinite

 

Overrides the default tracking policy on a port.

 
Step 8
trusted-port


Example:

Device(config-nd-inspection)# trusted-port

 

Configures a port to become a trusted port.

 

Applying IPv6 ND Inspection on an Interface

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type number

4.    ipv6 nd inspection [attach-policy [policy policy-name] | vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type number


Example:

Device(config)# interface fastethernet 0/0

 

Specifies an interface type and number and enters interface configuration mode.

 
Step 4
ipv6 nd inspection [attach-policy [policy policy-name] | vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]]


Example:

Device(config-if)# ipv6 nd inspection

 

Applies the ND Inspection feature on the interface.

 

Verifying and Troubleshooting IPv6 ND Inspection

SUMMARY STEPS

1.    enable

2.    show ipv6 snooping capture-policy [interface type number]

3.    show ipv6 snooping counter [interface type number]

4.    show ipv6 snooping features

5.    show ipv6 snooping policies [interface type number]

6.    debug ipv6 snooping [binding-table | classifier | errors | feature-manager | filter acl | ha | hw-api | interface interface | memory | ndp-inspection | policy | vlan vlanid | switcher | filter acl | interface interface | vlanid]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
show ipv6 snooping capture-policy [interface type number]


Example:

Device# show ipv6 snooping capture-policy interface ethernet 0/0

 

Displays snooping ND message capture policies.

 
Step 3
show ipv6 snooping counter [interface type number]


Example:

Device# show ipv6 snooping counter interface FastEthernet 4/12

 

Displays information about the packets counted by the interface counter.

 
Step 4
show ipv6 snooping features


Example:

Device# show ipv6 snooping features

 

Displays information about snooping features configured on the device.

 
Step 5
show ipv6 snooping policies [interface type number]


Example:

Device# show ipv6 snooping policies

 

Displays information about the configured policies and the interfaces to which they are attached.

 
Step 6
debug ipv6 snooping [binding-table | classifier | errors | feature-manager | filter acl | ha | hw-api | interface interface | memory | ndp-inspection | policy | vlan vlanid | switcher | filter acl | interface interface | vlanid]


Example:

Device# debug ipv6 snooping

 

Enables debugging for snooping information in IPv6.

 

Configuration Examples for IPv6 Neighbor Discovery Inspection

Example: Configuring IPv6 ND Inspection and RA Guard

This example provides information about an interface on which both the Neighbor Discovery Inspection and RA Guard features are configured:

Device# show ipv6 snooping capture-policy interface ethernet 0/0

Hardware policy registered on Ethernet 0/0 
Protocol     Protocol value   Message   Value     Action    Feature 
ICMP         58               RS        85        punt      RA Guard 
                                                  punt      ND Inspection 
ICMP         58               RA        86        drop      RA guard 
                                                  punt      ND Inspection 
ICMP         58               NS        87        punt      ND Inspection 
ICM          58               NA        88        punt      ND Inspection 
ICMP         58               REDIR     89        drop      RA Guard 
                                                  punt      ND Inspection 

Additional References

Related Documents

Related Topic Document Title

IPv6 addressing and connectivity

IPv6 Configuration Guide

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

IPv6 commands

Cisco IOS IPv6 Command Reference

Cisco IOS IPv6 features

Cisco IOS IPv6 Feature Mapping

Standards and RFCs

Standard/RFC Title

RFCs for IPv6

IPv6 RFCs

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 Neighbor Discovery Inspection

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for IPv6 Neighbor Discovery Inspection
Feature Name Releases Feature Information

IPv6 Neighbor Discovery Inspection

12.2(50)SY

15.0(1)SY

15.0(2)SE

15.1(2)SG

IPv6 neighbor discovery inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables.

The following commands were introduced or modified: debug ipv6 snooping, device-role, drop-unsecure, ipv6 nd inspection, ipv6 nd inspection policy, sec-level minimum, show ipv6 snooping capture-policy, show ipv6 snooping counter, show ipv6 snooping features, show ipv6 snooping policies, tracking, trusted-port.

Glossary

  • CA--certification authority.
  • CGA--cryptographically generated address.
  • CPA--certificate path answer.
  • CPR--certificate path response.
  • CPS--certification path solicitation. The solicitation message used in the addressing process.
  • CRL--certificate revocation list.
  • CS--certification server.
  • CSR--certificate signing request.
  • DAD--duplicate address detection. A mechanism that ensures two IPv6 nodes on the same link are not using the same address.
  • DER--distinguished encoding rules. An encoding scheme for data values.
  • nonce--An unpredictable random or pseudorandom number generated by a node and used once. In SeND, nonces are used to ensure that a particular advertisement is linked to the solicitation that triggered it.
  • non-SeND node--An IPv6 node that does not implement SeND but uses only the Neighbor Discovery Protocol without security.
  • NUD--neighbor unreachability detection. A mechanism used for tracking neighbor reachability.
  • PACL--port-based access list.
  • PKI--public key infrastructure.
  • RA--router advertisement.
  • RD--Router discovery allows the hosts to discover what devices exist on the link and what subnet prefixes are available. Router discovery is a part of the Neighbor Discovery Protocol.
  • Router Authorization Certificate--A public key certificate.
  • SeND node--An IPv6 node that implements SeND.
  • trust anchor--An entity that the host trusts to authorize devices to act as devices. Hosts are configured with a set of trust anchors to protect device discovery.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.