Configuring IPv6 First Hop Security
• Finding Feature Information, page 1
• Prerequisites for First Hop Security in IPv6, page 1
• Restrictions for First Hop Security in IPv6, page 2
• Information about First Hop Security in IPv6, page 2
• How to Configure an IPv6 Snooping Policy, page 4
• How to Configure the IPv6 Binding Table Content, page 10
• How to Configure an IPv6 Neighbor Discovery Inspection Policy, page 11
• How to Configure an IPv6 Router Advertisement Guard Policy, page 17
• How to Configure an IPv6 DHCP Guard Policy, page 23
• How to Configure IPv6 Source Guard, page 28
• How to Configure IPv6 Prefix Guard, page 32
• Configuration Examples for IPv6 First Hop Security, page 35
• Additional References, page 36
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn . An account on Cisco.com is not required.
Prerequisites for First Hop Security in IPv6
• You have configured the necessary IPv6 enabled SDM template.
Consolidated Platform Configuration Guide, Cisco IOS XE 3.7E and Later (Catalyst 3850 Switches)
• You should be familiar with the IPv6 neighbor discovery feature.
Restrictions for First Hop Security in IPv6
• The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
◦A physical port with an FHS policy attached cannot join an EtherChannel group.
◦An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.
Information about First Hop Security in IPv6
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, an EtherChannel interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:
• IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.
• IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
• IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery messages that do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on DAD, address resolution, router discovery, and the neighbor cache.
• IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 device with the information found in the received RA frame.
Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
• IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature, configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.
• IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix to prevent source address spoofing.
A source guard programs the hardware to allow or deny traffic based on source or destination addresses.
It deals exclusively with data packet traffic.
The IPv6 source guard feature provides the ability to store entries in the hardware TCAM table to prevent a host from sending packets with an invalid IPv6 source address.
To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.
Note
The IPv6 source guard and prefix guard features are supported only in the ingress direction; they are not supported in the egress direction.
The following restrictions apply:
◦An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.
◦When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on the interface to which the switch port belongs. Otherwise, all data traffic from this port will be blocked.
◦An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface level.
◦You cannot use IPv6 Source Guard and Prefix Guard together. When you attach the policy to an interface, it should be "validate address" or "validate prefix" but not both.
◦PVLAN and Source/Prefix Guard cannot be applied together.
◦IPv6 Source Guard and Prefix Guard are supported on EtherChannels.
For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
• IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature, to enable the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced with an address outside this range.
For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
• IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link. It relies on the address glean functionality to populate all destinations active on the link into the binding table and then blocks resolutions before they happen when the destination is not found in the binding table.
Note
It is recommended to apply IPv6 Destination Guard on a Layer 2 VLAN with an SVI configured.
For more information about IPv6 Destination Guard, see the IPv6 Destination Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
Related Topics
How to Configure an IPv6 Snooping Policy, on page 4
How to Attach an IPv6 Snooping Policy to an Interface, on page 6
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface, on page 8
How to Attach an IPv6 Snooping Policy to VLANs Globally , on page 9
How to Configure the IPv6 Binding Table Content , on page 10
How to Configure an IPv6 Neighbor Discovery Inspection Policy, on page 11
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface , on page 14
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally , on page 16
How to Configure an IPv6 Router Advertisement Guard Policy, on page 17
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface, on page 19
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface, on page 20
How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally, on page 22
How to Configure an IPv6 DHCP Guard Policy , on page 23
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface, on page 25
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface, on page 26
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally , on page 27
How to Configure IPv6 Source Guard, on page 28
How to Attach an IPv6 Source Guard Policy to an Interface, on page 30
How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface, on page 31
How to Configure IPv6 Prefix Guard, on page 32
How to Attach an IPv6 Prefix Guard Policy to an Interface, on page 33
How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface, on page 34
How to Configure an IPv6 Snooping Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:
SUMMARY STEPS
1. configure terminal
2. ipv6 snooping policy policy-name
3. {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] }] | [trusted-port]}
4. end
5. show ipv6 snooping policy policy-name
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: ipv6 snooping policy policy-name
Purpose: Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.
Example:
Switch(config)# ipv6 snooping policy example_policy

Step 3: {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] }] | [trusted-port]}
Purpose: Enables data address gleaning, validates messages against various criteria, and specifies the security level for messages.
• (Optional) default—Sets all to default options.
• (Optional) device-role {node | switch}—Specifies the role of the device attached to the port. Default is node.
• (Optional) limit address-count value—Limits the number of addresses allowed per target.
• (Optional) no—Negates a command or sets it to defaults.
• (Optional) protocol {dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default is dhcp and ndp. To change the default, use the no protocol command.
• (Optional) security-level {glean | guard | inspect}—Specifies the level of security enforced by the feature. Default is guard.
◦glean—Gleans addresses from messages and populates the binding table without any verification.
◦guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
◦inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.
• (Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.
• (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.
Example:
Switch(config-ipv6-snooping)# security-level inspect
Switch(config-ipv6-snooping)# trusted-port

Step 4: end
Purpose: Exits configuration modes to Privileged EXEC mode.
Example:
Switch(config-ipv6-snooping)# exit

Step 5: show ipv6 snooping policy policy-name
Purpose: Displays the snooping policy configuration.
Example:
Switch# show ipv6 snooping policy example_policy
What to Do Next
Attach an IPv6 Snooping policy to interfaces or VLANs.
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Snooping Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an interface or VLAN:
SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. switchport
4. ipv6 snooping [attach-policy policy_name [vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
5. do show running-config
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
Switch(config)# interface gigabitethernet 1/1/4

Step 3: switchport
Purpose: Enters the Switchport mode.
Note
To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. The command prompt displays as (config-if)# in Switchport configuration mode.
Example:
Switch(config-if)# switchport

Step 4: ipv6 snooping [attach-policy policy_name [vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
Purpose: Attaches a custom IPv6 snooping policy to the interface or the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is security-level guard, device-role node, protocol ndp and dhcp.
Example:
Switch(config-if)# ipv6 snooping
or
Switch(config-if)# ipv6 snooping attach-policy example_policy
or
Switch(config-if)# ipv6 snooping vlan 111,112
or
Switch(config-if)# ipv6 snooping attach-policy example_policy vlan 111,112

Step 5: do show running-config
Purpose: Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.
Example:
Switch(config-if)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN:
SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 snooping [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
4. do show running-config interface portchannel_interface_name
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Tip
Enter the do show interfaces summary command for quick reference to interface names and types.
Example:
Switch(config)# interface Po11

Step 3: ipv6 snooping [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
Purpose: Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if-range)# ipv6 snooping attach-policy example_policy
or
Switch(config-if-range)# ipv6 snooping attach-policy example_policy vlan 222,223,224
or
Switch(config-if-range)# ipv6 snooping vlan 222,223,224

Step 4: do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
Switch(config-if-range)# do show running-config int po11
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Snooping Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:
SUMMARY STEPS
1. configure terminal
2. vlan configuration vlan_list
3. ipv6 snooping [attach-policy policy_name]
4. do show running-config
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: vlan configuration vlan_list
Purpose: Specifies the VLANs to which the IPv6 Snooping policy will be attached; enters the VLAN interface configuration mode.
Example:
Switch(config)# vlan configuration 333

Step 3: ipv6 snooping [attach-policy policy_name]
Purpose: Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is security-level guard, device-role node, protocol ndp and dhcp.
Example:
Switch(config-vlan-config)# ipv6 snooping attach-policy example_policy

Step 4: do show running-config
Purpose: Verifies that the policy is attached to the specified VLANs without exiting the interface configuration mode.
Example:
Switch(config-vlan-config)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Configure the IPv6 Binding Table Content
Beginning in privileged EXEC mode, follow these steps to configure the IPv6 Binding Table Content:
SUMMARY STEPS
1. configure terminal
2. [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds | default | infinite] | [tracking {[default | disable] [reachable-lifetime value [seconds | default | infinite] | [enable [reachable-lifetime value [seconds | default | infinite] | [retry-interval {seconds | default [reachable-lifetime value [seconds | default | infinite] }]
3. [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [[mac-limit number] | [port-limit number [mac-limit number]]]]
4. ipv6 neighbor binding logging
5. exit
6. show ipv6 neighbor binding
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds | default | infinite] | [tracking {[default | disable] [reachable-lifetime value [seconds | default | infinite] | [enable [reachable-lifetime value [seconds | default | infinite] | [retry-interval {seconds | default [reachable-lifetime value [seconds | default | infinite] }]
Purpose: Adds a static entry to the binding table database.
Example:
Switch(config)# ipv6 neighbor binding

Step 3: [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [[mac-limit number] | [port-limit number [mac-limit number]]]]
Purpose: Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.
Example:
Switch(config)# ipv6 neighbor binding max-entries 30000

Step 4: ipv6 neighbor binding logging
Purpose: Enables the logging of binding table main events.
Example:
Switch(config)# ipv6 neighbor binding logging

Step 5: exit
Purpose: Exits global configuration mode, and places the router in privileged EXEC mode.
Example:
Switch(config)# exit

Step 6: show ipv6 neighbor binding
Purpose: Displays the contents of the binding table.
Example:
Switch# show ipv6 neighbor binding
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:
SUMMARY STEPS
1. configure terminal
2. [no] ipv6 nd inspection policy policy-name
3. device-role {host | monitor | router | switch}
4. drop-unsecure
5. limit address-count value
6. sec-level minimum value
7. tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}
8. trusted-port
9. validate source-mac
10. no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
11. default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
12. do show ipv6 nd inspection policy policy_name
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: [no] ipv6 nd inspection policy policy-name
Purpose: Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.
Example:
Switch(config)# ipv6 nd inspection policy example_policy

Step 3: device-role {host | monitor | router | switch}
Purpose: Specifies the role of the device attached to the port. The default is host.
Example:
Switch(config-nd-inspection)# device-role switch

Step 4: drop-unsecure
Purpose: Drops messages with no or invalid options or an invalid signature.
Example:
Switch(config-nd-inspection)# drop-unsecure

Step 5: limit address-count value
Purpose: Limits the number of addresses allowed per target. Enter 1–10,000.
Example:
Switch(config-nd-inspection)# limit address-count 1000

Step 6: sec-level minimum value
Purpose: Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used.
Example:
Switch(config-nd-inspection)# limit address-count 1000

Step 7: tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}
Purpose: Overrides the default tracking policy on a port.
Example:
Switch(config-nd-inspection)# tracking disable stale-lifetime infinite

Step 8: trusted-port
Purpose: Configures a port to become a trusted port.
Example:
Switch(config-nd-inspection)# trusted-port

Step 9: validate source-mac
Purpose: Checks the source media access control (MAC) address against the link-layer address.
Example:
Switch(config-nd-inspection)# validate source-mac

Step 10: no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
Purpose: Removes the current configuration of a parameter with the no form of the command.
Example:
Switch(config-nd-inspection)# no validate source-mac

Step 11: default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
Purpose: Restores configuration to the default values.
Example:
Switch(config-nd-inspection)# default limit address-count

Step 12: do show ipv6 nd inspection policy policy_name
Purpose: Verifies the ND Inspection configuration without exiting ND inspection configuration mode.
Example:
Switch(config-nd-inspection)# do show ipv6 nd inspection policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 2
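To make the semantics of security-level (glean, guard, inspect), trusted-port, limit address-count and validate source-mac concrete, the following Python model is added here; it is not Cisco code and not from this guide. It runs constructed ND and DHCPv6 messages through a snooping policy and the binding table they feed; the message fields, port names and the assumption that inspect keeps guard's rejection of RA and DHCP server messages are mine.

```python
"""Decision model for an IPv6 snooping policy (security-level glean | guard |
inspect, trusted-port, limit address-count) and the binding table it feeds.
Added illustration, not Cisco's implementation: the messages are constructed
and 'inspect' is assumed to keep guard's rejection of RA/DHCP server messages."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTER_OR_SERVER = {"RA", "DHCP_ADVERTISE", "DHCP_REPLY"}   # what guard rejects
ND_MESSAGES = {"NS", "NA", "RA"}


@dataclass
class Binding:
    ipv6: str
    mac: str
    port: str
    trusted: bool            # learned through a port whose policy has trusted-port


@dataclass
class SnoopingPolicy:
    security_level: str = "guard"        # guide default; glean | guard | inspect
    trusted_port: bool = False
    limit_address_count: Optional[int] = None


@dataclass
class Msg:
    kind: str       # NS | NA | RA | DHCP_ADVERTISE | DHCP_REPLY
    vlan: int
    port: str
    src_mac: str    # Ethernet source address of the frame
    ipv6: str       # address the sender claims (NS/NA target, RA source)
    lla: str        # link-layer address option carried inside the ND message


class BindingTable:
    """Keyed by (vlan, ipv6), the way the guard features look bindings up."""

    def __init__(self, max_entries: int = 30000):
        self.max_entries = max_entries
        self.entries: Dict[Tuple[int, str], Binding] = {}

    def _on_port(self, port: str) -> int:
        return sum(1 for b in self.entries.values() if b.port == port)

    def learn(self, m: Msg, p: SnoopingPolicy) -> str:
        key = (m.vlan, m.ipv6)
        cur = self.entries.get(key)
        if cur is None:
            if len(self.entries) >= self.max_entries:
                return "drop:max-entries"
            limit = p.limit_address_count
            if limit is not None and self._on_port(m.port) >= limit:
                return "drop:limit-address-count"
            self.entries[key] = Binding(m.ipv6, m.src_mac, m.port, p.trusted_port)
            return "learned"
        if cur.mac == m.src_mac and cur.port == m.port:
            return "refreshed"
        # Same address now claimed from another MAC or port: a collision.
        if p.trusted_port and not cur.trusted:
            self.entries[key] = Binding(m.ipv6, m.src_mac, m.port, True)   # trusted port wins
            return "replaced:trusted-port"
        if p.security_level == "glean":
            self.entries[key] = Binding(m.ipv6, m.src_mac, m.port, False)  # no verification at all
            return "overwritten:glean"
        return "collision"


def apply_policy(m: Msg, p: SnoopingPolicy, t: BindingTable) -> str:
    """Return the verdict for one message and update the binding table."""
    lvl = p.security_level
    if lvl in ("guard", "inspect") and m.kind in ROUTER_OR_SERVER and not p.trusted_port:
        return "drop:rogue-router-or-server"
    if lvl == "inspect" and m.kind in ND_MESSAGES and m.lla != m.src_mac:
        return "drop:lla-mismatch"          # consistency: LLA option vs frame source MAC
    result = t.learn(m, p)
    if result.startswith("drop:"):
        return result
    if lvl == "inspect" and result == "collision":
        return "drop:address-ownership"     # inspect enforces address ownership
    return "forward:" + result


def demo() -> List[str]:
    """Constructed VLAN 111 traffic: a host, then a rogue router and a spoofer."""
    table = BindingTable()
    guard = SnoopingPolicy()                                   # security-level guard
    inspect = SnoopingPolicy(security_level="inspect")
    mac1, mac2, mac3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    host = Msg("NS", 111, "Gi1/0/1", mac1, "2001:db8::10", mac1)
    rogue_ra = Msg("RA", 111, "Gi1/0/2", mac2, "fe80::2", mac2)
    spoof = Msg("NA", 111, "Gi1/0/2", mac2, "2001:db8::10", mac2)   # claims the host's address
    bad_lla = Msg("NS", 111, "Gi1/0/3", mac3, "2001:db8::30", mac2)  # LLA option does not match frame
    return [
        apply_policy(host, guard, table),
        apply_policy(rogue_ra, guard, table),
        apply_policy(spoof, inspect, table),
        apply_policy(bad_lla, inspect, table),
        table.entries[(111, "2001:db8::10")].mac,   # binding still points at the real host
    ]
```

Running demo() shows the guard level stopping the rogue RA while the inspect level refuses both the address takeover and the inconsistent NS, leaving the original binding untouched.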
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or VLANs on an interface:
SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
4. do show running-config
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
Switch(config)# interface gigabitethernet 1/1/4

Step 3: ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
Purpose: Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 nd inspection attach-policy example_policy
or
Switch(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
or
Switch(config-if)# ipv6 nd inspection vlan 222,223,224

Step 4: do show running-config
Purpose: Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.
Example:
Switch(config-if)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN:
SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
4. do show running-config interface portchannel_interface_name
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Tip
Enter the do show interfaces summary command for quick reference to interface names and types.
Example:
Switch(config)# interface Po11

Step 3: ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
Purpose: Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if-range)# ipv6 nd inspection attach-policy example_policy
or
Switch(config-if-range)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
or
Switch(config-if-range)# ipv6 nd inspection vlan 222,223,224

Step 4: do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
Switch(config-if-range)# do show running-config int po11
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces:
SUMMARY STEPS
1. configure terminal
2. vlan configuration vlan_list
3. ipv6 nd inspection [attach-policy policy_name]
4. do show running-config
DETAILED STEPS
Step 1: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2: vlan configuration vlan_list
Purpose: Specifies the VLANs to which the IPv6 ND Inspection policy will be attached; enters the VLAN interface configuration mode.
Example:
Switch(config)# vlan configuration 334

Step 3: ipv6 nd inspection [attach-policy policy_name]
Purpose: Attaches the IPv6 Neighbor Discovery Inspection policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is device-role host, no drop-unsecure, limit address-count disabled, sec-level minimum disabled, tracking disabled, no trusted-port, no validate source-mac.
Example:
Switch(config-vlan-config)# ipv6 nd inspection attach-policy example_policy

Step 4: do show running-config
Purpose: Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.
Example:
Switch(config-vlan-config)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Configure an IPv6 Router Advertisement Guard Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement policy:
SUMMARY STEPS
1. configure terminal
2. [no]ipv6 nd raguard policy policy-name
3. [no]device-role {host | monitor | router | switch}
4. [no]hop-limit {maximum | minimum} value
5. [no]managed-config-flag {off | on}
6. [no]match {ipv6 access-list list | ra prefix-list list}
7. [no]other-config-flag {on | off}
8. [no]router-preference maximum {high | medium | low}
9. [no]trusted-port
10. default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list
| ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}
11. do show ipv6 nd raguard policy policy_name
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: [no] ipv6 nd raguard policy policy-name
Purpose: Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.
Example:
Switch(config)# ipv6 nd raguard policy example_policy

Step 3
Command or Action: [no] device-role {host | monitor | router | switch}
Purpose: Specifies the role of the device attached to the port. The default is host.
Example:
Switch(config-nd-raguard)# device-role switch

Step 4
Command or Action: [no] hop-limit {maximum | minimum} value
Purpose: Enables filtering of Router Advertisement messages by the Hop Limit value (value range 1–255 for both maximum and minimum). A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that, when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked.
If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximum to block RA messages with Hop Limit values greater than the value you specify.
Example:
Switch(config-nd-raguard)# hop-limit maximum 33

Step 5
Command or Action: [no] managed-config-flag {off | on}
Purpose: Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rogue RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.
On—Accepts and forwards RA messages with an M value of 1, blocks those with 0.
Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.
Example:
Switch(config-nd-raguard)# managed-config-flag on

Step 6
Command or Action: [no] match {ipv6 access-list list | ra prefix-list list}
Purpose: Matches a specified prefix list or access list.
Example:
Switch(config-nd-raguard)# match ipv6 access-list example_list

Step 7
Command or Action: [no] other-config-flag {on | off}
Purpose: Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rogue RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.
On—Accepts and forwards RA messages with an O value of 1, blocks those with 0.
Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1.
Example:
Switch(config-nd-raguard)# other-config-flag on

Step 8
Command or Action: [no] router-preference maximum {high | medium | low}
Purpose: Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled.
• high—Accepts RA messages with the Router Preference set to high, medium, or low.
• medium—Blocks RA messages with the Router Preference set to high.
• low—Blocks RA messages with the Router Preference set to medium and high.
Example:
Switch(config-nd-raguard)# router-preference maximum high

Step 9
Command or Action: [no] trusted-port
Purpose: When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.
Example:
Switch(config-nd-raguard)# trusted-port

Step 10
Command or Action: default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}
Purpose: Restores a command to its default value.
Example:
Switch(config-nd-raguard)# default hop-limit

Step 11
Command or Action: do show ipv6 nd raguard policy policy_name
Purpose: (Optional) Displays the RA Guard policy configuration without exiting the RA Guard policy configuration mode.
Example:
Switch(config-nd-raguard)# do show ipv6 nd raguard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 2
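To make the filter semantics of steps 3 through 9 concrete, here is an added Python model (not code from the Cisco guide) that applies one RA Guard policy to constructed Router Advertisement records and reports why each would be dropped. The access-list match is simplified to a list of permitted source addresses, and treating device-role host as "no RA is accepted from this port" is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ordering behind "router-preference maximum": "medium" blocks high,
# "low" blocks medium and high, "high" accepts all three.
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:
    """One ipv6 nd raguard policy. None means that filter is not configured."""
    device_role: str = "host"                        # host | monitor | router | switch
    hop_limit_minimum: Optional[int] = None          # 1-255
    hop_limit_maximum: Optional[int] = None          # 1-255
    managed_config_flag: Optional[str] = None        # "on" | "off"
    other_config_flag: Optional[str] = None          # "on" | "off"
    router_preference_maximum: Optional[str] = None  # high | medium | low
    permitted_sources: Optional[List[str]] = None    # stand-in for "match ipv6 access-list" (assumed permit-host entries)
    trusted_port: bool = False


@dataclass
class RouterAdvertisement:
    """The RA fields the policy inspects (constructed sample values, not a packet parse)."""
    src: str
    cur_hop_limit: int   # RA Cur Hop Limit field; 0 means "unspecified"
    m_flag: int          # Managed Address Configuration flag
    o_flag: int          # Other Configuration flag
    router_pref: str     # low | medium | high


def evaluate_ra(policy: RaGuardPolicy, ra: RouterAdvertisement) -> List[str]:
    """Return the reasons the RA is dropped; an empty list means it is forwarded."""
    if policy.trusted_port:
        return []  # trusted-port: no further message verification
    reasons: List[str] = []
    if policy.device_role == "host":
        # Modelling assumption: a host-facing port (the default role) is never
        # expected to originate RAs, so the role check alone drops the message.
        reasons.append("device-role host: RA not expected from the attached device")
    if policy.hop_limit_minimum is not None or policy.hop_limit_maximum is not None:
        if ra.cur_hop_limit == 0:
            reasons.append("hop-limit: RA with an unspecified Hop Limit is blocked")
        else:
            lo, hi = policy.hop_limit_minimum, policy.hop_limit_maximum
            if lo is not None and ra.cur_hop_limit < lo:
                reasons.append(f"hop-limit minimum {lo}: RA carries {ra.cur_hop_limit}")
            if hi is not None and ra.cur_hop_limit > hi:
                reasons.append(f"hop-limit maximum {hi}: RA carries {ra.cur_hop_limit}")
    for name, setting, value in (
        ("managed-config-flag", policy.managed_config_flag, ra.m_flag),
        ("other-config-flag", policy.other_config_flag, ra.o_flag),
    ):
        # "on" accepts only flag=1, "off" accepts only flag=0
        if setting is not None and value != (1 if setting == "on" else 0):
            reasons.append(f"{name} {setting}: RA flag is {value}")
    if policy.router_preference_maximum is not None:
        if PREF_RANK[ra.router_pref] > PREF_RANK[policy.router_preference_maximum]:
            reasons.append(f"router-preference maximum {policy.router_preference_maximum}: "
                           f"RA advertises {ra.router_pref}")
    if policy.permitted_sources is not None:
        allowed = {ipaddress.ip_address(a) for a in policy.permitted_sources}
        if ipaddress.ip_address(ra.src) not in allowed:
            reasons.append("match ipv6 access-list: RA source not permitted")
    return reasons


# Constructed policies: the default policy for access ports, and a policy for
# the port facing the legitimate router (values chosen for this example).
ACCESS_PORT_POLICY = RaGuardPolicy()
ROUTER_PORT_POLICY = RaGuardPolicy(
    device_role="router",
    hop_limit_minimum=32,
    managed_config_flag="on",
    router_preference_maximum="medium",
    permitted_sources=["fe80::1"],
)

# Constructed RAs: the real router, and a rogue RA of the kind the text
# describes (low Hop Limit, M flag cleared, claiming high preference).
LEGIT_RA = RouterAdvertisement("fe80::1", cur_hop_limit=64, m_flag=1, o_flag=1, router_pref="medium")
ROGUE_RA = RouterAdvertisement("fe80::bad", cur_hop_limit=1, m_flag=0, o_flag=1, router_pref="high")

if __name__ == "__main__":
    for label, policy, ra in (("router port / legit", ROUTER_PORT_POLICY, LEGIT_RA),
                              ("router port / rogue", ROUTER_PORT_POLICY, ROGUE_RA),
                              ("access port / rogue", ACCESS_PORT_POLICY, ROGUE_RA)):
        verdict = evaluate_ra(policy, ra)
        print(label, "->", "forward" if not verdict else "drop: " + "; ".join(verdict))
```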
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to an interface or to VLANs on the interface:
SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none |
remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids |
all} ]
4. do show running-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
Switch(config)# interface gigabitethernet 1/1/4

Step 3
Command or Action: ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 nd raguard attach-policy example_policy
or
Switch(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
or
Switch(config-if)# ipv6 nd raguard vlan 222,223,224

Step 4
Command or Action: do show running-config
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
Switch(config-if)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy on an EtherChannel interface or VLAN:
SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none |
remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids |
all} ]
4. do show running-config interfaceportchannel_interface_name
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Tip: Enter the do show interfaces summary command for quick reference to interface names and types.
Example:
Switch(config)# interface Po11

Step 3
Command or Action: ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy
or
Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
or
Switch(config-if-range)# ipv6 nd raguard vlan 222,223,224

Step 4
Command or Action: do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
Switch(config-if-range)# do show running-config int po11
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface:
SUMMARY STEPS
1. configure terminal
2. vlan configuration vlan_list
3. ipv6 nd raguard [attach-policy policy_name]
4. do show running-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: vlan configuration vlan_list
Purpose: Specifies the VLANs to which the IPv6 RA Guard policy will be attached; enters the VLAN interface configuration mode.
Example:
Switch(config)# vlan configuration 335

Step 3
Command or Action: ipv6 nd raguard [attach-policy policy_name]
Purpose: Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-vlan-config)# ipv6 nd raguard attach-policy example_policy

Step 4
Command or Action: do show running-config
Purpose: Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.
Example:
Switch(config-vlan-config)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Configure an IPv6 DHCP Guard Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:
SUMMARY STEPS
1. configure terminal
2. [no]ipv6 dhcp guard policy policy-name
3. [no]device-role {client | server}
4. [no] match server access-list ipv6-access-list-name
5. [no] match reply prefix-list ipv6-prefix-list-name
6. [no]preference{ max limit | min limit }
7. [no] trusted-port
8. default {device-role | trusted-port}
9. do show ipv6 dhcp guard policy policy_name
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: [no] ipv6 dhcp guard policy policy-name
Purpose: Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.
Example:
Switch(config)# ipv6 dhcp guard policy example_policy

Step 3
Command or Action: [no] device-role {client | server}
Purpose: (Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client.
• client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.
• server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.
Example:
Switch(config-dhcp-guard)# device-role server

Step 4
Command or Action: [no] match server access-list ipv6-access-list-name
Purpose: (Optional) Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (the destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all.
Example:
;; Assume a preconfigured IPv6 access list as follows:
Switch(config)# ipv6 access-list my_acls
Switch(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
;; Configure DHCPv6 Guard to match the approved access list.
Switch(config-dhcp-guard)# match server access-list my_acls

Step 5
Command or Action: [no] match reply prefix-list ipv6-prefix-list-name
Purpose: (Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages against the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.
Example:
;; Assume a preconfigured IPv6 prefix list as follows:
Switch(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128
;; Configure DHCPv6 Guard to match the prefix list.
Switch(config-dhcp-guard)# match reply prefix-list my_prefix

Step 6
Command or Action: [no] preference {max limit | min limit}
Purpose: Configure max and min when device-role is server to filter DHCPv6 server advertisements by the server preference value. The defaults permit all advertisements.
max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in the preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.
min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in the preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.
Example:
Switch(config-dhcp-guard)# preference max 250
Switch(config-dhcp-guard)# preference min 150

Step 7
Command or Action: [no] trusted-port
Purpose: (Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.
Note: If you configure a trusted port then the device-role option is not available.
Example:
Switch(config-dhcp-guard)# trusted-port

Step 8
Command or Action: default {device-role | trusted-port}
Purpose: (Optional) default—Sets a command to its defaults.
Example:
Switch(config-dhcp-guard)# default device-role

Step 9
Command or Action: do show ipv6 dhcp guard policy policy_name
Purpose: (Optional) Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 policies.
Example:
Switch(config-dhcp-guard)# do show ipv6 dhcp guard policy example_policy
Example of DHCPv6 Guard Configuration
enable
configure terminal
ipv6 access-list acl1
 permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
 match reply prefix-list abc
 preference min 0
 preference max 255
 trusted-port
interface GigabitEthernet 0/2/0
 switchport
 ipv6 dhcp guard attach-policy pol1 vlan add 1
vlan 1
 ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1
Related Topics
Information about First Hop Security in IPv6, on page 2
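An added Python model (not Cisco code) of the DHCPv6 Guard checks in steps 3 through 7 above, run against constructed server messages using the page's example values (the acl1 host entry, the 2001:0DB8::/64 le 128 prefix list, preference 150 to 250). The access-list and prefix-list matching are simplified re-implementations, and the preference comparisons follow the wording of step 6 (strictly less than max, strictly greater than min).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# DHCPv6 message types that only a server (or relay) legitimately sends.
SERVER_MESSAGES = {"ADVERTISE", "REPLY", "RECONFIGURE"}


@dataclass
class Dhcp6GuardPolicy:
    """One ipv6 dhcp guard policy. None means that check is not configured."""
    device_role: str = "client"                                # client | server
    server_acl: Optional[List[str]] = None                     # match server access-list: permitted host addresses
    reply_prefix_list: Optional[List[Tuple[str, int]]] = None  # match reply prefix-list: (prefix, le) entries
    preference_max: Optional[int] = None                       # 0-255
    preference_min: Optional[int] = None                       # 0-255
    trusted_port: bool = False


@dataclass
class Dhcp6Message:
    """The parts of a DHCPv6 message the policy inspects (constructed, not a packet parse)."""
    msg_type: str
    src: str
    preference: Optional[int] = None   # Preference option carried in an ADVERTISE
    assigned: Sequence[str] = ()       # addresses or prefixes handed out in a REPLY


def prefix_permitted(candidate: str, entries: Sequence[Tuple[str, int]]) -> bool:
    """Mimic 'ipv6 prefix-list NAME permit P/LEN le N' for one address or prefix."""
    cand = ipaddress.ip_network(candidate if "/" in candidate else candidate + "/128")
    for prefix, le in entries:
        net = ipaddress.ip_network(prefix)
        if cand.subnet_of(net) and net.prefixlen <= cand.prefixlen <= le:
            return True
    return False


def evaluate_dhcp6(policy: Dhcp6GuardPolicy, msg: Dhcp6Message) -> List[str]:
    """Return the reasons a server-originated message is dropped; empty list = forwarded."""
    if policy.trusted_port or msg.msg_type not in SERVER_MESSAGES:
        return []  # trusted-port: no policing; client messages are not subject to these checks
    if policy.device_role == "client":
        return [f"device-role client: {msg.msg_type} from a client port is dropped"]
    reasons: List[str] = []
    # An empty access list is treated as permit-all, so only a non-empty
    # list restricts the server/relay source address.
    if policy.server_acl:
        allowed = {ipaddress.ip_address(a) for a in policy.server_acl}
        if ipaddress.ip_address(msg.src) not in allowed:
            reasons.append(f"match server access-list: {msg.src} is not an authorized server")
    # Likewise an empty prefix list is a permit.
    if msg.msg_type == "REPLY" and policy.reply_prefix_list:
        for item in msg.assigned:
            if not prefix_permitted(item, policy.reply_prefix_list):
                reasons.append(f"match reply prefix-list: {item} is not an authorized prefix")
    # Preference bounds as the page words them; unspecified bounds are bypassed.
    if msg.msg_type == "ADVERTISE" and msg.preference is not None:
        if policy.preference_max is not None and not msg.preference < policy.preference_max:
            reasons.append(f"preference max {policy.preference_max}: advertised {msg.preference}")
        if policy.preference_min is not None and not msg.preference > policy.preference_min:
            reasons.append(f"preference min {policy.preference_min}: advertised {msg.preference}")
    return reasons


# Constructed policy using the page's example values.
SERVER_PORT_POLICY = Dhcp6GuardPolicy(
    device_role="server",
    server_acl=["FE80::A8BB:CCFF:FE01:F700"],
    reply_prefix_list=[("2001:0DB8::/64", 128)],
    preference_max=250,
    preference_min=150,
)
CLIENT_PORT_POLICY = Dhcp6GuardPolicy()  # default: device-role client

# Constructed messages: the authorized server and a rogue one.
GOOD_ADVERTISE = Dhcp6Message("ADVERTISE", "fe80::a8bb:ccff:fe01:f700", preference=200)
GOOD_REPLY = Dhcp6Message("REPLY", "fe80::a8bb:ccff:fe01:f700", assigned=["2001:db8::100"])
ROGUE_ADVERTISE = Dhcp6Message("ADVERTISE", "fe80::bad", preference=255)
ROGUE_REPLY = Dhcp6Message("REPLY", "fe80::bad", assigned=["2001:db8:ffff::1"])

if __name__ == "__main__":
    for label, msg in (("good advertise", GOOD_ADVERTISE), ("good reply", GOOD_REPLY),
                       ("rogue advertise", ROGUE_ADVERTISE), ("rogue reply", ROGUE_REPLY)):
        verdict = evaluate_dhcp6(SERVER_PORT_POLICY, msg)
        print(label, "->", "forward" if not verdict else "drop: " + "; ".join(verdict))
```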
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to an interface or to VLANs on the interface:
SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none |
remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids |
all} ]
4. do show running-config interface Interface_type stack/module/port
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
Switch(config)# interface gigabitethernet 1/1/4

Step 3
Command or Action: ipv6 dhcp guard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 dhcp guard attach-policy example_policy
or
Switch(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224
or
Switch(config-if)# ipv6 dhcp guard vlan 222,223,224

Step 4
Command or Action: do show running-config interface Interface_type stack/module/port
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
Switch(config-if)# do show running-config interface gig 1/1/4
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy on an EtherChannel interface or VLAN:
SUMMARY STEPS
1. configure terminal
2. interface range Interface_name
3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none |
remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids |
all} ]
4. do show running-config interfaceportchannel_interface_name
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: interface range Interface_name
Purpose: Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
Tip: Enter the do show interfaces summary command for quick reference to interface names and types.
Example:
Switch(config)# interface Po11

Step 3
Command or Action: ipv6 dhcp guard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
Purpose: Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if-range)# ipv6 dhcp guard attach-policy example_policy
or
Switch(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224
or
Switch(config-if-range)# ipv6 dhcp guard vlan 222,223,224

Step 4
Command or Action: do show running-config interface portchannel_interface_name
Purpose: Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example:
Switch(config-if-range)# do show running-config int po11
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:
SUMMARY STEPS
1. configure terminal
2. vlan configuration vlan_list
3. ipv6 dhcp guard [attach-policy policy_name]
4. do show running-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: vlan configuration vlan_list
Purpose: Specifies the VLANs to which the IPv6 DHCP Guard policy will be attached; enters the VLAN interface configuration mode.
Example:
Switch(config)# vlan configuration 334

Step 3
Command or Action: ipv6 dhcp guard [attach-policy policy_name]
Purpose: Attaches the IPv6 DHCP Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is: device-role client, no trusted-port.
Example:
Switch(config-vlan-config)# ipv6 dhcp guard attach-policy example_policy

Step 4
Command or Action: do show running-config
Purpose: Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.
Example:
Switch(config-vlan-config)# do show running-config
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Configure IPv6 Source Guard
SUMMARY STEPS
1. enable
2. configure terminal
3. [no] ipv6 source-guard policy policy_name
4. [deny global-autoconf] [permit link-local] [default{. . . }] [exit] [no{. . . }]
5. end
6. show ipv6 source-guard policy policy_name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3
Command or Action: [no] ipv6 source-guard policy policy_name
Purpose: Specifies the IPv6 Source Guard policy name and enters IPv6 Source Guard policy configuration mode.
Example:
Switch(config)# ipv6 source-guard policy example_policy

Step 4
Command or Action: [deny global-autoconf] [permit link-local] [default {. . . }] [exit] [no {. . . }]
Purpose: (Optional) Defines the IPv6 Source Guard policy.
• deny global-autoconf—Denies data traffic from auto-configured global addresses. This is useful when all global addresses on a link are DHCP-assigned and the administrator wants to block hosts with self-configured addresses from sending traffic.
• permit link-local—Allows all data traffic that is sourced by a link-local address.
Note: The trusted option under the source guard policy is not supported.
Example:
Switch(config-sisf-sourceguard)# deny global-autoconf

Step 5
Command or Action: end
Purpose: Exits out of IPv6 Source Guard policy configuration mode.
Example:
Switch(config-sisf-sourceguard)# end

Step 6
Command or Action: show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
Switch# show ipv6 source-guard policy example_policy
What to Do Next
Apply the IPv6 Source Guard policy to an interface.
Related Topics
Information about First Hop Security in IPv6, on page 2
How to Attach an IPv6 Source Guard Policy to an Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface Interface_type stack/module/port
4. ipv6 source-guard [attach-policy <policy_name> ]
5. show ipv6 source-guard policy policy_name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3
Command or Action: interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
Switch(config)# interface gigabitethernet 1/1/4

Step 4
Command or Action: ipv6 source-guard [attach-policy <policy_name>]
Purpose: Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 source-guard attach-policy example_policy

Step 5
Command or Action: show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
Switch(config-if)# show ipv6 source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 2
How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel port-channel-number
4. ipv6 source-guard [attach-policy <policy_name> ]
5. show ipv6 source-guard policy policy_name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3
Command or Action: interface port-channel port-channel-number
Purpose: Specifies an interface type and port number and places the switch in the port channel configuration mode.
Example:
Switch(config)# interface Po4

Step 4
Command or Action: ipv6 source-guard [attach-policy <policy_name>]
Purpose: Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 source-guard attach-policy example_policy

Step 5
Command or Action: show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
Switch(config-if)# show ipv6 source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 2
Examples: How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface, on page 35
How to Configure IPv6 Prefix Guard
Note
To allow routing protocol control packets sourced by a link-local address when prefix guard is applied, enable the permit link-local command in the source-guard policy configuration mode.
SUMMARY STEPS
1. enable
2. configure terminal
3. [no] ipv6 source-guard policy source-guard-policy
4. [ no ] validate address
5. validate prefix
6. exit
7. show ipv6 source-guard policy [source-guard-policy]
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3
Command or Action: [no] ipv6 source-guard policy source-guard-policy
Purpose: Defines an IPv6 source-guard policy name and enters switch integrated security features source-guard policy configuration mode.
Example:
Switch(config)# ipv6 source-guard policy my_snooping_policy

Step 4
Command or Action: [no] validate address
Purpose: Disables the validate address feature and enables the IPv6 prefix guard feature to be configured.
Example:
Switch(config-sisf-sourceguard)# no validate address

Step 5
Command or Action: validate prefix
Purpose: Enables IPv6 source guard to perform the IPv6 prefix-guard operation.
Example:
Switch(config-sisf-sourceguard)# validate prefix

Step 6
Command or Action: exit
Purpose: Exits switch integrated security features source-guard policy configuration mode and returns to privileged EXEC mode.
Example:
Switch(config-sisf-sourceguard)# exit

Step 7
Command or Action: show ipv6 source-guard policy [source-guard-policy]
Purpose: Displays the IPv6 source-guard policy configuration.
Example:
Switch# show ipv6 source-guard policy policy1
Related Topics
Information about First Hop Security in IPv6, on page 2
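An added Python model (not Cisco code) that covers both the Source Guard policy options from the earlier section (validate address, deny global-autoconf, permit link-local) and the Prefix Guard steps above (no validate address, validate prefix), evaluated against a constructed binding table and a constructed table of prefixes gleaned from RAs. How prefix guard derives its prefix table and what counts as an auto-configured address are assumptions marked in the comments; the last two sample packets show why the Note above recommends permit link-local for routing-protocol traffic.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINK_LOCAL = ipaddress.ip_network("fe80::/10")


@dataclass
class SourceGuardPolicy:
    """One ipv6 source-guard policy; validate address is on unless disabled."""
    validate_address: bool = True       # "no validate address" turns it off (prefix guard steps)
    validate_prefix: bool = False       # "validate prefix"
    deny_global_autoconf: bool = False  # "deny global-autoconf"
    permit_link_local: bool = False     # "permit link-local"


@dataclass
class Binding:
    """A binding-table entry gleaned by ipv6 snooping (constructed for this example)."""
    address: str
    interface: str
    vlan: int
    learned_by: str   # "DHCP" (DHCPv6-assigned) or "ND" (self-configured, seen in ND)


@dataclass
class SnoopedState:
    bindings: List[Binding] = field(default_factory=list)
    prefixes: List[Tuple[str, int]] = field(default_factory=list)  # (prefix, vlan) gleaned from RAs


def evaluate_source(policy: SourceGuardPolicy, state: SnoopedState,
                    src: str, interface: str, vlan: int) -> Optional[str]:
    """Return None when the data packet's source is permitted, else the drop reason."""
    addr = ipaddress.ip_address(src)
    if policy.permit_link_local and addr in LINK_LOCAL:
        return None  # e.g. routing-protocol control packets (the prefix-guard note)
    if policy.validate_address:
        binding = next((b for b in state.bindings
                        if ipaddress.ip_address(b.address) == addr
                        and b.interface == interface and b.vlan == vlan), None)
        if binding is None:
            return f"validate address: no binding for {src} on {interface} vlan {vlan}"
        # Assumption: a global address learned through ND rather than DHCP is
        # what the page calls an auto-configured global address.
        if policy.deny_global_autoconf and binding.learned_by == "ND" and addr not in LINK_LOCAL:
            return f"deny global-autoconf: {src} is a self-configured global address"
    if policy.validate_prefix:
        # Assumption: prefix guard admits any source inside a prefix advertised on the VLAN.
        if not any(addr in ipaddress.ip_network(p) for p, v in state.prefixes if v == vlan):
            return f"validate prefix: {src} is outside the prefixes advertised on vlan {vlan}"
    return None


# Constructed snooping state: one DHCP-assigned host, one SLAAC host, one gleaned prefix.
STATE = SnoopedState(
    bindings=[
        Binding("2001:db8:1::10", "Gi1/0/1", 10, "DHCP"),
        Binding("2001:db8:1:0:a8bb:ccff:fe02:1", "Gi1/0/2", 10, "ND"),
        Binding("fe80::a8bb:ccff:fe02:1", "Gi1/0/2", 10, "ND"),
    ],
    prefixes=[("2001:db8:1::/64", 10)],
)

# Constructed policies mirroring the page's two procedures.
SOURCE_GUARD = SourceGuardPolicy(deny_global_autoconf=True)
PREFIX_GUARD = SourceGuardPolicy(validate_address=False, validate_prefix=True)
PREFIX_GUARD_LL = SourceGuardPolicy(validate_address=False, validate_prefix=True,
                                    permit_link_local=True)

if __name__ == "__main__":
    samples = [
        ("source guard, DHCP host", SOURCE_GUARD, "2001:db8:1::10", "Gi1/0/1"),
        ("source guard, spoofed from other port", SOURCE_GUARD, "2001:db8:1::10", "Gi1/0/3"),
        ("source guard, SLAAC host", SOURCE_GUARD, "2001:db8:1:0:a8bb:ccff:fe02:1", "Gi1/0/2"),
        ("prefix guard, off-prefix source", PREFIX_GUARD, "2001:db8:9::1", "Gi1/0/3"),
        ("prefix guard, OSPFv3-style link-local", PREFIX_GUARD, "fe80::1", "Gi1/0/3"),
        ("prefix guard + permit link-local", PREFIX_GUARD_LL, "fe80::1", "Gi1/0/3"),
    ]
    for label, policy, src, port in samples:
        print(label, "->", evaluate_source(policy, STATE, src, port, 10) or "permit")
```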
How to Attach an IPv6 Prefix Guard Policy to an Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface Interface_type stack/module/port
4. ipv6 source-guard attach-policy policy_name
5. show ipv6 source-guard policy policy_name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3
Command or Action: interface Interface_type stack/module/port
Purpose: Specifies an interface type and identifier; enters the interface configuration mode.
Example:
Switch(config)# interface gigabitethernet 1/1/4

Step 4
Command or Action: ipv6 source-guard attach-policy policy_name
Purpose: Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 source-guard attach-policy example_policy

Step 5
Command or Action: show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
Switch(config-if)# show ipv6 source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 2
How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface port-channel port-channel-number
4. ipv6 source-guard [attach-policy <policy_name> ]
5. show ipv6 source-guard policy policy_name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3
Command or Action: interface port-channel port-channel-number
Purpose: Specifies an interface type and port number and places the switch in the port channel configuration mode.
Example:
Switch(config)# interface Po4

Step 4
Command or Action: ipv6 source-guard [attach-policy <policy_name>]
Purpose: Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Example:
Switch(config-if)# ipv6 source-guard attach-policy example_policy

Step 5
Command or Action: show ipv6 source-guard policy policy_name
Purpose: Shows the policy configuration and all the interfaces where the policy is applied.
Example:
Switch(config-if)# show ipv6 source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 2
Examples: How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface, on page 36
Configuration Examples for IPv6 First Hop Security
Examples: How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface
The following example shows how to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface:
Switch# configure terminal
Switch(config)# ipv6 source-guard policy POL
Switch(config-sisf-sourceguard)# validate address
Switch(config-sisf-sourceguard)# exit
Switch(config)# interface Po4
Switch(config-if)# ipv6 snooping
Switch(config-if)# ipv6 source-guard attach-policy POL
Switch(config-if)# exit
Switch(config)#
Related Topics
How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface, on page 31
Examples: How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface
The following example shows how to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface:
Switch# configure terminal
Switch(config)# ipv6 source-guard policy POL
Switch(config-sisf-sourceguard)# no validate address
Switch(config-sisf-sourceguard)# validate prefix
Switch(config-sisf-sourceguard)# exit
Switch(config)# interface Po4
Switch(config-if)# ipv6 snooping
Switch(config-if)# ipv6 source-guard attach-policy POL
Related Topics
How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface, on page 34
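The two examples above each show a single policy in isolation. The following is an added example, not part of the original guide, that puts both on one switch: a Source Guard policy (address validation) on one EtherChannel and a Prefix Guard policy (prefix validation) on another, together with the ipv6 snooping that feeds the binding table and the show command from Step 5 of the procedures. The policy names POL-ADDR and POL-PREFIX, the port-channel numbers and the member ports are assumptions chosen for the illustration; the commands themselves are the ones used in the procedures above.

```cisco
! Added example (not from the guide). Policy names, port-channel numbers and
! member ports are assumptions chosen for illustration.
configure terminal
!
! Member ports of the two EtherChannels (assumed). The First Hop Security
! policies are attached to the port-channel interfaces below, not here.
interface range GigabitEthernet1/0/1 - 2
 channel-group 4 mode active
 exit
interface range GigabitEthernet1/0/3 - 4
 channel-group 5 mode active
 exit
!
! Policy 1: Source Guard proper. validate address checks each packet's source
! address against the binding table; a source with no binding entry is dropped.
ipv6 source-guard policy POL-ADDR
 validate address
 exit
!
! Policy 2: Prefix Guard. Address validation is turned off and replaced by
! prefix validation, exactly as in the Prefix Guard example above.
ipv6 source-guard policy POL-PREFIX
 no validate address
 validate prefix
 exit
!
! Po4: hosts whose addresses are tracked in the binding table.
! ipv6 snooping on the same interface is what populates that table; without
! it Source Guard has nothing to validate against.
interface Po4
 ipv6 snooping
 ipv6 source-guard attach-policy POL-ADDR
 exit
!
! Po5: only the source prefix is validated.
interface Po5
 ipv6 snooping
 ipv6 source-guard attach-policy POL-PREFIX
 exit
end
!
! Verification (Step 5): policy contents and the interfaces each is attached to.
show ipv6 source-guard policy POL-ADDR
show ipv6 source-guard policy POL-PREFIX
```

Keep the two policies separate rather than editing one in place: a policy is attached by name, so changing POL-ADDR to validate prefix would silently change every interface it is attached to, which the show command above makes visible before such a change.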
Additional References
Related Documents
Related Topic: Implementing IPv6 Addressing and Basic Connectivity
Document Title: http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-0sy/ip6-addrg-bsc-con.html
Related Topic: IPv6 network management and security topics
Document Title: IPv6 Configuration Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches), http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/config_library/xe-3se/3850/ipv6-xe-3se-3850-library.html
Related Topic: IPv6 Command Reference
Document Title: IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches), http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-xe-3se-3850-cr-book.html
Error Message Decoder
Description: To help you research and resolve system error messages in this release, use the Error Message Decoder tool.
Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support