Consolidated Platform Configuration Guide, Cisco IOS XE Release 3.3SE (Cisco WLC 5700 Series)
Configuring IPv6 First Hop Security
Downloads: This chapterpdf (PDF - 1.45MB) The complete bookPDF (PDF - 23.06MB) | The complete bookePub (ePub - 5.56MB) | Feedback

Configuring IPv6 First Hop Security

Contents

Configuring IPv6 First Hop Security

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for First Hop Security in IPv6

  • You have configured the necessary IPv6 enabled SDM template.
  • You should be familiar with the IPv6 neighbor discovery feature. For information, see the "Implementing IPv6 Addressing and Basic Connectivity" chapter of the Cisco IOS IPv6 Configuration Library on Cisco.com.

Restrictions for First Hop Security in IPv6

The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):

  • An FHS policy can be attached to a Layer 2 EtherChannel interface or to VLANs in an EtherChannel Group.
  • An FHS policy cannot be attached to a Layer 3 EtherChannel interface.
  • A physical port with an FHS policy attached cannot join an EtherChannel group.
  • An FHS policy cannot be attached to an physical port when it is a member of an EtherChannel group.

Information about First Hop Security in IPv6

First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, an EtherChannel interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:

  • IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.
  • IPv6 Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
  • IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in L2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.
  • IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the L2 device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
  • IPv6 DHCP Guard— The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature, configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.

How to Configure an IPv6 Snooping Policy

Beginning in privileged EXEC mode, follow these steps to configure IPv6 Snooping Policy :

SUMMARY STEPS

    1.    configure terminal

    2.    ipv6 snooping policypolicy-name

    3.    {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }

    4.    end

    5.    show ipv6 snooping policy policy-name


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure terminal


    Example:
    Controller# configure terminal
     

    Enters the global configuration mode.

     
    Step 2 ipv6 snooping policypolicy-name


    Example:
    Controller(config)# ipv6 snooping policy example_policy
     

    Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.

     
    Step 3 {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }


    Example:Controller(config-ipv6-snooping)# security-level inspect

    Example:Controller(config-ipv6-snooping)# trusted-port 

    Enables data address gleaning, validates messages against various criteria, specifies the security level for messages.

    • (Optional) default—Sets all to default options.
    • (Optional) device-role{node] | switch}—Specifies the role of the device attached to the port. Default is node.
    • (Optional) limit address-count value—Limits the number of addresses allowed per target.
    • (Optional) no—Negates a command or sets it to defaults.
    • (Optional) protocol{dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default, is dhcp and ndp. To change the default, use the no protocol command.
    • (Optional) security-level{glean|guard|inspect}—Specifies the level of security enforced by the feature. Default is guard.
      • glean—Gleans addresses from messages and populates the binding table without any verification.
      • guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
      • inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.
    • (Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.
    • (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.
     
    Step 4 end


    Example:
    Controller(config-ipv6-snooping)# exit
     

    Exits configuration modes to Privileged EXEC mode.

     
    Step 5 show ipv6 snooping policy policy-name


    Example:
    Controller#show ipv6 snooping policy example_policy
     

    Displays the snooping policy configuration.

     
    What to Do Next

    Attach an IPv6 Snooping policy to interfaces or VLANs.

    How to Attach an IPv6 Snooping Policy to an Interface

    Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an interface or VLAN:

    SUMMARY STEPS

      1.    configure terminal

      2.    interface Interface_type stack/module/port

      3.    switchport

      4.    ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

      5.    do show running-config


    DETAILED STEPS
        Command or Action Purpose
      Step 1 configure terminal


      Example:
      Controller# configure terminal
       

      Enters the global configuration mode.

       
      Step 2 interface Interface_type stack/module/port


      Example:
      Controller(config)#  interface gigabitethernet 1/1/4 
       

      Specifies an interface type and identifier; enters the interface configuration mode.

       
      Step 3 switchport


      Example:
      Controller(config-if)# switchport
      
       

      Enters the Switchport mode.

      Note   

      To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. The command prompt displays as (config-if)# in Switchport configuration mode.

       
      Step 4 ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


      Example:
      Controller(config-if)# ipv6 snooping 
      
      or 
      
      Controller(config-if)# ipv6 snooping attach-policy example_policy
      
      or
      Controller(config-if)# ipv6 snooping vlan 111,112
      
      or 
      
      Controller(config-if)# ipv6 snooping attach-policy example_policy vlan 111,112
      
      
       

      Attaches a custom ipv6 snooping policy to the interface or the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is, security-level guard, device-role node, protocol ndp and dhcp.

       
      Step 5 do show running-config


      Example:
      Controller#(config-if)#  do show running-config 
       

      Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.

       

      How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface

      Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN:

      SUMMARY STEPS

        1.    configure terminal

        2.    interface range Interface_name

        3.    ipv6 snooping [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

        4.    do show running-config interfaceportchannel_interface_name


      DETAILED STEPS
          Command or Action Purpose
        Step 1 configure terminal


        Example:
        Controller# configure terminal
         

        Enters the global configuration mode.

         
        Step 2 interface range Interface_name


        Example:
        Controller(config)#  interface range Po11 
         

        Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

        Tip   

        Enter the do show interfaces summary command for quick reference to interface names and types.

         
        Step 3 ipv6 snooping [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


        Example:
        Controller(config-if-range)# ipv6 snooping attach-policy example_policy
        
        or
        
        Controller(config-if-range)# ipv6 snooping attach-policy example_policy vlan 222,223,224 or 
        Controller(config-if-range)#ipv6 snooping vlan 222, 223,224 
         

        Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

         
        Step 4 do show running-config interfaceportchannel_interface_name


        Example:
        Controller#(config-if-range)#  do show running-config int po11
         

        Confirms that the policy is attached to the specified interface without exiting the configuration mode.

         

        How to Attach an IPv6 Snooping Policy to VLANs Globally

        Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:

        SUMMARY STEPS

          1.    configure terminal

          2.    vlan configuration vlan_list

          3.    ipv6 snooping [attach-policy policy_name]

          4.    do show running-config


        DETAILED STEPS
            Command or Action Purpose
          Step 1 configure terminal


          Example:
          Controller# configure terminal
           

          Enters the global configuration mode.

           
          Step 2 vlan configuration vlan_list


          Example:
          Controller(config)#  vlan configuration 333 
           

          Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.

           
          Step 3 ipv6 snooping [attach-policy policy_name]


          Example:
          Controller(config-vlan-config)#ipv6 snooping attach-policy example_policy
          
          
           

          Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, security-level guard, device-role node, protocol ndp and dhcp.

           
          Step 4 do show running-config


          Example:
          Controller#(config-if)#  do show running-config 
           

          Verifies that the policy is attached to the specified VLANs without exiting the interface configuration mode.

           

          How to Configure the IPv6 Binding Table Content

          Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :

          SUMMARY STEPS

            1.    configure terminal

            2.    [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetimevalue [seconds | default | infinite] | [tracking{ [default | disable] [ reachable-lifetimevalue [seconds | default | infinite] | [enable [reachable-lifetimevalue [seconds | default | infinite] | [retry-interval {seconds| default [reachable-lifetimevalue [seconds | default | infinite] } ]

            3.    [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limitnumber] ] ] ]

            4.    ipv6 neighbor binding logging

            5.    exit

            6.    show ipv6 neighbor binding


          DETAILED STEPS
              Command or Action Purpose
            Step 1 configure terminal


            Example:
            Controller# configure terminal
             

            Enters the global configuration mode.

             
            Step 2 [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetimevalue [seconds | default | infinite] | [tracking{ [default | disable] [ reachable-lifetimevalue [seconds | default | infinite] | [enable [reachable-lifetimevalue [seconds | default | infinite] | [retry-interval {seconds| default [reachable-lifetimevalue [seconds | default | infinite] } ]


            Example:
            Controller(config)#  ipv6 neighbor binding 
            
             

             
            Step 3 [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limitnumber] ] ] ]


            Example:
            Controller(config)#  ipv6 neighbor binding max-entries 30000
            
             

            Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.

             
            Step 4 ipv6 neighbor binding logging


            Example:
            Controller(config)# ipv6 neighbor binding logging 
             

            Enables the logging of binding table main events.

             
            Step 5 exit


            Example:
            Controller(config)# exit 
             

            Exits global configuration mode, and places the router in privileged EXEC mode.

             
            Step 6 show ipv6 neighbor binding


            Example:
            Controller#  show ipv6 neighbor binding 
             

            Displays contents of a binding table.

             

            How to Configure an IPv6 Neighbor Discovery Inspection Policy

            Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:

            SUMMARY STEPS

              1.    configure terminal

              2.    [no]ipv6 nd inspection policy policy-name

              3.    device-role {host | monitor | router | switch}

              4.    drop-unsecure

              5.    limit address-count value

              6.    sec-level minimum value

              7.    tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

              8.    trusted-port

              9.    validate source-mac

              10.    no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

              11.    default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

              12.    do show ipv6 nd inspection policy policy_name


            DETAILED STEPS
                Command or Action Purpose
              Step 1 configure terminal


              Example:
              Controller# configure terminal
               

              Enters the global configuration mode.

               
              Step 2 [no]ipv6 nd inspection policy policy-name


              Example:
              Controller(config)# ipv6 nd inspection policy example_policy
               

              Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.

               
              Step 3 device-role {host | monitor | router | switch}


              Example:
              Controller(config-nd-inspection)# device-role switch
               

              Specifies the role of the device attached to the port. The default is host.

               
              Step 4 drop-unsecure


              Example:
              Controller(config-nd-inspection)# drop-unsecure
               

              Drops messages with no or invalid options or an invalid signature.

               
              Step 5 limit address-count value


              Example:
              Controller(config-nd-inspection)# limit address-count 1000
               

              Enter 1–10,000.

               
              Step 6 sec-level minimum value


              Example:
              Controller(config-nd-inspection)# limit address-count 1000
               

              Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used.

               
              Step 7 tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}


              Example:
              Controller(config-nd-inspection)# tracking disable stale-lifetime infinite
               

              Overrides the default tracking policy on a port.

               
              Step 8 trusted-port


              Example:
              Controller(config-nd-inspection)# trusted-port
               

              Configures a port to become a trusted port.

               
              Step 9 validate source-mac


              Example:
              Controller(config-nd-inspection)# validate source-mac
               

               
              Step 10 no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}


              Example:
              Controller(config-nd-inspection)# no validate source-mac
               

              Remove the current configuration of a parameter with the no form of the command.

               
              Step 11 default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}


              Example:
              Controller(config-nd-inspection)# default limit address-count
               

              Restores configuration to the default values.

               
              Step 12 do show ipv6 nd inspection policy policy_name


              Example:
              Controller(config-nd-inspection)# do show ipv6 nd inspection policy example_policy
               

              Verifies the ND Inspection Configuration without exiting ND inspection configuration mode.

               

              How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface

              Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or VLANs on an interface :

              SUMMARY STEPS

                1.    configure terminal

                2.    interface Interface_type stack/module/port

                3.    ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                4.    do show running-config


              DETAILED STEPS
                  Command or Action Purpose
                Step 1 configure terminal


                Example:
                Controller# configure terminal
                 

                Enters the global configuration mode.

                 
                Step 2 interface Interface_type stack/module/port


                Example:
                Controller(config)#  interface gigabitethernet 1/1/4 
                 

                Specifies an interface type and identifier; enters the interface configuration mode.

                 
                Step 3 ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


                Example:
                Controller(config-if)# ipv6 nd inspection attach-policy example_policy
                
                or
                
                Controller(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224 or 
                Controller(config-if)# ipv6 nd inspection vlan 222, 223,224 
                 

                Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                 
                Step 4 do show running-config


                Example:
                Controller#(config-if)#  do show running-config 
                 

                Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.

                 

                How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface

                Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN:

                SUMMARY STEPS

                  1.    configure terminal

                  2.    interface range Interface_name

                  3.    ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                  4.    do show running-config interfaceportchannel_interface_name


                DETAILED STEPS
                    Command or Action Purpose
                  Step 1 configure terminal


                  Example:
                  Controller# configure terminal
                   

                  Enters the global configuration mode.

                   
                  Step 2 interface range Interface_name


                  Example:
                  Controller(config)#  interface range Po11 
                   

                  Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

                  Tip   

                  Enter the do show interfaces summary command for quick reference to interface names and types.

                   
                  Step 3 ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


                  Example:
                  Controller(config-if-range)# ipv6 nd inspection attach-policy example_policy
                  
                  or
                  
                  Controller(config-if-range)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224 or 
                  Controller(config-if-range)#ipv6 nd inspection vlan 222, 223,224 
                   

                  Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                   
                  Step 4 do show running-config interfaceportchannel_interface_name


                  Example:
                  Controller#(config-if-range)#  do show running-config int po11
                   

                  Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                   

                  How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally

                  Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces:

                  SUMMARY STEPS

                    1.    configure terminal

                    2.    vlan configuration vlan_list

                    3.    ipv6 nd inspection [attach-policy policy_name]

                    4.    do show running-config


                  DETAILED STEPS
                      Command or Action Purpose
                    Step 1 configure terminal


                    Example:
                    Controller# configure terminal
                     

                    Enters the global configuration mode.

                     
                    Step 2 vlan configuration vlan_list


                    Example:
                    Controller(config)# vlan configuration 334 
                     

                    Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.

                     
                    Step 3 ipv6 nd inspection [attach-policy policy_name]


                    Example:
                    Controller(config-vlan-config)#ipv6 nd inspection attach-policy example_policy
                    
                    
                     

                    Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.

                    The default policy is, device-role host, no drop-unsecure, limit address-count disabled, sec-level minimum is disabled, tracking is disabled, no trusted-port, no validate source-mac.

                     
                    Step 4 do show running-config


                    Example:
                    Controller#(config-if)#  do show running-config 
                     

                    Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.

                     

                    How to Configure an IPv6 Router Advertisement Guard Policy

                    Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement policy :

                    SUMMARY STEPS

                      1.    configure terminal

                      2.    [no]ipv6 nd raguard policy policy-name

                      3.    [no]device-role {host | monitor | router | switch}

                      4.    [no]hop-limit {maximum | minimum} value

                      5.    [no]managed-config-flag {off | on}

                      6.    [no]match {ipv6 access-list list | ra prefix-list list}

                      7.    [no]other-config-flag {on | off}

                      8.    [no]router-preference maximum {high | medium | low}

                      9.    [no]trusted-port

                      10.    default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}

                      11.    do show ipv6 nd raguard policy policy_name


                    DETAILED STEPS
                        Command or Action Purpose
                      Step 1 configure terminal


                      Example:
                      Controller# configure terminal
                       

                      Enters the global configuration mode.

                       
                      Step 2 [no]ipv6 nd raguard policy policy-name


                      Example:
                      Controller(config)# ipv6 nd raguard policy example_policy
                       

                      Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.

                       
                      Step 3 [no]device-role {host | monitor | router | switch}


                      Example:
                      Controller(config-nd-raguard)# device-role switch
                       

                      Specifies the role of the device attached to the port. The default is host.

                       
                      Step 4 [no]hop-limit {maximum | minimum} value


                      Example:
                      Controller(config-nd-raguard)# hop-limit maximum 33
                       

                      (1–255) Range for Maximum and Minimum Hop Limit values.

                      Enables filtering of Router Advertisement messages by the Hop Limit value. A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked.

                      If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximumto block RA messages with Hop Limit values greater than the value you specify.

                       
                      Step 5 [no]managed-config-flag {off | on}


                      Example:
                      Controller(config-nd-raguard)# managed-config-flag on
                       

                      Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rouge RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

                      On—Accepts and forwards RA messages with an M value of 1, blocks those with 0.

                      Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.

                       
                      Step 6 [no]match {ipv6 access-list list | ra prefix-list list}


                      Example:
                      Controller(config-nd-raguard)# match ipv6 access-list example_list
                       

                      Matches a specified prefix list or access list.

                       
                      Step 7 [no]other-config-flag {on | off}


                      Example:
                      Controller(config-nd-raguard)# other-config-flag on 
                       

                      Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rouge RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

                      On—Accepts and forwards RA messages with an O value of 1, blocks those with 0.

                      Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1.

                       
                      Step 8 [no]router-preference maximum {high | medium | low}


                      Example:
                      Controller(config-nd-raguard)# router-preference maximum high 
                       

                      Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled.

                      • high—Accepts RA messages with the Router Preference set to high, medium, or low.
                      • medium—Blocks RA messages with the Router Preference set to high.
                      • low—Blocks RA messages with the Router Preference set to medium and high.
                       
                      Step 9 [no]trusted-port


                      Example:
                      Controller(config-nd-raguard)# trusted-port
                       

                      When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.

                       
                      Step 10 default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}


                      Example:
                      Controller(config-nd-raguard)# default hop-limit
                       

                      Restores a command to its default value.

                       
                      Step 11 do show ipv6 nd raguard policy policy_name


                      Example:
                      Controller(config-nd-raguard)# do show ipv6 nd raguard policy example_policy
                       

                      (Optional)—Displays the ND Guard Policy configuration without exiting the RA Guard policy configuration mode.

                       

                      How to Attach an IPv6 Router Advertisement Guard Policy to an Interface

                      Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to an interface or to VLANs on the interface :

                      SUMMARY STEPS

                        1.    configure terminal

                        2.    interface Interface_type stack/module/port

                        3.    ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                        4.    do show running-config


                      DETAILED STEPS
                          Command or Action Purpose
                        Step 1 configure terminal


                        Example:
                        Controller# configure terminal
                         

                        Enters the global configuration mode.

                         
                        Step 2 interface Interface_type stack/module/port


                        Example:
                        Controller(config)#  interface gigabitethernet 1/1/4 
                         

                        Specifies an interface type and identifier; enters the interface configuration mode.

                         
                        Step 3 ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


                        Example:
                        Controller(config-if)# ipv6 nd raguard attach-policy example_policy
                        
                        or
                        
                        Controller(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224 or 
                        Controller(config-if)# ipv6 nd raguard vlan 222, 223,224 
                         

                        Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                         
                        Step 4 do show running-config


                        Example:
                        Controller#(config-if)#  do show running-config 
                         

                        Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                         

                        How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface

                        Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy on an EtherChannel interface or VLAN:

                        SUMMARY STEPS

                          1.    configure terminal

                          2.    interface range Interface_name

                          3.    ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                          4.    do show running-config interfaceportchannel_interface_name


                        DETAILED STEPS
                            Command or Action Purpose
                          Step 1 configure terminal


                          Example:
                          Controller# configure terminal
                           

                          Enters the global configuration mode.

                           
                          Step 2 interface range Interface_name


                          Example:
                          Controller(config)#  interface range Po11 
                           

                          Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

                          Tip   

                          Enter the do show interfaces summary command for quick reference to interface names and types.

                           
                          Step 3 ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


                          Example:
                          Controller(config-if-range)# ipv6 nd raguard attach-policy example_policy
                          
                          or
                          
                          Controller(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224 or 
                          Controller(config-if-range)#ipv6 nd raguard vlan 222, 223,224 
                           

                          Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                           
                          Step 4 do show running-config interfaceportchannel_interface_name


                          Example:
                          Controller#(config-if-range)#  do show running-config int po11
                           

                          Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                           

                          How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally

                          Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface:

                          SUMMARY STEPS

                            1.    configure terminal

                            2.    vlan configuration vlan_list

                            3.    ipv6 dhcp guard [attach-policy policy_name]

                            4.    do show running-config


                          DETAILED STEPS
                              Command or Action Purpose
                            Step 1 configure terminal


                            Example:
                            Controller# configure terminal
                             

                            Enters global configuration mode.

                             
                            Step 2 vlan configuration vlan_list


                            Example:
                            Controller(config)# vlan configuration 335 
                             

                            Specifies the VLANs to which the IPv6 RA Guard policy will be attached ; enters the VLAN interface configuration mode.

                             
                            Step 3 ipv6 dhcp guard [attach-policy policy_name]


                            Example:
                            Controller(config-vlan-config)#ipv6 nd raguard attach-policy example_policy
                            
                            
                             

                            Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.

                             
                            Step 4 do show running-config


                            Example:
                            Controller#(config-if)#  do show running-config 
                             

                            Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.

                             

                            How to Configure an IPv6 DHCP Guard Policy

                            Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:

                            SUMMARY STEPS

                              1.    configure terminal

                              2.    [no]ipv6 dhcp guard policy policy-name

                              3.    [no]device-role {client | server}

                              4.    [no] match server access-list ipv6-access-list-name

                              5.    [no] match reply prefix-list ipv6-prefix-list-name

                              6.    [no]preference{ max limit | min limit }

                              7.    [no] trusted-port

                              8.    default {device-role | trusted-port}

                              9.    do show ipv6 dhcp guard policy policy_name


                            DETAILED STEPS
                                Command or Action Purpose
                              Step 1 configure terminal


                              Example:
                              Controller# configure terminal
                               

                              Enters the global configuration mode.

                               
                              Step 2 [no]ipv6 dhcp guard policy policy-name


                              Example:
                              Controller(config)# ipv6 dhcp guard policy example_policy
                               

                              Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.

                               
                              Step 3 [no]device-role {client | server}


                              Example:
                              Controller(config-dhcp-guard)# device-role server
                               

                              (Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client.

                              • client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.
                              • server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.
                               
                              Step 4 [no] match server access-list ipv6-access-list-name


                              Example:
                              ;;Assume a preconfigured IPv6 Access List as follows:
                              Controller(config)# ipv6 access-list my_acls
                              Controller(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
                               
                              ;;configure DCHPv6 Guard to match approved access list.
                              Controller(config-dhcp-guard)#  match server access-list my_acls 
                               

                              (Optional). Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (The destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all.

                               
                              Step 5 [no] match reply prefix-list ipv6-prefix-list-name


                              Example:
                              ;;Assume a preconfigured IPv6 prefix list as follows:
                              Controller(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128
                              
                              ;; Configure DCHPv6 Guard to match prefix
                              Controller(config-dhcp-guard)#  match reply prefix-list my_prefix 
                               

                              (Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.

                               
                              Step 6 [no]preference{ max limit | min limit }


                              Example:
                              Controller(config-dhcp-guard)# preference max 250
                              Controller(config-dhcp-guard)#preference min 150
                               

                              Configure max and min when device-role is serverto filter DCHPv6 server advertisements by the server preference value. The defaults permit all advertisements.

                              max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.

                              min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.

                               
                              Step 7 [no] trusted-port


                              Example:
                              Controller(config-dhcp-guard)# trusted-port
                               

                              (Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.

                              Note   

                              If you configure a trusted port then the device-role option is not available.

                               
                              Step 8 default {device-role | trusted-port}


                              Example:
                              Controller(config-dhcp-guard)# default device-role
                               

                              (Optional) default—Sets a command to its defaults.

                               
                              Step 9 do show ipv6 dhcp guard policy policy_name


                              Example:
                              Controller(config-dhcp-guard)# do show ipv6 dhcp guard policy example_policy
                               

                              (Optional) Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 policies.

                               

                              Example of DHCPv6 Guard Configuration

                              enable
                              configure terminal
                              ipv6 access-list acl1
                               permit host FE80::A8BB:CCFF:FE01:F700 any
                              ipv6 prefix-list abc permit 2001:0DB8::/64 le 128	
                              ipv6 dhcp guard policy pol1
                               device-role server
                               match server access-list acl1
                               match reply prefix-list abc
                               preference min 0
                               preference max 255
                               trusted-port
                              interface GigabitEthernet 0/2/0
                               switchport
                               ipv6 dhcp guard attach-policy pol1 vlan add 1
                               vlan 1
                                ipv6 dhcp guard attach-policy pol1
                              show ipv6 dhcp guard policy pol1
                              

                              How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface

                              Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :

                              SUMMARY STEPS

                                1.    configure terminal

                                2.    interface Interface_type stack/module/port

                                3.    ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                                4.    do show running-config interface Interface_type stack/module/port


                              DETAILED STEPS
                                  Command or Action Purpose
                                Step 1 configure terminal


                                Example:
                                Controller# configure terminal
                                 

                                Enters the global configuration mode.

                                 
                                Step 2 interface Interface_type stack/module/port


                                Example:
                                Controller(config)#  interface gigabitethernet 1/1/4 
                                 

                                Specifies an interface type and identifier; enters the interface configuration mode.

                                 
                                Step 3 ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


                                Example:
                                Controller(config-if)# ipv6 dhcp guard attach-policy example_policy
                                
                                or
                                
                                Controller(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224 or 
                                Controller(config-if)# ipv6 dhcp guard vlan 222, 223,224 
                                 

                                Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                                 
                                Step 4 do show running-config interface Interface_type stack/module/port


                                Example:
                                Controller#(config-if)#  do show running-config gig 1/1/4
                                 

                                Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                                 

                                How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface

                                Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy on an EtherChannel interface or VLAN:

                                SUMMARY STEPS

                                  1.    configure terminal

                                  2.    interface range Interface_name

                                  3.    ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                                  4.    do show running-config interfaceportchannel_interface_name


                                DETAILED STEPS
                                    Command or Action Purpose
                                  Step 1 configure terminal


                                  Example:
                                  Controller# configure terminal
                                   

                                  Enters the global configuration mode.

                                   
                                  Step 2 interface range Interface_name


                                  Example:
                                  Controller(config)#  interface range Po11 
                                   

                                  Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

                                  Tip   

                                  Enter the do show interfaces summary command for quick reference to interface names and types.

                                   
                                  Step 3 ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]


                                  Example:
                                  Controller(config-if-range)# ipv6 dhcp guard attach-policy example_policy
                                  
                                  or
                                  
                                  Controller(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224 or 
                                  Controller(config-if-range)#ipv6 dhcp guard vlan 222, 223,224 
                                   

                                  Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                                   
                                  Step 4 do show running-config interfaceportchannel_interface_name


                                  Example:
                                  Controller#(config-if-range)#  do show running-config int po11
                                   

                                  Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                                   

                                  How to Attach an IPv6 DHCP Guard Policy to VLANs Globally

                                  Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:

                                  SUMMARY STEPS

                                    1.    configure terminal

                                    2.    vlan configuration vlan_list

                                    3.    ipv6 dhcp guard [attach-policy policy_name]

                                    4.    do show running-config


                                  DETAILED STEPS
                                      Command or Action Purpose
                                    Step 1 configure terminal


                                    Example:
                                    Controller# configure terminal
                                     

                                    Enters the global configuration mode.

                                     
                                    Step 2 vlan configuration vlan_list


                                    Example:
                                    Controller(config)# vlan configuration 334 
                                     

                                    Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.

                                     
                                    Step 3 ipv6 dhcp guard [attach-policy policy_name]


                                    Example:
                                    Controller(config-vlan-config)#ipv6 dhcp guard attach-policy example_policy
                                    
                                    
                                     

                                    Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, device-role client, no trusted-port.

                                     
                                    Step 4 do show running-config


                                    Example:
                                    Controller#(config-if)#  do show running-config 
                                     

                                    Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.

                                     

                                    Additional References

                                    Related Documents

                                    Related Topic Document Title

                                    IPv6 network management and security topics

                                    IPv6 Configuration Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

                                    http:/​/​www.cisco.com/​en/​US/​docs/​ios-xml/​ios/​ipv6/​config_library/​xe-3se/​3850/​ipv6-xe-3se-3850-library.html

                                    IPv6 Command Reference

                                    IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

                                    http:/​/​www.cisco.com/​en/​US/​docs/​ios-xml/​ios/​ipv6/​command/​ipv6-xe-3se-3850-cr-book.html

                                    Error Message Decoder

                                    Description Link

                                    To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

                                    https:/​/​www.cisco.com/​cgi-bin/​Support/​Errordecoder/​index.cgi

                                    Technical Assistance

                                    Description Link

                                    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

                                    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

                                    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

                                    http:/​/​www.cisco.com/​support