Security Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Configuring IPv6 First Hop Security

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for First Hop Security in IPv6

  • You have configured the necessary IPv6 enabled SDM template.

  • You should be familiar with the IPv6 neighbor discovery feature.

Restrictions for First Hop Security in IPv6

  • Although visible in the command-line help strings, the IPv6 first hop security (FHS) is not supported on the Catalyst 3750-G and 3750v2 switches. The command-line help strings are visible on these switches to support the FHS feature in a mixed switch stack scenario where one of these switches could become a master.

  • The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):

    • A physical port with an FHS policy attached cannot join an EtherChannel group.

    • An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.

Information about First Hop Security in IPv6

First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:

  • IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.

  • IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.

  • NDP Address Gleaning—The NDP address gleaning feature is enabled by default when you configure the ipv6 snooping policy global configuration command. To disable this function, enter the no protocol ndp global configuration command and attach the policy to the target port or VLAN.

  • IPv6 DHCP Address Gleaning—The IPv6 DHCP address gleaning feature provides the ability to extract addresses from DHCP messages and populate the binding table. The switch extracts address binding information from the following types of DHCPv6 exchanges (using User Datagram Protocol (UDP), ports 546 and 547):

    • DHCP-REQUEST

    • DHCP-CONFIRM

    • DHCP-RENEW

    • DHCP-REBIND

    • DHCP-REPLY

    • DHCP-RELEASE

    • DHCP-DECLINE

    After a switch receives a DHCP-REQUEST message from a client, one of the following can happen:

    • The switch receives a DHCP-REPLY message from the DHCP server and a binding table entry is created in the REACHABLE state and completed. The reply contains the IP address and the MAC address in the Layer 2 DMAC field.

      Creating an entry in the binding table allows the switch to learn addresses assigned by DHCP. A binding table entry can have one of the following states:

      • INCOMPLETE—Address resolution is in progress and the link-layer address is not yet known.

      • REACHABLE—The entry is known to be reachable within the last reachable time interval.

      • STALE—The entry requires re-resolution.

      • SEARCH—The feature creating the entry does not have the Layer 2 address and requests the binding table to search for the Layer 2 address.

      • VERIFY—The Layer 2 and Layer 3 addresses are known and a duplicate address detection (DAD) Neighbor Solicitation (NS) unicast message is sent to the Layer 2 and Layer 3 destinations to verify the addresses.

      • DOWN—The interface from which the entry was learned is down, preventing verification.

    • The DHCP server sends a DHCP-DECLINE or DHCP-RELEASE message and the entry is deleted.

    • The client sends a DHCP-RENEW message to the server that allocated the address or a DHCP-REBIND message to any server, and the lifespan of the entry is extended.

    • The server does not reply and the session times out.

    To enable this feature, configure a policy using the ipv6 snooping policy policy-name global configuration command.

    You can configure a policy and attach it to a DHCP guard to prevent the binding table from being filled with forged DHCP messages.

  • IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database; IPv6 neighbor discovery messages that do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.

    This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on DAD, address resolution, router discovery, and the neighbor cache.

    For detailed information about IPv6 Neighbor Discovery Inspection, see the “IPv6 Neighbor Discovery Inspection” chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Binding Table Recovery Mechanism—The IPv6 first-hop security binding table recovery feature recovers the missing binding table entries when the resolution for a destination address fails in the destination guard. Upon a failure, a binding table entry is recovered by querying the DHCP server or the destination host depending on the configuration.

    The recovery mechanism blocks any data traffic sourced from an unknown source, that is, a source not already specified in the binding table and previously learned by using NDP or Dynamic Host Configuration Protocol (DHCP) gleaning.

    For detailed information about IPv6 binding table recovery, see the “IPv6 First-Hop Security Binding Table” chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Data Address Gleaning—The IPv6 data address gleaning feature provides the ability to extract addresses from redirected data traffic, to discover neighbors, and to populate binding tables.

    When a port receives a data packet where the binding is unknown, that is, the neighbor is in an INCOMPLETE state and the link-layer address is not yet known, the switch sends a DAD NS NDP unicast message to the port from which the data packet was received.

    After the host replies with a DAD Neighbor Advertisement (NA) NDP message, the binding table is updated and a private VLAN ACL (PVACL) is installed in the hardware for this binding.

    If the host does not reply with a DAD NA, after the binding table timer expires, the hardware is notified and any resources associated with that binding are released.

    To enable this feature, configure a policy with data-glean and attach the policy to a target port. To debug the policy, use the debug ipv6 snooping privileged EXEC command.

  • IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 device with the information found in the received RA frame. Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

    For detailed information about IPv6 Router Advertisement Guard, see the “IPv6 Router Advertisement Guard" chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Device Tracking—The IPv6 device tracking feature provides IPv6 host liveness tracking so that a neighbor table can be updated when an IPv6 host disappears. The feature tracks the liveness of the neighbors connected through the Layer 2 switch on a regular basis in order to revoke network access privileges as they become inactive.

    For detailed information about IPv6 Device Tracking, see the “IPv6 Device Tracking" chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature, configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.

  • IPv6 Port-Based Access List Support—The IPv6 port-based access list (PACL) feature provides the ability to provide access control (permit or deny) on Layer 2 switch ports for IPv6 traffic. IPv6 PACLs are similar to IPv4 PACLs, which provide access control on Layer 2 switch ports for IPv4 traffic.

    With Catalyst 3750-E, 3750-X, 3560-E, 3560-X, 3750v2, and 3560v2 switches, this feature is supported in hardware and only in the ingress direction. In a mixed stack scenario where the stack has a switch that does not support IPv6 FHS, the VLAN target is disabled on the whole switch for security. Port targets are allowed on the IPv6 FHS-capable ports of the switch. If a non-supporting switch becomes the stack master, the IPv6 FHS functions are still supported on the IPv6 FHS-capable ports of the switch.

    Access lists determine which traffic is blocked and which traffic is forwarded at switch interfaces and allow filtering based on source and destination addresses, inbound and outbound, to a specific interface. Each access list has an implicit deny statement at the end. To configure an IPv6 PACL, you have to create an IPv6 access list and then configure the PACL mode on the specified IPv6 Layer 2 interface.

    PACL can filter ingress traffic on Layer 2 interfaces based on Layer 3 and Layer 4 header information or non-IP Layer 2 information.

  • IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix to prevent source address spoofing.

    A source guard programs the hardware to allow or deny traffic based on source or destination addresses. It deals exclusively with data packet traffic.

    The IPv6 source guard feature provides the ability to use the IPv6 binding table to install PACLs to prevent a host from sending packets with an invalid IPv6 source address.

    To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.


    Note

    The IPv6 PACL feature is supported only in the ingress direction; it is not supported in the egress direction.

    The following restrictions apply:

    • An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.

    • When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on the interface to which the switch port belongs. Otherwise, all data traffic from this port will be blocked.

    • An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface level.

    • You cannot use IPv6 Source Guard and Prefix Guard together. When you attach the policy to an interface, it should be "validate address" or "validate prefix" but not both.

    • PVLAN and Source/Prefix Guard cannot be applied together.

    For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature to enable the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced with an address outside this range.

    For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link. It relies on the address glean functionality to populate all destinations active on the link into the binding table and then blocks resolutions before they happen when the destination is not found in the binding table.

    Note

    IPv6 Destination Guard is recommended only on Layer 3. It is not recommended on Layer 2.

    For more information about IPv6 Destination Guard, see the IPv6 Destination Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Neighbor Discovery Multicast Suppress—The IPv6 Neighbor Discovery multicast suppress feature is an IPv6 snooping feature that runs on a switch or a wireless controller and is used to reduce the amount of control traffic necessary for proper link operations.

  • DHCPv6 Relay—Lightweight DHCPv6 Relay Agent—The DHCPv6 Relay—Lightweight DHCPv6 Relay Agent feature allows relay agent information to be inserted by an access node that performs a link-layer bridging (non-routing) function. Lightweight DHCPv6 Relay Agent (LDRA) functionality can be implemented in existing access nodes, such as DSL access multiplexers (DSLAMs) and Ethernet switches, that do not support IPv6 control or routing functions. LDRA is used to insert relay-agent options in DHCP version 6 (DHCPv6) message exchanges primarily to identify client-facing interfaces. LDRA functionality can be enabled on an interface and on a VLAN.

    For more information about DHCPv6 Relay, see the DHCPv6 Relay—Lightweight DHCPv6 Relay Agent section of the IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15.1SG.

How to Configure an IPv6 Snooping Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:

SUMMARY STEPS

    1.    configure terminal

    2.    ipv6 snooping policy policy-name

    3.    {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }

    4.    end

    5.    show ipv6 snooping policy policy-name


DETAILED STEPS
    Step 1 configure terminal


    Example:
    SwitchController# configure terminal
     

    Enters the global configuration mode.

     
    Step 2 ipv6 snooping policy policy-name


    Example:
    SwitchController(config)# ipv6 snooping policy example_policy
     

    Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.

     
    Step 3 {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }


    Example:
    SwitchController(config-ipv6-snooping)# security-level inspect

    Example:
    SwitchController(config-ipv6-snooping)# trusted-port
     

    Enables data address gleaning, validates messages against various criteria, and specifies the security level for messages.

    • (Optional) default—Sets all options to their defaults.

    • (Optional) device-role {node | switch}—Specifies the role of the device attached to the port. Default is node.

    • (Optional) limit address-count value—Limits the number of addresses allowed per target.

    • (Optional) no—Negates a command or sets it to defaults.

    • (Optional) protocol {dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default is dhcp and ndp. To change the default, use the no protocol command.

    • (Optional) security-level {glean | guard | inspect}—Specifies the level of security enforced by the feature. Default is guard.

      • glean—Gleans addresses from messages and populates the binding table without any verification.

      • guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.

      • inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.

    • (Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.

    • (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.

     
    Step 4 end


    Example:
    SwitchController(config-ipv6-snooping)# end
     

    Exits configuration modes to Privileged EXEC mode.

     
    Step 5 show ipv6 snooping policy policy-name


    Example:
    SwitchController# show ipv6 snooping policy example_policy
     

    Displays the snooping policy configuration.

     
    What to Do Next

    Attach an IPv6 Snooping policy to interfaces or VLANs.

    How to Attach an IPv6 Snooping Policy to an Interface

    Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an interface or VLAN:

    SUMMARY STEPS

      1.    configure terminal

      2.    interface Interface_type stack/module/port

      3.    switchport

      4.    ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

      5.    do show running-config


    DETAILED STEPS
      Step 1 configure terminal


      Example:
      SwitchController# configure terminal
       

      Enters the global configuration mode.

       
      Step 2 interface Interface_type stack/module/port


      Example:
      SwitchController(config)#  interface gigabitethernet 1/1/4    
       

      Specifies an interface type and identifier; enters the interface configuration mode.

       
      Step 3 switchport


      Example:
      SwitchController(config-if)# switchport
      
       

      Enters the Switchport mode.

      Note   

      To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. The command prompt displays as (config-if)# in Switchport configuration mode.

       
      Step 4 ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]


      Example:
      SwitchController(config-if)# ipv6 snooping 
      
      or 
      
      SwitchController(config-if)# ipv6 snooping attach-policy example_policy
      
      or
      SwitchController(config-if)# ipv6 snooping vlan 111,112
      
      or 
      
      SwitchController(config-if)# ipv6 snooping attach-policy example_policy vlan 111,112
      
      
       

      Attaches a custom ipv6 snooping policy to the interface or the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is security-level guard, device-role node, and protocol ndp and dhcp.

       
      Step 5 do show running-config


      Example:
      SwitchController(config-if)# do show running-config
       

      Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.
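The following session is an added worked example, not configuration taken from this guide, that strings the two procedures above together: one policy for host-facing ports and one for a trusted uplink, each attached to its interface and then verified. The policy names (HOST-POLICY, UPLINK-POLICY), the interface numbers, the VLAN IDs and the address limit are assumed values.

```cisco
! Added example, not from the original guide; names, interfaces and VLANs are assumed.
SwitchController# configure terminal

! Host-facing policy. security-level guard (the default) rejects RA and DHCP
! server messages arriving from hosts; the address limit caps how many
! bindings a single port can register in the binding table.
SwitchController(config)# ipv6 snooping policy HOST-POLICY
SwitchController(config-ipv6-snooping)# device-role node
SwitchController(config-ipv6-snooping)# security-level guard
SwitchController(config-ipv6-snooping)# limit address-count 10
SwitchController(config-ipv6-snooping)# exit

! Uplink policy. The port faces another switch and is marked trusted, so the
! guard is disabled there and bindings learned on it win in case of a collision.
SwitchController(config)# ipv6 snooping policy UPLINK-POLICY
SwitchController(config-ipv6-snooping)# device-role switch
SwitchController(config-ipv6-snooping)# trusted-port
SwitchController(config-ipv6-snooping)# exit

! Attach the host policy to an access port (the port must be in Layer 2 mode).
SwitchController(config)# interface gigabitethernet 1/0/1
SwitchController(config-if)# switchport
SwitchController(config-if)# ipv6 snooping attach-policy HOST-POLICY
SwitchController(config-if)# exit

! Attach the trusted policy to the uplink, restricted to the user VLANs it carries.
SwitchController(config)# interface gigabitethernet 1/0/24
SwitchController(config-if)# switchport
SwitchController(config-if)# ipv6 snooping attach-policy UPLINK-POLICY vlan 10,20
SwitchController(config-if)# do show running-config interface gigabitethernet 1/0/24
SwitchController(config-if)# end

! Confirm both policies from privileged EXEC mode.
SwitchController# show ipv6 snooping policy HOST-POLICY
SwitchController# show ipv6 snooping policy UPLINK-POLICY
```

Keeping the trusted policy on the uplink only matters: attaching a trusted-port policy to a host-facing port would exempt that port from the guard and let a host on it inject RAs or DHCPv6 server messages that the default policy is meant to block.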

       

      How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface

      Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN:

      SUMMARY STEPS

        1.    configure terminal

        2.    interface range Interface_name

        3.    ipv6 snooping [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

        4.    do show running-config interface portchannel_interface_name


      DETAILED STEPS
        Step 1 configure terminal


        Example:
        SwitchController# configure terminal
         

        Enters the global configuration mode.

         
        Step 2 interface range Interface_name


        Example:
        SwitchController(config)#  interface Po11    
         

        Specifies the port-channel interface name assigned when the EtherChannel was created and enters the interface range configuration mode.

        Tip   

        Enter the do show interfaces summary command for quick reference to interface names and types.

         
        Step 3 ipv6 snooping [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]


        Example:
        SwitchController(config-if-range)# ipv6 snooping attach-policy example_policy
        
        or
        
        SwitchController(config-if-range)# ipv6 snooping attach-policy example_policy vlan 222,223,224
        
        or 
        
        SwitchController(config-if-range)# ipv6 snooping vlan 222,223,224
        
         
        
         

        Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

         
        Step 4 do show running-config interface portchannel_interface_name


        Example:
        SwitchController(config-if-range)# do show running-config int po11
         

        Confirms that the policy is attached to the specified interface without exiting the configuration mode.

         

        How to Attach an IPv6 Snooping Policy to VLANs Globally

        Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:

        SUMMARY STEPS

          1.    configure terminal

          2.    vlan configuration vlan_list

          3.    ipv6 snooping [attach-policy policy_name]

          4.    do show running-config


        DETAILED STEPS
          Step 1 configure terminal


          Example:
          SwitchController# configure terminal
           

          Enters the global configuration mode.

           
          Step 2 vlan configuration vlan_list


          Example:
          SwitchController(config)#  vlan configuration 333    
           

          Specifies the VLANs to which the IPv6 Snooping policy will be attached; enters the VLAN interface configuration mode.

           
          Step 3 ipv6 snooping [attach-policy policy_name]


          Example:
          SwitchController(config-vlan-config)# ipv6 snooping attach-policy example_policy
          
          
           

          Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is security-level guard, device-role node, and protocol ndp and dhcp.

           
          Step 4 do show running-config


          Example:
          SwitchController(config-vlan-config)# do show running-config
           

          Verifies that the policy is attached to the specified VLANs without exiting the VLAN configuration mode.
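The following session is an added worked example, not configuration from this guide, covering the EtherChannel and VLAN-global procedures above. It assumes two snooping policies named HOST-POLICY (for host ports) and UPLINK-POLICY (trusted, device-role switch) already exist, and that Po11 is an EtherChannel uplink whose member ports carry VLANs 10 and 20; the names, VLAN IDs and interface are assumed values.

```cisco
! Added example, not from the original guide; policy names, VLANs and interfaces are assumed.
SwitchController# configure terminal

! Per the EtherChannel restrictions, a member port cannot carry its own FHS
! policy (and a port with a policy cannot join the bundle), so the policy is
! attached to the port-channel interface, not to its members.
SwitchController(config)# interface Po11
SwitchController(config-if-range)# ipv6 snooping attach-policy UPLINK-POLICY vlan 10,20
SwitchController(config-if-range)# do show running-config interface po11
SwitchController(config-if-range)# exit

! The host-facing VLANs get the host policy across every interface in the
! switch or stack with one command, instead of attaching it port by port.
SwitchController(config)# vlan configuration 10,20
SwitchController(config-vlan-config)# ipv6 snooping attach-policy HOST-POLICY
SwitchController(config-vlan-config)# do show running-config | include ipv6 snooping
SwitchController(config-vlan-config)# end
```

The VLAN-global attachment and the port-channel attachment overlap on VLANs 10 and 20; the trusted policy on Po11 is what keeps the uplink's RAs and DHCPv6 server replies from being dropped by the guard that the VLAN-wide host policy applies everywhere else.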

           

          How to Configure the IPv6 Binding Table Content

          Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content:

          SUMMARY STEPS

            1.    configure terminal

            2.    [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds | default | infinite] | [tracking {[default | disable] [reachable-lifetime value [seconds | default | infinite] | [enable [reachable-lifetime value [seconds | default | infinite] | [retry-interval {seconds | default [reachable-lifetime value [seconds | default | infinite] } ]

            3.    [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limit number] ] ] ]

            4.    ipv6 neighbor binding logging

            5.    exit

            6.    show ipv6 neighbor binding


          DETAILED STEPS
            Step 1 configure terminal


            Example:
            SwitchController# configure terminal
             

            Enters the global configuration mode.

             
            Step 2 [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds | default | infinite] | [tracking {[default | disable] [reachable-lifetime value [seconds | default | infinite] | [enable [reachable-lifetime value [seconds | default | infinite] | [retry-interval {seconds | default [reachable-lifetime value [seconds | default | infinite] } ]


            Example:
            SwitchController(config)# ipv6 neighbor binding vlan 100 2001:DB8::10 interface gigabitethernet 1/1/4 0000.0C12.3456
            
             

            Adds a static entry to the binding table database. The VLAN, IPv6 address, interface, and hardware address shown in the example are illustrative values.

             
            Step 3 [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limit number] ] ] ]


            Example:
            SwitchController(config)#  ipv6 neighbor binding max-entries 30000
            
             

            Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.

             
            Step 4 ipv6 neighbor binding logging


            Example:
            SwitchController(config)# ipv6 neighbor binding logging  
             

            Enables the logging of binding table main events.

             
            Step 5 exit


            Example:
            SwitchController(config)# exit   
             

            Exits global configuration mode, and places the router in privileged EXEC mode.

             
            Step 6 show ipv6 neighbor binding


            Example:
            SwitchController#  show ipv6 neighbor binding  
             

            Displays contents of a binding table.
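The following session is an added worked example, not configuration from this guide, that applies the binding table procedure above to a concrete case: a static binding for a server that must never age out, table limits that stop one VLAN or port from exhausting the table, and event logging for auditing. The VLAN, addresses, interface and limit values are assumed.

```cisco
! Added example, not from the original guide; VLAN, addresses, interface and limits are assumed.
SwitchController# configure terminal

! Static binding for a server: the entry is pinned with an infinite reachable
! lifetime so it does not age out and cannot be displaced by a gleaned binding
! carrying a different link-layer address for the same IPv6 address.
SwitchController(config)# ipv6 neighbor binding vlan 100 2001:DB8:100::10 interface gigabitethernet 1/0/48 0000.0C12.3456 reachable-lifetime infinite

! Bound the table: 5000 entries overall, at most 200 per VLAN, and at most 20
! per port within a VLAN, so a flood of addresses from one port cannot push out
! the legitimate bindings the guard features rely on.
SwitchController(config)# ipv6 neighbor binding max-entries 5000 vlan-limit 200 port-limit 20

! Log binding table events so additions, changes and removals reach syslog.
SwitchController(config)# ipv6 neighbor binding logging
SwitchController(config)# exit

! Verify the static entry and the gleaned ones.
SwitchController# show ipv6 neighbor binding
```

Size the limits from the expected address count per host (a typical dual-stack host registers several IPv6 addresses: link-local, global and temporary), otherwise legitimate hosts will be refused entries and, where source guard is attached, have their traffic dropped.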

             

            How to Configure an IPv6 Neighbor Discovery Inspection Policy

            Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:

            SUMMARY STEPS

              1.    configure terminal

              2.    [no] ipv6 nd inspection policy policy-name

              3.    device-role {host | monitor | router | switch}

              4.    drop-unsecure

              5.    limit address-count value

              6.    sec-level minimum value

              7.    tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

              8.    trusted-port

              9.    validate source-mac

              10.    no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

              11.    default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

              12.    do show ipv6 nd inspection policy policy_name


            DETAILED STEPS
              Step 1 configure terminal


              Example:
              SwitchController# configure terminal
               

              Enters the global configuration mode.

               
              Step 2 [no] ipv6 nd inspection policy policy-name


              Example:
              SwitchController(config)# ipv6 nd inspection policy example_policy
               

              Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.

               
              Step 3 device-role {host | monitor | router | switch}


              Example:
              SwitchController(config-nd-inspection)# device-role switch
               

              Specifies the role of the device attached to the port. The default is host.

               
              Step 4 drop-unsecure


              Example:
              SwitchController(config-nd-inspection)# drop-unsecure
               

              Drops messages with no or invalid options or an invalid signature.

               
              Step 5 limit address-count value


              Example:
              SwitchController(config-nd-inspection)# limit address-count 1000
               

              Specifies the maximum number of addresses allowed per target. Enter a value from 1 to 10,000.

               
              Step 6 sec-level minimum value


              Example:
              SwitchController(config-nd-inspection)# sec-level minimum 2
               

              Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used. The value 2 in the example is illustrative.

               
              Step 7 tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}


              Example:
              SwitchController(config-nd-inspection)# tracking disable stale-lifetime infinite
               

              Overrides the default tracking policy on a port.

               
              Step 8 trusted-port


              Example:
              SwitchController(config-nd-inspection)# trusted-port
               

              Configures a port to become a trusted port.

               
              Step 9 validate source-mac


              Example:
              SwitchController(config-nd-inspection)# validate source-mac
               

              Checks the source media access control (MAC) address against the link-layer address.

               
              Step 10 no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}


              Example:
              SwitchController(config-nd-inspection)# no validate source-mac
               

              Removes the current configuration of a parameter with the no form of the command.

               
              Step 11 default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}


              Example:
              SwitchController(config-nd-inspection)# default limit address-count
               

              Restores configuration to the default values.

               
              Step 12 do show ipv6 nd inspection policy policy_name


              Example:
              SwitchController(config-nd-inspection)# do show ipv6 nd inspection policy example_policy
               

              Verifies the ND Inspection Configuration without exiting ND inspection configuration mode.
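
As an added illustration (not code from this guide or from Cisco IOS), the following Python models the per-message checks that the policy options above configure, run over a few constructed Neighbor Discovery messages arriving on one port. The fields are simplified stand-ins and are assumptions of the model: `signature_valid` and `cga_sec` represent the SEND RSA-signature and CGA options that drop-unsecure and sec-level minimum act on, and the per-port set of learned addresses represents the binding-table entries that limit address-count bounds.

```python
"""Model of the checks an ND Inspection policy applies per message (added
example, not Cisco code). Message and policy fields are simplified stand-ins
for the real ICMPv6 options; see the lead-in for the assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class NdInspectionPolicy:
    drop_unsecure: bool = False          # drop-unsecure
    address_limit: Optional[int] = None  # limit address-count (1-10,000); None = disabled
    sec_level_min: Optional[int] = None  # sec-level minimum; None = disabled
    validate_source_mac: bool = False    # validate source-mac
    trusted_port: bool = False           # trusted-port


@dataclass
class NdMessage:
    src_mac: str                             # Ethernet source address of the frame
    lla_option: str                          # link-layer address option inside the ND message
    ipv6_src: str                            # IPv6 address the sender claims
    signature_valid: Optional[bool] = None   # None: no SEND options present (assumption)
    cga_sec: Optional[int] = None            # CGA sec parameter, if a CGA option is present


@dataclass
class PortState:
    """Addresses already learned on one port: the binding-table view of that port."""
    learned: Set[str] = field(default_factory=set)


def inspect(policy: NdInspectionPolicy, port: PortState, msg: NdMessage) -> Tuple[bool, str]:
    """Apply the policy to one message, updating the port's learned addresses.

    Returns (accepted, reason). Any failing check drops the message before
    the address count is touched."""
    if policy.trusted_port:
        port.learned.add(msg.ipv6_src)
        return True, "trusted-port: accepted without verification"

    if policy.validate_source_mac and msg.src_mac.lower() != msg.lla_option.lower():
        return False, "validate source-mac: frame MAC differs from link-layer address option"

    if policy.drop_unsecure and not msg.signature_valid:
        return False, "drop-unsecure: missing or invalid SEND signature"

    if policy.sec_level_min is not None and (msg.cga_sec is None or msg.cga_sec < policy.sec_level_min):
        return False, f"sec-level minimum {policy.sec_level_min}: CGA sec {msg.cga_sec} is too low"

    if msg.ipv6_src not in port.learned:
        if policy.address_limit is not None and len(port.learned) >= policy.address_limit:
            return False, f"limit address-count {policy.address_limit}: port already has {len(port.learned)} addresses"
        port.learned.add(msg.ipv6_src)
    return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Run constructed sample messages through a restrictive policy, in order."""
    policy = NdInspectionPolicy(drop_unsecure=True, address_limit=2, sec_level_min=1,
                                validate_source_mac=True)
    port = PortState()
    mac = "00:11:22:33:44:55"
    samples = [
        NdMessage(mac, mac, "fe80::1", True, 1),                  # clean message
        NdMessage(mac, "00:11:22:33:44:66", "fe80::2", True, 1),  # option MAC does not match frame
        NdMessage(mac, mac, "fe80::3"),                           # no SEND options at all
        NdMessage(mac, mac, "fe80::4", True, 0),                  # CGA sec below the minimum
        NdMessage(mac, mac, "fe80::5", True, 1),                  # second address: within limit
        NdMessage(mac, mac, "fe80::6", True, 1),                  # third address: over the limit
        NdMessage(mac, mac, "fe80::1", True, 1),                  # known address: still accepted
    ]
    return [inspect(policy, port, m) for m in samples]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "DROP  ", reason)
```

Note that the order of the checks matters operationally: a trusted port skips everything, and the address limit is only consulted for an address the port has not seen yet, so a host that keeps renewing an existing binding is not penalised by a tight limit.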

               

              How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface

              Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or to VLANs on an interface:

              SUMMARY STEPS

                1.    configure terminal

                2.    interface Interface_type stack/module/port

                3.    ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

                4.    do show running-config


              DETAILED STEPS
                 Command or Action    Purpose
                Step 1 configure terminal


                Example:
                SwitchController# configure terminal
                 

                Enters the global configuration mode.

                 
                Step 2 interface Interface_type stack/module/port


                Example:
                SwitchController(config)#  interface gigabitethernet 1/1/4    
                 

                Specifies an interface type and identifier; enters the interface configuration mode.

                 
                Step 3 ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]


                Example:
                SwitchController(config-if)# ipv6 nd inspection attach-policy example_policy
                
                or
                
                SwitchController(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
                
                or 
                
                SwitchController(config-if)# ipv6 nd inspection vlan 222,223,224
                
                 
                
                 

                Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                 
                Step 4 do show running-config


                Example:
                SwitchController(config-if)# do show running-config
                 

                Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.

                 

                How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface

                Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN:

                SUMMARY STEPS

                  1.    configure terminal

                  2.    interface range Interface_name

                  3.    ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

                  4.    do show running-config interface portchannel_interface_name


                DETAILED STEPS
                   Command or Action    Purpose
                  Step 1 configure terminal


                  Example:
                  SwitchController# configure terminal
                   

                  Enters the global configuration mode.

                   
                  Step 2 interface range Interface_name


                  Example:
                  SwitchController(config)#  interface Po11    
                   

                  Specifies the port-channel interface name assigned when the EtherChannel was created; enters the interface range configuration mode.

                  Tip   

                  Enter the do show interfaces summary command for quick reference to interface names and types.

                   
                  Step 3 ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]


                  Example:
                  SwitchController(config-if-range)# ipv6 nd inspection attach-policy example_policy
                  
                  or
                  
                  SwitchController(config-if-range)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
                  
                  or 
                  
                  SwitchController(config-if-range)# ipv6 nd inspection vlan 222,223,224
                  
                   
                  
                   

                  Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                   
                  Step 4 do show running-config interface portchannel_interface_name


                  Example:
                  SwitchController(config-if-range)# do show running-config int po11
                   

                  Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                   

                  How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally

                  Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces:

                  SUMMARY STEPS

                    1.    configure terminal

                    2.    vlan configuration vlan_list

                    3.    ipv6 nd inspection [attach-policy policy_name]

                    4.    do show running-config


                  DETAILED STEPS
                     Command or Action    Purpose
                    Step 1 configure terminal


                    Example:
                    SwitchController# configure terminal
                     

                    Enters the global configuration mode.

                     
                    Step 2 vlan configuration vlan_list


                    Example:
                    SwitchController(config)# vlan configuration 334    
                     

                    Specifies the VLANs to which the IPv6 ND Inspection policy will be attached; enters the VLAN interface configuration mode.

                     
                    Step 3 ipv6 nd inspection [attach-policy policy_name]


                    Example:
                    SwitchController(config-vlan-config)# ipv6 nd inspection attach-policy example_policy
                    
                    
                     

                    Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.

                    The default policy is: device-role host, no drop-unsecure, limit address-count disabled, sec-level minimum disabled, tracking disabled, no trusted-port, and no validate source-mac.

                     
                    Step 4 do show running-config


                    Example:
                    SwitchController(config-vlan-config)# do show running-config
                     

                    Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.

                     

                    How to Configure an IPv6 Router Advertisement Guard Policy

                    Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement Guard policy:

                    SUMMARY STEPS

                      1.    configure terminal

                      2.    [no] ipv6 nd raguard policy policy-name

                      3.    [no] device-role {host | monitor | router | switch}

                      4.    [no] hop-limit {maximum | minimum} value

                      5.    [no] managed-config-flag {off | on}

                      6.    [no] match {ipv6 access-list list | ra prefix-list list}

                      7.    [no] other-config-flag {on | off}

                      8.    [no] router-preference maximum {high | medium | low}

                      9.    [no] trusted-port

                      10.    default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}

                      11.    do show ipv6 nd raguard policy policy_name


                    DETAILED STEPS
                       Command or Action    Purpose
                      Step 1 configure terminal


                      Example:
                      SwitchController# configure terminal
                       

                      Enters the global configuration mode.

                       
                      Step 2 [no] ipv6 nd raguard policy policy-name


                      Example:
                      SwitchController(config)# ipv6 nd raguard policy example_policy
                       

                      Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.

                       
                      Step 3 [no] device-role {host | monitor | router | switch}


                      Example:
                      SwitchController(config-nd-raguard)# device-role switch
                       

                      Specifies the role of the device attached to the port. The default is host.

                       
                      Step 4 [no] hop-limit {maximum | minimum} value


                      Example:
                      SwitchController(config-nd-raguard)# hop-limit maximum 33
                       

                      The range for the maximum and minimum Hop Limit values is 1–255.

                      Enables filtering of Router Advertisement messages by the Hop Limit value. A rogue RA message may carry a low Hop Limit value (the equivalent of the IPv4 Time to Live) that, when accepted by the host, prevents the host from generating traffic to destinations beyond the sender of the rogue RA. An RA message with an unspecified Hop Limit value is blocked.

                      If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximum to block RA messages with Hop Limit values greater than the value you specify.

                       
                      Step 5 [no] managed-config-flag {off | on}


                      Example:
                      SwitchController(config-nd-raguard)# managed-config-flag on
                       

                      Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rogue RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

                      On—Accepts and forwards RA messages with an M value of 1, blocks those with 0.

                      Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.

                       
                      Step 6 [no] match {ipv6 access-list list | ra prefix-list list}


                      Example:
                      SwitchController(config-nd-raguard)# match ipv6 access-list example_list
                       

                      Matches a specified prefix list or access list.

                       
                      Step 7 [no] other-config-flag {on | off}


                      Example:
                      SwitchController(config-nd-raguard)# other-config-flag on 
                       

                      Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rogue RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

                      On—Accepts and forwards RA messages with an O value of 1, blocks those with 0.

                      Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1.

                       
                      Step 8 [no] router-preference maximum {high | medium | low}


                      Example:
                      SwitchController(config-nd-raguard)# router-preference maximum high 
                       

                      Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled.

                      • high—Accepts RA messages with the Router Preference set to high, medium, or low.

                      • medium—Blocks RA messages with the Router Preference set to high.

                      • low—Blocks RA messages with the Router Preference set to medium and high.

                       
                      Step 9 [no] trusted-port


                      Example:
                      SwitchController(config-nd-raguard)# trusted-port
                       

                      When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.

                       
                      Step 10 default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}


                      Example:
                      SwitchController(config-nd-raguard)# default hop-limit
                       

                      Restores a command to its default value.

                       
                      Step 11 do show ipv6 nd raguard policy policy_name


                      Example:
                      SwitchController(config-nd-raguard)# do show ipv6 nd raguard policy example_policy
                       

                      (Optional) Displays the RA Guard policy configuration without exiting the RA Guard policy configuration mode.
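
As an added illustration (not code from this guide or from Cisco IOS), the following Python models how the RA Guard filters configured in Steps 3 to 9 decide whether a Router Advertisement is forwarded, using settings close to the examples above (hop-limit maximum 33, M and O flags on, router-preference maximum medium). The RA fields are the Router Advertisement header fields of RFC 4861 and the Prf field of RFC 4191; the messages are constructed samples. One simplification is an assumption of the model, not a statement from the guide: only a port whose device-role is router is allowed to source RAs, and every other role drops them.

```python
"""Model of the RA Guard filters configured in Steps 3-9 (added example, not
Cisco code). RA fields follow the Router Advertisement header of RFC 4861 and
the Prf field of RFC 4191; policy fields mirror the CLI keywords."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREF_RANK = {"low": 0, "medium": 1, "high": 2}   # ordering used by router-preference maximum


@dataclass
class RaGuardPolicy:
    device_role: str = "host"                     # host | monitor | router | switch
    hop_limit_min: Optional[int] = None           # hop-limit minimum (1-255); None = filter disabled
    hop_limit_max: Optional[int] = None           # hop-limit maximum (1-255); None = filter disabled
    managed_config_flag: Optional[str] = None     # "on" | "off" | None (filter disabled)
    other_config_flag: Optional[str] = None       # "on" | "off" | None (filter disabled)
    router_preference_max: Optional[str] = None   # "high" | "medium" | "low" | None
    trusted_port: bool = False


@dataclass
class RouterAdvertisement:
    hop_limit: int      # Cur Hop Limit; 0 means "unspecified" (RFC 4861)
    m_flag: bool        # Managed Address Configuration (M) flag
    o_flag: bool        # Other Configuration (O) flag
    preference: str     # Router Preference: "high" | "medium" | "low"


def evaluate_ra(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """Return (accepted, reason) for one RA received on a port with this policy."""
    if policy.trusted_port:
        return True, "trusted-port: accepted without verification"
    # Assumption of this model: only a router-role port may source RAs.
    if policy.device_role != "router":
        return False, f"device-role {policy.device_role}: RA dropped"

    if policy.hop_limit_min is not None or policy.hop_limit_max is not None:
        if ra.hop_limit == 0:
            return False, "hop-limit: RA with unspecified Hop Limit blocked"
        if policy.hop_limit_min is not None and ra.hop_limit < policy.hop_limit_min:
            return False, f"hop-limit minimum {policy.hop_limit_min}: {ra.hop_limit} is lower"
        if policy.hop_limit_max is not None and ra.hop_limit > policy.hop_limit_max:
            return False, f"hop-limit maximum {policy.hop_limit_max}: {ra.hop_limit} is greater"

    if policy.managed_config_flag is not None and ra.m_flag != (policy.managed_config_flag == "on"):
        return False, f"managed-config-flag {policy.managed_config_flag}: M={int(ra.m_flag)} blocked"
    if policy.other_config_flag is not None and ra.o_flag != (policy.other_config_flag == "on"):
        return False, f"other-config-flag {policy.other_config_flag}: O={int(ra.o_flag)} blocked"
    if (policy.router_preference_max is not None
            and PREF_RANK[ra.preference] > PREF_RANK[policy.router_preference_max]):
        return False, f"router-preference maximum {policy.router_preference_max}: {ra.preference} blocked"
    return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Apply hop-limit maximum 33, M and O on, router-preference maximum medium
    to constructed RAs on a router-role port, then one RA on a default port."""
    policy = RaGuardPolicy(device_role="router", hop_limit_max=33, managed_config_flag="on",
                           other_config_flag="on", router_preference_max="medium")
    samples = [
        RouterAdvertisement(32, True, True, "medium"),   # passes every filter
        RouterAdvertisement(64, True, True, "medium"),   # Hop Limit above the maximum
        RouterAdvertisement(0, True, True, "medium"),    # unspecified Hop Limit
        RouterAdvertisement(32, False, True, "medium"),  # M=0 while the filter wants on
        RouterAdvertisement(32, True, True, "high"),     # preference above medium
    ]
    verdicts = [evaluate_ra(policy, ra) for ra in samples]
    # The same clean RA is dropped outright on a port left at the default host role.
    verdicts.append(evaluate_ra(RaGuardPolicy(), samples[0]))
    return verdicts


if __name__ == "__main__":
    for accepted, reason in demo():
        print("FORWARD" if accepted else "BLOCK  ", reason)
```

The second sample is worth noticing: a hop-limit maximum of 33, as in the Step 4 example, blocks an otherwise legitimate RA whose Cur Hop Limit is 64, so the value chosen for this filter has to match what the legitimate routers on the segment actually advertise.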

                       

                      How to Attach an IPv6 Router Advertisement Guard Policy to an Interface

                      Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard policy to an interface or to VLANs on the interface:

                      SUMMARY STEPS

                        1.    configure terminal

                        2.    interface Interface_type stack/module/port

                        3.    ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

                        4.    do show running-config


                      DETAILED STEPS
                         Command or Action    Purpose
                        Step 1 configure terminal


                        Example:
                        SwitchController# configure terminal
                         

                        Enters the global configuration mode.

                         
                        Step 2 interface Interface_type stack/module/port


                        Example:
                        SwitchController(config)#  interface gigabitethernet 1/1/4    
                         

                        Specifies an interface type and identifier; enters the interface configuration mode.

                         
                        Step 3 ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]


                        Example:
                        SwitchController(config-if)# ipv6 nd raguard attach-policy example_policy
                        
                        or
                        
                        SwitchController(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
                        
                        or 
                        
                        SwitchController(config-if)# ipv6 nd raguard vlan 222,223,224
                        
                         
                        
                         

                        Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                         
                        Step 4 do show running-config


                        Example:
                        SwitchController(config-if)# do show running-config
                         

                        Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                         

                        How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface

                        Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy on an EtherChannel interface or VLAN:

                        SUMMARY STEPS

                          1.    configure terminal

                          2.    interface range Interface_name

                          3.    ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

                          4.    do show running-config interface portchannel_interface_name


                        DETAILED STEPS
                           Command or Action    Purpose
                          Step 1 configure terminal


                          Example:
                          SwitchController# configure terminal
                           

                          Enters the global configuration mode.

                           
                          Step 2 interface range Interface_name


                          Example:
                          SwitchController(config)#  interface Po11    
                           

                          Specifies the port-channel interface name assigned when the EtherChannel was created; enters the interface range configuration mode.

                          Tip   

                          Enter the do show interfaces summary command for quick reference to interface names and types.

                           
                          Step 3 ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]


                          Example:
                          SwitchController(config-if-range)# ipv6 nd raguard attach-policy example_policy
                          
                          or
                          
                          SwitchController(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
                          
                          or 
                          
                          SwitchController(config-if-range)# ipv6 nd raguard vlan 222,223,224
                          
                           
                          
                           

                          Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

                           
                          Step 4 do show running-config interface portchannel_interface_name


                          Example:
                          SwitchController(config-if-range)# do show running-config int po11
                           

                          Confirms that the policy is attached to the specified interface without exiting the configuration mode.

                           

                          How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally

                          Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface:

                          SUMMARY STEPS

                            1.    configure terminal

                            2.    vlan configuration vlan_list

                            3.    ipv6 nd raguard [attach-policy policy_name]

                            4.    do show running-config


                          DETAILED STEPS
                             Command or Action    Purpose
                            Step 1 configure terminal


                            Example:
                            SwitchController# configure terminal
                             

                            Enters global configuration mode.

                             
                            Step 2 vlan configuration vlan_list


                            Example:
                            SwitchController(config)# vlan configuration 335    
                             

                            Specifies the VLANs to which the IPv6 RA Guard policy will be attached; enters the VLAN interface configuration mode.

                             
                            Step 3 ipv6 nd raguard [attach-policy policy_name]


                            Example:
                            SwitchController(config-vlan-config)# ipv6 nd raguard attach-policy example_policy
                            
                            
                             

                            Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.

                             
                            Step 4 do show running-config


                            Example:
                            SwitchController(config-vlan-config)# do show running-config
                             

                            Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.

                             

                            How to Configure an IPv6 DHCP Guard Policy

                            Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:

                            SUMMARY STEPS

                              1.    configure terminal

                              2.    [no] ipv6 dhcp guard policy policy-name

                              3.    [no] device-role {client | server}

                              4.    [no] match server access-list ipv6-access-list-name

                              5.    [no] match reply prefix-list ipv6-prefix-list-name

                              6.    [no] preference {max limit | min limit}

                              7.    [no] trusted-port

                              8.    default {device-role | trusted-port}

                              9.    do show ipv6 dhcp guard policy policy_name


                            DETAILED STEPS
                               Command or Action    Purpose
                              Step 1 configure terminal


                              Example:
                              SwitchController# configure terminal
                               

                              Enters the global configuration mode.

                               
                              Step 2 [no] ipv6 dhcp guard policy policy-name


                              Example:
                              SwitchController(config)# ipv6 dhcp guard policy example_policy
                               

                              Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.

                               
                              Step 3 [no] device-role {client | server}


                              Example:
                              SwitchController(config-dhcp-guard)# device-role server
                               

                              (Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client.

                              • client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.

                              • server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.

                               
                              Step 4 [no] match server access-list ipv6-access-list-name


                              Example:
                              ;;Assume a preconfigured IPv6 Access List as follows:
                              SwitchController(config)# ipv6 access-list my_acls
                              SwitchController(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
                               
                              ;; Configure DHCPv6 Guard to match the approved access list.
                              SwitchController(config-dhcp-guard)#  match server access-list my_acls  
                               

                              (Optional) Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (the destination address in the access list is 'any'). If not configured, this check is bypassed. An empty access list is treated as a permit all.

                               
                              Step 5 [no] match reply prefix-list ipv6-prefix-list-name


                              Example:
                              ;;Assume a preconfigured IPv6 prefix list as follows:
                              SwitchController(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128
                              
                              ;; Configure DHCPv6 Guard to match the prefix list.
                              SwitchController(config-dhcp-guard)#  match reply prefix-list my_prefix 
                               

                              (Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.

                               
                              Step 6 [no] preference {max limit | min limit}


                              Example:
                              SwitchController(config-dhcp-guard)# preference max 250
                              SwitchController(config-dhcp-guard)# preference min 150
                               

                              Configure max and min when device-role is server to filter DHCPv6 server advertisements by the server preference value. The defaults permit all advertisements.

                              max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.

                              min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.

                               
                              Step 7 [no] trusted-port


                              Example:
                              SwitchController(config-dhcp-guard)# trusted-port
                               

                              (Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.

                              Note   

                              If you configure a trusted port then the device-role option is not available.

                               
                              Step 8 default {device-role | trusted-port}


                              Example:
                              SwitchController(config-dhcp-guard)# default device-role
                               

                              (Optional) default—Sets a command to its defaults.

                               
                              Step 9 do show ipv6 dhcp guard policy policy_name


                              Example:
                              SwitchController(config-dhcp-guard)# do show ipv6 dhcp guard policy example_policy
                               

                              (Optional) Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 policies.

                               

                              Example of DHCPv6 Guard Configuration

                              enable
                              configure terminal
                              ipv6 access-list acl1
                               permit host FE80::A8BB:CCFF:FE01:F700 any
                              ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
                              ipv6 dhcp guard policy pol1
                               device-role server
                               match server access-list acl1
                               match reply prefix-list abc
                               preference min 0
                               preference max 255
                               trusted-port
                              interface GigabitEthernet 0/2/0
                               switchport
                               ipv6 dhcp guard attach-policy pol1 vlan add 1
                              vlan configuration 1
                               ipv6 dhcp guard attach-policy pol1
                              show ipv6 dhcp guard policy pol1
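
As an added illustration (not code from this guide or from Cisco IOS), the following Python models the DHCPv6 Guard checks from Steps 3 to 7 against constructed DHCPv6 ADVERTISE/REPLY messages. The access list and prefix list hold the same entries as the CLI examples above (permit host FE80::A8BB:CCFF:FE01:F700 any; permit 2001:0DB8::/64 le 128), but as Python data; the `PrefixEntry.permits` logic is this example's own reading of the `le` modifier. One interpretation is an assumption of the model: the preference limits are applied inclusively, so that the defaults (min 0, max 255) permit every advertisement, as the text states.

```python
"""Model of the DHCPv6 Guard checks from Steps 3-7 (added example, not Cisco
code) run against constructed DHCPv6 ADVERTISE/REPLY messages. The access list
and prefix list carry the same entries as the page's CLI examples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    """One 'permit' line of an IPv6 prefix list, e.g. 2001:0DB8::/64 le 128."""
    prefix: str
    le: Optional[int] = None   # "le" modifier: longest prefix length still permitted

    def permits(self, candidate: str) -> bool:
        net = ipaddress.IPv6Network(self.prefix)
        cand = ipaddress.IPv6Network(candidate, strict=False)
        longest = self.le if self.le is not None else net.prefixlen
        return cand.subnet_of(net) and net.prefixlen <= cand.prefixlen <= longest


@dataclass
class DhcpGuardPolicy:
    device_role: str = "client"                            # client | server
    server_acl: Optional[List[str]] = None                 # permitted server sources; None = check bypassed
    reply_prefix_list: Optional[List[PrefixEntry]] = None  # None = check bypassed
    pref_min: int = 0                                      # preference min limit
    pref_max: int = 255                                    # preference max limit
    trusted_port: bool = False


@dataclass
class DhcpServerMessage:
    server_addr: str       # link-local source address of the ADVERTISE/REPLY
    preference: int        # Preference option value (0-255)
    offered: List[str]     # addresses or prefixes in the IA options, as "addr/len"


def evaluate(policy: DhcpGuardPolicy, msg: DhcpServerMessage) -> Tuple[bool, str]:
    """Return (accepted, reason) for one server message on a port with this policy."""
    if policy.trusted_port:
        return True, "trusted-port: no policing"
    if policy.device_role != "server":
        return False, "device-role client: server messages dropped on this port"

    # An empty access list is treated as permit all, so only a non-empty list filters.
    if policy.server_acl:
        allowed = {ipaddress.IPv6Address(a) for a in policy.server_acl}
        if ipaddress.IPv6Address(msg.server_addr) not in allowed:
            return False, f"match server access-list: {msg.server_addr} is not an authorized server"

    if policy.reply_prefix_list:
        for offered in msg.offered:
            if not any(entry.permits(offered) for entry in policy.reply_prefix_list):
                return False, f"match reply prefix-list: {offered} is not an authorized prefix"

    # Assumption: limits are inclusive, so the defaults 0/255 permit every value.
    if msg.preference > policy.pref_max:
        return False, f"preference max {policy.pref_max}: advertised {msg.preference} is higher"
    if msg.preference < policy.pref_min:
        return False, f"preference min {policy.pref_min}: advertised {msg.preference} is lower"
    return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Server-role policy with the page's ACL and prefix entries and preference 150-250."""
    policy = DhcpGuardPolicy(device_role="server",
                             server_acl=["FE80::A8BB:CCFF:FE01:F700"],
                             reply_prefix_list=[PrefixEntry("2001:0DB8::/64", le=128)],
                             pref_min=150, pref_max=250)
    good_server = "fe80::a8bb:ccff:fe01:f700"
    samples = [
        DhcpServerMessage(good_server, 200, ["2001:db8::1/128"]),       # authorized on every count
        DhcpServerMessage("fe80::1", 200, ["2001:db8::1/128"]),         # unknown server source
        DhcpServerMessage(good_server, 200, ["2001:db8:1::1/128"]),     # outside 2001:db8::/64
        DhcpServerMessage(good_server, 255, ["2001:db8::1/128"]),       # preference above max
        DhcpServerMessage(good_server, 100, ["2001:db8::1/128"]),       # preference below min
    ]
    verdicts = [evaluate(policy, m) for m in samples]
    verdicts.append(evaluate(DhcpGuardPolicy(), samples[0]))            # default client-role port
    return verdicts


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "DROP  ", reason)
```

The last verdict shows the default behaviour that matters most for rogue-server containment: with the default device-role client, a server message is dropped regardless of the address it comes from or the prefixes it offers, so the access-list and prefix-list checks only come into play on the ports deliberately configured as server-facing.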
                              

                              How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface

                                Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to an interface or to VLANs on an interface:

                              SUMMARY STEPS

                                1.    configure terminal

                                2.    interface Interface_type stack/module/port

                                3.    ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

                                4.    do show running-config interface Interface_type stack/module/port


DETAILED STEPS

Command or Action | Purpose

Step 1  configure terminal

Example:
SwitchController# configure terminal

Enters the global configuration mode.

Step 2  interface Interface_type stack/module/port

Example:
SwitchController(config)# interface gigabitethernet 1/1/4

Specifies an interface type and identifier; enters the interface configuration mode.

Step 3  ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

Example:
SwitchController(config-if)# ipv6 dhcp guard attach-policy example_policy

or

SwitchController(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224

or

SwitchController(config-if)# ipv6 dhcp guard vlan 222,223,224

Attaches the DHCP guard policy to the interface or to the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4  do show running-config interface Interface_type stack/module/port

Example:
SwitchController(config-if)# do show running-config interface gig 1/1/4

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP guard policy to an EtherChannel interface or to VLANs on it:

SUMMARY STEPS

1. configure terminal

2. interface range Interface_name

3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

4. do show running-config interface portchannel_interface_name


DETAILED STEPS

Command or Action | Purpose

Step 1  configure terminal

Example:
SwitchController# configure terminal

Enters the global configuration mode.

Step 2  interface range Interface_name

Example:
SwitchController(config)# interface Po11

Specifies the port-channel interface name assigned when the EtherChannel was created; enters the interface range configuration mode.

Tip: Enter the do show interfaces summary command for a quick reference to interface names and types.

Step 3  ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ]

Example:
SwitchController(config-if-range)# ipv6 dhcp guard attach-policy example_policy

or

SwitchController(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224

or

SwitchController(config-if-range)# ipv6 dhcp guard vlan 222,223,224

Attaches the DHCP guard policy to the EtherChannel interface or to the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4  do show running-config interface portchannel_interface_name

Example:
SwitchController(config-if-range)# do show running-config interface po11

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Attach an IPv6 DHCP Guard Policy to VLANs Globally

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP guard policy to VLANs across multiple interfaces:

SUMMARY STEPS

1. configure terminal

2. vlan configuration vlan_list

3. ipv6 dhcp guard [attach-policy policy_name]

4. do show running-config


DETAILED STEPS

Command or Action | Purpose

Step 1  configure terminal

Example:
SwitchController# configure terminal

Enters the global configuration mode.

Step 2  vlan configuration vlan_list

Example:
SwitchController(config)# vlan configuration 334

Specifies the VLANs to which the IPv6 DHCP guard policy will be attached; enters the VLAN configuration mode.

Step 3  ipv6 dhcp guard [attach-policy policy_name]

Example:
SwitchController(config-vlan-config)# ipv6 dhcp guard attach-policy example_policy

Attaches the IPv6 DHCP guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is device-role client with no trusted-port.

Step 4  do show running-config

Example:
SwitchController(config-vlan-config)# do show running-config

Confirms that the policy is attached to the specified VLANs without exiting the configuration mode.
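The DHCPv6 guard configuration example and the three attach procedures above leave a reviewer with three questions about a finished running-config: which interfaces or VLANs still have no guard attached, whether every attach-policy names a policy that actually exists, and whether a device-role server policy restricts which addresses may act as a server. The following added example (not part of this guide and not Cisco code) answers them by parsing a running-config excerpt in the format shown above; the config text is a constructed sample modelled on the page's example, not output from a real switch.

```python
import re
# Constructed sample modelled on the page's example (not real switch output);
# 'missing_pol' and the unguarded port 0/2/2 are deliberate.
SAMPLE_CONFIG = """\
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
ipv6 dhcp guard policy relay
 device-role server
interface GigabitEthernet 0/2/0
 ipv6 dhcp guard attach-policy pol1 vlan add 1
interface GigabitEthernet 0/2/1
 ipv6 dhcp guard attach-policy missing_pol
interface GigabitEthernet 0/2/2
vlan configuration 334
 ipv6 dhcp guard
"""
def parse_guard_config(config):
    # policies: name -> list of sub-commands; attachments: scope -> policy name,
    # 'default' (ipv6 dhcp guard without attach-policy) or None (no guard at all)
    policies, attachments, block = {}, {}, None
    for line in config.splitlines():
        if line.startswith(" ") and block is not None:   # sub-command of a block
            body = line.strip()
            if block in policies:
                policies[block].append(body)
            elif body.startswith("ipv6 dhcp guard"):
                m = re.search(r"attach-policy (\S+)", body)
                attachments[block] = m.group(1) if m else "default"
            continue
        m = re.match(r"ipv6 dhcp guard policy (\S+)$", line)
        if m:
            block, policies[m.group(1)] = m.group(1), []
        elif re.match(r"(interface|vlan configuration) ", line):
            block, attachments[line] = line, None
        else:
            block = None   # any other top-level command ends the block
    return policies, attachments

def audit_dhcp_guard(config):
    """Flag unguarded scopes, dangling policy names and open server policies."""
    policies, attachments = parse_guard_config(config)
    findings = {"unguarded": [], "undefined_policy": [], "open_server_policy": []}
    for scope, policy in attachments.items():
        if policy is None:
            findings["unguarded"].append(scope)
        elif policy != "default" and policy not in policies:
            findings["undefined_policy"].append((scope, policy))
    for name, lines in policies.items():  # server role with no source filter
        if "device-role server" in lines and not any(l.startswith("match server access-list") for l in lines):
            findings["open_server_policy"].append(name)
    return findings
```

A policy flagged under open_server_policy accepts DHCPv6 server messages from any source address on every port it covers, so it should carry a match server access-list (as pol1 in the page's example does) or be reserved for ports that face the real server.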

                                     

Additional References

Related Documents

Related Topic | Document Title

Implementing IPv6 Addressing and Basic Connectivity | http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-0sy/ip6-addrg-bsc-con.html

IPv6 network management and security topics | IPv6 Configuration Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches), http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/config_library/xe-3se/3850/ipv6-xe-3se-3850-library.html

IPv6 Command Reference | IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches), http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-xe-3se-3850-cr-book.html

Error Message Decoder

Description | Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

Technical Assistance

Description | Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support