Security - Configuring IPv6 First Hop Security [Cisco Catalyst 3850 Series Switches]

Contents
Configuring IPv6 First Hop Security
Prerequisites for First Hop Security in IPv6
Restrictions for First Hop Security in IPv6
Information about First Hop Security in IPv6
How to Configure an IPv6 Snooping Policy
How to Attach an IPv6 Snooping Policy to an Interface or a VLAN on an Interface
How to Attach an IPv6 Snooping Policy to VLANs Globally
How to Configure the IPv6 Binding Table Content
How to Configure an IPv6 Neighbor Discovery Inspection Policy
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
How to Attach an IPv6 DHCP Guard Policy to an Interface
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
How to Configure an IPv6 Router Advertisement Guard Policy
How to Attach an IPv6 RA Guard Policy to an Interface
How to Attach an IPv6 RA Guard Policy to VLANs Globally
Configuring IPv6 First Hop Security

Prerequisites for First Hop Security in IPv6
Restrictions for First Hop Security in IPv6
Information about First Hop Security in IPv6
How to Configure an IPv6 Snooping Policy
How to Configure the IPv6 Binding Table Content
How to Configure an IPv6 Neighbor Discovery Inspection Policy
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
How to Configure an IPv6 Router Advertisement Guard Policy

Prerequisites for First Hop Security in IPv6

You have configured the necessary IPv6 enabled SDM template.

You should be familiar with the IPv6 neighbor discovery feature. For information, see the "Implementing IPv6 Addressing and Basic Connectivity" chapter of the Cisco IOS IPv6 Configuration Library on Cisco.com.

Restrictions for First Hop Security in IPv6

Although visible in the command-line help strings, the IPv6 first hop security (FHS) is not supported on the Catalyst 3750-G and 3750v2 switches. The command-line help strings are visible on these switches to support the FHS feature in a mixed switch stack scenario where one of these switches could become an active switch.

Information about First Hop Security in IPv6

First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 policy features that can be applied to an interface or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:

First Hop Security in IPv6 Features Description

IPv6 Snooping Policy IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.

IPv6 Binding Table Content A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.

IPv6 Neighbor Discovery Inspection IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in L2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that do not conform are dropped. An SA ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.

IPv6 Router Advertisement Guard The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the L2 device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

IPv6 DHCP Guard
You can use the DHCP guard to prevent forged messages from being entered in the binding table. The DHCP guard blocks DHCP server messages when they are received on ports that are not explicitly configured as facing a DHCP server or DHCP relay.

To use this feature, configure a policy and attach it to a DHCP guard. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.
How to Configure an IPv6 Snooping Policy
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Snooping Policy :

SUMMARY STEPS
1.    configure terminal

2.    ipv6 snooping policypolicy-name

3.    {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }

4.    end

5.    show ipv6 snooping policy policy-name

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
ipv6 snooping policypolicy-name

Example:
Switch(config)# ipv6 snooping policy example_policy
Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.
Step 3 {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }

Example:Switch(config-ipv6-snooping)# security-level inspect

Example:Switch(config-ipv6-snooping)# trusted-port
Enables data address gleaning, validates messages against various criteria, specifies the security level for messages.

(Optional) default—Sets all to default options.

(Optional) device-role{node] | switch}—Specifies the role of the device attached to the port. Default is node.

(Optional) limit address-count value—Limits the number of addresses allowed per target.

(Optional) no—Negates a command or sets it to defaults.

(Optional) protocol{dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default, is dhcp and ndp. To change the default, use the no protocol command.

(Optional) security-level{glean|guard|inspect}—Specifies the level of security enforced by the feature. Default is guard.
glean—Gleans addresses from messages and populates the binding table without any verification.

guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.

inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.

(Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.

(Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.
Step 4
end

Example:
Switch(config-ipv6-snooping)# exit
Exits configuration modes to Privileged EXEC mode.
Step 5
show ipv6 snooping policy policy-name

Example:
Switch#show ipv6 snooping policy example_policy
Displays the snooping policy configuration.
What to Do Next
Attach an IPv6 Snooping policy to interfaces or VLANs.
How to Attach an IPv6 Snooping Policy to an Interface or a VLAN on an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy ot and interface or VLAN:

SUMMARY STEPS
1.    configure terminal

2.    interface Interface_type stack/module/port

3.    switchport

4.    ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4    
Specifies an interface type and identifier; enters the interface configuration mode.
Step 3
switchport

Example:
Switch(config-if)# switchport
Enters the Switchport mode.

Note
To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. The command prompt displays as (config-if)# in Switchport configuration mode.
Step 4
ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 snooping 

or 

Switch(config-if)# ipv6 snooping attach-policy example_policy

or
Switch(config-if)# ipv6 snooping vlan 111,112

or 

Switch(config-if)# ipv6 snooping attach-policy example_policy vlan 111,112
Attaches a custom ipv6 snooping policy to the interface or the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is, security-level guard, device-role node, protocol ndp and dhcp.
How to Attach an IPv6 Snooping Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:

SUMMARY STEPS
1.    configure terminal

2.    vlan configuration vlan_list

3.    ipv6 snooping [attach-policy policy_name]

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
vlan configuration vlan_list

Example:
Switch(config)#  vlan configuration 333    
Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.
Step 3
ipv6 snooping [attach-policy policy_name]

Example:
Switch(config-vlan-config)#ipv6 snooping attach-policy example_policy
Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, security-level guard, device-role node, protocol ndp and dhcp.
How to Configure the IPv6 Binding Table Content
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :

SUMMARY STEPS
1.    configure terminal

2.    [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetimevalue [seconds | default | infinite] | [tracking{ [default | disable] [ reachable-lifetimevalue [seconds | default | infinite] | [enable [reachable-lifetimevalue [seconds | default | infinite] | [retry-interval {seconds| default [reachable-lifetimevalue [seconds | default | infinite] } ]

3.    [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limitnumber] ] ] ]

4.    ipv6 neighbor binding logging

5.    exit

6.    show ipv6 neighbor binding

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
[no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetimevalue [seconds | default | infinite] | [tracking{ [default | disable] [ reachable-lifetimevalue [seconds | default | infinite] | [enable [reachable-lifetimevalue [seconds | default | infinite] | [retry-interval {seconds| default [reachable-lifetimevalue [seconds | default | infinite] } ]

Example:
Switch(config)#  ipv6 neighbor binding 
Step 3
[no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limitnumber] ] ] ]

Example:
Switch(config)#  ipv6 neighbor binding max-entries 30000
Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.
Step 4
ipv6 neighbor binding logging

Example:
Switch(config)# ipv6 neighbor binding logging  
Enables the logging of binding table main events.
Step 5
exit

Example:
Switch(config)# exit   
Exits global configuration mode, and places the router in privileged EXEC mode.
Step 6
show ipv6 neighbor binding

Example:
Switch#  show ipv6 neighbor binding  
Displays contents of a binding table.
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:

SUMMARY STEPS
1.    configure terminal

2.    [no]ipv6 nd inspection policy policy-name

3.    device-role {host | monitor | router | switch}

4.    drop-unsecure

5.    limit address-count value

6.    sec-level minimum value

7.    tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

8.    trusted-port

9.    validate source-mac

10.    no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

11.    default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

12.    exit

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
[no]ipv6 nd inspection policy policy-name

Example:
Switch(config)# ipv6 nd inspection policy example_policy
Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.
Step 3
device-role {host | monitor | router | switch}

Example:
Switch(config-nd-inspection)# device-role switch
Specifies the role of the device attached to the port. The default is host.
Step 4
drop-unsecure

Example:
Switch(config-nd-inspection)# drop-unsecure
Drops messages with no or invalid options or an invalid signature.
Step 5
limit address-count value

Example:
Switch(config-nd-inspection)# limit address-count 1000
Enter 1–10,000.
Step 6
sec-level minimum value

Example:
Switch(config-nd-inspection)# limit address-count 1000
Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used.
Step 7
tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

Example:
Switch(config-nd-inspection)# tracking disable stale-lifetime infinite
Overrides the default tracking policy on a port.
Step 8
trusted-port

Example:
Switch(config-nd-inspection)# trusted-port
Configures a port to become a trusted port.
Step 9
validate source-mac

Example:
Switch(config-nd-inspection)# validate source-mac
Step 10
no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

Example:
Switch(config-nd-inspection)# no validate source-mac
Remove the current configuration of a parameter with the no form of the command.
Step 11
default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

Example:
Switch(config-nd-inspection)# default limit address-count
Restores configuration to the default values.
Step 12
exit

Example:
Switch(config-nd-inspection)# default limit address-count
Exits ND Inspection Configuration mode to Global Configuration mode.
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or VLANs on an interface :

SUMMARY STEPS
1.    configure terminal

2.    interface Interface_type stack/module/port

3.    ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

4.    show command here

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4    
Specifies an interface type and identifier; enters the interface configuration mode.
Step 3
ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 nd inspection attach-policy example_policy

or

Switch(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224

or 

Switch(config-if)# ipv6 nd inspection vlan 222, 223,224

 
Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Step 4
show command here

Example:
Switch#  show     
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces:

SUMMARY STEPS
1.    configure terminal

2.    vlan configuration vlan_list

3.    ipv6 nd inspection [attach-policy policy_name]

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
vlan configuration vlan_list

Example:
Switch(config)# vlan configuration 334    
Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.
Step 3
ipv6 nd inspection [attach-policy policy_name]

Example:
Switch(config-vlan-config)#ipv6 nd inspection attach-policy example_policy
Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, device-role host, no drop-unsecure, limit address-count xxWHAT??xx, sec-level minimum xxWHAT?xx, tracking xxWHAT?xx, no trusted-port, no validate source-mac.
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:

SUMMARY STEPS
1.    configure terminal

2.    vlan configuration vlan_list

3.    ipv6 dhcp guard [attach-policy policy_name]

4.    show policy here

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
vlan configuration vlan_list

Example:
Switch(config)# vlan configuration 334    
Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.
Step 3
ipv6 dhcp guard [attach-policy policy_name]

Example:
Switch(config-vlan-config)#ipv6 dhcp guard attach-policy example_policy
Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, device-role client, no trusted-port.
Step 4 show policy here

Example:
How to Attach an IPv6 DHCP Guard Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :

SUMMARY STEPS
1.    configure terminal

2.    interface Interface_type stack/module/port

3.    ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4    
Specifies an interface type and identifier; enters the interface configuration mode.
Step 3
ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 dhcp guard attach-policy example_policy

or

Switch(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224

or 

Switch(config-if)# ipv6 dhcp guard vlan 222, 223,224

 
Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:

SUMMARY STEPS
1.    configure terminal

2.    vlan configuration vlan_list

3.    ipv6 dhcp guard [attach-policy policy_name]

4.    show policy here

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
vlan configuration vlan_list

Example:
Switch(config)# vlan configuration 334    
Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode.
Step 3
ipv6 dhcp guard [attach-policy policy_name]

Example:
Switch(config-vlan-config)#ipv6 dhcp guard attach-policy example_policy
Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, device-role client, no trusted-port.
Step 4 show policy here

Example:
How to Configure an IPv6 Router Advertisement Guard Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement policy :

SUMMARY STEPS
1.    configure terminal

2.    [no]ipv6 nd raguard policy policy-name

3.    device-role {host | monitor | router | switch}

4.    hop-limit {maximum | minimum} value

5.    managed-config-flag {off | on}

6.    match {ipv6 access-list list | ra prefix-list list}

7.    other-config-flag {on | off}

8.    router-preference maximum {high | medium | low}

9.    trusted-port

10.    default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}

11.    no {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}

12.    exit

13.    Show command here

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
[no]ipv6 nd raguard policy policy-name

Example:
Switch(config)# ipv6 nd raguard policy example_policy
Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.
Step 3
device-role {host | monitor | router | switch}

Example:
Switch(config-nd-raguard)# device-role switch
Specifies the role of the device attached to the port. The default is host.
Step 4
hop-limit {maximum | minimum} value

Example:
Switch(config-nd-raguard)# hop-limit maximum 33
Enables verification of the advertised Hop count limit. (1–255) Maximum hop count value allowed. (1–255) Minimum hop count value allowed.
Step 5
managed-config-flag {off | on}

Example:
Switch(config-nd-raguard)# managed-config-flag on
Enables verification of the advertised M flag
Step 6
match {ipv6 access-list list | ra prefix-list list}

Example:
Switch(config-nd-raguard)# match ipv6 access-list example_list
Matches a specified prefix list or access list.
Step 7
other-config-flag {on | off}

Example:
Switch(config-nd-raguard)# other-config-flag on 
Enables verification of the advertised O flag.
Step 8
router-preference maximum {high | medium | low}

Example:
Switch(config-nd-raguard)# router-preference maximum high 
Enables verification of the advertised Router Preference flag.

high—Discards RAs with router preference greater than high.

low—Discards RAs with router preference greater than low.

medium—Discards RAs with router preference greater than medium.
Step 9
trusted-port

Example:
Switch(config-nd-raguard)# trusted-port
Configures a port to become a trusted port.
Step 10
default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}

Example:
Switch(config-nd-raguard)# default hop-limit
Restores a command to its default value.
Step 11
no {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}

Example:
Switch(config-nd-raguard)# no match ipv6 access-list
Remove the current configuration of a parameter with the no form of the command.
Step 12
exit

Example:
Switch(config-nd-raguard)# default limit address-count
Exits ND RA Guard configuration mode to Global Configuration mode.
Step 13
Show command here

Example:
Switch(config-nd-raguard)# show 
(Optional)—Exits the ND Guard Policy configuration mode to Global configuration mode.
How to Attach an IPv6 RA Guard Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to an interface or to VLANs on the interface :

SUMMARY STEPS
1.    configure terminal

2.    interface Interface_type stack/module/port

3.    ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

4.    show command here

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4    
Specifies an interface type and identifier; enters the interface configuration mode.
Step 3
ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 nd raguard attach-policy example_policy

or

Switch(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224

or 

Switch(config-if)# ipv6 nd raguard vlan 222, 223,224

 
Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Step 4
show command here

Example:
Switch#  show     
How to Attach an IPv6 RA Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface:

SUMMARY STEPS
1.    configure terminal

2.    vlan configuration vlan_list

3.    ipv6 dhcp guard [attach-policy policy_name]

4.    show policy here

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
vlan configuration vlan_list

Example:
Switch(config)# vlan configuration 335    
Specifies the VLANs to which the IPv6 RA Guard policy will be attached ; enters the VLAN interface configuration mode.
Step 3
ipv6 dhcp guard [attach-policy policy_name]

Example:
Switch(config-vlan-config)#ipv6 nd raguard attach-policy example_policy
Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.
Step 4 show policy here

Example: