Introduction
This document describes the USGv6 Certification Support Matrix for ISE 3.3 Patch 4.
Pre-Requisites
Cisco recommends that you have knowledge of these topics:
- Cisco Identity Services Engine (ISE) 3.3
- Basic knowledge about IPv6
Background Information
- The USGv6 (U.S. Government IPv6) framework (https://www.nist.gov/programs-projects/usgv6-program/usgv6) is a set of technical standards, testing, and purchasing requirements for IPv6 in the U.S. Federal Government.
- The framework goals are to:
  - Advance the adoption of IPv6 in government systems.
  - Ensure the successful integration of IPv6.
  - Ensure that certified products can be safely deployed in IPv6 environments.
- The USGv6 framework includes:
  - USGv6 Profile: A set of protocol specifications that includes basic IPv6 functionality, specific requirements, and optional capabilities.
  - USGv6 Test Program: A program that aligns with existing industry-led efforts on product test and certification.
- Alignment with industry efforts
  - The USGv6 framework aligns with existing industry-led efforts, such as:
    - IPv6-Ready
    - IPv6-Forum
    - DODv6
Components Used
Cisco Identity Services Engine 3.3 Patch 4
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
High Level Flow Diagram
USGv6 Flow
Additional Details
- Currently supported on ISE 3.3 Patch 4.
- When USGv6 is enabled or disabled, the system reboots after making the necessary changes.
- USGv6 enable EUI64 is the default for the IPv6 address (it uses the system MAC address).
- USGv6 enable Opaque sets the stable secret for the IPv6 address.
- An administrator can toggle between EUI64 and Opaque as needed. A reboot is performed every time.
- If enabled, USGv6 must be disabled post upgrade.
- The USGv6 state of a system remains the same if a restore is performed on that system.
Example: If a backup taken from a USGv6-disabled node is restored on a USGv6-enabled node, the restored node remains USGv6-enabled.
CLI Commands
Possible completions:
  disable   Set Usgv6 disable
  enable    Set Usgv6 enable
  status    Show Usgv6 status
Possible completions:
  EUI64     Set Usgv6 enable with EUI64
  Opaque    Set Usgv6 enable with Opaque
- Usgv6 disable
- Usgv6 status
- More on EUI64 and Opaque:
EUI-64 (Extended Unique Identifier) is a method you can use to automatically configure IPv6 host addresses. With EUI-64, an IPv6 device uses the MAC address of its interface to generate a unique 64-bit interface ID.
Opaque/SLAAC is an IPv6 feature that allows hosts to automatically generate their own addresses without deriving them from the interface MAC address.
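The difference between the two modes can be checked on any address a node presents. The Python below is an added example, not Cisco code and not the ISE implementation: it derives a modified EUI-64 interface ID from a MAC, derives a stable opaque interface ID from a secret in the style of RFC 7217, and reports whether an address still reveals the MAC. The MAC, prefix, interface name, secret, and the choice of SHA-256 with this input layout are all assumptions made for illustration.

```python
import hashlib
import ipaddress

MAC = "00:50:56:aa:bb:cc"      # constructed sample MAC
PREFIX = "2001:db8:1:2::/64"   # documentation prefix (RFC 3849)
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed secret

def eui64_iid(mac):
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the two halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def opaque_iid(prefix, ifname, secret, dad_counter=0):
    """Stable opaque interface ID in the style of RFC 7217.

    Assumption: SHA-256 over prefix | interface name | DAD counter | secret.
    """
    net = ipaddress.IPv6Network(prefix)
    data = (net.network_address.packed[:8] + ifname.encode()
            + bytes([dad_counter]) + secret)
    return hashlib.sha256(data).digest()[-8:]   # low-order 64 bits

def address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def embedded_mac(addr):
    """Return the MAC recoverable from an EUI-64 style address, else None.

    The ff:fe marker is a heuristic: an opaque ID can contain it by chance.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    for label, iid in (("EUI64", eui64_iid(MAC)),
                       ("Opaque", opaque_iid(PREFIX, "eth0", SECRET))):
        addr = address(PREFIX, iid)
        print(f"{label:7} {addr}  embedded MAC: {embedded_mac(str(addr))}")
```

An EUI-64 address lets any observer recover the interface MAC (and so the NIC vendor), while the opaque ID stays stable per prefix without exposing it.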
User Execution Flow
CLI Commands
Troubleshooting and Logging
- No new log files are added for this feature.
- Logs for the feature execution are in ADE.log.
Log Snippets:
asc-ise33p4-1640/admin#usgv6 enable EUI64
%WARNING: This will enable the USGV6, EUI64 compatibility to the underlying OS, and will also reboot the node.
Do you want to proceed (y/n) y
System is going to Reboot now.
ADE logs:
2025-03-17T15:43:39.166258+00:00 asc-ise33p4-1640 root: Rebooting system usgv6enable, Opaque
asc-ise33p4-1640/admin#show application status ise
ISE PROCESS NAME                        STATE               PROCESS ID
--------------------------------------------------------------------
Database Listener                       running             4576
Database Server                         running             90 PROCESSES
Application Server                      not running
Profiler Database                       not running
ISE Indexing Engine                     not running
AD Connector                            not running
M&T Session Database                    not running
M&T Log Processor                       not running
Certificate Authority Service           not running
EST Service                             not running
SXP Engine Service                      disabled
TC-NAC Service                          disabled
PassiveID WMI Service                   disabled
PassiveID Syslog Service                disabled
PassiveID API Service                   disabled
PassiveID Agent Service                 disabled
PassiveID Endpoint Service              disabled
PassiveID SPAN Service                  disabled
DHCP Server (dhcpd)                     disabled
DNS Server (named)                      disabled
ISE Messaging Service                   running             8556
ISE API Gateway Database Service        initializing
ISE API Gateway Service                 not running
ISE pxGrid Direct Service               not running
Segmentation Policy Service             disabled
REST Auth Service                       disabled
SSE Connector                           disabled
Hermes (pxGrid Cloud Agent)             disabled
McTrust (Meraki Sync Service)           disabled
MFA (Duo Sync Service)                  disabled
ISE Node Exporter                       not running
ISE Prometheus Service                  not running
ISE Grafana Service                     not running
ISE MNT LogAnalytics Elasticsearch      not running
ISE Logstash Service                    not running
ISE Kibana Service                      not running
ISE Native IPSec Service                not running
MFC Profiler                            not running
asc-ise33p4-1640/admin#usgv6 status
Usgv6 Enabled, EUI64
FAQ
Question: Does enabling USGv6 EUI64 involve a reboot of the ISE Node?
Answer: Yes
Question: Does enabling USGv6 Opaque involve a reboot of the ISE Node?
Answer: Yes
Question: Is USGv6 Enabled or Disabled by Default?
Answer: Disabled
Question: Which is the first ISE version to support USGv6?
Answer: This feature is currently supported on ISE version 3.3 Patch 4.
Reference
USGv6 Revision 1: https://www.nist.gov/programs-projects/usgv6-program/usgv6-revision-1
USGv6 Technical Details: https://www.nist.gov/programs-projects/usgv6-program/technical-details