Verify USGv6 Certification Support on ISE 3.3 Patch 4

Introduction

This document describes the USGv6 Certification Support Matrix for ISE 3.3 Patch 4.

Pre-Requisites

Cisco recommends that you have knowledge of these topics:

• Cisco Identity Services Engine (ISE) 3.3
• Basic knowledge about IPv6

Background Information

• The USGv6 (U.S. Government IPv6) (https://www.nist.gov/programs-projects/usgv6-program/usgv6) framework is a set of technical standards, testing, and purchasing requirements for IPv6 in the U.S. Federal Government.
• The framework goals are to:
  1. Advance the adoption of IPv6 in government system.
  2. Ensure the successful integration of IPv6.
  3. Ensure that certified products can be safely deployed in IPv6 environments

• The USGv6 framework includes:
  1. USGv6 Profile: A set of protocol specifications that includes basic IPv6 functionality, specific requirements, and optional capabilities.
  2. USGv6 Test Program: A program that aligns with existing industry-led efforts on product test and certification.
  3. Alignment with industry efforts

• The USGv6 framework aligns with existing industry-led efforts, such as:
  
  1. IPv6-Ready
  2. IPv6-Forum
  3. DODv6

Components Used

Cisco Identity Services Engine 3.3 Patch 4

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

High Level Flow Diagram

USGv6 Flow

Additional Details

• Supported on 3.3 Patch 4 as of now.
• When enabled or disabled, system goes for a reboot after making the necessary changes.
• USGv6 enable EUI64 is the default for the ipv6 address (using the system mac address)
• USGv6 enable opaque sets the stable secret for the ipv6 address.
• Admin can toggle between both EUI64 and opaque based on need. A reboot is performed every time.
• If enabled, USGv6 must be disabled post upgrade.
• The state of the USGv6 remains on a system remains the same if restore is performed on the system.

          Example: Any backup taken from a USGV6 disabled node, if restored on a USGv6 enabled node, the state of the restored node is USGv6-enabled only.

CLI Commands

• Usgv6

            Possible completions:

       disable   Set Usgv6 disable

       enable    Set Usgv6 enable

       status    Show Usgv6 status

•       Usgv6 enable

                Possible completions:

       EUI64      Set Usgv6 enable with EUI64

       Opaque   Set Usgv6 enable with Opaque

• Usgv6 disable
• Usgv6 status
• More on EUI64 and Opaque:

  EUI-64 (Extended Unique Identifier) is a method you can use to automatically configure IPv6 host addresses. An IPv6 device must use the MAC address of its interface to generate a unique 64-bit interface ID.

  Opaque/SLAAC is an IPv6 feature that allows hosts to automatically generate their own addresses instead of using the interface MAC Address.

User Execution Flow

CLI Commands

Troubleshooting and Logging

• No new log files are added for this feature.
• Logs for the feature execution are in the ADE.log

Log Snippets:

asc-ise33p4-1640/admin#usgv6 enable EUI64
%WARNING: This will enable the USGV6, EUI64 compatibility to the underlying OS, and will also reboot the node.
Do you want to proceed (y/n) y
System is going to Reboot now.

ADE logs:
2025-03-17T15:43:39.166258+00:00 asc-ise33p4-1640 root: Rebooting system usgv6enable, Opaque

asc-ise33p4-1640/admin#show application status ise

ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 4576
Database Server running 90 PROCESSES
Application Server not running
Profiler Database not running
ISE Indexing Engine not running
AD Connector not running
M&T Session Database not running
M&T Log Processor not running
Certificate Authority Service not running
EST Service not running
SXP Engine Service disabled
TC-NAC Service disabled
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE Messaging Service running 8556
ISE API Gateway Database Service initializing
ISE API Gateway Service not running
ISE pxGrid Direct Service not running
Segmentation Policy Service disabled
REST Auth Service disabled
SSE Connector disabled
Hermes (pxGrid Cloud Agent) disabled
McTrust (Meraki Sync Service) disabled
MFA (Duo Sync Service) disabled
ISE Node Exporter not running
ISE Prometheus Service not running
ISE Grafana Service not running
ISE MNT LogAnalytics Elasticsearch not running
ISE Logstash Service not running
ISE Kibana Service not running
ISE Native IPSec Service not running
MFC Profiler not running

asc-ise33p4-1640/admin#usgv6 status
Usgv6 Enabled, EUI64

FAQ

Question: Does enabling USGv6 EUI64 involve a reboot of the ISE Node?

Answer: Yes

Question: Does enabling USGv6 Opaque involve a reboot of the ISE Node?

Answer: Yes

Question: Is USGv6 Enabled or Disabled by Default?

Answer: Disabled

Question: Which is the first ISE version to support USGv6?

Answer: This feature is currently supported on ISE version 3.3 Patch 4.

Reference

USGv6 Revision 1: https://www.nist.gov/programs-projects/usgv6-program/usgv6-revision-1

USGv6 Technical Details: https://www.nist.gov/programs-projects/usgv6-program/technical-details