IPv6 FHS

Feature history for IPv6 First Hop Security

This table provides release and platform support information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.


Release	Feature name and description	Supported platform
Cisco IOS XE 26.1.1	IPv6 Source Guard: This feature validates the source of IPv6 traffic to prevent source address spoofing.	Cisco C9350 Series Smart Switches
Cisco IOS XE 17.18.1	IPv6 First Hop Security: IPv6 First Hop Security is a set of IPv6 security features that protects networks by mitigating such security breaches.	Cisco C9350 Series Smart Switches

Understand IPv6 First Hop Security

IPv6 networks face security threats and breaches in the form of router impersonation (man-in-the-middle attacks), address theft, address spoofing, misconfigurations errors, and so on. The First Hop Security in IPv6 (IPv6 FHS) is a set of IPv6 security features that protects networks by mitigating such security breaches. It does this by establishing security at the first switch connecting the end-hosts. The first hop for a host is very often a Layer 2 switch.

IPv6 FHS consists of the IPv6 Router Advertisement Guard and IPv6 DHCP Guard security features. Each of these security features addresses a different aspect of first hop security. To use a security feature, configure the corresponding policy.

Policies specify a particular behavior and must be attached to a target, which can be a physical interface, an EtherChannel interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, and applied as specified.

In addition to the security features, the IPv6 FHS Binding Table contains IPv6 neighbors connected to the device. A binding entry includes: IP and MAC address of the host, interface, VLAN, state of the entry, etc. This database or binding table is used by other features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and the prefix binding of neighbors, to prevent spoofing and redirect attacks. The binding table updates via the IPv6 Snooping feature and manually added static binding entries.

Note

The IPv6 FHS Binding Table is supported through the Switch Integrated Security Feature (SISF) feature. For more information, refer the Switch Integrated Security Features chapter.

IPv6 Router Advertisement Guard

This feature enables the network administrator to block or reject unwanted or rogue Router Advertisement (RA) guard messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The RA Guard feature processes the RAs and filters out invalid RAs sent by unauthorized devices. In host mode, all router-advertisement and router-redirect messages are disallowed on the port. The RA Guard feature compares the configuration data on the Layer 2 device with the incoming RA frame information. Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

The SISF-based device-tracking mechanism operates by forwarding router solicitation packets on interfaces configured with RA guard policies and designated as router-facing. If no such interface exists, the router solicitation messages are dropped, which might delay the router discovery for onboarding hosts as they will be unable to discover the router until it sends a periodic unsolicited router advertisement.

IPv6 DHCP Guard

The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay.

To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.

IPv6 source guard

The IPv6 Source Guard feature validates the source of IPv6 traffic to prevent source address spoofing. It deals exclusively with data packet traffic. Use this feature to deny traffic from unknown sources or from sources not assigned by a DHCP server.

A hardware-programmed (TCAM table) filter allows or denies traffic based on the source address. Ensure the binding table includes an entry for the source address to allow the filter to work properly. If the source address is in the binding table, the filter allows the packet into the network. If the address is not in the binding table, the filter denies entry and drops the packet. If you remove an entry from the binding table, the filter is removed and packets with that source address are dropped.

The IPv6 source guard feature requires device-tracking (SISF) to work. Device-tracking database supports static bindings for IPv4/IPv6, VLAN, interface, and optional MAC addresses. IP device tracking is used to obtain and maintain a list of devices that are connected to the device using an IP address. Device tracking listens to Neighbor Discovery Protocol (NDP) messages like router solicitation, neighbor solicitation, or DHCPv6 packets and builds a binding table, mapping the IPv6 address, MAC address, VLAN, and port of the device. IPV6 source guard relies on this binding table information to generate the IP source guard table to permit, punt, and drop packets.

The IPv6 source guard feature supports 4,000 entries per device.

When configuring this feature, consider these:

An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface level.
When you configure IPv4 and IPv6 source guard together on an interface, use the ip verify source mac-check command instead of the ip verify source tracking mac-check command. IPv4 connectivity on a given port might be interrupted due to two different sets of filtering rules: one for IPv4 (IP-filter) and one for IPv6 (IP-MAC filter).
When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on the interface to which the switch port belongs. Otherwise, all data traffic from this port will be blocked.

To use this feature, you must configure an IPv6 source guard policy and attach it to a target.

To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.

Prerequisites for IPv6 First Hop Security

Configure the necessary IPv6 enabled SDM template.

Restrictions for IPv6 First Hop Security

Legacy deprecated configurations from older platforms or releases will not work on newer platforms or releases. We recommend you convert legacy commands to the SISF-based device tracking CLI commands. For more information, refer Switch Integrated Security Features chapter.

These restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):

A physical port with an FHS policy attached cannot join an EtherChannel group.
An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.

Configure IPv6 First Hop Security

This section provides information about the various tasks to configure IPv6 first hop security.

Configure the IPv6 binding table content

Follow these steps to configure IPv6 binding table content:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	[no] ipv6 neighbor binding [vlan `vlan-id` {`ipv6-address` interface `interface_type` `stack/module/port` `hw_address` [reachable-lifetimevalue [`seconds` \| default \| infinite] \| [tracking{ [default \| disable] [ reachable-lifetimevalue [`seconds` \| default \| infinite] \| [enable [reachable-lifetimevalue [`seconds` \| default \| infinite] \| [retry-interval {`seconds` \| default [reachable-lifetimevalue [`seconds` \| default \| infinite]}] Example: `Device(config)# ipv6 neighbor binding` Adds a static entry to the binding table database.
Step 4	[no] ipv6 neighbor binding max-entries `number` [mac-limit `number` \| port-limit `number` [mac-limit `number`] \| vlan-limit `number` [[mac-limit `number`] \| [port-limit `number` [mac-limit`number`]]] Example: `Device(config)# ipv6 neighbor binding max-entries 30000` Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.
Step 5	ipv6 neighbor binding logging Example: `Device(config)# ipv6 neighbor binding logging` Enables the logging of binding table main events.
Step 6	exit Example: `Device(config)# exit` Exits global configuration mode and returns to privileged EXEC mode.
Step 7	show ipv6 neighbor binding Example: `Device# show ipv6 neighbor binding` Displays contents of a binding table.

Configure an IPv6 router advertisement guard policy

Follow these steps to configure an IPv6 router advertisement policy:

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 nd raguard policy policy-name

Example:

Device(config)# ipv6 nd raguard policy example_policy

Specifies the RA guard policy name and enters RA guard policy configuration mode.

Step 4

[no]device-role {host | monitor | router | switch}

Example:

Device(config-nd-raguard)# device-role switch

Specifies the role of the device attached to the port. The default is host.

Note

For a network with both host-facing ports and router-facing ports, along with a RA guard policy configured with device-role host on host-facing ports or vlan, it is mandatory to configure a RA guard policy with device-role router on router-facing ports to allow the RA Guard feature to work properly.

Step 5

hop-limit {maximum | minimum} value

Example:

Device(config-nd-raguard)# hop-limit maximum 33

Enables filtering of Router Advertisement messages by the Hop Limit value. A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked.

The range for Maximum and Minimum Hop Limit values is 1 to 255.

If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximum to block RA messages with Hop Limit values greater than the value you specify.

Step 6

managed-config-flag {off | on}

Example:

Device(config-nd-raguard)# managed-config-flag on

Enables filtering of Router Advertisement messages by the managed address configuration, or "M" flag field. A rouge RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

On : Accepts and forwards RA messages with an M value of 1, blocks those with 0.
Off : Accepts and forwards RA messages with an M value of 0, blocks those with 1.

Step 7

match {ipv6 access-list list | ra prefix-list list}

Example:

Device(config-nd-raguard)# match ipv6 access-list example_list

Matches a specified prefix list or access list.

Step 8

other-config-flag {on | off}

Example:

Device(config-nd-raguard)# other-config-flag on

Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rouge RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

On : Accepts and forwards RA messages with an O value of 1, blocks those with 0.
Off : Accepts and forwards RA messages with an O value of 0, blocks those with 1.

Step 9

[no]router-preference maximum {high | medium | low}

Example:

Device(config-nd-raguard)# router-preference maximum high

Enables filtering of Router Advertisement messages by the router preference flag. If not configured, this filter is disabled.

high : Accepts RA messages with the router preference set to high, medium, or low.
medium : Blocks RA messages with the router preference set to high.
low : Blocks RA messages with the router preference set to medium and high.

Step 10

trusted-port

Example:

Device(config-nd-raguard)# trusted-port

When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.

Step 11

default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}

Example:

Device(config-nd-raguard)# default hop-limit

Restores a command to its default value.

Step 12

end

Example:

Device(config-nd-raguard)# end

Exits RA Guard policy configuration mode and returns to privileged EXEC mode.

Step 13

show ipv6 nd raguard policy policy_name

Example:

Device# show ipv6 nd raguard policy example_policy

(Optional) Displays the ND guard policy configuration.

Attach an IPv6 router advertisement guard policy to an interface

Follow these steps to attach an IPv6 router advertisement policy to an interface or to VLANs on the interface:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	interface `type number` Example: `Device(config)# interface gigabitethernet 1/1/4` Specifies an interface type and identifier; enters the interface configuration mode.
Step 4	ipv6 nd raguard [attach-policy `policy_name` [ vlan {`vlan_ids` \| add `vlan_ids` \| except `vlan_ids` \| none \| remove `vlan_ids` \| all} ] \| vlan [{`vlan_ids` \| add `vlan_ids` \| except `vlan_ids` \| none \| remove `vlan_ids` \| all}] Example: `Device(config-if)# ipv6 nd raguard attach-policy example_policy` `Device(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224` `Device(config-if)# ipv6 nd raguard vlan 222, 223,224` Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Step 5	end Example: `Device(config-if)# end` Exits interface configuration mode and returns to privileged EXEC mode.

Attach an IPv6 router advertisement guard policy to a Layer 2 EtherChannel

Follow these steps to attach an IPv6 router advertisement guard policy on an EtherChannel interface or VLAN:

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface range type number

Example:

Device(config)# interface range Port-channel 11

Specifies the port-channel interface name assigned when the EtherChannel was created. Enters interface range configuration mode.

Tip

Enter the show interfaces summary command in privileged EXEC mode for quick reference to interface names and types.

Step 4

ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]

Example:

Device(config-if-range)# ipv6 nd raguard attach-policy example_policy

Device(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224

Device(config-if-range)# ipv6 nd raguard vlan 222, 223,224

Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 5

end

Example:

Device(config-if-range)# end

Exits interface range configuration mode and returns to privileged EXEC mode.

Attach an IPv6 router advertisement guard policy to VLANs globally

Follow these steps to attach an IPv6 router advertisement policy to VLANs regardless of interface:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	vlan configuration `vlan_list` Example: `Device(config)# vlan configuration 335` Specifies the VLANs to which the IPv6 RA Guard policy will be attached, and enters VLAN interface configuration mode.
Step 4	ipv6 dhcp guard [attach-policy `policy_name`] Example: `Device(config-vlan-config)# ipv6 nd raguard attach-policy example_policy` Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.
Step 5	end Example: `Device(config-vlan-config)# end` Exits VLAN interface configuration mode and returns to privileged EXEC mode.

Configure an IPv6 DHCP guard policy

Follow these steps to configure an IPv6 DHCP (DHCPv6) guard policy:

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 dhcp guard policy policy-name

Example:

Device(config)# ipv6 dhcp guard policy example_policy

Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.

Step 4

device-role {client | server}

Example:

Device(config-dhcp-guard)# device-role server

(Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client .

client : Default value, specifies that the attached device is a client. Server messages are dropped on this port.
server : Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.

Step 5

match server access-list ipv6-access-list-name

Example:

;;Assume a preconfigured IPv6 Access List as follows:
Device(config)# ipv6 access-list my_acls
Device(config-ipv6-acl)# permit host 2001:BD8:::1 any
 
;;configure DCHPv6 Guard to match approved access list.
Device(config-dhcp-guard)# match server access-list my_acls

(Optional). Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (The destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all.

Step 6

match reply prefix-list ipv6-prefix-list-name

Example:

;;Assume a preconfigured IPv6 prefix list as follows:
Device(config)# ipv6 prefix-list my_prefix permit 2001:DB8::/64 le 128

;; Configure DCHPv6 Guard to match prefix
Device(config-dhcp-guard)#  match reply prefix-list my_prefix

(Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.

Step 7

preference {max limit | min limit}

Example:

Device(config-dhcp-guard)# preference max 250
Device(config-dhcp-guard)#preference min 150

Configure max and min when device-role is server to filter DCHPv6 server advertisements by the server preference value. The defaults permit all advertisements.

max limit : (0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.
min limit : (0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.

Step 8

trusted-port

Example:

Device(config-dhcp-guard)# trusted-port

(Optional) trusted-port : Sets the port to a trusted mode. No further policing takes place on the port.

Note

If you configure a trusted port then the device-role option is not available.

Step 9

default {device-role | trusted-port}

Example:

Device(config-dhcp-guard)# default device-role

(Optional) default : Sets a command to its defaults.

Step 10

end

Example:

Device(config-dhcp-guard)# end

Exits DHCPv6 Guard Policy configuration mode and returns to privileged EXEC mode.

Step 11

show ipv6 dhcp guard policy policy_name

Example:

Device# show ipv6 dhcp guard policy example_policy

(Optional) Displays the configuration of the IPv6 DHCP guard policy. Omitting the policy_name variable displays all DHCPv6 policies.

Attach an IPv6 DHCP guard policy to an interface

Follow these steps to to attach an IPv6 DHCP guard policy to an interface or a VLAN:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	interface `type number` Example: `Device(config)# interface gigabitethernet 1/1/4` Specifies an interface type and identifier, and enters interface configuration mode.
Step 4	ipv6 dhcp guard [attach-policy `policy_name` [ vlan {`vlan_ids` \| add `vlan_ids` \| except `vlan_ids` \| none \| remove `vlan_ids` \| all}] \| vlan [{`vlan_ids` \| add `vlan_ids` \| except `vlan_ids` \| none \| remove `vlan_ids` \| all}] Example: `Device(config-if)# ipv6 dhcp guard attach-policy example_policy` `Device(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224` `Device(config-if)# ipv6 dhcp guard vlan 222, 223,224` Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
Step 5	end Example: `Device(config-if)# end` Exits interface configuration mode and returns to privileged EXEC mode.

Attach an IPv6 DHCP guard policy to a Layer 2 EtherChannel

Follow these steps to attach an IPv6 DHCP guard policy on an EtherChannel interface or VLAN:

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface range interface_name

Example:

Device(config)# interface range Port-channel 11

Specify the port-channel interface name assigned when the EtherChannel was created. Enters interface range configuration mode.

Tip

Enter the show interfaces summary command in privileged EXEC mode for quick reference to interface names and types.

Step 4

ipv6 dhcp guard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]

Example:

Device(config-if-range)# ipv6 dhcp guard attach-policy example_policy

Device(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224

Device(config-if-range)# ipv6 dhcp guard vlan 222, 223,224

Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 5

end

Example:

Device(config-if-range)# end

Exits interface range configuration mode and returns to privileged EXEC mode.

Attach an IPv6 DHCP guard policy to VLANs globally

Follow these steps to attach an IPv6 DHCP guard policy to VLANs across multiple interfaces:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	vlan configuration `vlan_list` Example: `Device(config)# vlan configuration 334` Specifies the VLANs to which the IPv6 Snooping policy will be attached, and enters VLAN interface configuration mode.
Step 4	ipv6 dhcp guard [attach-policy `policy_name`] Example: `Device(config-vlan-config)# ipv6 dhcp guard attach-policy example_policy` Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.
Step 5	end Example: `Device(config-vlan-config)# end` Exits VLAN interface configuration mode and returns to privileged EXEC mode.

Configure an IPv6 source guard policy

Follow these steps to configure an IPv6 source guard policy:

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

device-tracking binding vlan vlan_id {ipv4_add | ipv6_add} [interface inteface_type_no] [48-bit-hardware-address]

Example:

Device(config)# device-tracking binding vlan 100 192.0.2.1 interface tengigabitethernet1/0/1 00:00:5e:00:53:af

Creates a static device-tracking binding entry.

Step 4

ipv6 source-guard policy policy_name

Example:

Device(config)# ipv6 source-guard policy example_policy

Specifies the IPv6 source guard policy name and enters IPv6 source guard policy configuration mode.

Step 5

[deny global-autoconf] [permit link-local] [default{. . . }] [exit] [no{. . . }]

Example:

Device(config-sisf-sourceguard)# deny global-autoconf

(Optional) Defines the IPv6 Source Guard policy.

deny global-autoconf : Denies data traffic from auto-configured global addresses. This is useful when all global addresses on a link are DHCP-assigned and the administrator wants to block hosts with self-configured addresses to send traffic.
permit link-local : Allows all data traffic that is sourced by a link-local address.

Note

Trusted option under source guard policy is not supported.

Step 6

validate {address | prefix}

Example:

Device(config-sisf-sourceguard)# validate address

(Optional) Validates against addresses or prefixes.

address : Validates against addresses learned in NDP/DHCP traffic.
prefix : Validates against prefixes learned in RA or DHCP-PD traffic.

Step 7

end

Example:

Device(config-sisf-sourceguard)# end

Exits IPv6 Source Guard policy configuration mode and returns to privileged EXEC mode.

Step 8

show ipv6 source-guard policy policy_name

Example:

Device# show ipv6 source-guard policy example_policy

Shows the policy configuration and all the interfaces where the policy is applied.

Attach an IPv6 source guard policy to an interface

Before you begin

IPv6 source guard learns entries from device-tracking database, and so enable device-tracking on the interface for IPv6 source guard to work properly.

Follow these steps to to attach an IPv6 source guard policy to an interface:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	interface `type number` Example: `Device(config)# interface gigabitethernet 1/1/4` Specifies an interface type and identifier; enters interface configuration mode.
Step 4	ipv6 source-guard [attach-policy `<policy_name>`] Example: `Device(config-if)# ipv6 source-guard attach-policy example_policy` Attaches the IPv6 source guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Step 5	end Example: `Device(config-if)# end` Exits interface configuration mode and returns to privileged EXEC mode.
Step 6	show ipv6 source-guard policy `policy_name` Example: `Device#(config)# show ipv6 source-guard policy example_policy` Shows the policy configuration and all the interfaces where the policy is applied.

Attach an IPv6 source guard policy to a Layer 2 EtherChannel interface

Before you begin

IPv6 source guard learns entries from device-tracking database, and so enable device-tracking on the interface for IPv6 source guard to work properly.

Follow these steps to to attach an IPv6 source guard policy to a Layer 2 EtherChannel interface:

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device# configure terminal` Enters global configuration mode.
Step 3	interface port-channel `port-channel-number` Example: `Device(config)# interface Port-channel 4` Specifies an interface type and port number and places the switch in the port channel configuration mode.
Step 4	ipv6 source-guard [attach-policy `<policy_name>`] Example: `Device(config-if)# ipv6 source-guard attach-policy example_policy` Attaches the IPv6 source guard policy to the interface. The default policy is attached if the attach-policy option is not used.
Step 5	end Example: `Device(config-if)# end` Exits interface configuration mode and returns to privileged EXEC mode.
Step 6	show ipv6 source-guard policy `policy_name` Example: `Device# show ipv6 source-guard policy example_policy` Shows the policy configuration and all the interfaces where the policy is applied.

FHS and SISF Configuration Guide

Bias-Free Language

Results

Chapter: IPv6 FHS

IPv6 FHS

Feature history for IPv6 First Hop Security

Understand IPv6 First Hop Security

IPv6 Router Advertisement Guard

IPv6 DHCP Guard

IPv6 source guard

Prerequisites for IPv6 First Hop Security

Restrictions for IPv6 First Hop Security

Configure IPv6 First Hop Security

Configure the IPv6 binding table content

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configure an IPv6 router advertisement guard policy

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Attach an IPv6 router advertisement guard policy to an interface

Procedure

Example:

Example:

Example:

Example:

Example:

Attach an IPv6 router advertisement guard policy to a Layer 2 EtherChannel

Procedure

Example:

Example:

Example:

Example:

Example:

Attach an IPv6 router advertisement guard policy to VLANs globally

Procedure

Example:

Example:

Example:

Example:

Example:

Configure an IPv6 DHCP guard policy

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Attach an IPv6 DHCP guard policy to an interface

Procedure

Example:

Example:

Example:

Example:

Example:

Attach an IPv6 DHCP guard policy to a Layer 2 EtherChannel

Procedure