- Preface
- Using the Command-Line Interface
- Preventing Unauthorized Access
- Preventing Unauthorized Access
- Controlling Switch Access with Passwords and Privilege Levels
- Configuring TACACS+
- Configuring RADIUS
- Configuring Kerberos
- Configuring Local Authentication and Authorization
- Configuring Secure Shell (SSH)
- Configuring Secure Socket Layer HTTP
- Configuring IPv4 ACLs
- Configuring IPv6 ACLs
- Configuring DHCP
- Configuring IP Source Guard
- Configuring Dynamic ARP Inspection
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring Web-Based Authentication
- Configuring Port-Based Traffic Control
- Configuring IPv6 First Hop Security
- Configuring Wireless Guest Access
- Configuring Intrusion Detection System
- Index
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)
- Updated:
- January 31, 2018
Chapter: Configuring IPv6 First Hop Security
- Finding Feature Information
- Prerequisites for First Hop Security in IPv6
- Restrictions for First Hop Security in IPv6
- Information about First Hop Security in IPv6
- How to Configure an IPv6 Snooping Policy
- How to Configure the IPv6 Binding Table Content
- How to Configure an IPv6 Neighbor Discovery Inspection Policy
- How to Configure an IPv6 Router Advertisement Guard Policy
- How to Configure an IPv6 DHCP Guard Policy
- Additional References
Configuring IPv6 First Hop Security
- Finding Feature Information
- Prerequisites for First Hop Security in IPv6
- Restrictions for First Hop Security in IPv6
- Information about First Hop Security in IPv6
- How to Configure an IPv6 Snooping Policy
- How to Configure the IPv6 Binding Table Content
- How to Configure an IPv6 Neighbor Discovery Inspection Policy
- How to Configure an IPv6 Router Advertisement Guard Policy
- How to Configure an IPv6 DHCP Guard Policy
- Additional References
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for First Hop Security in IPv6
Restrictions for First Hop Security in IPv6
-
The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
-
By default, a snooping policy has a security-level of guard. When such a snooping policy is configured on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do the following: -
Apply an IPv6 RA-guard policy (for RA) or IPv6 DHCP-guard policy (for DHCP server messages ) on the uplink port.
-
Configure a snooping policy with a lower security-level, for example glean or inspect. However; configuring a lower security level is not recommended with such a snooping policy, because benefits of First Hop security features are not effective.
-
Information about First Hop Security in IPv6
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:
-
IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.
- IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
- IPv6 Neighbor Discovery
Inspection—IPv6 ND inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection
analyzes neighbor discovery messages in order to build a trusted binding table
database and IPv6 neighbor discovery messages that do not conform are dropped.
An ND message is considered trustworthy if its IPv6-to-Media Access Control
(MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on DAD, address resolution, router discovery, and the neighbor cache.
-
IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 device with the information found in the received RA frame. Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
-
IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature, configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.
-
IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix to prevent source address spoofing.
A source guard programs the hardware to allow or deny traffic based on source or destination addresses. It deals exclusively with data packet traffic.
The IPv6 source guard feature provides the ability to store entries in the hardware TCAM table to prevent a host from sending packets with an invalid IPv6 source address.
To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.
Note
The IPv6 source guard and prefix guard features are supported only in the ingress direction; it is not supported in the egress direction.
The following restrictions apply:
-
An FHS policy cannot be attached to an physical port when it is a member of an EtherChannel group.
-
When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on the interface to which the switch port belongs. Otherwise, all data traffic from this port will be blocked.
-
An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface level.
-
When you configure IPv4 and IPv6 source guard together on an interface, it is recommended to use ip verify source mac-check instead of ip verify source . IPv4 connectivity on a given port might break due to two different filtering rules set — one for IPv4 (IP-filter) and the other for IPv6 (IP-MAC filter).
-
You cannot use IPv6 Source Guard and Prefix Guard together. When you attach the policy to an interface, it should be "validate address" or "validate prefix" but not both.
-
PVLAN and Source/Prefix Guard cannot be applied together.
For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
-
-
IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature, to enable the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced with an address outside this range.
For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
-
IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link. It relies on the address glean functionality to populate all destinations active on the link into the binding table and then blocks resolutions before they happen when the destination is not found in the binding table.
Note
IPv6 Destination Guard is recommended to apply on Layer 2 VLAN with an SVI configured
For more information about IPv6 Destination Guard, see the IPv6 Destination Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
How to Configure an IPv6 Snooping Policy
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Snooping Policy :
1.
configure terminal
2.
ipv6 snooping policy
policy-name
3.
{[default ] | [device-role {node
|
switch}] | [limit address-count
value]
| [no] | [protocol
{dhcp |
ndp} ]
| [security-level
{glean
|
guard
|
inspect} ] | [tracking {disable
[stale-lifetime
[seconds |
infinite] |
enable
[reachable-lifetime
[seconds |
infinite] } ] | [trusted-port ] }
4.
end
5.
show ipv6 snooping policy policy-name
DETAILED STEPS
Attach an IPv6 Snooping policy to interfaces or VLANs.
How to Attach an IPv6 Snooping Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an interface or VLAN:
1.
configure terminal
2.
interface Interface_type stack/module/port
3.
switchport
4.
ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
5.
do show running-config
DETAILED STEPS
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN:
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. | ||
| Step 2 | interface range
Interface_name
Example: Switch(config)# interface range Po11
|
Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
| ||
| Step 3 | ipv6
snooping [attach-policy
policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove
vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove
vlan_ids | all} ]
Example: Switch(config-if-range)# ipv6 snooping attach-policy example_policy or Switch(config-if-range)# ipv6 snooping attach-policy example_policy vlan 222,223,224 or Switch(config-if-range)#ipv6 snooping vlan 222, 223,224 |
Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. | ||
| Step 4 | do show running-config
interfaceportchannel_interface_name
Example: Switch#(config-if-range)# do show running-config int po11
|
Confirms that the policy is attached to the specified interface without exiting the configuration mode. |
How to Attach an IPv6 Snooping Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:
1.
configure terminal
2.
vlan configuration vlan_list
3.
ipv6 snooping [attach-policy policy_name]
4.
do show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | vlan configuration vlan_list Example: Switch(config)# vlan configuration 333
| Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode. |
| Step 3 | ipv6 snooping [attach-policy policy_name] Example: Switch(config-vlan-config)#ipv6 snooping attach-policy example_policy
| Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, security-level guard, device-role node, protocol ndp and dhcp. |
| Step 4 | do show running-config Example: Switch#(config-if)# do show running-config
| Verifies that the policy is attached to the specified VLANs without exiting the interface configuration mode. |
How to Configure the IPv6 Binding Table Content
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :
1.
configure terminal
2.
[no]
ipv6
neighbor binding [vlan
vlan-id
{ipv6-address
interface interface_type
stack/module/port
hw_address [reachable-lifetimevalue
[seconds |
default |
infinite] | [tracking{ [default | disable] [
reachable-lifetimevalue
[seconds |
default |
infinite] | [enable [reachable-lifetimevalue
[seconds |
default |
infinite] | [retry-interval {seconds|
default [reachable-lifetimevalue
[seconds |
default |
infinite] } ]
3.
[no]
ipv6
neighbor binding max-entries
number
[mac-limit
number
|
port-limit
number
[mac-limit
number] | vlan-limit
number
[ [mac-limit
number] | [port-limit
number
[mac-limitnumber] ] ] ]
4.
ipv6 neighbor binding
logging
5.
exit
6.
show ipv6 neighbor binding
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | [no]
ipv6
neighbor binding [vlan
vlan-id
{ipv6-address
interface interface_type
stack/module/port
hw_address [reachable-lifetimevalue
[seconds |
default |
infinite] | [tracking{ [default | disable] [
reachable-lifetimevalue
[seconds |
default |
infinite] | [enable [reachable-lifetimevalue
[seconds |
default |
infinite] | [retry-interval {seconds|
default [reachable-lifetimevalue
[seconds |
default |
infinite] } ]
Example: Switch(config)# ipv6 neighbor binding
|
Adds a static entry to the binding table database. |
| Step 3 | [no]
ipv6
neighbor binding max-entries
number
[mac-limit
number
|
port-limit
number
[mac-limit
number] | vlan-limit
number
[ [mac-limit
number] | [port-limit
number
[mac-limitnumber] ] ] ]
Example: Switch(config)# ipv6 neighbor binding max-entries 30000
|
Specifies the maximum number of entries that are allowed to be inserted in the binding table cache. |
| Step 4 | ipv6 neighbor binding
logging
Example: Switch(config)# ipv6 neighbor binding logging
|
Enables the logging of binding table main events. |
| Step 5 | exit
Example: Switch(config)# exit
|
Exits global configuration mode, and places the router in privileged EXEC mode. |
| Step 6 | show ipv6 neighbor binding
Example: Switch# show ipv6 neighbor binding
|
Displays contents of a binding table. |
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:
1.
configure terminal
2.
[no]ipv6 nd inspection
policy
policy-name
3.
device-role {host |
monitor |
router
|
switch}
4.
drop-unsecure
5.
limit
address-count
value
6.
sec-level
minimum
value
7.
tracking {enable [reachable-lifetime
{value |
infinite}] |
disable [stale-lifetime {value |
infinite}]}
8.
trusted-port
9.
validate source-mac
10.
no {device-role |
drop-unsecure |
limit
address-count |
sec-level
minimum |
tracking |
trusted-port |
validate
source-mac}
11.
default {device-role |
drop-unsecure |
limit
address-count |
sec-level
minimum |
tracking |
trusted-port |
validate
source-mac}
12.
do show ipv6 nd inspection policy
policy_name
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | [no]ipv6 nd inspection
policy
policy-name
Example: Switch(config)# ipv6 nd inspection policy example_policy
|
Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode. |
| Step 3 |
device-role {host |
monitor |
router
|
switch}
Example: Switch(config-nd-inspection)# device-role switch
|
Specifies the role of the device attached to the port. The default is host. |
| Step 4 |
drop-unsecure
Example: Switch(config-nd-inspection)# drop-unsecure
|
Drops messages with no or invalid options or an invalid signature. |
| Step 5 |
limit
address-count
value
Example: Switch(config-nd-inspection)# limit address-count 1000
|
Enter 1–10,000. |
| Step 6 |
sec-level
minimum
value
Example: Switch(config-nd-inspection)# limit address-count 1000
|
Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used. |
| Step 7 | tracking {enable [reachable-lifetime
{value |
infinite}] |
disable [stale-lifetime {value |
infinite}]}
Example: Switch(config-nd-inspection)# tracking disable stale-lifetime infinite
|
Overrides the default tracking policy on a port. |
| Step 8 |
trusted-port
Example: Switch(config-nd-inspection)# trusted-port
|
Configures a port to become a trusted port. |
| Step 9 | validate source-mac
Example: Switch(config-nd-inspection)# validate source-mac
|
Checks the source media access control (MAC) address against the link-layer address. |
| Step 10 | no {device-role |
drop-unsecure |
limit
address-count |
sec-level
minimum |
tracking |
trusted-port |
validate
source-mac}
Example: Switch(config-nd-inspection)# no validate source-mac
|
Remove the current configuration of a parameter with the no form of the command. |
| Step 11 | default {device-role |
drop-unsecure |
limit
address-count |
sec-level
minimum |
tracking |
trusted-port |
validate
source-mac}
Example: Switch(config-nd-inspection)# default limit address-count
|
Restores configuration to the default values. |
| Step 12 | do show ipv6 nd inspection policy
policy_name
Example: Switch(config-nd-inspection)# do show ipv6 nd inspection policy example_policy
|
Verifies the ND Inspection Configuration without exiting ND inspection configuration mode. |
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or VLANs on an interface :
1.
configure terminal
2.
interface Interface_type stack/module/port
3.
ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
4.
do show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | interface Interface_type stack/module/port Example: Switch(config)# interface gigabitethernet 1/1/4
| Specifies an interface type and identifier; enters the interface configuration mode. |
| Step 3 | ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ] Example: Switch(config-if)# ipv6 nd inspection attach-policy example_policy or Switch(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224 or Switch(config-if)# ipv6 nd inspection vlan 222, 223,224 | Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| Step 4 | do show running-config Example: Switch#(config-if)# do show running-config
| Verifies that the policy is attached to the specified interface without exiting the interface configuration mode. |
How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN:
1.
configure terminal
2.
interface range
Interface_name
3.
ipv6
nd
inspection [attach-policy
policy_name [
vlan
{vlan_ids |
add vlan_ids
|
except vlan_ids |
none |
remove
vlan_ids |
all} ]
|
vlan [
{vlan_ids |
add vlan_ids
|
exceptvlan_ids |
none |
remove
vlan_ids |
all}
]
4.
do show running-config
interfaceportchannel_interface_name
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. | ||
| Step 2 | interface range
Interface_name
Example: Switch(config)# interface Po11
|
Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
| ||
| Step 3 | ipv6
nd
inspection [attach-policy
policy_name [
vlan
{vlan_ids |
add vlan_ids
|
except vlan_ids |
none |
remove
vlan_ids |
all} ]
|
vlan [
{vlan_ids |
add vlan_ids
|
exceptvlan_ids |
none |
remove
vlan_ids |
all}
]
Example: Switch(config-if-range)# ipv6 nd inspection attach-policy example_policy or Switch(config-if-range)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224 or Switch(config-if-range)#ipv6 nd inspection vlan 222, 223,224 |
Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. | ||
| Step 4 | do show running-config
interfaceportchannel_interface_name
Example: Switch#(config-if-range)# do show running-config int po11
|
Confirms that the policy is attached to the specified interface without exiting the configuration mode. |
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces:
1.
configure terminal
2.
vlan configuration vlan_list
3.
ipv6 nd inspection [attach-policy policy_name]
4.
do show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | vlan configuration vlan_list Example: Switch(config)# vlan configuration 334
| Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode. |
| Step 3 | ipv6 nd inspection [attach-policy policy_name] Example: Switch(config-vlan-config)#ipv6 nd inspection attach-policy example_policy
| Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, device-role host, no drop-unsecure, limit address-count disabled, sec-level minimum is disabled, tracking is disabled, no trusted-port, no validate source-mac. |
| Step 4 | do show running-config Example: Switch#(config-if)# do show running-config
| Confirms that the policy is attached to the specified VLANs without exiting the configuration mode. |
How to Configure an IPv6 Router Advertisement Guard Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement policy :
1.
configure terminal
2.
[no]ipv6 nd raguard
policy
policy-name
3.
[no]device-role {host |
monitor |
router
|
switch}
4.
[no]hop-limit {maximum |
minimum}
value
5.
[no]managed-config-flag
{off |
on}
6.
[no]match {ipv6 access-list
list |
ra
prefix-list
list}
7.
[no]other-config-flag {on |
off}
8.
[no]router-preference
maximum {high |
medium |
low}
9.
[no]trusted-port
10.
default {device-role |
hop-limit {maximum |
minimum} |
managed-config-flag |
match {ipv6 access-list |
ra
prefix-list } |
other-config-flag |
router-preference maximum|
trusted-port}
11.
do show ipv6 nd raguard policy
policy_name
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | [no]ipv6 nd raguard
policy
policy-name
Example: Switch(config)# ipv6 nd raguard policy example_policy
|
Specifies the RA Guard policy name and enters RA Guard Policy configuration mode. |
| Step 3 | [no]device-role {host |
monitor |
router
|
switch}
Example: Switch(config-nd-raguard)# device-role switch
|
Specifies the role of the device attached to the port. The default is host. |
| Step 4 | [no]hop-limit {maximum |
minimum}
value
Example: Switch(config-nd-raguard)# hop-limit maximum 33
|
(1–255) Range for Maximum and Minimum Hop Limit values. Enables filtering of Router Advertisement messages by the Hop Limit value. A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked. If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximumto block RA messages with Hop Limit values greater than the value you specify. |
| Step 5 | [no]managed-config-flag
{off |
on}
Example: Switch(config-nd-raguard)# managed-config-flag on
|
Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rouge RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled. On—Accepts and forwards RA messages with an M value of 1, blocks those with 0. Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1. |
| Step 6 | [no]match {ipv6 access-list
list |
ra
prefix-list
list}
Example: Switch(config-nd-raguard)# match ipv6 access-list example_list
|
Matches a specified prefix list or access list. |
| Step 7 | [no]other-config-flag {on |
off}
Example: Switch(config-nd-raguard)# other-config-flag on
|
Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rouge RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled. On—Accepts and forwards RA messages with an O value of 1, blocks those with 0. Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1. |
| Step 8 | [no]router-preference
maximum {high |
medium |
low}
Example: Switch(config-nd-raguard)# router-preference maximum high
|
Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled. |
| Step 9 | [no]trusted-port
Example: Switch(config-nd-raguard)# trusted-port
|
When configured as a trusted port, all attached devices are trusted, and no further message verification is performed. |
| Step 10 | default {device-role |
hop-limit {maximum |
minimum} |
managed-config-flag |
match {ipv6 access-list |
ra
prefix-list } |
other-config-flag |
router-preference maximum|
trusted-port}
Example: Switch(config-nd-raguard)# default hop-limit
|
Restores a command to its default value. |
| Step 11 | do show ipv6 nd raguard policy
policy_name
Example: Switch(config-nd-raguard)# do show ipv6 nd raguard policy example_policy
|
(Optional)—Displays the ND Guard Policy configuration without exiting the RA Guard policy configuration mode. |
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to an interface or to VLANs on the interface :
1.
configure terminal
2.
interface Interface_type stack/module/port
3.
ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
4.
do show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | interface Interface_type stack/module/port Example: Switch(config)# interface gigabitethernet 1/1/4
| Specifies an interface type and identifier; enters the interface configuration mode. |
| Step 3 | ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ] Example: Switch(config-if)# ipv6 nd raguard attach-policy example_policy or Switch(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224 or Switch(config-if)# ipv6 nd raguard vlan 222, 223,224 | Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| Step 4 | do show running-config Example: Switch#(config-if)# do show running-config
| Confirms that the policy is attached to the specified interface without exiting the configuration mode. |
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy on an EtherChannel interface or VLAN:
1.
configure terminal
2.
interface range
Interface_name
3.
ipv6
nd
raguard [attach-policy
policy_name [
vlan
{vlan_ids |
add vlan_ids
|
except vlan_ids |
none |
remove
vlan_ids |
all} ]
|
vlan [
{vlan_ids |
add vlan_ids
|
exceptvlan_ids |
none |
remove
vlan_ids |
all}
]
4.
do show running-config
interfaceportchannel_interface_name
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. | ||
| Step 2 | interface range
Interface_name
Example: Switch(config)# interface Po11
|
Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
| ||
| Step 3 | ipv6
nd
raguard [attach-policy
policy_name [
vlan
{vlan_ids |
add vlan_ids
|
except vlan_ids |
none |
remove
vlan_ids |
all} ]
|
vlan [
{vlan_ids |
add vlan_ids
|
exceptvlan_ids |
none |
remove
vlan_ids |
all}
]
Example: Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy or Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224 or Switch(config-if-range)#ipv6 nd raguard vlan 222, 223,224 |
Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. | ||
| Step 4 | do show running-config
interfaceportchannel_interface_name
Example: Switch#(config-if-range)# do show running-config int po11
|
Confirms that the policy is attached to the specified interface without exiting the configuration mode. |
How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface:
1.
configure terminal
2.
vlan configuration
vlan_list
3.
ipv6
dhcp
guard [attach-policy
policy_name]
4.
do show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters global configuration mode. |
| Step 2 | vlan configuration
vlan_list
Example: Switch(config)# vlan configuration 335
|
Specifies the VLANs to which the IPv6 RA Guard policy will be attached ; enters the VLAN interface configuration mode. |
| Step 3 | ipv6
dhcp
guard [attach-policy
policy_name]
Example: Switch(config-vlan-config)#ipv6 nd raguard attach-policy example_policy
|
Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. |
| Step 4 | do show running-config
Example: Switch#(config-if)# do show running-config
|
Confirms that the policy is attached to the specified VLANs without exiting the configuration mode. |
How to Configure an IPv6 DHCP Guard Policy
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:
1.
configure terminal
2.
[no]ipv6 dhcp guard
policy
policy-name
3.
[no]device-role {client |
server}
4.
[no]
match
server
access-list
ipv6-access-list-name
5.
[no]
match
reply
prefix-list
ipv6-prefix-list-name
6.
[no]preference{
max
limit |
min
limit }
7.
[no]
trusted-port
8.
default {device-role |
trusted-port}
9.
do show ipv6 dhcp guard policy
policy_name
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. | ||
| Step 2 | [no]ipv6 dhcp guard
policy
policy-name
Example: Switch(config)# ipv6 dhcp guard policy example_policy
|
Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode. | ||
| Step 3 | [no]device-role {client |
server}
Example: Switch(config-dhcp-guard)# device-role server
|
(Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client. | ||
| Step 4 | [no]
match
server
access-list
ipv6-access-list-name
Example: ;;Assume a preconfigured IPv6 Access List as follows: Switch(config)# ipv6 access-list my_acls Switch(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any ;;configure DCHPv6 Guard to match approved access list. Switch(config-dhcp-guard)# match server access-list my_acls |
(Optional). Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (The destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all. | ||
| Step 5 | [no]
match
reply
prefix-list
ipv6-prefix-list-name
Example: ;;Assume a preconfigured IPv6 prefix list as follows: Switch(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128 ;; Configure DCHPv6 Guard to match prefix Switch(config-dhcp-guard)# match reply prefix-list my_prefix |
(Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit. | ||
| Step 6 | [no]preference{
max
limit |
min
limit }
Example: Switch(config-dhcp-guard)# preference max 250 Switch(config-dhcp-guard)#preference min 150 |
Configure max and min when device-role is serverto filter DCHPv6 server advertisements by the server preference value. The defaults permit all advertisements. max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed. min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed. | ||
| Step 7 | [no]
trusted-port
Example: Switch(config-dhcp-guard)# trusted-port
|
(Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.
| ||
| Step 8 | default {device-role |
trusted-port}
Example: Switch(config-dhcp-guard)# default device-role
|
(Optional) default—Sets a command to its defaults. | ||
| Step 9 | do show ipv6 dhcp guard policy
policy_name
Example: Switch(config-dhcp-guard)# do show ipv6 dhcp guard policy example_policy
|
(Optional) Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 policies. |
Example of DHCPv6 Guard Configuration
enable configure terminal ipv6 access-list acl1 permit host FE80::A8BB:CCFF:FE01:F700 any ipv6 prefix-list abc permit 2001:0DB8::/64 le 128 ipv6 dhcp guard policy pol1 device-role server match server access-list acl1 match reply prefix-list abc preference min 0 preference max 255 trusted-port interface GigabitEthernet 0/2/0 switchport ipv6 dhcp guard attach-policy pol1 vlan add 1 vlan 1 ipv6 dhcp guard attach-policy pol1 show ipv6 dhcp guard policy pol1
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :
1.
configure terminal
2.
interface Interface_type stack/module/port
3.
ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
4.
do show running-config interface Interface_type stack/module/port
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | interface Interface_type stack/module/port Example: Switch(config)# interface gigabitethernet 1/1/4
| Specifies an interface type and identifier; enters the interface configuration mode. |
| Step 3 | ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ] Example: Switch(config-if)# ipv6 dhcp guard attach-policy example_policy or Switch(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224 or Switch(config-if)# ipv6 dhcp guard vlan 222, 223,224 | Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| Step 4 | do show running-config interface Interface_type stack/module/port Example: Switch#(config-if)# do show running-config gig 1/1/4
| Confirms that the policy is attached to the specified interface without exiting the configuration mode. |
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy on an EtherChannel interface or VLAN:
1.
configure terminal
2.
interface range
Interface_name
3.
ipv6
dhcp
guard
[attach-policy
policy_name [
vlan
{vlan_ids |
add vlan_ids
|
except vlan_ids |
none |
remove
vlan_ids |
all} ]
|
vlan [
{vlan_ids |
add vlan_ids
|
exceptvlan_ids |
none |
remove
vlan_ids |
all}
]
4.
do show running-config
interfaceportchannel_interface_name
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure terminal
Example: Switch# configure terminal
|
Enters the global configuration mode. | ||
| Step 2 | interface range
Interface_name
Example: Switch(config)# interface Po11
|
Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.
| ||
| Step 3 | ipv6
dhcp
guard
[attach-policy
policy_name [
vlan
{vlan_ids |
add vlan_ids
|
except vlan_ids |
none |
remove
vlan_ids |
all} ]
|
vlan [
{vlan_ids |
add vlan_ids
|
exceptvlan_ids |
none |
remove
vlan_ids |
all}
]
Example: Switch(config-if-range)# ipv6 dhcp guard attach-policy example_policy or Switch(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224 or Switch(config-if-range)#ipv6 dhcp guard vlan 222, 223,224 |
Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. | ||
| Step 4 | do show running-config
interfaceportchannel_interface_name
Example: Switch#(config-if-range)# do show running-config int po11
|
Confirms that the policy is attached to the specified interface without exiting the configuration mode. |
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:
1.
configure terminal
2.
vlan configuration vlan_list
3.
ipv6 dhcp guard [attach-policy policy_name]
4.
do show running-config
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure terminal Example: Switch# configure terminal
|
Enters the global configuration mode. |
| Step 2 | vlan configuration vlan_list Example: Switch(config)# vlan configuration 334
| Specifies the VLANs to which the IPv6 Snooping policy will be attached ; enters the VLAN interface configuration mode. |
| Step 3 | ipv6 dhcp guard [attach-policy policy_name] Example: Switch(config-vlan-config)#ipv6 dhcp guard attach-policy example_policy
| Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is, device-role client, no trusted-port. |
| Step 4 | do show running-config Example: Switch#(config-if)# do show running-config
| Confirms that the policy is attached to the specified VLANs without exiting the configuration mode. |
Additional References
Related Documents
| Related Topic | Document Title |
|---|---|
|
Implementing IPv6 Addressing and Basic Connectivity |
|
|
IPv6 network management and security topics |
IPv6 Configuration Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) |
|
IPv6 Command Reference |
IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-xe-3se-3850-cr-book.html |
Error Message Decoder
| Description | Link |
|---|---|
|
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. |
https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi |
Technical Assistance
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feedback