IPv6 Destination Guard

Last Updated: November 29, 2012

The IPv6 Destination Guard feature blocks any data traffic from an unknown source, and filters IPv6 traffic based on the destination address.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for IPv6 Destination Guard

  • You should be familiar with the IPv6 Neighbor Discovery feature. For information about IPv6 neighbor discovery, see the "Implementing IPv6 Addressing and Basic Connectivity" module.

  • You should be familiar with the IPv6 First-Hop Security Binding Table feature. For information, see the "IPv6 First-Hop Security Binding Table" module.

Information About IPv6 Destination Guard

IPv6 Destination Guard Overview

The IPv6 Destination Guard feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address. It populates all active destinations into the IPv6 first-hop security binding table, and blocks data traffic when the destination is not identifiied.

How to Configure the IPv6 Destination Guard

Configuring IPv6 Destination Guard

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 destination-guard policy policy-name

4.   enforcement {always | stressed}

5.   exit

6.    vlan configuration vlan-list

7.    ipv6 destination-guard attach-policy [policy-name]

8.    exit

9.    show ipv6 destination-guard policy [policy-name]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
ipv6 destination-guard policy policy-name


Example:

Device(config)# ipv6 destination-guard policy pol1

 

Defines the destination guard policy name and enters destination-guard configuration mode.

 
Step 4
enforcement {always | stressed}


Example:

Device(config-destguard)# enforcement always

 

Sets the enforcement level for the target address.

 
Step 5
exit


Example:

Device(config-destguard)# exit

 

Exits destination-guard configuration mode and returns to global configuration mode.

 
Step 6
vlan configuration vlan-list


Example:

Device(config)# vlan configuration 1

 

Enters VLAN configuration mode.

 
Step 7
ipv6 destination-guard attach-policy [policy-name]


Example:

Device(config-vlan-config)# ipv6 destination-guard attach-policy pol1

 

Attaches a destination guard policy to a VLAN.

 
Step 8
exit


Example:

Device(config-vlan-config)# end

 

Exits VLAN configuration mode and rreturns to privileged EXEC configuration mode.

 
Step 9
show ipv6 destination-guard policy [policy-name]


Example:

Device# show ipv6 destination-guard policy pol1

 

(Optional) Displays the policy configuration and all interfaces where the policy is applied.

 

Configuration Examples for IPv6 Destination Guard

Example: Configuring an IPv6 Destination Guard Policy

The following example shows how to configure a destination guard policy: 

 Router> enable
Router# configure terminal
Router(config)# vlan configuration 300
Router(config-vlan-config)# ipv6 destination-guard attach-policy destination
% Warning - 'ipv6 snooping' should be configured before destination-guard


Router(config-vlan-config)# ipv6 snooping attach-policy ND
Router(config)# vlan configuration 300
Router(config-vlan-config)# ipv6 destination-guard attach-policy destination
Router(config-vlan-config)#

Router# show ipv6 destination-guard policy destination
Destination guard policy Destination: 
  enforcement always
        Target: vlan 300

Additional References

Related Documents

Related Topic Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

IPv6 commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS IPv6 Command Reference

IPv6 neighbor discovery

"Implementing IPv6 Addressing and Basic Connectivity" module

IPv6 First-Hop Security Binding Table

" IPV6 First-Hop Security Binding Table" module

Standards and RFCs

Standard/RFC Title

RFC 3756

IPv6 Neighbor Discovery (ND) Trust Models and Threats

RFC 3971

Secure Neighbor Discovery (SeND)

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 Destination Guard

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for IPv6 Destination Guard
Feature Name Releases Feature Information

IPv6 Destination Guard

15.2(4)S

15.1(2)SG

The IPv6 Destination Guard feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address.

The following commands were introduced or modified: enforcement, ipv6 destination-guard attach-policy, ipv6 destination-guard policy, show ipv6 destination-guard policy.

.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.