Configuring IPv6 First-Hop Security

This chapter describes how to configure IPv6 First-Hop Security on Cisco NX-OS devices and includes the following sections:

Introduction to First-Hop Security

Layer 2 and Layer 3 switches operate in Layer 2 domains that use technologies such as server virtualization, Overlay Transport Virtualization (OTV), and Layer 2 mobility. These devices are sometimes referred to as "first hops", specifically when they face end nodes. The First-Hop Security feature protects end nodes and optimizes link operations on IPv6 or dual-stack networks.

First-Hop Security (FHS) is a set of features that optimize IPv6 link operation and help with scale in large Layer 2 domains. These features protect against a wide range of rogue or misconfigured hosts, and they can be extended with additional features for different deployment scenarios or attack vectors.

Beginning with Cisco Nexus Release 7.0(3)I7(1), the following FHS features are supported:

  • IPv6 RA Guard

  • DHCPv6 Guard

  • IPv6 Snooping


Note

Use the feature dhcp command to enable the FHS feature.


IPv6 Global Policies

IPv6 global policies provide storage and access policy database services. IPv6 snooping, DHCPv6 guard, and IPv6 RA guard are IPv6 global policy features. Every time IPv6 snooping, DHCPv6 guard, or RA guard is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface or VLAN, and the software policy database entry is updated to include the interface to which the policy is applied.

All port level FHS policies are programmed in the ifacl region, while the VLAN level policies are programmed in the FHS region. Use the hardware profile tcam region fhs tcam_size command to configure the FHS region. The range for the TCAM size is 0-4096.


Note

When you upgrade the Cisco Nexus 3000 Series switch to Cisco NX-OS Release 7.0(3)I7(1), you must reload the Cisco NX-OS box before configuring the port level FHS policies.


All FHS packets take the copp-s-dhcpreq queue for software processing.

IPv6 First-Hop Security Binding Table

A database, or table, of IPv6 neighbors connected to the device is created from information sources such as IPv6 snooping. This database, or binding table, is used by the various IPv6 guard features to validate the link-layer address (LLA), the IPv6 address, and the prefix binding of the neighbors in order to prevent spoofing and redirect attacks.

RA Guard

Overview of IPv6 RA Guard

The IPv6 RA Guard feature allows the network administrator to block or reject unwanted or rogue Router Advertisement (RA) messages that arrive at the network device. Routers use RAs to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame or router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content cannot be validated, the RA is dropped.

Guidelines and Limitations of IPv6 RA Guard

The guidelines and limitations of IPv6 RA Guard are as follows:

  • The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.

  • This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed.

  • This feature can be configured on a switch port interface in the ingress direction.

  • This feature supports host mode and router mode.

  • This feature is supported only in the ingress direction; it is not supported in the egress direction.

  • This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs, primary VLAN features are inherited and merged with port features.

  • Packets dropped by the IPv6 RA Guard feature can be spanned.

  • IPv6 RA Guard cannot be enabled if SFLOW is enabled.

  • IPv6 RA Guard cannot be enabled on VXLAN ports.

  • If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the IPv6 RA Guard feature cannot be configured and an error message will be displayed. This command adds default global Internet Control Message Protocol (ICMP) entries that will override the RA guard ICMP entries.

DHCPv6 Guard

Overview of DHCP—DHCPv6 Guard

The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN.

Packets are classified into one of three DHCP message types. All client messages are always switched, regardless of the device role. DHCP server messages are processed further only if the device role is set to server; for server advertisements, that further processing is the server preference check.

If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device role configuration.

Guidelines and Limitations of DHCPv6 Guard

The guidelines and limitations of DHCPv6 Guard are as follows:

  • If a packet arriving from the DHCP server is a Relay Forward or a Relay Reply, only the device role is checked. In addition, IPv6 DHCP Guard does not apply the policy for a packet sent out by the local relay agent running on the switch.

  • DHCP Guard cannot be enabled if SFLOW is enabled.

  • DHCP Guard is not supported on VXLAN ports.

IPv6 Snooping

Overview of IPv6 Snooping

The IPv6 snooping feature bundles several Layer 2 IPv6 first-hop security features that operate at Layer 2, or between Layer 2 and Layer 3, and provides IPv6 with security and scalability. This feature mitigates some of the inherent vulnerabilities of the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

IPv6 snooping learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables and analyzes snooping messages in order to build a trusted binding table. IPv6 snooping messages that do not have valid bindings are dropped. An IPv6 snooping message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.

When IPv6 snooping is configured on a target (which varies depending on platform target support and may include device ports, switch ports, Layer 2 interfaces, Layer 3 interfaces, and VLANs), capture instructions are downloaded to the hardware to redirect the snooping protocol and Dynamic Host Configuration Protocol (DHCP) for IPv6 traffic up to the switch integrated security features (SISF) infrastructure in the routing device. For snooping traffic, Neighbor Discovery Protocol (NDP) messages are directed to SISF. For DHCPv6, UDP messages sourced from the DHCPv6 client and server ports are redirected.

IPv6 snooping registers its "capture rules" to the classifier, which aggregates all rules from all features on a given target and installs the corresponding ACL down into the platform-dependent modules. Upon receiving redirected traffic, the classifier calls all entry points from any registered feature (for the target on which the traffic is being received), including the IPv6 snooping entry point. This entry point is the last to be called, so any decision (such as drop) made by another feature supersedes the IPv6 snooping decision.

IPv6 snooping provides IPv6 host liveness tracking so that a neighbor table can be immediately updated when an IPv6 host disappears.

Additionally, IPv6 snooping is the foundation for many other IPv6 features that depend on an accurate binding table. It inspects snooping and DHCP messages on a link to glean addresses, and then populates the binding table with these addresses. This feature also enforces address ownership and limits the number of addresses any given node is allowed to claim.

Guidelines and Limitations for IPv6 Snooping

The guidelines and limitations of IPv6 Snooping are as follows:

  • You must perform the same configuration on both vPC peers. Cisco NX-OS Release 7.0(3)I7(1) does not support an automatic consistency checker for IPv6 First-Hop Security.

  • The IPv6 Snooping feature is supported only in the hardware when the ternary content addressable memory (TCAM) is programmed.

  • The IPv6 Snooping feature can be configured on a switch port interface or on a VLAN, in the ingress direction only.

  • The tracking functionality of the IPv6 snooping policy will not work if the Neighbor Discovery protocol is disabled in the configured IPv6 snooping policy.

  • For IPv6 snooping to learn DHCP bindings, it must see both the server and the client replies. An IPv6 snooping policy must be attached to both the client-facing interface (or VLAN) and the DHCP server-facing interface (or VLAN). In the case of a DHCP relay, an IPv6 snooping policy must be attached at the VLAN level to see the server replies.

How to Configure IPv6 FHS

Configuring the IPv6 RA Guard Policy on the Device


Note

When the ipv6 nd raguard command is configured on ports, router solicitation messages are not replicated to these ports. To replicate router solicitation messages, all ports that face routers must be set to the router role.


Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:


Device# configure terminal 

Enters global configuration mode.

Step 2

ipv6 nd raguard policy policy-name

Example:


Device(config)# ipv6 nd raguard policy policy1

Defines the RA guard policy name and enters RA guard policy configuration mode.

Step 3

device-role {host | router | monitor | switch}

Example:


Device(config-ra-guard)# device-role router

Specifies the role of the device attached to the port.

Step 4

hop-limit {maximum | minimum limit}

Example:

Device(config-ra-guard)# hop-limit minimum 3

(Optional) Enables verification of the advertised hop count limit.

  • If not configured, this check will be bypassed.

Step 5

managed-config-flag {on | off}

Example:

Device(config-ra-guard)# managed-config-flag on

(Optional) Enables verification that the advertised managed address configuration flag is on.

  • If not configured, this check will be bypassed.

Step 6

other-config-flag {on | off}

Example:

Device(config-ra-guard)# other-config-flag on

(Optional) Enables verification of the advertised “other” configuration parameter.

Step 7

router-preference maximum {high | low | medium}

Example:

Device(config-ra-guard)# router-preference maximum high

(Optional) Enables verification that the advertised default router preference parameter value is lower than or equal to a specified limit.

Step 8

trusted-port

Example:

Device(config-ra-guard)# trusted-port

(Optional) Specifies that this policy is being applied to trusted ports.

  • All RA guard policing will be disabled.

Step 9

exit

Example:

Device(config-ra-guard)# exit

Exits RA guard policy configuration mode and returns to global configuration mode.
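The checks that Steps 3 through 8 configure (device role, hop-limit bounds, M and O flags, router preference, trusted port) can be modelled against real RA headers. The following Python is an added example, not Cisco code: it decodes the fixed part of an ICMPv6 Router Advertisement and applies a policy in the order the procedure lists the checks. The class and function names are this example's own; only the host and router roles are modelled.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ICMPV6_RA = 134
# Default Router Preference lives in bits 4-3 of the RA flags byte (RFC 4191 section 2.2);
# receivers must treat the reserved value 10 as medium (00).
_PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
_PRF_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class RaGuardPolicy:
    """Knobs of 'ipv6 nd raguard policy'; None means that check is bypassed."""
    device_role: str = "router"                        # host | router (monitor/switch not modelled)
    hop_limit_minimum: Optional[int] = None
    hop_limit_maximum: Optional[int] = None
    managed_config_flag: Optional[bool] = None         # True = 'on', False = 'off'
    other_config_flag: Optional[bool] = None
    router_preference_maximum: Optional[str] = None    # high | medium | low
    trusted_port: bool = False

def parse_ra(icmpv6: bytes) -> dict:
    """Decode the fixed 16-byte header of an ICMPv6 Router Advertisement (RFC 4861 section 4.2)."""
    if len(icmpv6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _csum, hop_limit, flags, _lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"hop_limit": hop_limit, "managed": bool(flags & 0x80),      # M flag
            "other": bool(flags & 0x40),                               # O flag
            "preference": _PRF_NAMES[(flags >> 3) & 0b11]}

def ra_guard_verdict(policy: RaGuardPolicy, icmpv6: bytes) -> tuple:
    """Apply the policy to one RA in the order the procedure lists the checks; returns (verdict, reason)."""
    if policy.trusted_port:
        return "permit", "trusted-port: RA guard policing disabled"
    if policy.device_role == "host":
        return "drop", "device-role host: RAs are not allowed on this port"
    if policy.device_role != "router":
        raise ValueError("only the host and router roles are modelled here")
    ra = parse_ra(icmpv6)
    if policy.hop_limit_minimum is not None and ra["hop_limit"] < policy.hop_limit_minimum:
        return "drop", f"hop limit {ra['hop_limit']} below minimum {policy.hop_limit_minimum}"
    if policy.hop_limit_maximum is not None and ra["hop_limit"] > policy.hop_limit_maximum:
        return "drop", f"hop limit {ra['hop_limit']} above maximum {policy.hop_limit_maximum}"
    if policy.managed_config_flag is not None and ra["managed"] != policy.managed_config_flag:
        return "drop", "managed-config-flag (M) does not match the policy"
    if policy.other_config_flag is not None and ra["other"] != policy.other_config_flag:
        return "drop", "other-config-flag (O) does not match the policy"
    if (policy.router_preference_maximum is not None
            and _PRF_RANK[ra["preference"]] > _PRF_RANK[policy.router_preference_maximum]):
        return "drop", f"router preference {ra['preference']} above the configured maximum"
    return "permit", "RA content validated against the policy"

def build_ra(hop_limit: int, managed: bool, other: bool, preference: str, lifetime: int = 1800) -> bytes:
    """Constructed sample RA header for testing (checksum left at zero)."""
    prf = {"high": 0b01, "medium": 0b00, "low": 0b11}[preference]
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (prf << 3)
    return struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, lifetime, 0, 0)

# The policy built in the procedure: router role, hop-limit minimum 3, managed-config-flag on,
# other-config-flag on, router-preference maximum high. Access ports get the host role.
UPLINK_POLICY = RaGuardPolicy(device_role="router", hop_limit_minimum=3, managed_config_flag=True,
                              other_config_flag=True, router_preference_maximum="high")
HOST_POLICY = RaGuardPolicy(device_role="host")
```

An RA with hop limit 1 from an untrusted uplink fails the first check and is dropped; the same RA on a host-role access port is dropped before any field is inspected.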

Configuring IPv6 RA Guard on an Interface

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:


Device# configure terminal 

Enters global configuration mode.

Step 2

interface type number

Example:


Device(config)# interface fastethernet 3/13

Specifies an interface type and number, and places the device in interface configuration mode.

Step 3

ipv6 nd raguard attach-policy [policy-name ]

Example:


Device(config-if)# ipv6 nd raguard attach-policy

Applies the IPv6 RA Guard feature to a specified interface.

Step 4

exit

Example:

Device(config-if)# exit

Exits interface configuration mode.

Step 5

show ipv6 nd raguard policy [policy-name ]

Example:

switch# show ipv6 nd raguard policy host
Policy host configuration: 
  device-role host

Policy applied on the following interfaces:

  Et0/0        vlan all 
  Et1/0        vlan all

Displays the RA guard policy on all interfaces configured with the RA guard.

Step 6

debug ipv6 snooping raguard [filter | interface | vlanid ]

Example:


Device# debug ipv6 snooping raguard

Enables debugging for IPv6 RA guard snooping information.

Configuring DHCP—DHCPv6 Guard

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

ipv6 dhcp guard policy policy-name

Example:


Device(config)# ipv6 dhcp guard policy pol1

Defines the DHCPv6 guard policy name and enters DHCP guard configuration mode.

Step 3

device-role {client | server}

Example:


Device(config-dhcp-guard)# device-role server

Specifies the role of the device attached to the target (interface or VLAN).

Step 4

preference min limit

Example:


Device(config-dhcp-guard)# preference min 0

(Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. If not specified, this check will be bypassed.

Step 5

preference max limit

Example:


Device(config-dhcp-guard)# preference max 255

(Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. If not specified, this check will be bypassed.

Step 6

trusted-port

Example:


Device(config-dhcp-guard)# trusted-port

(Optional) Specifies that this policy is being applied to trusted ports. All DHCP guard policing will be disabled.

Step 7

exit

Example:


Device(config-dhcp-guard)# exit

Exits DHCP guard configuration mode and returns to global configuration mode.

Step 8

interface type number

Example:


Device(config)# interface GigabitEthernet 0/2/0

Specifies an interface and enters interface configuration mode.

Step 9

switchport

Example:


Device(config-if)# switchport

Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.

Step 10

ipv6 dhcp guard [attach-policy policy-name]

Example:


Device(config-if)# ipv6 dhcp guard attach-policy pol1 

Attaches a DHCPv6 guard policy to an interface.

Step 11

exit

Example:


Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 12

vlan configuration vlan-id

Example:


Device(config)# vlan configuration 1

Specifies a VLAN and enters VLAN configuration mode.

Step 13

ipv6 dhcp guard [attach-policy policy-name]

Example:


Device(config-vlan-config)# ipv6 dhcp guard attach-policy pol1

Attaches a DHCPv6 guard policy to a VLAN.

Step 14

exit

Example:


Device(config-vlan-config)# exit

Exits VLAN configuration mode and returns to global configuration mode.

Step 15

exit

Example:


Device(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Step 16

show ipv6 dhcp guard policy [policy-name]

Example:


Device# show ipv6 dhcp guard policy pol1

(Optional) Displays the policy configuration as well as all the interfaces where the policy is applied.
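The classification described in the DHCPv6 Guard overview (client messages always switched, server messages and Relay Reply only on a server-role target, preference checked on advertisements, trusted port unpoliced) can be exercised on real DHCPv6 message bytes. The following Python is an added example, not Cisco code: it parses the DHCPv6 message type and options and applies a policy built from Steps 3 through 6. Names are this example's own, and the preference bounds are applied inclusively (an assumption) so that the page's own min 0 / max 255 policy permits every value.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# DHCPv6 message types (RFC 8415 section 7.3). Anything not in SERVER_MESSAGES or RELAY_REPL
# travels from client (or relay) toward the server and is treated as a client message.
SOLICIT, ADVERTISE, REPLY, RECONFIGURE, RELAY_FORW, RELAY_REPL = 1, 2, 7, 10, 12, 13
SERVER_MESSAGES = {ADVERTISE, REPLY, RECONFIGURE}
OPTION_PREFERENCE = 7          # one byte of data (RFC 8415 section 21.8)

@dataclass
class Dhcpv6GuardPolicy:
    """Knobs of 'ipv6 dhcp guard policy' as used in the procedure."""
    device_role: str = "client"    # client | server
    preference_min: int = 0
    preference_max: int = 255
    trusted_port: bool = False

def parse_dhcpv6(pkt: bytes) -> tuple:
    """Return (msg_type, {option_code: data}). Relay messages carry a 34-byte header, others 4 bytes."""
    if not pkt:
        raise ValueError("empty DHCPv6 message")
    msg_type = pkt[0]
    off = 34 if msg_type in (RELAY_FORW, RELAY_REPL) else 4
    if len(pkt) < off:
        raise ValueError("truncated DHCPv6 header")
    options = {}
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        data = pkt[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        off += 4 + length
    return msg_type, options

def dhcpv6_guard_verdict(policy: Dhcpv6GuardPolicy, pkt: bytes) -> tuple:
    """Classify one DHCPv6 message and apply the policy; returns ('permit' | 'drop', reason)."""
    if policy.trusted_port:
        return "permit", "trusted-port: DHCP guard policing disabled"
    msg_type, options = parse_dhcpv6(pkt)
    if msg_type == RELAY_FORW or msg_type not in (SERVER_MESSAGES | {RELAY_REPL}):
        return "permit", "client-direction message: always switched"
    # From here on: ADVERTISE, REPLY, RECONFIGURE or RELAY-REPL, i.e. server-direction traffic.
    if policy.device_role != "server":
        return "drop", f"server message type {msg_type} received on a {policy.device_role} port"
    if msg_type == RELAY_REPL:
        return "permit", "relay-reply: only the device role is checked"
    if msg_type == ADVERTISE:
        # An Advertise without a Preference option is treated as preference 0 (RFC 8415 section 18.2.9).
        data = options.get(OPTION_PREFERENCE, b"\x00")
        preference = data[0] if len(data) == 1 else 0
        if not policy.preference_min <= preference <= policy.preference_max:
            return "drop", f"advertised preference {preference} outside [{policy.preference_min}, {policy.preference_max}]"
    return "permit", "server message accepted on server port"

def build_dhcpv6(msg_type: int, preference: Optional[int] = None) -> bytes:
    """Constructed sample message: zero transaction id (client/server) or zero hop-count and
    link/peer addresses (relay), plus an optional Preference option."""
    header = bytes([msg_type]) + (b"\x00" * 33 if msg_type in (RELAY_FORW, RELAY_REPL) else b"\x00" * 3)
    if preference is None:
        return header
    return header + struct.pack("!HHB", OPTION_PREFERENCE, 1, preference)

SERVER_PORT = Dhcpv6GuardPolicy(device_role="server", preference_min=0, preference_max=255)  # pol1 above
CLIENT_PORT = Dhcpv6GuardPolicy(device_role="client")
```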

Configuring IPv6 Snooping

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

ipv6 snooping policy policy-name

Example:

Device(config)# ipv6 snooping policy policy1

Configures an IPv6 snooping policy and enters IPv6 snooping configuration mode.

Step 3

device-role { node | switch }

Example:

Device(config-snoop-policy)# device-role switch

Specifies the role of the device attached to the target (interface or VLAN):

  • node—Is the default. Bindings are created and entries are probed.

  • switch—Entries are not probed and when a trusted port is enabled, bindings are not created.

Step 4

[no] limit address-count

Example:

Device(config-snoop-policy)# limit address-count 500

Limits the number of binding entries; no limit address-count means no limit.

Step 5

[no] protocol dhcp | ndp

Example:

Device(config-snoop-policy)# protocol dhcp
Device(config-snoop-policy)# protocol ndp

Turns on or switches off either DHCP or NDP gleaning.

Step 6

trusted-port

Example:

Device(config-snoop-policy)# trusted-port

Specifies that the policy be applied to a trusted port. If an entry is a trusted-port, none of its traffic will be blocked or dropped.

Step 7

security-level glean | guard | inspect

Example:

Device(config-snoop-policy)# security-level guard

Specifies the security level applied to the policy:

  • glean—learns bindings but does not drop packets.

  • inspect—learns bindings and drops packets in case it detects an issue, such as an address theft.

  • guard—works like inspect, but in addition drops IPv6, ND, RA, and IPv6 DHCP server packets in case of a threat.

Step 8

tracking

Example:

Device(config-snoop-policy)# tracking enable

Enables tracking.

Step 9

exit

Example:

Device(config-snoop-policy)# exit

Exits snooping configuration mode and returns to global configuration mode.

Step 10

interface type-number

Example:

Device(config)# interface ethernet 1/25

Specifies an interface and enters interface configuration mode.

Step 11

[no] switchport

Example:

Device(config-if)# switchport

Switches between Layer 2 and Layer 3 mode.

Step 12

ipv6 snooping attach-policy policy-name

Example:

Device(config-if)# ipv6 snooping attach-policy policy1

Attaches the IPv6 snooping policy to an interface.

Step 13

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 14

vlan configuration vlan-id

Example:

Device(config)# vlan configuration 333

Specifies a VLAN and enters VLAN configuration mode.

Step 15

ipv6 snooping attach-policy policy-name

Example:

Device(config-vlan-config)# ipv6 snooping attach-policy policy1

Attaches the IPv6 snooping policy to a VLAN.

Step 16

exit

Example:

Device(config-vlan-config)# exit

Exits VLAN configuration mode and returns to global configuration mode.

Step 17

exit

Example:

Device(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Step 18

show ipv6 snooping policy policy-name

Example:

Device# show ipv6 snooping policy policy1

Displays the policy configuration and the interfaces where the policy is applied.

Configuring IPv6 First-Hop Security Binding Table

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

ipv6 neighbor binding vlan vlan-id {interface type number | ipv6-address | mac-address } [tracking [disable | enable | retry-interval value ] | reachable-lifetime value ]

Example:


Device(config)# ipv6 neighbor binding vlan 100 interface Ethernet 0/0 reachable-lifetime 100

Adds a static entry to the binding table database.

Step 3

ipv6 neighbor binding max-entries entries [vlan-limit number | interface-limit number | mac-limit number ]

Example:


Device(config)# ipv6 neighbor binding max-entries 100

Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.

Step 4

ipv6 neighbor binding logging

Example:


Device(config)# ipv6 neighbor binding logging

Enables the logging of binding table main events.

Step 5

ipv6 neighbor tracking retry-interval value

Example:


Device(config)# ipv6 neighbor binding retry-interval 8

Tracks entries in the binding table.

Step 6

exit

Example:


Device(config)# exit

Exits global configuration mode and enters privileged EXEC mode.

Step 7

show ipv6 neighbor binding [vlan vlan-id | interface type number | ipv6 ipv6-address | mac mac-address ]

Example:


Device# show ipv6 neighbor binding

Displays the contents of a binding table.
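The binding-table behaviour described in the IPv6 Snooping procedure (device-role, limit address-count, trusted-port, security-level glean versus inspect) and in this procedure (max-entries, logging) can be modelled on gleaned IPv6-to-MAC bindings. The following Python is an added example, not Cisco code: it keeps a binding table keyed by VLAN and IPv6 address, enforces address ownership and the per-node address limit, and records the events that binding logging would report. Names are this example's own; the guard level's extra RA and DHCP server drops belong to the RA guard and DHCPv6 guard policies and are not repeated here, and treating a full table as "forward but do not store" is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class SnoopingPolicy:
    """Knobs of 'ipv6 snooping policy' used here; limit_address_count None = 'no limit address-count'."""
    device_role: str = "node"            # node | switch
    security_level: str = "guard"        # glean | inspect | guard (guard == inspect for bindings here)
    limit_address_count: Optional[int] = None
    trusted_port: bool = False

@dataclass
class BindingTable:
    """(vlan, ipv6) -> (mac, interface), capped by 'ipv6 neighbor binding max-entries'."""
    max_entries: int = 100
    entries: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    events: list = field(default_factory=list)    # what 'ipv6 neighbor binding logging' would report

    def addresses_claimed(self, vlan: int, mac: str) -> int:
        """How many addresses this node (MAC) already holds on the VLAN."""
        return sum(1 for (v, _), (m, _) in self.entries.items() if v == vlan and m == mac)

    def glean(self, policy: SnoopingPolicy, vlan: int, interface: str, ipv6: str, mac: str) -> tuple:
        """Process one binding gleaned from an ND or DHCPv6 message on the target.
        Returns ('permit' | 'drop', reason) for the packet; the table is updated as a side effect."""
        if policy.trusted_port and policy.device_role == "switch":
            return "permit", "trusted switch port: bindings are not created"
        policed = not policy.trusted_port      # a trusted port never has its traffic dropped
        key = (vlan, ipv6)
        owner = self.entries.get(key)
        if owner is not None and owner[0] != mac:
            # Address ownership: the IPv6 address is already bound to another MAC on this VLAN.
            self.events.append(f"vlan {vlan} {ipv6}: owned by {owner[0]}, claimed by {mac} on {interface}")
            if policed and policy.security_level in ("inspect", "guard"):
                return "drop", "address theft detected"
            # glean level learns without dropping: the newer claim overwrites the binding below.
        if owner is None:
            if (policy.limit_address_count is not None
                    and self.addresses_claimed(vlan, mac) >= policy.limit_address_count):
                self.events.append(f"vlan {vlan} {mac}: limit address-count {policy.limit_address_count} reached")
                if policed:
                    return "drop", "node exceeds limit address-count"
                return "permit", "limit reached on trusted port: binding not stored"
            if len(self.entries) >= self.max_entries:
                return "permit", "binding table full (max-entries): packet switched, binding not stored"
        self.entries[key] = (mac, interface)
        return "permit", "binding learned"
```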

Verifying and Troubleshooting IPv6 Snooping

Procedure

  Command or Action Purpose
Step 1

show ipv6 snooping capture-policy [interface type number ]

Example:


Device# show ipv6 snooping capture-policy interface ethernet 0/0 

Displays snooping message capture policies.

Step 2

show ipv6 snooping counter [interface type number ]

Example:


Device# show ipv6 snooping counter interface FastEthernet 4/12 

Displays information about the packets counted by the interface counter.

Step 3

show ipv6 snooping features

Example:


Device# show ipv6 snooping features 

Displays information about snooping features configured on the device.

Step 4

show ipv6 snooping policies [interface type number ]

Example:


Device# show ipv6 snooping policies

Displays information about the configured policies and the interfaces to which they are attached.

Step 5

debug ipv6 snooping

Example:


Device# debug ipv6 snooping

Enables debugging for snooping information in IPv6.

Configuration Examples

Example: IPv6 RA Guard Configuration


switch(config)# interface fastethernet 3/13
switch(config-if)# ipv6 nd raguard attach-policy

switch# show running-config interface fastethernet 3/13

Building configuration...
Current configuration : 129 bytes
!
interface FastEthernet3/13
 switchport
 switchport access vlan 222
 switchport mode access
 access-group mode prefer port
 ipv6 nd raguard
end

Example: Configuring DHCP—DHCPv6 Guard

The following example displays a sample configuration for DHCPv6 Guard:


configure terminal
ipv6 dhcp guard policy pol1
 device-role server
 preference min 0
 preference max 255
 trusted-port
 exit
interface GigabitEthernet 0/2/0
 switchport
 ipv6 dhcp guard attach-policy pol1
 exit
vlan configuration 1
 ipv6 dhcp guard attach-policy pol1
 exit
exit
show ipv6 dhcp guard policy pol1

Example: Configuring IPv6 First-Hop Security Binding Table


config terminal
 ipv6 neighbor binding vlan 100 2001:db8::1 interface ethernet3/0
 ipv6 neighbor binding max-entries 100
 ipv6 neighbor binding logging
 ipv6 neighbor binding retry-interval 8
 exit
show ipv6 neighbor binding

Example: Configuring IPv6 Snooping

switch(config)# ipv6 snooping policy policy1
switch(config-ipv6-snooping)# ipv6 snooping attach-policy policy1
switch(config-ipv6-snooping)# exit
.
.
.
switch# show ipv6 snooping policies policy1
Policy policy1 configuration:
  trusted-port
  device-role node
Policy applied on the following interfaces:
   Et0/0       vlan all
   Et1/0       vlan all
Policy applied on the following vlans:
   vlan 1-100,200,300-400

Additional References for IPv6 First-Hop Security

This section includes additional information related to configuring IPv6 First-Hop Security.

Related Documents

  • Cisco NX-OS Licensing: Cisco NX-OS Licensing Guide

  • Command reference: Cisco Nexus 7000 Series NX-OS Security Command Reference