Configuring IPv6 Routing

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.

Information About Configuring IPv6 Host Functions

This chapter describes how to configure IPv6 host functions on the Catalyst 2960, 2960-S, and 2960-C.


Note

To use IPv6 Host Functions, the switch must be running the LAN Base image.

For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Configuring MLD Snooping.

To enable dual stack environments (supporting both IPv4 and IPv6) on a Catalyst 2960 switch, you must configure the switch to use the a dual IPv4 and IPv6 switch database management (SDM) template. See the "Dual IPv4 and IPv6 Protocol Stacks" section. This template is not required on Catalyst 2960-S switches.


Note
For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures.

Understanding IPv6

IPv4 users can move to IPv6 and receive services such as end-to-end security, quality of service (QoS), and globally unique addresses. The IPv6 address space reduces the need for private addresses and Network Address Translation (NAT) processing by border routers at network edges.

For information about how Cisco Systems implements IPv6, go to:

http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

For information about IPv6 and other features in this chapter

  • See the Cisco IOS IPv6 Configuration Library.

  • Use the Search field on Cisco.com to locate the Cisco IOS software documentation. For example, if you want information about static routes, you can enter Implementing Static Routes for IPv6 in the search field to learn about static routes.

IPv6 Addresses

The switch supports only IPv6 unicast addresses. It does not support site-local unicast addresses, or anycast addresses.

The IPv6 128-bit addresses are represented as a series of eight 16-bit hexadecimal fields separated by colons in the format: n:n:n:n:n:n:n:n. This is an example of an IPv6 address:

2031:0000:130F:0000:0000:09C0:080F:130B

For easier implementation, leading zeros in each field are optional. This is the same address without leading zeros:

2031:0:130F:0:0:9C0:80F:130B

You can also use two colons (::) to represent successive hexadecimal fields of zeros, but you can use this short version only once in each address:

2031:0:130F::09C0:080F:130B

For more information about IPv6 address formats, address types, and the IPv6 packet header, see the http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3e/ip6b-xe-3e-book.html of Cisco IOS IPv6 Configuration Library on Cisco.com.

  • IPv6 Address Formats

  • IPv6 Address Type: Multicast

  • IPv6 Address Output Display

  • Simplified IPv6 Packet Header

Supported IPv6 Unicast Routing Features

These sections describe the IPv6 protocol features supported by the switch:

Support on the switch includes expanded address capability, header format simplification, improved support of extensions and options, and hardware parsing of the extension header. The switch supports hop-by-hop extension header packets, which are routed or bridged in software.

128-Bit Wide Unicast Addresses

The switch supports aggregatable global unicast addresses and link-local unicast addresses. It does not support site-local unicast addresses.

  • Aggregatable global unicast addresses are IPv6 addresses from the aggregatable global unicast prefix. The address structure enables strict aggregation of routing prefixes and limits the number of routing table entries in the global routing table. These addresses are used on links that are aggregated through organizations and eventually to the Internet service provider.

    These addresses are defined by a global routing prefix, a subnet ID, and an interface ID. Current global unicast address allocation uses the range of addresses that start with binary value 001 (2000::/3). Addresses with a prefix of 2000::/3(001) through E000::/3(111) must have 64-bit interface identifiers in the extended unique identifier (EUI)-64 format.

  • Link local unicast addresses can be automatically configured on any interface by using the link-local prefix FE80::/10(1111 1110 10) and the interface identifier in the modified EUI format. Link-local addresses are used in the neighbor discovery protocol (NDP) and the stateless autoconfiguration process. Nodes on a local link use link-local addresses and do not require globally unique addresses to communicate. IPv6 routers do not forward packets with link-local source or destination addresses to other links.

For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

DNS for IPv6

IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes. The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6.

ICMPv6

The Internet Control Message Protocol (ICMP) in IPv6 generates error messages, such as ICMP destination unreachable messages, to report errors during processing and other diagnostic functions. In IPv6, ICMP packets are also used in the neighbor discovery protocol and path MTU discovery.

Neighbor Discovery

The switch supports NDP for IPv6, a protocol running on top of ICMPv6, and static neighbor entries for IPv6 stations that do not support NDP. The IPv6 neighbor discovery process uses ICMP messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), to verify the reachability of the neighbor, and to keep track of neighboring routers.

The switch supports ICMPv6 redirect for routes with mask lengths less than 64 bits. ICMP redirect is not supported for host routes or for summarized routes with mask lengths greater than 64 bits.

Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the process of obtaining the next hop forwarding information to route an IPv6 packet. The switch drops any additional IPv6 packets whose next hop is the same neighbor that the switch is actively trying to resolve. This drop avoids further load on the CPU.


Note

First Hop Security in IPv6 is not supported on EtherChannels.

IPv6 Stateless Autoconfiguration and Duplicate Address Detection

The switch uses stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses. A host autonomously configures its own link-local address, and booting nodes send router solicitations to request router advertisements for configuring interfaces.

For more information about autoconfiguration and duplicate address detection, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.

IPv6 Applications

The switch has IPv6 support for these applications:

  • Ping, traceroute, Telnet

  • Secure Shell (SSH) over an IPv6 transport

  • HTTP server access over IPv6 transport

  • DNS resolver for AAAA over IPv4 transport

  • Cisco Discovery Protocol (CDP) support for IPv6 addresses

For more information about managing these applications, see the Cisco IOS IPv6 Configuration Library on Cisco.com.

Dual IPv4 and IPv6 Protocol Stacks

This figure shows a router forwarding both IPv4 and IPv6 traffic through the same interface, based on the IP packet and destination addresses.

Figure 1. Dual IPv4 and IPv6 Support on an Interface

Use the dual IPv4 and IPv6 switch database management (SDM) template to enable IPv6 routing dual stack environments (supporting both IPv4 and IPv6). For more information about the dual IPv4 and IPv6 SDM template, see Configuring SDM Templates.

The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments.

  • If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears.

  • In IPv4-only environments, the switch routes IPv4 packets and applies IPv4 QoS and ACLs in hardware. IPv6 packets are not supported.

  • In dual IPv4 and IPv6 environments, the switch applies IPv4 QoS and ACLs in hardware .

  • If you do not plan to use IPv6, do not use the dual stack template because this template results in less hardware memory capacity for each resource.

For more information about IPv4 and IPv6 protocol stacks, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.

SNMP and Syslog Over IPv6

To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports. Syslog over IPv6 supports address data types for these transports.

Simple Network Management Protocol (SNMP) and syslog over IPv6 provide these features:

  • Support for both IPv4 and IPv6

  • IPv6 transport for SNMP and to modify the SNMP agent to support traps for an IPv6 host

  • SNMP- and syslog-related MIBs to support IPv6 addressing

  • Configuration of IPv6 hosts as trap receivers

For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6. These SNMP actions support IPv6 transport management:

  • Opens User Datagram Protocol (UDP) SNMP socket with default settings

  • Provides a new transport mechanism called SR_IPV6_TRANSPORT

  • Sends SNMP notifications over IPv6 transport

  • Supports SNMP-named access lists for IPv6 transport

  • Supports SNMP proxy forwarding using IPv6 transport

  • Verifies SNMP Manager feature works with IPv6 transport

For information on SNMP over IPv6, including configuration procedures, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

HTTP(S) Over IPv6

The HTTP client sends requests to both IPv4 and IPv6 HTTP servers, which respond to requests from both IPv4 and IPv6 HTTP clients. URLs with literal IPv6 addresses must be specified in hexadecimal using 16-bit values between colons.

The accept socket call chooses an IPv4 or IPv6 address family. The accept socket is either an IPv4 or IPv6 socket. The listening socket continues to listen for both IPv4 and IPv6 signals that indicate a connection. The IPv6 listening socket is bound to an IPv6 wildcard address.

The underlying TCP/IP stack supports a dual-stack environment. HTTP relies on the TCP/IP stack and the sockets for processing network-layer interactions.

Basic network connectivity (ping ) must exist between the client and the server hosts before HTTP connections can be made.

For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Configuring IPv6

Default IPv6 Configuration

Table 1. Default IPv6 Configuration

Feature

Default Setting

SDM template

Advance desktop. Default is advanced template

IPv6 addresses

None configured

Configuring IPv6 Addressing and Enabling IPv6 Routing

This section describes how to assign IPv6 addresses to individual Layer 3 interfaces and to globally forward IPv6 traffic on the switch.

Before configuring IPv6 on the switch, consider these guidelines:

  • Be sure to select a dual IPv4 and IPv6 SDM template.

  • In the ipv6 address interface configuration command, you must enter the ipv6-address and ipv6-prefix variables with the address specified in hexadecimal using 16-bit values between colons. The prefix-length variable (preceded by a slash [/]) is a decimal value that shows how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address).

To forward IPv6 traffic on an interface, you must configure a global IPv6 address on that interface. Configuring an IPv6 address on an interface automatically configures a link-local address and activates IPv6 for the interface. The configured interface automatically joins these required multicast groups for that link:

  • solicited-node multicast group FF02:0:0:0:0:1:ff00::/104 for each unicast address assigned to the interface (this address is used in the neighbor discovery process.)

  • all-nodes link-local multicast group FF02::1

  • all-routers link-local multicast group FF02::2

For more information about configuring IPv6 routing, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 forwarding:

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.
Step 2

sdm prefer dual-ipv4-and-ipv6 {default}

Example:


Switch(config)# sdm prefer dual-ipv4-and-ipv6 default

Selects an SDM template that supports IPv4 and IPv6.

  • default —Sets the switch to the default template to balance system resources.

Step 3

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.
Step 4

reload

Example:


Switch# reload

Reloads the operating system.

Step 5

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode after the switch reloads.
Step 6

interface interface-id

Example:


Switch(config)# interface gigabitethernet 1/0/1

Enters interface configuration mode, and specifies the Layer 3 interface to configure.
Step 7

Use one of the following:

  • ipv6 address ipv6-prefix/prefix length eui-64
  • ipv6 address ipv6-address/prefix length
  • ipv6 address ipv6-address link-local
  • ipv6 enable

Example:

Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui 64


Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64


Switch(config-if)# ipv6 address 2001:0DB8:c18:1:: link-local


Switch(config-if)# ipv6 enable

  • Specifies a global IPv6 address with an extended unique identifier (EUI) in the low-order 64 bits of the IPv6 address. Specify only the network prefix; the last 64 bits are automatically computed from the switch MAC address. This enables IPv6 processing on the interface.

  • Manually configures an IPv6 address on the interface.

  • Specifies a link-local address on the interface to be used instead of the link-local address that is automatically configured when IPv6 is enabled on the interface. This command enables IPv6 processing on the interface.

  • Automatically configures an IPv6 link-local address on the interface, and enables the interface for IPv6 processing. The link-local address can only be used to communicate with nodes on the same link.

Step 8

exit

Example:


Switch(config-if)# exit

Returns to global configuration mode.
Step 9

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.
Step 10

show ipv6 interface interface-id

Example:


Switch# show ipv6 interface gigabitethernet 1/0/1

Verifies your entries.
Step 11

copy running-config startup-config

Example:

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring IPv6 ICMP Rate Limiting

ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.

To change the ICMP rate-limiting parameters, perform this procedure:

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 3

ipv6 icmp error-interval interval [bucketsize]

Example:


Switch(config)# ipv6 icmp error-interval 50 20

Configures the interval and bucket size for IPv6 ICMP error messages:

  • interval —The interval (in milliseconds) between tokens being added to the bucket. The range is from 0 to 2147483647 milliseconds.

  • bucketsize —(Optional) The maximum number of tokens stored in the bucket. The range is from 1 to 200.

Step 4

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 5

show ipv6 interface [interface-id]

Example:


Switch# show ipv6 interface gigabitethernet0/1

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring Static Routing for IPv6

For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

To configure static IPv6 routing, perform this procedure:

Before you begin

You must enable routing by using the ip routing global configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global configuration command, and enable IPv6 on at least one Layer 3 interface by configuring an IPv6 address on the interface.

Procedure

  Command or Action Purpose
Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 3

ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance]

Example:


Switch(config)# ipv6 route 2001:0DB8::/32 gigabitethernet2/0/1 130

Configures a static IPv6 route.

  • ipv6-prefix —The IPv6 network that is the destination of the static route. It can also be a hostname when static host routes are configured.

  • /prefix lengthThe length of the IPv6 prefix. A decimal value that shows how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

  • ipv6-address —The IPv6 address of the next hop that can be used to reach the specified network. The IPv6 address of the next hop need not be directly connected; recursion is done to find the IPv6 address of the directly connected next hop. The address must be in the form documented in RFC 2373, specified in hexadecimal using 16-bit values between colons.

  • interface-id —Specifies direct static routes from point-to-point and broadcast interfaces. With point-to-point interfaces, there is no need to specify the IPv6 address of the next hop. With broadcast interfaces, you should always specify the IPv6 address of the next hop, or ensure that the specified prefix is assigned to the link, specifying a link-local address as the next hop. You can optionally specify the IPv6 address of the next hop to which packets are sent.

Note 

You must specify an interface-id when using a link-local address as the next hop (the link-local next hop must also be an adjacent router).

  • administrative distance —(Optional) An administrative distance. The range is 1 to 254; the default value is 1, which gives static routes precedence over any other type of route except connected routes. To configure a floating static route, use an administrative distance greater than that of the dynamic routing protocol.

Step 4

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 5

Use one of the following:

  • show ipv6 static [ ipv6-address | ipv6-prefix/prefix length ] [interface interface-id ] [detail]][recursive] [detail]
  • show ipv6 route static [updated]

Example:

Switch# show ipv6 static 2001:0DB8::/32 interface gigabitethernet2/0/1

or 

Switch# show ipv6 route static

Verifies your entries by displaying the contents of the IPv6 routing table.

  • interface interface-id —(Optional) Displays only those static routes with the specified interface as an egress interface.

  • recursive —(Optional) Displays only recursive static routes. The recursive keyword is mutually exclusive with the interface keyword, but it can be used with or without the IPv6 prefix included in the command syntax.

  • detail —(Optional) Displays this additional information:

    • For valid recursive routes, the output path set, and maximum resolution depth.

    • For invalid routes, the reason why the route is not valid.

Step 6

copy running-config startup-config

Example:


Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring IPv6 First Hop Security

Prerequisites for First Hop Security in IPv6

  • You have configured the necessary IPv6 enabled SDM template.

Restrictions for First Hop Security in IPv6

  • The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):

    • A physical port with an FHS policy attached cannot join an EtherChannel group.

    • An FHS policy cannot be attached to an physical port when it is a member of an EtherChannel group.

  • By default, a snooping policy has a security-level of guard. When such a snooping policy is configured on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do the following:

    • Apply an IPv6 RA-guard policy (for RA) or IPv6 DHCP-guard policy (for DHCP server messages ) on the uplink port.

    • Configure a snooping policy with a lower security-level, for example glean or inspect. However; configuring a lower security level is not recommended with such a snooping policy, because benefits of First Hop security features are not effective.

Information about First Hop Security in IPv6

First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:

  • IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.

  • IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
  • IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.

    This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on DAD, address resolution, router discovery, and the neighbor cache.

    For detailed information about IPv6 Neighbor Discovery Inspection, see the “IPv6 Neighbor Discovery Inspection” chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 device with the information found in the received RA frame. Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.

    For detailed information about IPv6 Router Advertisement Guard, see the “IPv6 Router Advertisement Guard" chapter of the Cisco IOS IPv6 Configuration Guide Library on Cisco.com.

  • IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature, configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.

How to Configure an IPv6 Snooping Policy

Beginning in privileged EXEC mode, follow these steps to configure IPv6 Snooping Policy :

SUMMARY STEPS

  1. configure terminal
  2. ipv6 snooping policy policy-name
  3. {[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }
  4. end
  5. show ipv6 snooping policy policy-name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters the global configuration mode.

Step 2

ipv6 snooping policy policy-name

Example:

Switch(config)# ipv6 snooping policy example_policy

Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.

Step 3

{[default ] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp} ] | [security-level {glean | guard | inspect} ] | [tracking {disable [stale-lifetime [seconds | infinite] | enable [reachable-lifetime [seconds | infinite] } ] | [trusted-port ] }

Example:

Switch(config-ipv6-snooping)# security-level inspect

Example:

Switch(config-ipv6-snooping)# trusted-port

Enables data address gleaning, validates messages against various criteria, specifies the security level for messages.

  • (Optional) default—Sets all to default options.

  • (Optional) device-role{node] | switch}—Specifies the role of the device attached to the port. Default is node.

  • (Optional) limit address-count value—Limits the number of addresses allowed per target.

  • (Optional) no—Negates a command or sets it to defaults.

  • (Optional) protocol{dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default, is dhcp and ndp. To change the default, use the no protocol command.

  • (Optional) security-level{glean|guard|inspect}—Specifies the level of security enforced by the feature. Default is guard.

    • glean—Gleans addresses from messages and populates the binding table without any verification.
    • guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
    • inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.

  • (Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.

  • (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.

Step 4

end

Example:

Switch(config-ipv6-snooping)# exit

Exits configuration modes to Privileged EXEC mode.

Step 5

show ipv6 snooping policy policy-name

Example:

Switch#show ipv6 snooping policy example_policy

Displays the snooping policy configuration.

What to do next

Attach an IPv6 Snooping policy to interfaces or VLANs.

How to Attach an IPv6 Snooping Policy to an Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an interface or VLAN:

SUMMARY STEPS

  1. configure terminal
  2. interface Interface_type stack/module/port
  3. switchport
  4. ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  5. do show running-config

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.
Step 2

interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4

Specifies an interface type and identifier; enters the interface configuration mode.
Step 3

switchport

Example:
Switch(config-if)# switchport

Enters the Switchport mode.

Note 

To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. The command prompt displays as (config-if)# in Switchport configuration mode.

Step 4

ipv6 snooping [attach-policy policy_name [ vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids}] | vlan {vlan_id | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 snooping 

or 

Switch(config-if)# ipv6 snooping attach-policy example_policy

or
Switch(config-if)# ipv6 snooping vlan 111,112

or 

Switch(config-if)# ipv6 snooping attach-policy example_policy vlan 111,112

Attaches a custom ipv6 snooping policy to the interface or the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is, security-level guard, device-role node, protocol ndp and dhcp.

Step 5

do show running-config

Example:
Switch#(config-if)#  do show running-config

Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.

How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN:

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.

Step 2

interface range Interface_name

Example:
Switch(config)#  interface range Po11

Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

Tip 

Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3

ipv6 snooping [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if-range)# ipv6 snooping attach-policy example_policy

or

Switch(config-if-range)# ipv6 snooping attach-policy example_policy vlan 222,223,224

or 

Switch(config-if-range)#ipv6 snooping vlan 222, 223,224

Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config interfaceportchannel_interface_name

Example:
Switch#(config-if-range)#  do show running-config int po11

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Configure the IPv6 Binding Table Content

Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :

SUMMARY STEPS

  1. configure terminal
  2. [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetimevalue [seconds | default | infinite] | [tracking{ [default | disable] [ reachable-lifetimevalue [seconds | default | infinite] | [enable [reachable-lifetimevalue [seconds | default | infinite] | [retry-interval {seconds| default [reachable-lifetimevalue [seconds | default | infinite] } ]
  3. [no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limitnumber] ] ] ]
  4. ipv6 neighbor binding logging
  5. exit
  6. show ipv6 neighbor binding

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters the global configuration mode.

Step 2

[no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetimevalue [seconds | default | infinite] | [tracking{ [default | disable] [ reachable-lifetimevalue [seconds | default | infinite] | [enable [reachable-lifetimevalue [seconds | default | infinite] | [retry-interval {seconds| default [reachable-lifetimevalue [seconds | default | infinite] } ]

Example:

Switch(config)#  ipv6 neighbor binding

Adds a static entry to the binding table database.

Step 3

[no] ipv6 neighbor binding max-entries number [mac-limit number | port-limit number [mac-limit number] | vlan-limit number [ [mac-limit number] | [port-limit number [mac-limitnumber] ] ] ]

Example:

Switch(config)#  ipv6 neighbor binding max-entries 30000

Specifies the maximum number of entries that are allowed to be inserted in the binding table cache.

Step 4

ipv6 neighbor binding logging

Example:

Switch(config)# ipv6 neighbor binding logging

Enables the logging of binding table main events.

Step 5

exit

Example:

Switch(config)# exit

Exits global configuration mode, and places the router in privileged EXEC mode.

Step 6

show ipv6 neighbor binding

Example:

Switch#  show ipv6 neighbor binding

Displays contents of a binding table.

How to Configure an IPv6 Neighbor Discovery Inspection Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:

SUMMARY STEPS

  1. configure terminal
  2. [no]ipv6 nd inspection policy policy-name
  3. device-role {host | monitor | router | switch}
  4. drop-unsecure
  5. limit address-count value
  6. sec-level minimum value
  7. tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}
  8. trusted-port
  9. validate source-mac
  10. no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
  11. default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
  12. do show ipv6 nd inspection policy policy_name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters the global configuration mode.

Step 2

[no]ipv6 nd inspection policy policy-name

Example:

Switch(config)# ipv6 nd inspection policy example_policy

Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.

Step 3

device-role {host | monitor | router | switch}

Example:

Switch(config-nd-inspection)# device-role switch

Specifies the role of the device attached to the port. The default is host.

Step 4

drop-unsecure

Example:

Switch(config-nd-inspection)# drop-unsecure

Drops messages with no or invalid options or an invalid signature.

Step 5

limit address-count value

Example:

Switch(config-nd-inspection)# limit address-count 1000

Enter 1–10,000.

Step 6

sec-level minimum value

Example:

Switch(config-nd-inspection)# limit address-count 1000

Specifies the minimum security level parameter value when Cryptographically Generated Address (CGA) options are used.

Step 7

tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

Example:

Switch(config-nd-inspection)# tracking disable stale-lifetime infinite

Overrides the default tracking policy on a port.

Step 8

trusted-port

Example:

Switch(config-nd-inspection)# trusted-port

Configures a port to become a trusted port.

Step 9

validate source-mac

Example:

Switch(config-nd-inspection)# validate source-mac

Checks the source media access control (MAC) address against the link-layer address.

Step 10

no {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

Example:

Switch(config-nd-inspection)# no validate source-mac

Remove the current configuration of a parameter with the no form of the command.

Step 11

default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}

Example:

Switch(config-nd-inspection)# default limit address-count

Restores configuration to the default values.

Step 12

do show ipv6 nd inspection policy policy_name

Example:

Switch(config-nd-inspection)# do show ipv6 nd inspection policy example_policy

Verifies the ND Inspection Configuration without exiting ND inspection configuration mode.

How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface

Starting with Cisco IOS XE Amsterdam 17.1.1 the IPv6 ND Inspection feature is deprecated and the SISF- based device tracking feature replaces it. For the corresponding replacement task, see Attaching a Device Tracking Policy to an Interface under the Configuring SISF-Based Device Tracking chapter in this document.

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or VLANs on an interface :

SUMMARY STEPS

  1. configure terminal
  2. interface Interface_type stack/module/port
  3. ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  4. do show running-config

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.
Step 2

interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4

Specifies an interface type and identifier; enters the interface configuration mode.
Step 3

ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 nd inspection attach-policy example_policy

or

Switch(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224

or 

Switch(config-if)# ipv6 nd inspection vlan 222, 223,224

Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config

Example:
Switch#(config-if)#  do show running-config

Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.

How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface

Starting with Cisco IOS XE Amsterdam 17.1.1 the IPv6 ND Inspection feature is deprecated and the SISF- based device tracking feature replaces it. For the corresponding replacement task, see Attaching a Device Tracking Policy to an Interface under the Configuring SISF-Based Device Tracking chapter in this document.

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN:

SUMMARY STEPS

  1. configure terminal
  2. interface range Interface_name
  3. ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  4. do show running-config interfaceportchannel_interface_name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.

Step 2

interface range Interface_name

Example:
Switch(config)#  interface Po11

Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

Tip 

Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3

ipv6 nd inspection [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if-range)# ipv6 nd inspection attach-policy example_policy

or

Switch(config-if-range)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224

or 

Switch(config-if-range)#ipv6 nd inspection vlan 222, 223,224

Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config interfaceportchannel_interface_name

Example:
Switch#(config-if-range)#  do show running-config int po11

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Configure an IPv6 Router Advertisement Guard Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement policy :

SUMMARY STEPS

  1. configure terminal
  2. [no]ipv6 nd raguard policy policy-name
  3. [no]device-role {host | monitor | router | switch}
  4. [no]hop-limit {maximum | minimum} value
  5. [no]managed-config-flag {off | on}
  6. [no]match {ipv6 access-list list | ra prefix-list list}
  7. [no]other-config-flag {on | off}
  8. [no]router-preference maximum {high | medium | low}
  9. [no]trusted-port
  10. default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}
  11. do show ipv6 nd raguard policy policy_name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters the global configuration mode.

Step 2

[no]ipv6 nd raguard policy policy-name

Example:

Switch(config)# ipv6 nd raguard policy example_policy

Specifies the RA Guard policy name and enters RA Guard Policy configuration mode.

Step 3

[no]device-role {host | monitor | router | switch}

Example:

Switch(config-nd-raguard)# device-role switch

Specifies the role of the device attached to the port. The default is host.

Step 4

[no]hop-limit {maximum | minimum} value

Example:

Switch(config-nd-raguard)# hop-limit maximum 33

(1–255) Range for Maximum and Minimum Hop Limit values.

Enables filtering of Router Advertisement messages by the Hop Limit value. A rogue RA message may have a low Hop Limit value (equivalent to the IPv4 Time to Live) that when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA message generator. An RA message with an unspecified Hop Limit value is blocked.

If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify. Configure maximumto block RA messages with Hop Limit values greater than the value you specify.

Step 5

[no]managed-config-flag {off | on}

Example:

Switch(config-nd-raguard)# managed-config-flag on

Enables filtering of Router Advertisement messages by the Managed Address Configuration, or "M" flag field. A rouge RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

On—Accepts and forwards RA messages with an M value of 1, blocks those with 0.

Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.

Step 6

[no]match {ipv6 access-list list | ra prefix-list list}

Example:

Switch(config-nd-raguard)# match ipv6 access-list example_list

Matches a specified prefix list or access list.

Step 7

[no]other-config-flag {on | off}

Example:

Switch(config-nd-raguard)# other-config-flag on

Enables filtering of Router Advertisement messages by the Other Configuration, or "O" flag field. A rouge RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled.

On—Accepts and forwards RA messages with an O value of 1, blocks those with 0.

Off—Accepts and forwards RA messages with an O value of 0, blocks those with 1.

Step 8

[no]router-preference maximum {high | medium | low}

Example:

Switch(config-nd-raguard)# router-preference maximum high

Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled.

  • high—Accepts RA messages with the Router Preference set to high, medium, or low.

  • medium—Blocks RA messages with the Router Preference set to high.

  • low—Blocks RA messages with the Router Preference set to medium and high.

Step 9

[no]trusted-port

Example:

Switch(config-nd-raguard)# trusted-port

When configured as a trusted port, all attached devices are trusted, and no further message verification is performed.

Step 10

default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list } | other-config-flag | router-preference maximum| trusted-port}

Example:

Switch(config-nd-raguard)# default hop-limit

Restores a command to its default value.

Step 11

do show ipv6 nd raguard policy policy_name

Example:

Switch(config-nd-raguard)# do show ipv6 nd raguard policy example_policy

(Optional)—Displays the ND Guard Policy configuration without exiting the RA Guard policy configuration mode.

How to Attach an IPv6 Router Advertisement Guard Policy to an Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to an interface or to VLANs on the interface :

SUMMARY STEPS

  1. configure terminal
  2. interface Interface_type stack/module/port
  3. ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  4. do show running-config

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.
Step 2

interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4

Specifies an interface type and identifier; enters the interface configuration mode.
Step 3

ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 nd raguard attach-policy example_policy

or

Switch(config-if)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224

or 

Switch(config-if)# ipv6 nd raguard vlan 222, 223,224

Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config

Example:
Switch#(config-if)#  do show running-config

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy on an EtherChannel interface or VLAN:

SUMMARY STEPS

  1. configure terminal
  2. interface range Interface_name
  3. ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  4. do show running-config interfaceportchannel_interface_name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.

Step 2

interface range Interface_name

Example:
Switch(config)#  interface Po11

Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

Tip 

Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3

ipv6 nd raguard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy

or

Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224

or 

Switch(config-if-range)#ipv6 nd raguard vlan 222, 223,224

Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config interfaceportchannel_interface_name

Example:
Switch#(config-if-range)#  do show running-config int po11

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Configure an IPv6 DHCP Guard Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:

SUMMARY STEPS

  1. configure terminal
  2. [no]ipv6 dhcp guard policy policy-name
  3. [no]device-role {client | server}
  4. [no] match server access-list ipv6-access-list-name
  5. [no] match reply prefix-list ipv6-prefix-list-name
  6. [no]preference{ max limit | min limit }
  7. [no] trusted-port
  8. default {device-role | trusted-port}
  9. do show ipv6 dhcp guard policy policy_name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters the global configuration mode.

Step 2

[no]ipv6 dhcp guard policy policy-name

Example:

Switch(config)# ipv6 dhcp guard policy example_policy

Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode.

Step 3

[no]device-role {client | server}

Example:

Switch(config-dhcp-guard)# device-role server

(Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. Default is client.

  • client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.

  • server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.

Step 4

[no] match server access-list ipv6-access-list-name

Example:


;;Assume a preconfigured IPv6 Access List as follows:
Switch(config)# ipv6 access-list my_acls
Switch(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
 
;;configure DCHPv6 Guard to match approved access list.
Switch(config-dhcp-guard)#  match server access-list my_acls

(Optional). Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (The destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all.

Step 5

[no] match reply prefix-list ipv6-prefix-list-name

Example:


;;Assume a preconfigured IPv6 prefix list as follows:
Switch(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128

;; Configure DCHPv6 Guard to match prefix
Switch(config-dhcp-guard)#  match reply prefix-list my_prefix

(Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.

Step 6

[no]preference{ max limit | min limit }

Example:

Switch(config-dhcp-guard)# preference max 250
Switch(config-dhcp-guard)#preference min 150

Configure max and min when device-role is serverto filter DCHPv6 server advertisements by the server preference value. The defaults permit all advertisements.

max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.

min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.

Step 7

[no] trusted-port

Example:

Switch(config-dhcp-guard)# trusted-port

(Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.

Note 

If you configure a trusted port then the device-role option is not available.

Step 8

default {device-role | trusted-port}

Example:

Switch(config-dhcp-guard)# default device-role

(Optional) default—Sets a command to its defaults.

Step 9

do show ipv6 dhcp guard policy policy_name

Example:

Switch(config-dhcp-guard)# do show ipv6 dhcp guard policy example_policy

(Optional) Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 policies.

Example of DHCPv6 Guard Configuration 

enable
configure terminal
ipv6 access-list acl1
 permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128	
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
 match reply prefix-list abc
 preference min 0
 preference max 255
 trusted-port
interface GigabitEthernet 0/2/0
 switchport
 ipv6 dhcp guard attach-policy pol1 vlan add 1
 vlan 1
  ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1

How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface

Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content :

SUMMARY STEPS

  1. configure terminal
  2. interface Interface_type stack/module/port
  3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  4. do show running-config interface Interface_type stack/module/port

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.
Step 2

interface Interface_type stack/module/port

Example:
Switch(config)#  interface gigabitethernet 1/1/4

Specifies an interface type and identifier; enters the interface configuration mode.
Step 3

ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if)# ipv6 dhcp guard attach-policy example_policy

or

Switch(config-if)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224

or 

Switch(config-if)# ipv6 dhcp guard vlan 222, 223,224

Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config interface Interface_type stack/module/port

Example:
Switch#(config-if)#  do show running-config gig 1/1/4

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface

Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy on an EtherChannel interface or VLAN:

SUMMARY STEPS

  1. configure terminal
  2. interface range Interface_name
  3. ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]
  4. do show running-config interfaceportchannel_interface_name

DETAILED STEPS

  Command or Action Purpose
Step 1

configure terminal

Example:
Switch# configure terminal

Enters the global configuration mode.

Step 2

interface range Interface_name

Example:
Switch(config)#  interface Po11

Specify the port-channel interface name assigned when the EtherChannel was created. Enters the interface range configuration mode.

Tip 

Enter the do show interfaces summary command for quick reference to interface names and types.

Step 3

ipv6 dhcp guard [attach-policy policy_name [ vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all} ] | vlan [ {vlan_ids | add vlan_ids | exceptvlan_ids | none | remove vlan_ids | all} ]

Example:
Switch(config-if-range)# ipv6 dhcp guard attach-policy example_policy

or

Switch(config-if-range)# ipv6 dhcp guard attach-policy example_policy vlan 222,223,224

or 

Switch(config-if-range)#ipv6 dhcp guard vlan 222, 223,224

Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.

Step 4

do show running-config interfaceportchannel_interface_name

Example:
Switch#(config-if-range)#  do show running-config int po11

Confirms that the policy is attached to the specified interface without exiting the configuration mode.

Displaying IPv6

For complete syntax and usage information on these commands, see the Cisco IOS command reference publications.

Table 2. Command for Monitoring IPv6

Command

Purpose

show ipv6 access-list

Displays a summary of access lists.

show ipv6 cef

Displays Cisco Express Forwarding for IPv6.

show ipv6 interface interface-id

Displays IPv6 interface status and configuration.

show ipv6 mtu

Displays IPv6 MTU per destination cache.

show ipv6 neighbors

Displays IPv6 neighbor cache entries.

show ipv6 prefix-list

Displays a list of IPv6 prefix lists.

show ipv6 protocols

Displays a list of IPv6 routing protocols on the switch.

show ipv6 rip

Displays IPv6 RIP routing protocol status.

show ipv6 route

Displays IPv6 route table entries.

show ipv6 static

Displays IPv6 static routes.

show ipv6 traffic

Displays IPv6 traffic statistics.

Configuration Examples for IPv6 Unicast Routing

Configuring IPv6 Addressing and Enabling IPv6 Routing: Example

This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64. The EUI-64 interface ID is used in the low-order 64 bits of both addresses. Output from the show ipv6 interface EXEC command is included to show how the interface ID (20B:46FF:FE2F:D940) is appended to the link-local prefix FE80::/64 of the interface. 


Switch(config)# ipv6 unicast-routing
Switch(config)# interface gigabitethernet0/11

Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui 64
Switch(config-if)# end
Switch# show ipv6 interface gigabitethernet0/11
GigabitEthernet0/11 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
  2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

Configuring IPv6 ICMP Rate Limiting: Example

This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens.


Switch(config)#ipv6 icmp error-interval 50 20

Configuring Static Routing for IPv6: Example

This example shows how to configure a floating static route to an interface with an administrative distance of 130:


Switch(config)# ipv6 route 2001:0DB8::/32 gigabitethernet 1/0/1 130

Displaying IPv6: Example

This is an example of the output from the show ipv6 interface privileged EXEC command: 


Switch# show ipv6 interface
Vlan1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
    3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
<output truncated>