The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following prerequisites are applicable when configuring IPv6 neighbor discovery proxy:
Ensure that IPv6 is enabled on the Switch Virtual Interface (SVI).
When you configure Duplicate Address Detection (DAD) proxy, ensure that device tracking is configured on the device.
IPv6 routing proxy is not supported on layer 3 interfaces.
The IPv6 DAD proxy and routing proxy features are not supported on etherchannel ports.
IPv6 neighbor discovery proxy restricts IPv6 hosts within a VLAN from communicating directly with each other and allows them to communicate only via the gateway. A device operating as an IPv6 neighbor discovery proxy responds to packets on behalf of the target.
IPv6 neighbor discovery proxy operations are achieved using the following implementations:
IPv6 Routing-Proxy
A device operating as an IPv6 routing proxy listens to all neighbor discovery proxy messages sent on the link and responds unconditionally to neighbor solicitation lookup and neighbor-unreachability-detection messages with neighbor advertisement (setting the SVI MAC address in the TLLA option) on behalf of the destination hosts to attract the traffic to itself.
IPv6 DAD Proxy
IPv6 DAD proxy feature responds to DAD queries on behalf of a node that owns the queried address. IPv6 DAD proxy depends on a device tracking database to ensure uniqueness of IPv6 addresses.
When receiving a DAD request from a host for a target, the DAD proxy performs a lookup into the binding table, and if the lookup returns a location, it sends an neighbor solicitation neighbor-unreachability-detection message to verify that the target is still alive.
If the target replies to the neighbor-unreachability-detection message, the DAD proxy sends back an neighbor advertisement to the host (setting the SVI MAC address in the TLLA option).
If the device does not respond to the neighbor-unreachability-detection message, the DAD proxy does not send any response to DAD request.
Device# enable
Device# configure terminal
Device(config)# interface vlan vlan-id
Device(config-if)# no ipv6 redirects
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 address ipv6-addressTo configure IPv6 routing proxy in VLAN configuration mode, follow this procedure:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
vlan configuration vlan-id Example: |
Enters the VLAN configuration mode. This mode allows you to name, set the state, disable, and shut down the VLAN or range of VLANs. |
|
Step 4 |
[no] ipv6 nd routing-proxy Example: |
Specifies if the neighbor discovery suppress must operate in routing proxy mode. |
|
Step 5 |
end Example: |
Exits VLAN configuration mode and returns to privileged EXEC mode. |
Device# enable
Device# configure terminal
Device(config)# interface vlan vlan-id
Device(config-if)# no ipv6 redirects
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 address ipv6-addressTo configure IPv6 routing proxy on an interface, follow this procedure:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
interface interface-id Example: |
Specifies an interface type and number, and enters interface configuration mode. |
|
Step 4 |
switchport access vlan vlan-id Example: |
Assigns the port or range of ports into access ports. |
|
Step 5 |
switchport mode access Example: |
Specifies which VLAN the interface belongs. |
|
Step 6 |
[no] ipv6 nd routing-proxy Example: |
Specifies if the neighbor discovery suppress must operate in routing proxy mode. |
|
Step 7 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
Device# enable
Device# configure terminal
Device(config)# interface vlan vlan-id
Device(config-if)# no ipv6 redirects
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 address ipv6-addressAttach a device tracking policy to the VLAN. For detailed steps, see the Configuring Switch Integrated Security Features chapter of the Security Configuration Guide.
To configure IPv6 DAD proxy in VLAN configuration mode, follow this procedure:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
vlan configuration vlan-id Example: |
Enters the VLAN configuration mode. This mode allows you to name, set the state, disable, and shut down the VLAN or range of VLANs. |
|
Step 4 |
[no] ipv6 nd dad-proxy Example: |
Specifies if the neighbor discovery suppress must operate in DAD proxy mode. |
|
Step 5 |
end Example: |
Exits VLAN configuration mode and returns to privileged EXEC mode. |
Device# enable
Device# configure terminal
Device(config)# interface vlan vlan-id
Device(config-if)# no ipv6 redirects
Device(config-if)# ipv6 enable
Device(config-if)# ipv6 address ipv6-addressAttach a device tracking policy to the layer 2 interface. For detailed steps, see the Configuring Switch Integrated Security Features chapter of the Security Configuration Guide.
To configure IPv6 DAD proxy on an interface, follow this procedure:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
interface interface-id Example: |
Specifies an interface type and number, and enters interface configuration mode. |
|
Step 4 |
switchport access vlan vlan-id Example: |
Assigns the port or range of ports into access ports. |
|
Step 5 |
switchport mode access Example: |
Specifies which VLAN the interface belongs. |
|
Step 6 |
[no] ipv6 nd dad-proxy Example: |
Specifies if the neighbor discovery suppress must operate in DAD proxy mode. |
|
Step 7 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
Use the privileged EXEC or user EXEC commands in the table below to verify IPv6 neighbor discovery proxy information.
|
Commands |
Description |
|---|---|
|
show flooding-suppression |
Displays flooding suppress policy (DAD proxy) configuration, and all the applied targets. |
|
show ipv6 nd routing-proxy |
Displays routing proxy default configuration, and all the applied targets . |
|
show device-tracking policies |
Displays device-tracking policy configuration, and all the applied targets. |
The following example shows the configuration of IPv6 routing proxy on a VLAN:
Device> enable
Device# configure terminal
Device(config)# vlan configuration 15
Device(config-vlan)# ipv6 nd routing-proxy
Device(config-vlan)# end
The following example shows the configuration of IPv6 DAD proxy on a VLAN:
Device> enable
Device# configure terminal
Device(config)# vlan configuration 15
Device(config-vlan)# ipv6 nd dad-proxy
Device(config-vlan)# end
The following example shows the output of the show flooding-suppression command in privileged EXEC mode:
Device# show flooding-suppression
Flooding suppress policy DAD_PROXY configuration:
Suppressing NDP
mode:DAD proxy- RFC6957
Policy DAD_PROXY is applied on the following targets:
Target Type Policy Feature Target range
vlan 15 VLAN DAD_PROXY Flooding Suppress vlan allThe following example shows the output of the show ipv6 nd routing-proxy command in privileged EXEC mode:
Device# show ipv6 nd routing-proxy
Routing Proxy default configuration:
Proxying NDP
Policy default is applied on the following targets:
Target Type Policy Feature Target range
vlan 15 VLAN default Routing Proxy vlan allThis table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
|
Release |
Feature |
Feature Information |
|---|---|---|
|
Cisco IOS XE 17.13.1 |
IPv6 Neighbor Discovery Proxy |
Support for IPv6 Neighbor Discovery Proxy was introduced on all models of Cisco Catalyst 9300 Series Switches. |
Use Cisco Feature Navigator to find information about platform and software image support.
Feedback