Prerequisites for First Hop Security in IPv6
You have configured the necessary IPv6 enabled SDM template.
The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
A physical port with an FHS policy attached cannot join an EtherChannel group.
An FHS policy cannot be attached to a physical port while it is a member of an EtherChannel group.
By default, a snooping policy has a security-level of guard. When such a snooping policy is configured on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do one of the following:
Apply an IPv6 RA-guard policy (for RA) or an IPv6 DHCP-guard policy (for DHCP server messages) on the uplink port.
Configure a snooping policy with a lower security-level, for example glean or inspect. However, configuring a lower security level is not recommended with such a snooping policy, because the benefits of the First Hop Security features are then lost.
Host and Guard configuration on the same node is not supported.
For DHCPv6 guard to work, an SVI must be configured on the corresponding VLAN on the same switch.
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as was specified. The following IPv6 policies are currently supported:
IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.
Note: The IPv6 Snooping Policy feature is deprecated and the Switch Integrated Security Feature (SISF)-based device tracking feature replaces it. While the IPv6 Snooping Policy commands are still available on the CLI and the existing configuration continues to be supported, the commands will be removed from the CLI in a later release. For more information about the replacement feature, see the Configuring SISF-Based Device Tracking chapter in this guide.
IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding, table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
Note: The IPv6 FHS Binding Table Content feature is supported through SISF-based device tracking. For more information, see the Configuring SISF-Based Device Tracking chapter in this guide.
IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database; IPv6 neighbor discovery messages that do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on DAD, address resolution, router discovery, and the neighbor cache.
Note: Starting with Cisco IOS XE Amsterdam 17.1.1, the IPv6 ND Inspection feature is deprecated and the SISF-based device tracking feature replaces it. While the IPv6 ND Inspection commands are still available on the CLI and the existing configuration continues to be supported, the commands will be removed from the CLI in a later release. For more information about the replacement feature, see the Configuring SISF-Based Device Tracking chapter in this guide.
IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) Guard feature enables the network administrator to block or reject unwanted or rogue RA messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA Guard feature compares configuration information on the Layer 2 device with the information found in the received RA frame. Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages from being entered in the binding table and block DHCPv6 server messages when they are received on ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature, configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.
The IPv6 Snooping Policy feature has been deprecated. Although the commands are visible on the CLI and you can configure them, we recommend that you use the Switch Integrated Security Feature (SISF)-based Device Tracking feature instead.
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | ipv6 snooping policy policy-name | Creates a snooping policy and enters IPv6 Snooping Policy configuration mode. |
| 3 | {[default] \| [device-role {node \| switch}] \| [limit address-count value] \| [no] \| [protocol {dhcp \| ndp}] \| [security-level {glean \| guard \| inspect}] \| [tracking {disable [stale-lifetime [seconds \| infinite]] \| enable [reachable-lifetime [seconds \| infinite]]}] \| [trusted-port]} | Enables data address gleaning, validates messages against various criteria, and specifies the security level for messages. |
| 4 | end | Exits configuration modes and returns to privileged EXEC mode. |
| 5 | show ipv6 snooping policy policy-name | Displays the snooping policy configuration. |
Attach an IPv6 Snooping policy to interfaces or VLANs.
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an interface or VLAN:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface Interface_type stack/module/port | Specifies an interface type and identifier; enters interface configuration mode. |
| 3 | switchport | Enters switchport mode. |
| 4 | ipv6 snooping [attach-policy policy_name [vlan {vlan_id \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids}] \| vlan {vlan_id \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] | Attaches a custom IPv6 snooping policy to the interface or to the specified VLANs on the interface. To attach the default policy to the interface, use the ipv6 snooping command without the attach-policy keyword. To attach the default policy to VLANs on the interface, use the ipv6 snooping vlan command. The default policy is security-level guard, device-role node, protocol ndp and dhcp. |
| 5 | do show running-config | Verifies that the policy is attached to the specified interface without exiting interface configuration mode. |
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface range Interface_name | Specifies the port-channel interface name assigned when the EtherChannel was created; enters interface range configuration mode. |
| 3 | ipv6 snooping [attach-policy policy_name [vlan {vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] \| vlan [{vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}]] | Attaches the IPv6 Snooping policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config interface portchannel_interface_name | Confirms that the policy is attached to the specified interface without exiting configuration mode. |
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | vlan configuration vlan_list | Specifies the VLANs to which the IPv6 Snooping policy will be attached; enters VLAN interface configuration mode. |
| 3 | ipv6 snooping [attach-policy policy_name] | Attaches the IPv6 Snooping policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is security-level guard, device-role node, protocol ndp and dhcp. |
| 4 | do show running-config | Verifies that the policy is attached to the specified VLANs without exiting VLAN configuration mode. |
Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address interface interface_type stack/module/port hw_address [reachable-lifetime value [seconds \| default \| infinite] \| tracking {[default \| disable] [reachable-lifetime value [seconds \| default \| infinite]] \| enable [reachable-lifetime value [seconds \| default \| infinite]] \| retry-interval {seconds \| default [reachable-lifetime value [seconds \| default \| infinite]]}}]}] | Adds a static entry to the binding table database. |
| 3 | [no] ipv6 neighbor binding max-entries number [mac-limit number \| port-limit number [mac-limit number] \| vlan-limit number [[mac-limit number] \| [port-limit number [mac-limit number]]]] | Specifies the maximum number of entries that are allowed to be inserted in the binding table cache. |
| 4 | ipv6 neighbor binding logging | Enables logging of binding table main events. |
| 5 | exit | Exits global configuration mode and returns to privileged EXEC mode. |
| 6 | show ipv6 neighbor binding | Displays the contents of the binding table. |
Starting with 17.1.1, the IPv6 ND Inspection feature is deprecated and the SISF-based device tracking feature replaces it. For the corresponding replacement task, see Creating a Custom Device Tracking Policy with Custom Settings under the Configuring SISF-Based Device Tracking chapter in this document.
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 ND Inspection Policy:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | [no] ipv6 nd inspection policy policy-name | Specifies the ND Inspection policy name and enters ND Inspection Policy configuration mode. |
| 3 | device-role {host \| switch} | Specifies the role of the device attached to the port. The default is host. |
| 4 | limit address-count value | Specifies the address-count limit; enter a value from 1 to 10,000. |
| 5 | tracking {enable [reachable-lifetime {value \| infinite}] \| disable [stale-lifetime {value \| infinite}]} | Overrides the default tracking policy on a port. |
| 6 | trusted-port | Configures a port to become a trusted port. |
| 7 | validate source-mac | Checks the source media access control (MAC) address against the link-layer address. |
| 8 | no {device-role \| limit address-count \| tracking \| trusted-port \| validate source-mac} | Removes the current configuration of a parameter with the no form of the command. |
| 9 | default {device-role \| limit address-count \| tracking \| trusted-port \| validate source-mac} | Restores the configuration to the default values. |
| 10 | do show ipv6 nd inspection policy policy_name | Verifies the ND Inspection configuration without exiting ND Inspection configuration mode. |
Starting with 17.1.1, the IPv6 ND Inspection feature is deprecated and the SISF-based device tracking feature replaces it. For the corresponding replacement task, see Attaching a Device Tracking Policy to an Interface under the Configuring SISF-Based Device Tracking chapter in this document.
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to an interface or to VLANs on an interface:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface Interface_type stack/module/port | Specifies an interface type and identifier; enters interface configuration mode. |
| 3 | ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] \| vlan [{vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}]] | Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config | Verifies that the policy is attached to the specified interface without exiting interface configuration mode. |
Starting with 17.1.1, the IPv6 ND Inspection feature is deprecated and the SISF-based device tracking feature replaces it. For the corresponding replacement task, see Attaching a Device Tracking Policy to an Interface under the Configuring SISF-Based Device Tracking chapter in this document.
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface range Interface_name | Specifies the port-channel interface name assigned when the EtherChannel was created; enters interface range configuration mode. |
| 3 | ipv6 nd inspection [attach-policy policy_name [vlan {vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] \| vlan [{vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}]] | Attaches the ND Inspection policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config interface portchannel_interface_name | Confirms that the policy is attached to the specified interface without exiting configuration mode. |
Starting with 17.1.1, the IPv6 ND Inspection feature is deprecated and the SISF-based device tracking feature replaces it. For the corresponding replacement task, see Attaching a Device Tracking Policy to a VLAN under the Configuring SISF-Based Device Tracking chapter in this document.
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | vlan configuration vlan_list | Specifies the VLANs to which the IPv6 ND Inspection policy will be attached; enters VLAN interface configuration mode. |
| 3 | ipv6 nd inspection [attach-policy policy_name] | Attaches the IPv6 ND Inspection policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is device-role host, no drop-unsecure, limit address-count disabled, sec-level minimum disabled, tracking disabled, no trusted-port, no validate source-mac. |
| 4 | do show running-config | Confirms that the policy is attached to the specified VLANs without exiting configuration mode. |
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Router Advertisement Guard policy:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | [no] ipv6 nd raguard policy policy-name | Specifies the RA Guard policy name and enters RA Guard Policy configuration mode. |
| 3 | [no] device-role {host \| monitor \| router \| switch} | Specifies the role of the device attached to the port. The default is host. |
| 4 | [no] hop-limit {maximum \| minimum} value | Enables filtering of Router Advertisement messages by the Hop Limit value; the range for both maximum and minimum is 1 to 255. A rogue RA message may carry a low Hop Limit value (equivalent to the IPv4 Time to Live) that, when accepted by the host, prevents the host from generating traffic to destinations beyond the rogue RA sender. An RA message with an unspecified Hop Limit value is blocked. If not configured, this filter is disabled. Configure minimum to block RA messages with Hop Limit values lower than the value you specify; configure maximum to block RA messages with Hop Limit values greater than the value you specify. |
| 5 | [no] managed-config-flag {off \| on} | Enables filtering of Router Advertisement messages by the Managed Address Configuration ("M") flag field. A rogue RA message with an M field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled. on: accepts and forwards RA messages with an M value of 1 and blocks those with 0. off: accepts and forwards RA messages with an M value of 0 and blocks those with 1. |
| 6 | [no] match {ipv6 access-list list \| ra prefix-list list} | Matches a specified prefix list or access list. |
| 7 | [no] other-config-flag {on \| off} | Enables filtering of Router Advertisement messages by the Other Configuration ("O") flag field. A rogue RA message with an O field of 1 can cause a host to use a rogue DHCPv6 server. If not configured, this filter is disabled. on: accepts and forwards RA messages with an O value of 1 and blocks those with 0. off: accepts and forwards RA messages with an O value of 0 and blocks those with 1. |
| 8 | [no] router-preference maximum {high \| medium \| low} | Enables filtering of Router Advertisement messages by the Router Preference flag. If not configured, this filter is disabled. |
| 9 | [no] trusted-port | When configured as a trusted port, all attached devices are trusted, and no further message verification is performed. |
| 10 | default {device-role \| hop-limit {maximum \| minimum} \| managed-config-flag \| match {ipv6 access-list \| ra prefix-list} \| other-config-flag \| router-preference maximum \| trusted-port} | Restores a command to its default value. |
| 11 | do show ipv6 nd raguard policy policy_name | (Optional) Displays the RA Guard policy configuration without exiting RA Guard policy configuration mode. |
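As an added example that is not part of this guide or of Cisco's code, the following Python models the RA Guard decision the table above describes: it parses the fixed ICMPv6 Router Advertisement header and applies device-role, trusted-port, hop-limit minimum/maximum, managed-config-flag, other-config-flag and router-preference maximum in that order. The match access-list/prefix-list step is not modelled, and every policy value and packet below is constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

RA_TYPE = 134  # ICMPv6 Router Advertisement (RFC 4861)
# RFC 4191 router preference, bits 4-3 of the RA flags byte; 0b10 is reserved
PRF_CODES = {0b01: "high", 0b00: "medium", 0b11: "low"}
PRF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int          # 0 means "unspecified"
    managed: bool               # M flag
    other: bool                 # O flag
    router_pref: Optional[str]  # None when the reserved encoding is used


def parse_ra(icmpv6: bytes) -> RouterAdvertisement:
    """Parse the 16-byte fixed ICMPv6 RA header; options are ignored here."""
    if len(icmpv6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _csum, hop_limit, flags, _lifetime = struct.unpack("!BBHBBH", icmpv6[:8])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    return RouterAdvertisement(
        cur_hop_limit=hop_limit,
        managed=bool(flags & 0x80),
        other=bool(flags & 0x40),
        router_pref=PRF_CODES.get((flags >> 3) & 0b11),
    )


@dataclass
class RaGuardPolicy:
    """Hypothetical model of the policy keywords from the table above."""
    device_role: str = "host"                  # host | monitor | router | switch
    trusted_port: bool = False
    hop_limit_minimum: Optional[int] = None    # None = filter not configured
    hop_limit_maximum: Optional[int] = None
    managed_config_flag: Optional[str] = None  # "on" | "off" | None
    other_config_flag: Optional[str] = None
    router_preference_maximum: Optional[str] = None  # high | medium | low


def evaluate(policy: RaGuardPolicy, icmpv6: bytes) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one RA received under the policy."""
    if policy.trusted_port:
        return "forward", "trusted-port: no further verification"
    if policy.device_role == "host":
        return "drop", "device-role host: RAs are not allowed on this port"
    ra = parse_ra(icmpv6)
    if policy.hop_limit_minimum is not None or policy.hop_limit_maximum is not None:
        if ra.cur_hop_limit == 0:
            return "drop", "hop-limit unspecified"
        if policy.hop_limit_minimum is not None and ra.cur_hop_limit < policy.hop_limit_minimum:
            return "drop", f"hop-limit {ra.cur_hop_limit} below minimum"
        if policy.hop_limit_maximum is not None and ra.cur_hop_limit > policy.hop_limit_maximum:
            return "drop", f"hop-limit {ra.cur_hop_limit} above maximum"
    if policy.managed_config_flag is not None and ra.managed != (policy.managed_config_flag == "on"):
        return "drop", "managed-config-flag mismatch"
    if policy.other_config_flag is not None and ra.other != (policy.other_config_flag == "on"):
        return "drop", "other-config-flag mismatch"
    if policy.router_preference_maximum is not None:
        limit = PRF_RANK[policy.router_preference_maximum]
        if ra.router_pref is None or PRF_RANK[ra.router_pref] > limit:
            return "drop", "router-preference above maximum"
    return "forward", "all configured checks passed"


def build_ra(hop_limit: int, managed: bool, other: bool, pref_code: int) -> bytes:
    """Construct a minimal RA header (checksum left zero); sample data, not a capture."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | ((pref_code & 0b11) << 3)
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, hop_limit, flags, 1800, 0, 0)


# Constructed samples: what a legitimate uplink router sends, and a rogue RA
# that combines a low hop limit, M=1 and a high router preference.
LEGIT_RA = build_ra(hop_limit=64, managed=False, other=False, pref_code=0b00)
ROGUE_RA = build_ra(hop_limit=2, managed=True, other=True, pref_code=0b01)

# Uplink policy: router-facing port, SLAAC only (M off), hop limit at least 32.
UPLINK_POLICY = RaGuardPolicy(device_role="router", hop_limit_minimum=32,
                              managed_config_flag="off", router_preference_maximum="medium")
HOST_POLICY = RaGuardPolicy()  # default device-role host drops every RA

if __name__ == "__main__":
    for name, ra in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(f"{name}: uplink={evaluate(UPLINK_POLICY, ra)} host={evaluate(HOST_POLICY, ra)}")
```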
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard policy to an interface or to VLANs on the interface:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface Interface_type stack/module/port | Specifies an interface type and identifier; enters interface configuration mode. |
| 3 | ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] \| vlan [{vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}]] | Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config | Confirms that the policy is attached to the specified interface without exiting configuration mode. |
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy on an EtherChannel interface or VLAN:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface range Interface_name | Specifies the port-channel interface name assigned when the EtherChannel was created; enters interface range configuration mode. |
| 3 | ipv6 nd raguard [attach-policy policy_name [vlan {vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] \| vlan [{vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}]] | Attaches the RA Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config interface portchannel_interface_name | Confirms that the policy is attached to the specified interface without exiting configuration mode. |
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | vlan configuration vlan_list | Specifies the VLANs to which the IPv6 RA Guard policy will be attached; enters VLAN interface configuration mode. |
| 3 | ipv6 nd raguard [attach-policy policy_name] | Attaches the IPv6 RA Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config | Confirms that the policy is attached to the specified VLANs without exiting configuration mode. |
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 DHCP (DHCPv6) Guard policy:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | [no] ipv6 dhcp guard policy policy-name | Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode. |
| 3 | [no] device-role {client \| server} | (Optional) Filters out DHCPv6 replies and DHCPv6 advertisements on the port that are not from a device of the specified role. The default is client. |
| 4 | [no] match server access-list ipv6-access-list-name | (Optional) Enables verification that the advertised DHCPv6 server or relay address is permitted by the authorized server access list (the destination address in the access list is any). If not configured, this check is bypassed. An empty access list is treated as permit all. |
| 5 | [no] match reply prefix-list ipv6-prefix-list-name | (Optional) Enables verification of the prefixes advertised in DHCPv6 reply messages against the configured authorized prefix list. If not configured, this check is bypassed. An empty prefix list is treated as permit. |
| 6 | [no] preference {max limit \| min limit} | Configure max and min when device-role is server to filter DHCPv6 server advertisements by the server preference value. The defaults permit all advertisements. max limit (0 to 255): (Optional) enables verification that the advertised preference (in the preference option) is less than the specified limit; the default is 255. min limit (0 to 255): (Optional) enables verification that the advertised preference (in the preference option) is greater than the specified limit; the default is 0. If not specified, the corresponding check is bypassed. |
| 7 | [no] trusted-port | (Optional) Sets the port to trusted mode. No further policing takes place on the port. |
| 8 | default {device-role \| trusted-port} | (Optional) Sets a command to its default. |
| 9 | do show ipv6 dhcp guard policy policy_name | (Optional) Displays the configuration of the IPv6 DHCP Guard policy without leaving the configuration submode. Omitting the policy_name variable displays all DHCPv6 Guard policies. |
The following example shows how to configure a DHCPv6 Guard policy and attach it to an interface and to a VLAN:
```
enable
configure terminal
ipv6 access-list acl1
permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
ipv6 dhcp guard policy pol1
device-role server
match server access-list acl1
match reply prefix-list abc
preference min 0
preference max 255
trusted-port
interface GigabitEthernet 0/2/0
switchport
ipv6 dhcp guard attach-policy pol1 vlan add 1
vlan 1
ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1
```
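As an added example that is not part of this guide or of Cisco's code, the following Python models the DHCPv6 Guard checks configured above (device-role, trusted-port, match server access-list, match reply prefix-list and preference min/max) against constructed Advertise and Reply messages. The access list and prefix list are modelled as plain lists of permitted prefixes, the preference limits are treated as inclusive bounds (an assumption), and pol1 is reused without its trusted-port line so that the remaining checks actually run.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ADVERTISE, REPLY = 2, 7                          # server-originated DHCPv6 message types
OPT_IA_NA, OPT_IAADDR, OPT_PREFERENCE = 3, 5, 7  # option codes (RFC 8415)


def iter_options(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, data) for a DHCPv6 option list; a truncated option ends parsing."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[off:off + 4])
        data = buf[off + 4:off + 4 + length]
        if len(data) < length:
            break
        yield code, data
        off += 4 + length


def leased_addresses(options: bytes) -> Iterator[ipaddress.IPv6Address]:
    """Addresses carried in IAADDR sub-options of IA_NA options (what a Reply leases)."""
    for code, data in iter_options(options):
        if code == OPT_IA_NA and len(data) >= 12:            # IAID, T1, T2, then sub-options
            for sub, sdata in iter_options(data[12:]):
                if sub == OPT_IAADDR and len(sdata) >= 24:    # address, preferred, valid
                    yield ipaddress.IPv6Address(sdata[:16])


@dataclass
class DhcpGuardPolicy:
    """Hypothetical model of the policy keywords in the table above."""
    device_role: str = "client"                    # client | server
    trusted_port: bool = False
    server_acl: Optional[List[str]] = None         # permitted source prefixes; None = not configured
    reply_prefix_list: Optional[List[str]] = None  # permitted leased prefixes; None = not configured
    preference_max: int = 255
    preference_min: int = 0


def in_list(addr: ipaddress.IPv6Address, prefixes: List[str]) -> bool:
    return any(addr in ipaddress.IPv6Network(p) for p in prefixes)


def evaluate(policy: DhcpGuardPolicy, src: str, msg: bytes) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for a DHCPv6 message seen on the port."""
    msg_type = msg[0]
    if msg_type not in (ADVERTISE, REPLY):
        return "forward", "client message: not policed by DHCP guard"
    if policy.trusted_port:
        return "forward", "trusted-port: no further policing"
    if policy.device_role != "server":
        return "drop", "server message on a client-role port"
    # Empty lists are treated as permit, as the table states; None means the check is bypassed.
    if policy.server_acl and not in_list(ipaddress.IPv6Address(src), policy.server_acl):
        return "drop", f"source {src} not permitted by server access-list"
    options = msg[4:]                              # msg-type (1) + transaction-id (3)
    pref = 0                                       # preference defaults to 0 when absent
    for code, data in iter_options(options):
        if code == OPT_PREFERENCE and len(data) == 1:
            pref = data[0]
    if pref > policy.preference_max:
        return "drop", f"preference {pref} above max {policy.preference_max}"
    if pref < policy.preference_min:
        return "drop", f"preference {pref} below min {policy.preference_min}"
    if msg_type == REPLY and policy.reply_prefix_list:
        for addr in leased_addresses(options):
            if not in_list(addr, policy.reply_prefix_list):
                return "drop", f"leased address {addr} outside reply prefix-list"
    return "forward", "all configured checks passed"


def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def build_server_msg(msg_type: int, addr: str, pref: int) -> bytes:
    """Construct an Advertise/Reply with one IA_NA lease and a preference option (sample data)."""
    iaaddr = option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", 3600, 7200))
    ia_na = option(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + iaaddr)
    return bytes([msg_type, 0x00, 0x00, 0x01]) + ia_na + option(OPT_PREFERENCE, bytes([pref]))


# pol1 from the example above, minus trusted-port (which would bypass every check).
POL1 = DhcpGuardPolicy(device_role="server",
                       server_acl=["FE80::A8BB:CCFF:FE01:F700/128"],
                       reply_prefix_list=["2001:DB8::/64"],
                       preference_min=0, preference_max=255)
AUTHORIZED_SERVER = "fe80::a8bb:ccff:fe01:f700"

if __name__ == "__main__":
    print(evaluate(POL1, AUTHORIZED_SERVER, build_server_msg(REPLY, "2001:db8::10", 50)))
    print(evaluate(POL1, "fe80::bad", build_server_msg(ADVERTISE, "2001:db8::10", 50)))
    print(evaluate(POL1, AUTHORIZED_SERVER, build_server_msg(REPLY, "2001:db8:ffff::1", 50)))
```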
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | vlan configuration vlan_list | Specifies the VLANs to which the IPv6 DHCP Guard policy will be attached; enters VLAN interface configuration mode. |
| 3 | ipv6 dhcp guard [attach-policy policy_name] | Attaches the IPv6 DHCP Guard policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used. The default policy is device-role client, no trusted-port. |
| 4 | do show running-config | Confirms that the policy is attached to the specified VLANs without exiting configuration mode. |
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy on an EtherChannel interface or VLAN:
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface range Interface_name | Specifies the port-channel interface name assigned when the EtherChannel was created; enters interface range configuration mode. |
| 3 | ipv6 dhcp guard [attach-policy policy_name [vlan {vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}] \| vlan [{vlan_ids \| add vlan_ids \| except vlan_ids \| none \| remove vlan_ids \| all}]] | Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used. |
| 4 | do show running-config interface portchannel_interface_name | Confirms that the policy is attached to the specified interface without exiting configuration mode. |
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | [no] ipv6 source-guard policy policy_name | Specifies the IPv6 Source Guard policy name and enters IPv6 Source Guard policy configuration mode. |
| 3 | [deny global-autoconf] [permit link-local] [default {...}] [exit] [no {...}] | (Optional) Defines the IPv6 Source Guard policy. |
| 4 | end | Exits IPv6 Source Guard policy configuration mode. |
| 5 | show ipv6 source-guard policy policy_name | Shows the policy configuration and all the interfaces where the policy is applied. |
Apply the IPv6 Source Guard policy to an interface.
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface Interface_type stack/module/port | Specifies an interface type and identifier; enters interface configuration mode. |
| 3 | ipv6 source-guard [attach-policy policy_name] | Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used. |
| 4 | show ipv6 source-guard policy policy_name | Shows the policy configuration and all the interfaces where the policy is applied. |
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface port-channel port-channel-number | Specifies an interface type and port number and places the switch in port-channel configuration mode. |
| 3 | ipv6 source-guard [attach-policy policy_name] | Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used. |
| 4 | show ipv6 source-guard policy policy_name | Shows the policy configuration and all the interfaces where the policy is applied. |
Note: To allow routing protocol control packets sourced by a link-local address when prefix guard is applied, enable the permit link-local command in source-guard policy configuration mode.
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | [no] ipv6 source-guard policy source-guard-policy | Defines an IPv6 source-guard policy name and enters switch integrated security features source-guard policy configuration mode. |
| 2 | [no] validate address | Disables the validate address feature so that the IPv6 prefix guard feature can be configured. |
| 3 | validate prefix | Enables IPv6 source guard to perform the IPv6 prefix-guard operation. |
| 4 | exit | Exits switch integrated security features source-guard policy configuration mode and returns to privileged EXEC mode. |
| 5 | show ipv6 source-guard policy [source-guard-policy] | Displays the IPv6 source-guard policy configuration. |
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface Interface_type stack/module/port | Specifies an interface type and identifier; enters interface configuration mode. |
| 3 | ipv6 source-guard attach-policy policy_name | Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used. |
| 4 | show ipv6 source-guard policy policy_name | Shows the policy configuration and all the interfaces where the policy is applied. |
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | configure terminal | Enters global configuration mode. |
| 2 | interface port-channel port-channel-number | Specifies an interface type and port number and places the switch in port-channel configuration mode. |
| 3 | ipv6 source-guard [attach-policy policy_name] | Attaches the IPv6 Source Guard policy to the interface. The default policy is attached if the attach-policy option is not used. |
| 4 | show ipv6 source-guard policy policy_name | Shows the policy configuration and all the interfaces where the policy is applied. |
The following example shows how to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface:
```
Switch# configure terminal
Switch(config)# ipv6 source-guard policy POL
Switch(config-sisf-sourceguard)# validate address
Switch(config-sisf-sourceguard)# exit
Switch(config)# interface Po4
Switch(config-if)# ipv6 snooping
Switch(config-if)# ipv6 source-guard attach-policy POL
Switch(config-if)# exit
Switch(config)#
```
The following example shows how to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface:
```
Switch# configure terminal
Switch(config)# ipv6 source-guard policy POL
Switch(config-sisf-sourceguard)# no validate address
Switch(config-sisf-sourceguard)# validate prefix
Switch(config-sisf-sourceguard)# exit
Switch(config)# interface Po4
Switch(config-if)# ipv6 snooping
Switch(config-if)# ipv6 source-guard attach-policy POL
```