Cisco Catalyst 2960-X Security Configuration Manual page 467

Cisco IOS Release 15.0(2)EX
Configuring IPv6 First Hop Security
How to Configure an IPv6 Snooping Policy

Step 2
Command or Action: ipv6 snooping policy policy-name
Example:
Switch(config)# ipv6 snooping policy example_policy
Purpose: Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.

Step 3
Command or Action: {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite]] | enable [reachable-lifetime [seconds | infinite]]}] | [trusted-port]}
Example:
Switch(config-ipv6-snooping)# security-level inspect
Example:
Switch(config-ipv6-snooping)# trusted-port
Purpose: Enables data address gleaning, validates messages against various criteria, and specifies the security level for messages.
• (Optional) default—Sets all to default options.
• (Optional) device-role {node | switch}—Specifies the role of the device attached to the port. Default is node.
• (Optional) limit address-count value—Limits the number of addresses allowed per target.
• (Optional) no—Negates a command or sets it to defaults.
• (Optional) protocol {dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default is dhcp and ndp. To change the default, use the no protocol command.
• (Optional) security-level {glean | guard | inspect}—Specifies the level of security enforced by the feature. Default is guard.
    glean—Gleans addresses from messages and populates the binding table without any verification.
    guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
    inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.
• (Optional) tracking {disable | enable}—Overrides the default tracking behavior and specifies a tracking option.
• (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.

Step 4
Command or Action: end
Example:
Switch(config-ipv6-snooping)# end
Purpose: Exits configuration modes to Privileged EXEC mode.

Step 5
Command or Action: show ipv6 snooping policy policy-name
Example:
Switch# show ipv6 snooping policy example_policy
Purpose: Displays the snooping policy configuration.

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01
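An added example, not from the Cisco guide: a Python audit that reads snooping policy blocks from a saved configuration, applies the defaults stated in Step 3, and flags the two options the Purpose text describes as reducing enforcement (security-level glean and trusted-port). The sample configuration is constructed; the running-config layout (indented sub-commands, defaults omitted) and the policy names lab_policy and access_policy are assumptions.

```python
import re

# Defaults as stated in Step 3 of the procedure.
DEFAULTS = {"security-level": "guard", "device-role": "node"}

# Constructed sample. Assumption: sub-commands are indented under the policy
# line and options left at their defaults are not listed.
SAMPLE_CONFIG = """\
ipv6 snooping policy example_policy
 security-level inspect
 trusted-port
!
ipv6 snooping policy lab_policy
 security-level glean
 limit address-count 4
!
ipv6 snooping policy access_policy
!
"""

def parse_policies(config_text):
    """Return {policy_name: settings} with the documented defaults filled in."""
    policies, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"^ipv6 snooping policy (\S+)\s*$", line)
        if header:
            current = {**DEFAULTS, "trusted-port": False}
            policies[header.group(1)] = current
        elif current is not None and line.startswith(" ") and line.strip():
            words = line.split()
            if words == ["trusted-port"]:
                current["trusted-port"] = True
            elif words[0] in DEFAULTS and len(words) == 2:
                current[words[0]] = words[1]
            elif words[:2] == ["limit", "address-count"] and len(words) == 3:
                current["limit address-count"] = int(words[2])
        else:
            current = None  # "!" or any unindented line closes the policy block
    return policies

def audit(policies):
    """Return (policy, finding) pairs for options that reduce enforcement."""
    findings = []
    for name, cfg in sorted(policies.items()):
        if cfg["security-level"] == "glean":
            findings.append((name, "glean: binding table populated without verification"))
        if cfg["trusted-port"]:
            findings.append((name, "trusted-port: guard disabled on applicable targets"))
    return findings
```

Each trusted-port finding is a prompt to confirm that the policy is used only where its bindings should take preference over those learned on other ports.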