Cisco Catalyst 2960-XR Security Configuration Manual page 375

IOS Release 15.0(2)EX1

Configuring IPv6 First Hop Security
SUMMARY STEPS
1. configure terminal
2. ipv6 snooping policy policy-name
3. {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite]] | enable [reachable-lifetime [seconds | infinite]]}] | [trusted-port]}
4. end
5. show ipv6 snooping policy policy-name
DETAILED STEPS

Step 1
Command or Action: configure terminal
Example:
Switch# configure terminal
Purpose: Enters the global configuration mode.

Step 2
Command or Action: ipv6 snooping policy policy-name
Example:
Switch(config)# ipv6 snooping policy example_policy
Purpose: Creates a snooping policy and enters IPv6 Snooping Policy Configuration mode.

Step 3
Command or Action: {[default] | [device-role {node | switch}] | [limit address-count value] | [no] | [protocol {dhcp | ndp}] | [security-level {glean | guard | inspect}] | [tracking {disable [stale-lifetime [seconds | infinite]] | enable [reachable-lifetime [seconds | infinite]]}] | [trusted-port]}
Example:
Switch(config-ipv6-snooping)# security-level inspect
Example:
Switch(config-ipv6-snooping)# trusted-port
Purpose: Enables data address gleaning, validates messages against various criteria, and specifies the security level for messages.
• (Optional) default—Sets all to default options.
• (Optional) device-role {node | switch}—Specifies the role of the device attached to the port. Default is node.
• (Optional) limit address-count value—Limits the number of addresses allowed per target.
• (Optional) no—Negates a command or sets it to defaults.
• (Optional) protocol {dhcp | ndp}—Specifies which protocol should be redirected to the snooping feature for analysis. The default is dhcp and ndp. To change the default, use the no protocol command.
• (Optional) security-level {glean | guard | inspect}—Specifies the level of security enforced by the feature. Default is guard.
   glean—Gleans addresses from messages and populates the binding table without any verification.
   guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
   inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.

OL-29434-01
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
How to Configure an IPv6 Snooping Policy
353
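
The following is an added example, not part of the Cisco guide: a Python check that parses `ipv6 snooping policy` blocks from a saved configuration, fills in the defaults stated in step 3, and lists settings a reviewer may want to confirm. The sample configuration, the function names and the choice of findings are assumptions of this example.

```python
import re
# Defaults as stated in the step 3 description on this page.
DEFAULTS = {"security-level": "guard", "device-role": "node"}
# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
ipv6 snooping policy example_policy
 security-level inspect
 trusted-port
!
ipv6 snooping policy access_ports
 limit address-count 5
!
ipv6 snooping policy lab_policy
 security-level glean
!
"""

def parse_policies(config):
    """Return {policy_name: {option: value}} with the page's defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ipv6 snooping policy (\S+)\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            words = line.split() or [""]
            if words[:2] == ["limit", "address-count"] and len(words) == 3:
                current["limit address-count"] = int(words[2])
            elif words[0] in ("security-level", "device-role") and len(words) == 2:
                current[words[0]] = words[1]
            elif words == ["trusted-port"]:
                current["trusted-port"] = True
        else:
            current = None  # "!" or any other top-level line ends the policy block
    return policies

def audit(policies):
    """Return sorted (policy, finding) pairs for a reviewer to confirm."""
    findings = []
    for name, opts in policies.items():
        if opts["security-level"] == "glean":  # page: binding table filled without verification
            findings.append((name, "security-level glean: bindings learned without verification"))
        if "limit address-count" not in opts:  # this example's own hygiene check
            findings.append((name, "no limit address-count configured"))
        # Assumption beyond this page: a trusted port relaxes verification, so report it.
        if opts.get("trusted-port"):
            findings.append((name, "trusted-port set: confirm the policy is attached only to uplinks"))
    return sorted(findings)
```

Calling `audit(parse_policies(SAMPLE_CONFIG))` reports two findings each for `example_policy` and `lab_policy` and none for `access_ports`, which relies on the default `guard` level and sets an address limit.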
