Prerequisites for First Hop Security in IPv6 - Cisco Catalyst 2960 Series Configuration Manual

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E
Prerequisites for First Hop Security in IPv6
• You have configured the necessary IPv6-enabled SDM template.
• You should be familiar with the IPv6 neighbor discovery feature.

Restrictions for First Hop Security in IPv6
• The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
◦ A physical port with an FHS policy attached cannot join an EtherChannel group.
◦ An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.
• By default, a snooping policy has a security-level of guard. When such a snooping policy is configured on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do one of the following:
◦ Apply an IPv6 RA-guard policy (for RA) or an IPv6 DHCP-guard policy (for DHCP server messages) on the uplink port.
◦ Configure a snooping policy with a lower security-level, for example glean or inspect. However, configuring a lower security level is not recommended with such a snooping policy, because the benefits of the First Hop Security features are lost.

Information about First Hop Security in IPv6
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached to a physical interface, an EtherChannel interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are stored or updated in the software policy database, then applied as specified. The following IPv6 policies are currently supported:
• IPv6 Snooping Policy—The IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.
• IPv6 FHS Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding table, is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and the prefix binding of the neighbors to prevent spoofing and redirect attacks.
• IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
678
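The following configuration is an added example and is not taken from the Cisco guide. It shows the recommended way out of the restriction above: keep the snooping policy at the default security-level of guard, and instead tell the switch through separate RA-guard and DHCP-guard policies that the uplink is where routers and DHCPv6 servers are allowed to be, while host ports keep the strict roles. VLAN 10, the uplink GigabitEthernet1/0/48, the host-port range and all policy names are assumptions chosen for the example; the commands themselves (ipv6 snooping policy, ipv6 nd raguard policy, ipv6 dhcp guard policy, and their attach-policy forms) are the FHS commands documented for this release.

```cisco
! Constructed example, not from the Cisco guide. Assumed names: VLAN 10 is the
! access VLAN, Gi1/0/48 is the uplink to the IPv6 router / DHCPv6 relay, and
! the policy names are arbitrary.
!
! 1. Snooping policy at the default security level (guard). Attached to the
!    access VLAN below, it builds the binding table from ND and DHCPv6 traffic
!    seen on every port in the VLAN, including the uplink.
ipv6 snooping policy FHS-SNOOP
 security-level guard
 device-role node
 tracking enable
!
! 2. Guard policies for the uplink. At security-level guard the snooping policy
!    drops RA and DHCPv6 server/relay messages on its own, and marking the
!    uplink as a trusted port does not change that. The uplink therefore needs
!    an RA-guard policy declaring the peer a router and a DHCP-guard policy
!    declaring it a server; device-role (rather than trusted-port) is used so
!    the guard features still validate what they forward.
ipv6 nd raguard policy RAGUARD-UPLINK
 device-role router
!
ipv6 dhcp guard policy DHCPGUARD-UPLINK
 device-role server
!
! 3. Host-facing ports. Hosts are never routers or DHCPv6 servers, so RA and
!    DHCPv6 server messages arriving here are treated as spoofing and dropped.
ipv6 nd raguard policy RAGUARD-HOST
 device-role host
!
ipv6 dhcp guard policy DHCPGUARD-HOST
 device-role client
!
! 4. Attach the policies. The snooping policy goes on the VLAN; RA-guard and
!    DHCP-guard go on the interfaces. If the uplink were an EtherChannel, the
!    policies would be attached to the Port-channel interface, never to a
!    member port (see the EtherChannel restriction above).
vlan configuration 10
 ipv6 snooping attach-policy FHS-SNOOP
!
interface GigabitEthernet1/0/48
 description uplink to IPv6 router and DHCPv6 relay
 switchport mode trunk
 ipv6 nd raguard attach-policy RAGUARD-UPLINK
 ipv6 dhcp guard attach-policy DHCPGUARD-UPLINK
!
interface range GigabitEthernet1/0/1 - 47
 switchport access vlan 10
 switchport mode access
 ipv6 nd raguard attach-policy RAGUARD-HOST
 ipv6 dhcp guard attach-policy DHCPGUARD-HOST
!
! The alternative the guide advises against: a snooping policy with a lower
! security level lets the uplink RAs through without any guard policy, but the
! switch then only learns bindings and no longer enforces them.
! ipv6 snooping policy FHS-SNOOP-WEAK
!  security-level inspect
!
! 5. Verification from exec mode: confirm where each policy is attached and
!    that the binding table is being populated from the access VLAN.
! show ipv6 snooping policies
! show ipv6 nd raguard policy RAGUARD-UPLINK
! show ipv6 dhcp guard policy DHCPGUARD-UPLINK
! show ipv6 neighbors binding
```

After applying this, a client on VLAN 10 should still receive RAs and DHCPv6 replies only from the uplink, and a rogue RA or DHCPv6 Advertise injected on a host port is dropped by the host-role guard policies while the binding table keeps recording the legitimate neighbors.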