Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX (OL-29048-01), page 441
Configuring IPv6 First Hop Security
from being entered in the binding table and block DHCPv6 server messages when they are received on
ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature,
configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the
debug ipv6 snooping dhcp-guard privileged EXEC command.
• IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix
to prevent source address spoofing.
A source guard programs the hardware to allow or deny traffic based on source or destination addresses.
It deals exclusively with data packet traffic.
The IPv6 source guard feature uses the IPv6 binding table to install port ACLs (PACLs) that prevent a host
from sending packets with an invalid IPv6 source address.
To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.
The following restrictions apply:
Note
The IPv6 PACL feature is supported only in the ingress direction; it is not supported in the egress direction.
◦ An FHS policy cannot be attached to a physical port when it is a member of an EtherChannel group.
◦ When IPv6 source guard is enabled on a switch port, NDP or DHCP snooping must be enabled on the
interface to which the switch port belongs. Otherwise, all data traffic from this port will be blocked.
◦ An IPv6 source guard policy cannot be attached to a VLAN. It is supported only at the interface level.
◦ You cannot use IPv6 Source Guard and Prefix Guard together. When you attach the policy to an
interface, it should be "validate address" or "validate prefix" but not both.
◦ PVLAN and Source/Prefix Guard cannot be applied together.
For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
• IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature, to enable
the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often
used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix
delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced
with an address outside this range.
For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
• IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to
ensure that the device performs address resolution only for those addresses that are known to be active
on the link. It relies on the address glean functionality to populate all destinations active on the link into
the binding table and then blocks resolutions before they happen when the destination is not found in
the binding table.
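The following configuration is an added worked example and is not taken from the Cisco guide. It ties the features above together on one access VLAN while respecting the restrictions listed for source guard: snooping is attached at the VLAN level so that every access port has a binding table to validate against (a source-guard port with no snooping drops all of its data traffic), source guard is attached per interface and never to the VLAN, each port gets either "validate address" or "validate prefix" but not both, and DHCPv6 server messages are accepted only on the uplink. VLAN 10, the interface numbers, and all policy names are assumptions chosen for illustration; the keywords are the Cisco IOS 15.x FHS command syntax, and the set actually offered under each policy varies by platform and release, so confirm them with "?" on the switch before deploying.

```cisco
! Added example, not from the Cisco guide. Assumed topology: access ports
! Gi1/0/1 and Gi1/0/2 in VLAN 10, uplink Gi1/0/48 toward the DHCPv6 server.
! Policy names (SNOOP-*, DHCPG-*, SG-*, DG-*) are arbitrary.
!
! 1. IPv6 snooping builds the binding table that every other guard consults.
!    Attached to the VLAN so all access ports glean NDP/DHCP bindings;
!    without it a source-guard port blocks ALL data traffic (see restrictions).
ipv6 snooping policy SNOOP-ACCESS
 security-level guard
 tracking enable
!
ipv6 snooping policy SNOOP-UPLINK
 device-role switch
 trusted-port
!
! 2. DHCPv6 guard: ports are clients unless explicitly marked server-facing.
!    DHCPv6 server/relay messages arriving on client-role ports are dropped.
ipv6 dhcp guard policy DHCPG-CLIENT
 device-role client
!
ipv6 dhcp guard policy DHCPG-SERVER
 device-role server
 trusted-port
!
! 3. Source guard: exactly one of "validate address" or "validate prefix"
!    per policy. link-local traffic is permitted so hosts can still reach
!    link-local destinations (for example the default gateway).
ipv6 source-guard policy SG-ADDRESS
 validate address
 permit link-local
!
ipv6 source-guard policy SG-PREFIX
 validate prefix
 permit link-local
!
! 4. Destination guard: resolve only destinations present in the binding table.
ipv6 destination-guard policy DG-ACCESS
 enforcement always
!
! VLAN-level attachment for the policies that support it.
vlan configuration 10
 ipv6 snooping attach-policy SNOOP-ACCESS
 ipv6 dhcp guard attach-policy DHCPG-CLIENT
 ipv6 destination-guard attach-policy DG-ACCESS
!
! Source guard is interface-only, so it is attached per access port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ipv6 source-guard attach-policy SG-ADDRESS
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ipv6 source-guard attach-policy SG-PREFIX
!
! Uplink: snooping in switch role, DHCP guard in server role. If this port
! were an EtherChannel member, FHS policies could not be attached to it.
interface GigabitEthernet1/0/48
 switchport mode trunk
 ipv6 snooping attach-policy SNOOP-UPLINK
 ipv6 dhcp guard attach-policy DHCPG-SERVER
```

After applying it, confirm that bindings are actually being learned before trusting the result: show ipv6 neighbors binding should list each active host on Gi1/0/1 and Gi1/0/2, and show ipv6 snooping policies, show ipv6 dhcp guard policy DHCPG-SERVER and show ipv6 source-guard policy SG-ADDRESS show where each policy is attached. If a host on a source-guard port loses all connectivity, an empty binding table for that port is the first thing to check; the guide's debug ipv6 snooping source-guard and debug ipv6 snooping dhcp-guard privileged EXEC commands show which packets are being dropped and why.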
