Configuring IPv6 First Hop Security
How to Configure IPv6 FHS
Configuring the IPv6 RA Guard Policy on the Device
Note
When the ipv6 nd raguard command is configured on ports, router solicitation messages are not replicated
to these ports. To replicate router solicitation messages, all ports that face routers must be set to the router
role.
SUMMARY STEPS
1. configure terminal
2. ipv6 nd raguard policy policy-name
3. device-role {host | router | monitor | switch}
4. hop-limit {maximum | minimum limit}
5. managed-config-flag {on | off}
6. other-config-flag {on | off}
7. router-preference maximum {high | low | medium}
8. trusted-port
9. exit
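The Note above implies a check worth automating: any router-facing port that has RA guard attached must use a policy with device-role router, otherwise router solicitations are not replicated to it. The following is an added example, not code from the guide; the sample configuration is constructed, the list of router-facing interfaces is supplied by the operator, and the interface-level ipv6 nd raguard attach-policy line is assumed from the separate interface procedure that this section does not show.

```python
import re

# Constructed sample configuration (not from the guide). Ethernet1/48 faces a
# router but has the host policy attached, which is the case the Note warns of.
SAMPLE_CONFIG = """\
ipv6 nd raguard policy HOSTS
  device-role host
ipv6 nd raguard policy UPLINK
  device-role router
interface Ethernet1/1
  ipv6 nd raguard attach-policy HOSTS
interface Ethernet1/48
  ipv6 nd raguard attach-policy HOSTS
"""

def parse_raguard(config):
    """Return ({policy: role or None}, {interface: policy}) from config text."""
    roles, attached, policy, intf = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):      # top-level line opens a new block
            policy = intf = None
            if m := re.fullmatch(r"ipv6 nd raguard policy (\S+)", line):
                policy = m.group(1)
                roles[policy] = None             # device-role not seen yet
            elif m := re.fullmatch(r"interface (\S+)", line):
                intf = m.group(1)
        elif policy and (m := re.fullmatch(
                r"device-role (host|router|monitor|switch)", line)):
            roles[policy] = m.group(1)
        elif intf and (m := re.fullmatch(
                r"ipv6 nd raguard attach-policy (\S+)", line)):  # assumed syntax
            attached[intf] = m.group(1)
    return roles, attached

def audit(config, router_facing):
    """Flag RA guard ports that face a router without the router role."""
    roles, attached = parse_raguard(config)
    findings = []
    for intf, pol in attached.items():
        if pol not in roles:
            findings.append(f"{intf}: attached policy {pol} is not defined")
        elif intf in router_facing and roles[pol] != "router":
            findings.append(f"{intf}: faces a router but policy {pol} has "
                            f"device-role {roles[pol] or 'unset'}; "
                            "RS is not replicated to this port")
    return findings
```

Calling audit(SAMPLE_CONFIG, {"Ethernet1/48"}) reports the uplink; attaching UPLINK to that interface clears the finding.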
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: ipv6 nd raguard policy policy-name
Example:
Device(config)# ipv6 nd raguard policy policy1
Purpose: Defines the RA guard policy name and enters RA guard policy configuration mode.
Step 3
Command or Action: device-role {host | router | monitor | switch}
Example:
Device(config-ra-guard)# device-role router
Purpose: Specifies the role of the device attached to the port.
• device-role host: Interface or VLAN where you connect a regular node or host. This is where you apply the IPv6 RA Guard policy. The device-role host allows incoming RS packets and blocks incoming RA or RR packets. RS packets that are received on another interface are not redirected to the device-role host. Only RA and RR packets (that are allowed) are redirected to the device-role host.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x