Information About First Hop Security in IPv6; How To Configure an IPv6 Snooping Policy - Cisco Catalyst 2960-XR Security Configuration Manual

Cisco IOS Release 15.0(2)EX1

Information about First Hop Security in IPv6

First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features that can be applied to an interface or
a VLAN. An IPv6 software policy database service stores and accesses these policies. When a policy is
configured or modified, the attributes of the policy are stored or updated in the software policy database and
then applied as specified. The following IPv6 policies are currently supported:
• IPv6 Snooping Policy—IPv6 Snooping Policy acts as a container policy that enables most of the features available with FHS in IPv6.
• IPv6 Binding Table Content—A database table of IPv6 neighbors connected to the switch is created from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding table, is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
• IPv6 Neighbor Discovery Inspection—IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in L2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery messages that do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access Control (MAC) mapping is verifiable.
• IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the network administrator to block or reject unwanted or rogue RA messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router advertisement and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the L2 device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
• IPv6 DHCP Guard—You can use the DHCP guard to prevent forged messages from being entered in the binding table. The DHCP guard blocks DHCP server messages when they are received on ports that are not explicitly configured as facing a DHCP server or DHCP relay. To use this feature, configure a policy and attach it to a DHCP guard. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.

How to Configure an IPv6 Snooping Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:

Configuring IPv6 First Hop Security
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01
352
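The step table for this procedure is not reproduced on this page, so the following is an added example, not the guide's own text, showing how the policies described above fit together on an access VLAN: an IPv6 snooping policy attached at VLAN level to populate the binding table, RA guard policies that forbid Router Advertisements on host-facing ports while permitting them on the router uplink, and DHCP guard policies that allow DHCPv6 server replies only on the server-facing uplink. The policy names, VLAN 10 and the interface numbers are placeholders chosen for this example; the commands are the standard Cisco IOS FHS commands, and the `show` and `debug` commands at the end are the ones you would use to verify the result.

```cisco
! Added example configuration (not from the Cisco guide); names are placeholders.
!
! 1. Container policy: snoop ND/DHCPv6 to build the binding table.
!    security-level guard drops messages whose IPv6-to-MAC binding cannot be verified.
ipv6 snooping policy FHS-SNOOP
 security-level guard
 device-role node
 tracking enable
!
! 2. RA guard: host ports may never source RAs; only the uplink role "router" may.
ipv6 nd raguard policy RA-HOST
 device-role host
!
ipv6 nd raguard policy RA-ROUTER
 device-role router
!
! 3. DHCP guard: server replies are dropped unless the port role is "server".
ipv6 dhcp guard policy DHCP-CLIENT
 device-role client
!
ipv6 dhcp guard policy DHCP-SERVER
 device-role server
!
! 4. Attach the snooping policy to the VLAN so every port in it feeds the binding table.
vlan configuration 10
 ipv6 snooping attach-policy FHS-SNOOP
!
! 5. Host-facing access port: RAs and DHCPv6 server messages are blocked here.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ipv6 nd raguard attach-policy RA-HOST
 ipv6 dhcp guard attach-policy DHCP-CLIENT
!
! 6. Uplink toward the legitimate router and DHCPv6 server: RAs and server replies allowed.
interface GigabitEthernet1/0/48
 switchport mode trunk
 ipv6 nd raguard attach-policy RA-ROUTER
 ipv6 dhcp guard attach-policy DHCP-SERVER
!
! Verification (privileged EXEC):
!   show ipv6 snooping policies
!   show ipv6 neighbors binding
!   show ipv6 nd raguard policy RA-HOST
!   show ipv6 dhcp guard policy DHCP-CLIENT
!   debug ipv6 snooping dhcp-guard
```

Attaching the snooping policy to the VLAN rather than to each port means any access port later added to VLAN 10 is snooped automatically, whereas the RA guard and DHCP guard roles are deliberately per port, because the uplink and the host ports need opposite roles. After a few minutes of traffic, `show ipv6 neighbors binding` should list each host's link-layer address and IPv6 addresses with the port it was learned on; an entry missing for a host that is clearly online, or a counter increasing in the RA guard or DHCP guard policy output, is the first thing to check when a client cannot obtain an address.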