IPv6_Security
This chapter describes how to configure the IPv6 First-Hop Security (FHS) features.
This chapter includes the following sections:
• Understanding IPv6 First-Hop Security features, page 41-1
• Configuring IPv6 FHS Features, page 41-6
• Verifying IPv6 FHS Configuration, page 41-6
IPv6 Snooping
IPv6 snooping captures IPv6 traffic and helps populate the binding table. It gleans addresses from
control messages such as Neighbor Discovery Protocol (NDP) and Dynamic Host Configuration Protocol
(DHCP) packets. Depending on the configured security level, it blocks unwanted messages such as Router
Advertisements (RA) or DHCP replies. This feature is a prerequisite for the remaining security features
described here.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 15 S
OL-10113-33 41-1
Chapter 41 IPv6 First-Hop Security Features
Understanding IPv6 First-Hop Security features
DHCPv6 Guard
DHCPv6 Guard blocks DHCP replies and advertisements that do not originate from a DHCP server or
relay. It decides whether to switch or block a DHCP reply based on the device-role configuration, and it
also verifies the information found in the message.
DHCPv6 Guard classifies each message as one of three DHCP message types (client message, server
message, or relay message) and takes action depending on the device role. All client messages are
switched regardless of the device role; DHCP server messages are processed further only if the device
role is set to server.
A corresponding entry is also installed in the Network Processor Ternary Content-Addressable Memory
(NP TCAM) of the line card. A data packet that does not match any NP TCAM entry is dropped.
Source Guard (SG) installs a “deny-all” Access Control Entry (ACE) on the targets where the feature is
configured; control packets are exempt. SG also installs an IPv6 address, MAC address, port, or VLAN ID
filter to validate the binding table entries learnt from the targets.
Table 41-1 lists the filters that SG applies to incoming network traffic.
SG is an ingress feature and filters only incoming data packets. If SG is enabled, every ingress packet
on a switch port or Layer 2 VLAN is checked against the entries in the IPv6 binding table. Initially, SG
blocks all IPv6 traffic on the target except for the Dynamic Host Configuration Protocol (DHCP) and
Neighbor Discovery Protocol (NDP) packets that the IPv6 snooping process uses.
SG works in policy mode. SG and snooping policies are configured in global configuration mode and are
applied to switch ports and VLANs. Validate Address, which inspects IPv6 addresses, is enabled by
default in the IPv6 Source Guard policy. The configurations apply only to the ports of ES 40 cards.
Enabling IPv6 SG attaches ICMPv6 and DHCPv6 snooping policies in the NP TCAM for the interface.
The configuration of IPv6 Snooping is a prerequisite for SG. SG requires the configuration of IPv6
Snooping on one of the following:
• Layer 2 access or trunk ports
• Layer 2 VLANs
Note Prefixes that are snooped from a DHCP REQUEST/REPLY sequence or a manual configuration are
bound to the MAC address or port. Only incoming traffic with snooped prefixes from that MAC address
or port is given network access.
PG in Enterprise Deployment
Prefix Guard (PG) in an enterprise deployment involves gleaning prefixes from Router Advertisements
(RA). PG blocks traffic that originates from nodes whose source address lies outside any known prefix.
Note Ensure that you attach the RA guard policy and a snooping policy to the ports of the switch on which
you learn bindings.
Note A prefix that is learnt from a multicast RA applies to an entire VLAN, and not to a specific port or MAC
address.
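To make the combined rule concrete, here is an added Python model (not Cisco code, and not from this guide) of the SG and PG ingress decision described above; the binding-table rows, the per-VLAN prefixes and the packet tuples are constructed sample data.

```python
"""Toy model of the IPv6 Source Guard (SG) and Prefix Guard (PG) ingress check.
Added illustration, not Cisco code: SG admits a data packet only when its
(source IPv6, MAC, port, VLAN) tuple matches a binding-table entry; PG admits
it only when the source lies inside a prefix gleaned from an RA on that VLAN
(a multicast-RA prefix covers the whole VLAN, not one port). NDP and DHCPv6
control traffic is always let through so that snooping can keep learning."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

CONTROL = {"NDP", "DHCPv6"}    # punted to the snooping process, never filtered here

@dataclass(frozen=True)
class Binding:                  # one row of the IPv6 binding table
    addr: IPv6Address
    mac: str
    port: str
    vlan: int

@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    mac: str
    port: str
    vlan: int
    proto: str = "DATA"         # "NDP" / "DHCPv6" for control messages

def source_guard(pkt, bindings):
    """SG: permit only sources whose binding was snooped on this MAC, port and VLAN."""
    if pkt.proto in CONTROL:
        return True
    return Binding(pkt.src, pkt.mac.upper(), pkt.port, pkt.vlan) in bindings

def prefix_guard(pkt, vlan_prefixes):
    """PG: permit only sources inside a prefix learnt from an RA on the packet's VLAN."""
    if pkt.proto in CONTROL:
        return True
    return any(pkt.src in net for net in vlan_prefixes.get(pkt.vlan, ()))

# Constructed sample state: the three addresses the DHCPv6 REPLY quoted in this
# chapter advertised for MAC AABB.CC01.F500 on Et0/0, plus two RA-learnt prefixes.
BINDINGS = {Binding(IPv6Address(a), "AABB.CC01.F500", "Et0/0", 100) for a in (
    "2001:600::60AF:3195:BC06:EAFB", "2001:400::A1C9:9B4F:2D34:C621", "2001:500::2")}
VLAN_PREFIXES = {100: [IPv6Network("2001:500::/64"), IPv6Network("2001:600::/64")]}

def verdict(pkt):
    """Combined decision: both guards must permit, otherwise the packet is dropped."""
    ok = source_guard(pkt, BINDINGS) and prefix_guard(pkt, VLAN_PREFIXES)
    return "permit" if ok else "drop"
```

Note that a source that is bound by DHCP but lies outside every RA-learnt prefix passes SG and is still dropped by PG, since the two checks are independent.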
Data Gleaning
Data gleaning populates the binding table with binding information extracted from valid data packets
when the binding information for those hosts has been lost or was set incorrectly. The process of punting
data packets from unknown hosts and gleaning new bindings from them is called data gleaning.
When an unknown host sends a data packet with IPv6 and MAC addresses along with its VLAN ID to
the network, the network processor checks if IPv6 SG is enabled for the port or VLAN. If the host is
trusted, and data gleaning is configured on the VLAN or port, new bindings are extracted from the data
packets.
Data gleaning is commonly used in conjunction with IPv6 Source Guard and Prefix Guard. It works in the
same way as IPv6 SG works with the snooping feature configured. Data gleaning is configured in the
snooping policy.
When you use data gleaning, run the following command to limit the rate of data that is redirected to the
Route Processor (RP):
hw-module slot number rate-limit punt_rate
• The Ternary Content-Addressable Memory (TCAM) stores around 16,000 IPv6 ACL entries and
2000 masks. Therefore, an approximate number of 8000 IPv6 prefixes are supported for the FHS
features.
• The c7600 does not support per-port and VLAN Access Control List (PVACL).
• The c7600 does not support uncompressed IPv6 addresses. Use the mls ipv6 acl compress address
unicast command to compress the IPv6 address.
• The c7600 supports a maximum of 16 broadcast groups.
• The IPv6 FHS features are SSO compliant.
• The c7600 internally creates a Switch Virtual Interface (SVI) of the Layer 2 VLAN for an access port.
For trunk ports, you must create an SVI of the Layer 2 VLAN yourself to prevent traffic from being
dropped.
• All the FHS configurations are supported only in the ingress direction.
• The FHS configurations are supported on a trunk port only in port-prefer mode.
• The Destination Guard is applicable only in VLAN mode.
Note For more information on network processors, see Network Processors: Programmable Technology for
Building Network Systems.
• The show ipv6 snooping messages command displays the latest messages that were processed by
IPv6 snooping.
Router# show ipv6 snooping messages
• The show ipv6 snooping messages detailed N command displays the specified number (N) of
messages.
On VLAN 100, From Et0/0 seclvl [glean], MAC AABB.C901.6601: DHCPv6::SOL, no IPv6 target. packet ignored.
On VLAN 100, From Et0/0 seclvl [glean], MAC AABB.CC01.F500: DHCPv6::REN, no IPv6 target. packet ignored.
On VLAN 100, From Et1/0 seclvl [glean], about Et0/0, MAC AABB.CC01.F500: DHCPv6::REP, 3 addresses advertised:
IPv6 addr: 2001:600::60AF:3195:BC06:EAFB, protocol lifetime: 0x5==5,
IPv6 addr: 2001:400::A1C9:9B4F:2D34:C621, protocol lifetime: 0x5==5,
IPv6 addr: 2001:500::2, protocol lifetime: 0x5==5,
• The show ipv6 snooping counters target command displays the drop counter statistics. Whenever
any feature drops a received packet, the counters are incremented.
Router# show ipv6 snooping counters vlan 100
Received messages on vlan 100 :
Protocol Protocol message
NDP RA[58] NS[23] NA[14]
DHCPv6 SOL[7] ADV[6] REQ[1] REN[6] REP[7]
On the port:
SWITCH#show ipv6 snooping counters int e 1/0
Received messages on Et1/0:
Protocol Protocol message
NDP RA[63] NA[13]
DHCPv6 ADV[1] REP[10]
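An added Python helper (not Cisco code, and not from this guide) that parses counters output in the format shown above and lists the received message types that DHCPv6 guard or RA guard would block for the device role configured on each target; the sample output and the role map are constructed.

```python
"""Parse 'show ipv6 snooping counters' output and flag received message types
that the DHCPv6 guard or RA guard would block for a given device role. Added
example, not Cisco code; the mapping follows this chapter: a dhcp guard target
with role client must not see server messages (ADV, REP), and a raguard target
with role host must not see Router Advertisements (RA)."""
import re

# Constructed sample in the format of the per-port output quoted above.
SAMPLE = """Received messages on Et1/0:
Protocol Protocol message
NDP RA[63] NA[13]
DHCPv6 ADV[1] REP[10]
"""

# Message types a guard drops on a target with the given (protocol, role).
BLOCKED_BY_ROLE = {
    ("DHCPv6", "client"): {"ADV", "REP"},   # server messages on a client-facing port
    ("NDP", "host"): {"RA"},                # RAs on a host-facing port
}
TARGET_RE = re.compile(r"Received messages on (.+?)\s*:")
COUNTER_RE = re.compile(r"([A-Z]+)\[(\d+)\]")

def parse_counters(text):
    """Return {target: {protocol: {message_type: count}}} from the show output."""
    result, target = {}, None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1).strip()
            result[target] = {}
        elif target and line.strip() and not line.startswith("Protocol"):
            proto, _, rest = line.partition(" ")
            result[target][proto] = {t: int(n) for t, n in COUNTER_RE.findall(rest)}
    return result

def unexpected_messages(counters, roles):
    """roles maps (target, protocol) -> configured device role; returns the
    (target, message_type, count) triples that the guard for that role blocks."""
    hits = []
    for target, protos in counters.items():
        for proto, msgs in protos.items():
            blocked = BLOCKED_BY_ROLE.get((proto, roles.get((target, proto))), ())
            hits.extend((target, t, msgs[t]) for t in sorted(blocked) if msgs.get(t))
    return hits
```

A non-empty result for a host- or client-facing port is worth a look: either the guard policy is not attached there, or an unexpected device is sending router or server messages on that segment.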
• The show ipv6 destination-guard command displays the destination guard policy configuration,
and all the interfaces where the policy is applied.
Router# show ipv6 destination-guard
? Shows the policy configuration as well as all the interfaces where the policy is
applied:
• The show ipv6 neighbors binding command displays the binding table entries populated by the
snooping policy.
Router# show ipv6 neighbors binding
Binding Table has 1 entries, 1 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet,
API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
• The show ipv6 nd raguard policy command displays the RA guard policy configuration, and all
the interfaces where the policy is applied.
Router# show ipv6 nd raguard policy
Policy raguard configuration:
device-role host
Policy raguard is applied on the following targets:
Target Type Policy Feature Target range
Gi3/7 PORT raguard RA guard vlan all
• The show ipv6 dhcp guard policy command displays the DHCP guard policy configuration, and all
the interfaces where the policy is applied.
Router# show ipv6 dhcp guard
Dhcp guard policy: dhcp
Device Role: dhcp client
Target: Gi3/7
• The show tcam interface command displays the following output when IPv6 snooping is configured
on an interface.
Router# show tcam interface gigabitEthernet 3/3 acl in ipv6
-------------------------------------------------------
ICMP Neighbor Discovery Packet Types:
na - neighbor advertisement ra - router advertisement
ns - neighbor solicit rs - router solicit
r - redirect
Troubleshooting Tips
Problem: The IPv6 snooping feature is not working.
Solution: Use the debug ipv6 snooping command to check if the TCAM is programmed in the hardware.

Problem: Packets are not switching as expected during router reboot.
Solution: Use the show ipv6 neighbors binding and debug ipv6 neighbor discovery commands to check the
configuration.

Problem: The Switch Integrated Security Features (SISF) does not work as expected.
Solution: Use the debug fm sisf command to print the debugs for the feature manager.