Prerequisites for First Hop Security in IPv6
•
You have configured the necessary IPv6 enabled SDM template.
•
You should be familiar with the IPv6 neighbor discovery feature.
Restrictions for First Hop Security in IPv6
•
The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
◦
A physical port with an FHS policy attached cannot join an EtherChannel group.
◦
An FHS policy cannot be attached to an physical port when it is a member of an EtherChannel
group.
•
By default, a snooping policy has a security-level of guard. When such a snooping policy is configured
on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP
server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do the
following:
•
Apply an IPv6 RA-guard policy (for RA) or IPv6 DHCP-guard policy (for DHCP server messages
) on the uplink port.
•
Configure a snooping policy with a lower security-level, for example glean or inspect. However;
configuring a lower security level is not recommended with such a snooping policy, because
benefits of First Hop security features are not effective.
Information about First Hop Security in IPv6
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached
to a physical interface, an EtherChannel interface, or a VLAN. An IPv6 software policy database service
stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are
stored or updated in the software policy database, then applied as was specified. The following IPv6 policies
are currently supported:
•
IPv6 Snooping Policy
—
IPv6 Snooping Policy acts as a container policy that enables most of the features
available with FHS in IPv6.
•
IPv6 FHS Binding Table Content
—
A database table of IPv6 neighbors connected to the switch is created
from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding,
table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer
address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and
redirect attacks.
•
IPv6 Neighbor Discovery Inspection
—
IPv6 ND inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery
messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
678
Prerequisites for First Hop Security in IPv6
Содержание Catalyst 2960 Series
Страница 78: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxviii Contents ...
Страница 96: ......
Страница 184: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 102 Additional References ...
Страница 195: ...P A R T II IP Multicast Routing Configuring IGMP Snooping and Multicast VLAN Registration page 115 ...
Страница 196: ......
Страница 250: ......
Страница 292: ......
Страница 488: ......
Страница 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Страница 590: ......
Страница 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Страница 620: ......
Страница 749: ...P A R T VIII Routing Configuring IP Unicast Routing page 669 Configuring IPv6 First Hop Security page 677 ...
Страница 750: ......
Страница 796: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 714 Additional References ...
Страница 856: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 774 Additional References ...
Страница 1400: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1318 Additional References ...
Страница 1546: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1464 Auto Identity ...
Страница 1596: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1514 Additional References ...
Страница 1604: ......
Страница 1740: ......
Страница 1764: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1682 Additional References ...
Страница 1942: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1860 cli_write ...
Страница 1950: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1868 context_save ...
Страница 2058: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1976 event_register_wdsysmon ...
Страница 2076: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1994 smtp_subst ...
Страница 2090: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2008 sys_reqinfo_syslog_history ...
Страница 2104: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2022 unregister_counter ...
Страница 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Страница 2106: ......
Страница 2118: ......
Страница 2164: ......