Restrictions for First Hop Security in IPv6
•
The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
◦
A physical port with an FHS policy attached cannot join an EtherChannel group.
◦
An FHS policy cannot be attached to an physical port when it is a member of an EtherChannel
group.
•
When an IPv6 snooping policy is configured on an access switch, Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) relay packets are blocked, even though the uplink port to the corresponding
distribution switch is configured as a trusted port. When a client requests for an IPv6 address through
DHCPv6, advertise messages from the server is received; however, reply messages are blocked. As a
workaround for this issue, remove the IPv6 snooping policy.
Information about First Hop Security in IPv6
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached
to a physical interface, or a VLAN. An IPv6 software policy database service stores and accesses these policies.
When a policy is configured or modified, the attributes of the policy are stored or updated in the software
policy database, then applied as was specified. The following IPv6 policies are currently supported:
•
IPv6 Snooping Policy
—
IPv6 Snooping Policy acts as a container policy that enables most of the features
available with FHS in IPv6.
•
IPv6 FHS Binding Table Content
—
A database table of IPv6 neighbors connected to the switch is created
from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding,
table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer
address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and
redirect attacks.
•
IPv6 Neighbor Discovery Inspection
—
IPv6 ND inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery
messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that
do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access
Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on
DAD, address resolution, router discovery, and the neighbor cache.
•
IPv6 Router Advertisement Guard
—
The IPv6 Router Advertisement (RA) guard feature enables the
network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network
switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature
analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router
advertisement and router redirect messages are disallowed on the port. The RA guard feature compares
configuration information on the Layer 2 device with the information found in the received RA frame.
Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the
configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not
validated, the RA is dropped.
•
IPv6 DHCP Guard
—
The IPv6 DHCP Guard feature blocks reply and advertisement messages that come
from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
440
OL-29048-01
Configuring IPv6 First Hop Security
Restrictions for First Hop Security in IPv6