Cisco Catalyst 2960 Series
Prerequisites for First Hop Security in IPv6
You have configured the necessary IPv6-enabled SDM template.
You should be familiar with the IPv6 neighbor discovery feature.
Restrictions for First Hop Security in IPv6
The following restrictions apply when applying FHS policies to EtherChannel interfaces (Port Channels):
A physical port with an FHS policy attached cannot join an EtherChannel group.
An FHS policy cannot be attached to a physical port while it is a member of an EtherChannel group.
By default, a snooping policy has a security-level of guard. When such a snooping policy is configured
on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP
server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do one of the
following:
Apply an IPv6 RA-guard policy (for RA) or an IPv6 DHCP-guard policy (for DHCP server messages)
on the uplink port.
Configure a snooping policy with a lower security-level, for example glean or inspect. However,
configuring a lower security level is not recommended with such a snooping policy, because the
benefits of the First Hop Security features are lost.
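The recommended option above (keep the snooping policy at security-level guard and admit the upstream router's RAs and the DHCPv6 server's replies with dedicated guard policies on the uplink) as an added configuration example; it is not taken from the guide. The policy names, VLAN 10, the Port-channel1 uplink and the interface numbering are assumptions, and the command syntax is assumed to be the IPv6 FHS CLI of the IOS release the guide covers. The uplink is deliberately an EtherChannel so the example also shows where the restrictions above put the policy.

```cisco
! Added example, not from the guide. Policy names, VLAN 10 and the
! Port-channel1 uplink are assumptions.
!
! 1. Snooping policy left at the default security-level (guard) for the
!    access VLAN; this is what blocks RAs and DHCPv6 server replies until
!    the guard policies below admit them on the uplink.
ipv6 snooping policy ACCESS-SNOOP
 security-level guard
!
! The alternative the guide advises against: lowering the level lets the
! RAs and DHCPv6 replies through, but gives up the FHS protections.
!  security-level glean
!
! 2. RA-guard policy for the uplink: device-role router admits RAs from
!    the upstream router instead of treating them as rogue.
ipv6 nd raguard policy UPLINK-RAGUARD
 device-role router
!
! 3. DHCP-guard policy for the uplink: device-role server admits DHCPv6
!    server/relay replies arriving on this port.
ipv6 dhcp guard policy UPLINK-DHCPGUARD
 device-role server
!
! Attaching snooping at VLAN level covers every access port in VLAN 10.
vlan configuration 10
 ipv6 snooping attach-policy ACCESS-SNOOP
!
! The uplink is an EtherChannel: FHS policies are attached to the
! Port-channel interface, never to its member ports (see restrictions).
interface Port-channel1
 description uplink to router and DHCPv6 relay
 ipv6 nd raguard attach-policy UPLINK-RAGUARD
 ipv6 dhcp guard attach-policy UPLINK-DHCPGUARD
!
! Verification after the change:
!   show ipv6 snooping policies
!   show ipv6 nd raguard policy UPLINK-RAGUARD
!   show ipv6 dhcp guard policy UPLINK-DHCPGUARD
!   show ipv6 neighbors binding
```

After applying this, RAs and DHCPv6 replies should again reach hosts in VLAN 10 while the access ports still run at guard level; if they do not, confirm that the policies landed on Port-channel1 rather than on a member port, which the restrictions above disallow.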
Information about First Hop Security in IPv6
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, the policies of which can be attached
to a physical interface, an EtherChannel interface, or a VLAN. An IPv6 software policy database service
stores and accesses these policies. When a policy is configured or modified, the attributes of the policy are
stored or updated in the software policy database and then applied as specified. The following IPv6 policies
are currently supported:
IPv6 Snooping Policy: IPv6 Snooping Policy acts as a container policy that enables most of the features
available with FHS in IPv6.
IPv6 FHS Binding Table Content: A database table of IPv6 neighbors connected to the switch is created
from information sources such as Neighbor Discovery (ND) protocol snooping. This database, or binding,
table is used by various IPv6 guard features (such as IPv6 ND Inspection) to validate the link-layer
address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and
redirect attacks.
IPv6 Neighbor Discovery Inspection: IPv6 ND inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery
messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that
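The binding table and ND inspection entries above describe a mechanism rather than show it, so here is an added example (not Cisco's implementation and not code from the guide) that models the idea in Python: a table keyed by VLAN and IPv6 address that ND snooping populates with the link-layer address and ingress port, and that a guard feature consults to accept a message whose claimed binding matches, or to flag one that claims an already-bound address from a different MAC or port. The `security_level` behaviour (glean only learns, inspect and guard also drop conflicting messages) is a simplification assumed for the model, and all addresses, MACs and port names are constructed sample data.

```python
# Added example (not from the Cisco guide): a simplified model of the IPv6 FHS
# binding table that ND snooping builds and that guard features validate
# against. Addresses, MACs and port names below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NdMessage:
    """Fields a switch gleans from a snooped Neighbor Discovery message."""
    kind: str   # "NS" (Neighbor Solicitation) or "NA" (Neighbor Advertisement)
    ipv6: str   # IPv6 address the sender claims (NA target / NS source)
    lla: str    # link-layer (MAC) address carried in the message
    port: str   # ingress switch port
    vlan: int   # VLAN the message arrived on


class BindingTable:
    """Maps (vlan, ipv6) -> (lla, port).

    security_level is an assumed simplification of the snooping policy
    setting: 'glean' only learns and never drops; 'inspect' and 'guard'
    also drop a message whose claimed binding conflicts with the learned one.
    """

    def __init__(self, security_level: str = "guard") -> None:
        if security_level not in ("glean", "inspect", "guard"):
            raise ValueError(f"unknown security-level {security_level!r}")
        self.security_level = security_level
        self.bindings: Dict[Tuple[int, str], Tuple[str, str]] = {}

    def process(self, msg: NdMessage) -> Tuple[str, str]:
        """Return (verdict, action) for one snooped ND message."""
        key = (msg.vlan, msg.ipv6)
        learned = self.bindings.get(key)
        if learned is None:
            # First sighting: glean the binding. The first claimant is trusted,
            # which is why snooping should be active before hosts attach.
            self.bindings[key] = (msg.lla, msg.port)
            return ("learned", "forward")
        if learned == (msg.lla, msg.port):
            return ("verified", "forward")
        # Same IPv6 address claimed from another MAC or port: the pattern of
        # ND spoofing / neighbor-cache poisoning that inspection exists to catch.
        action = "forward" if self.security_level == "glean" else "drop"
        return ("violation", action)


def run_demo(security_level: str = "guard") -> List[Tuple[str, str]]:
    """Replay constructed ND traffic: a host announces itself, a later message
    from the same host is verified, then a device on another port claims the
    same address."""
    table = BindingTable(security_level)
    traffic = [
        NdMessage("NA", "2001:db8:10::a", "00:11:22:33:44:55", "Gi1/0/1", 10),
        NdMessage("NS", "2001:db8:10::a", "00:11:22:33:44:55", "Gi1/0/1", 10),
        NdMessage("NA", "2001:db8:10::a", "de:ad:be:ef:00:01", "Gi1/0/7", 10),
    ]
    return [table.process(m) for m in traffic]


if __name__ == "__main__":
    for level in ("guard", "glean"):
        print(level, run_demo(level))
```

Running the demo at guard level yields learned, verified, then a violation that is dropped; at glean level the same violation is recorded but forwarded, which is the concrete reason the restrictions section warns that lowering the security-level forfeits the protection.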
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)