Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.x
OL-20002-02
Chapter 3 Configuring IPv6
Configuring IPv6
Configuring IPv6 Packet Verification
Cisco NX-OS supports Intrusion Detection System (IDS) checks that verify IPv6 packets.
You can enable or disable these IDS checks.
To enable IDS checks, use the following commands in global configuration mode:

Command: hardware ip verify address {destination zero | identical | reserved | source multicast}
Purpose: Performs the following IDS checks on the IPv6 address:
• destination zero—Drops IPv6 packets if the destination IP address is ::.
• identical—Drops IPv6 packets if the source IPv6 address is identical to the destination IPv6 address.
• reserved—Drops IPv6 packets if the IPv6 address is in the ::1 range.
• source multicast—Drops IPv6 packets if the IPv6 source address is in the FF00::/8 range (multicast).

Command: hardware ip verify checksum
Purpose: Drops IPv6 packets if the packet checksum is invalid.

Command: hardware ip verify fragment
Purpose: Drops IPv6 packets if the packet fragment has a nonzero offset and the DF bit is active.

Command: hardware ipv6 verify length {consistent | maximum {max-frag | max-tcp | udp}}
Purpose: Performs the following IDS checks on the IPv6 address:
• consistent—Drops IPv6 packets where the Ethernet frame size is greater than or equal to the IPv6 packet length plus the Ethernet header.
• maximum max-frag—Drops IPv6 packets if the formula (IPv6 Payload Length – IPv6 Extension Header Bytes) + (Fragment Offset * 8) is greater than 65536.
• maximum max-tcp—Drops IPv6 packets if the TCP length is greater than the IP payload length.
• maximum udp—Drops IPv6 packets if the IPv6 payload length is less than the UDP packet length.

Command: hardware ipv6 verify tcp tiny-frag
Purpose: Drops TCP packets if the IPv6 fragment offset is 1, or if the IPv6 fragment offset is 0 and the IP payload length is less than 16.

Command: hardware ipv6 verify version
Purpose: Drops IPv6 packets if the ethertype is not set to 6 (IPv6).

Use the show hardware forwarding ip verify command to display the IPv6 packet verification configuration.
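
The four address checks and the max-frag formula from the table, modelled in Python so their effect can be tried against constructed headers. This is an added example, not Cisco code and not verified against NX-OS hardware; the function names, the sample addresses, and the reading of "reserved" as a source or destination equal to ::1 are assumptions.

```python
import ipaddress
import struct

ZERO = ipaddress.IPv6Address("::")
LOOPBACK = ipaddress.IPv6Address("::1")          # "reserved" read as ::1 (assumption)
MULTICAST = ipaddress.IPv6Network("ff00::/8")


def build_header(src, dst, payload_len=0, next_header=59):
    """Constructed sample input: a 40-byte IPv6 fixed header (hop limit 64)."""
    first_word = 6 << 28                         # version 6, traffic class and flow label 0
    return (struct.pack("!IHBB", first_word, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def address_checks(header):
    """Return the names of the address checks from the table that this header fails."""
    src = ipaddress.IPv6Address(header[8:24])
    dst = ipaddress.IPv6Address(header[24:40])
    failed = []
    if dst == ZERO:
        failed.append("destination zero")
    if src == dst:
        failed.append("identical")
    if LOOPBACK in (src, dst):                   # either address (assumption)
        failed.append("reserved")
    if src in MULTICAST:
        failed.append("source multicast")
    return failed


def exceeds_max_frag(payload_len, ext_header_bytes, fragment_offset):
    """max-frag formula from the table; the fragment offset counts 8-byte units."""
    return (payload_len - ext_header_bytes) + fragment_offset * 8 > 65536


if __name__ == "__main__":
    # Constructed cases: (source, destination)
    for src, dst in [("2001:db8::1", "2001:db8::2"), ("2001:db8::1", "::"),
                     ("2001:db8::1", "2001:db8::1"), ("ff02::1", "2001:db8::2")]:
        print(src, "->", dst, address_checks(build_header(src, dst)) or "pass")
    print("max-frag, offset 8190:", exceeds_max_frag(1448, 8, 8190))
```

A packet can fail more than one check at once, which is why `address_checks` returns a list rather than the first match.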