DETAILED STEPS

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ipv6 snooping policy policy-name
Example:
Device(config)# ipv6 snooping policy policy1
Purpose: Configures an IPv6 snooping policy and enters IPv6 snooping configuration mode.

Step 3
Command or Action: device-role { node | switch }
Example:
Device(config-snoop-policy)# device-role switch
Purpose: Specifies the role of the device attached to the target (interface or VLAN):
• node—The default. Bindings are created and entries are probed.
• switch—Entries are not probed, and when a trusted port is enabled, bindings are not created.

Step 4
Command or Action: [no] limit address-count
Example:
Device(config-snoop-policy)# limit address-count 500
Purpose: Limits the number of binding entries. The no limit address-count form means no limit.

Step 5
Command or Action: [no] protocol dhcp | ndp
Example:
Device(config-snoop-policy)# protocol dhcp
Device(config-snoop-policy)# protocol ndp
Purpose: Turns on or switches off either DHCP or NDP gleaning.

Step 6
Command or Action: trusted-port
Example:
Device(config-snoop-policy)# trusted-port
Purpose: Specifies that the policy be applied to a trusted port. If an entry is a trusted port, none of its traffic is blocked or dropped.

Step 7
Command or Action: security-level glean | guard | inspect
Example:
Device(config-snoop-policy)# security-level guard
Purpose: Specifies the type of security applied to the policy: glean, guard, or inspect. Each security level means the following:
• glean—Learns bindings but does not drop packets.
• inspect—Learns bindings and drops packets if it detects an issue, such as address theft.
• guard—Works like inspect, but in addition drops IPv6, ND, RA, and IPv6 DHCP Server packets in case of a threat.

Step 8
Command or Action: tracking
Example:
Device(config-snoop-policy)# tracking enable
Purpose: Enables tracking.
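
The following review script is an added example, not part of the Cisco guide. It reads IPv6 snooping policy stanzas from saved configuration text and lists the settings that the steps above describe as reducing enforcement. The indented stanza layout, the sample configuration, and the names parse_policies and audit_config are assumptions made for illustration.

```python
import re

# Constructed sample; the running-config style stanza layout is an assumption.
SAMPLE_CONFIG = """\
ipv6 snooping policy policy1
  device-role switch
  limit address-count 500
  security-level guard
ipv6 snooping policy access-ports
  security-level glean
  no limit address-count
  no protocol ndp
  trusted-port
"""

# Explicit settings to review, with the effect stated in Steps 3 to 7.
FINDINGS = {
    "security-level glean": "bindings are learned but packets are not dropped",
    "trusted-port": "traffic on the trusted port is never blocked or dropped",
    "no limit address-count": "the number of binding entries is unlimited",
    "device-role switch": "entries are not probed",
    "no protocol dhcp": "DHCP gleaning is switched off",
    "no protocol ndp": "NDP gleaning is switched off",
}

POLICY_RE = re.compile(r"^ipv6 snooping policy (\S+)\s*$")

def parse_policies(config_text):
    """Return {policy_name: [sub-command, ...]} for each snooping policy stanza."""
    policies, current = {}, None
    for line in config_text.splitlines():
        match = POLICY_RE.match(line)
        if match:
            current = policies.setdefault(match.group(1), [])
        elif line[:1].isspace() and line.strip() and current is not None:
            current.append(" ".join(line.split()))  # normalise whitespace
        else:
            current = None  # any other top-level or blank line ends the stanza
    return policies

def audit_config(config_text):
    """Return {policy_name: [finding, ...]}; only explicitly configured lines are judged."""
    return {name: [f"{cmd}: {FINDINGS[cmd]}" for cmd in cmds if cmd in FINDINGS]
            for name, cmds in parse_policies(config_text).items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "no findings")
```

Settings left at their defaults do not appear in the input, so the script reports only what is explicitly configured.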
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring IPv6 First Hop Security
Configuring IPv6 Snooping