IPV6 Source Guard

Key points

  • Data-plane filter: drops IPv6 packets whose source address has no entry in the binding table; the binding table itself is built by the control-plane snooping features (ND inspection / DHCPv6 snooping), so enable ipv6 snooping on the same ports first
  • Enable policy: ipv6 source-guard policy <name>, then ipv6 source-guard attach-policy <name> on the host-facing interface
  • deny global-autoconf – denies data traffic from autoconfigured (SLAAC) global addresses; use it when every host global address is supposed to come from DHCPv6
  • Note that this does not prevent stateless autoconfiguration itself: hosts can still form SLAAC addresses, but traffic sourced from them is dropped at the port
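The key points above do not show a configuration, so here is a complete one, added here and not taken from the original notes or from Cisco's documentation. Interface numbers, VLAN and policy names (SNOOP-ACCESS, SG-ACCESS) are hypothetical, and the example assumes hosts receive their global addresses from DHCPv6 so that the bindings Source Guard checks against actually exist; on a SLAAC-only segment deny global-autoconf would drop all host traffic.

```cisco
! Added example: IPv6 snooping populates the binding table, Source Guard filters against it.
! Names and interface numbers are hypothetical.
!
! 1. Binding table: snooping policy for the host-facing ports
ipv6 snooping policy SNOOP-ACCESS
 security-level guard
 tracking enable
!
! 2. Source Guard policy: drop data from SLAAC global addresses,
!    keep allowing link-local sources (ND, DHCPv6 client traffic)
ipv6 source-guard policy SG-ACCESS
 deny global-autoconf
 permit link-local
!
! 3. Attach both to the access ports only; the uplink towards the
!    router/DHCPv6 server gets no source-guard policy.
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ipv6 snooping attach-policy SNOOP-ACCESS
 ipv6 source-guard attach-policy SG-ACCESS
!
! 4. Verification: the policy is attached and bindings exist for the hosts
show ipv6 snooping policies
show ipv6 source-guard policy SG-ACCESS
show ipv6 neighbors binding
```

Check show ipv6 neighbors binding before enabling the filter on a live port: every host address you expect to see traffic from must already be present, otherwise Source Guard will drop that host's packets.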

 


IPV6 DHCPv6 Guard

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3se/3850/ip6f-xe-3se-3850-book/ip6-dhcpv6-guard.html

 

Key points

-Define device roles per port: client (the default) on host-facing ports, server on the port that faces the legitimate DHCPv6 server or relay.

-Drop server-to-client (southbound) DHCPv6 messages (ADVERTISE, REPLY, RECONFIGURE) that arrive on client-role ports; client messages are always forwarded regardless of the role.

-On server-role ports the policy can additionally restrict the server's source address (match server access-list), the prefixes it may hand out (match reply prefix-list) and the preference range.

 

enable
configure terminal
! legitimate DHCPv6 server/relay, identified by its link-local source address
ipv6 access-list acl1
 permit host FE80::A8BB:CCFF:FE01:F700 any
! prefixes the server is allowed to assign
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
 match reply prefix-list abc
! min 0 / max 255 is the full range, i.e. no preference restriction
 preference min 0
 preference max 255
! trusted-port disables all DHCPv6 guard policing on ports using this policy,
! so the match statements above are not enforced; omit it if they should be
 trusted-port
! server-facing port, policy applied for VLAN 1
interface GigabitEthernet 0/2/0
 switchport
 ipv6 dhcp guard attach-policy pol1 vlan add 1
vlan 1
 ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1

IPV6 RA Guard

IPV6 RAguard – router advertisement guard: drops Router Advertisements (and Redirects) received on ports that should not carry them, so a host cannot inject a rogue default router or prefix into the segment.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3se/3850/ip6f-xe-3se-3850-book/ip6-ra-guard.html

Configuration

Key points

-Need the link-local address that legitimate RAs come from (matched with an IPv6 access-list via match ipv6 access-list)

-Need the prefix(es) the router will advertise in the RA payload (matched with a prefix-list via match ra prefix-list)

-Configure the device role per port – host (default: all RAs dropped) | router (RAs allowed, subject to the policy's match statements); monitor and switch roles exist on releases that support them

Configuring the IPv6 RA Guard Policy on the Device

SUMMARY STEPS

  1.   enable
  2.   configure terminal
  3.   ipv6 nd raguard policy policy-name
  4.   device-role {host | router}
  5.   hop-limit {maximum | minimum} limit
  6.   managed-config-flag {on | off}
  7.   match ipv6 access-list ipv6-access-list-name
  8.   match ra prefix-list ipv6-prefix-list-name
  9.   other-config-flag {on | off}
  10.  router-preference maximum {high | low | medium}
  11.  trusted-port
  12.  exit
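The steps above define a policy but the page's own example only attaches the default one. The following is an added, complete configuration (not from the original notes or from Cisco's documentation) that puts the key points together: a router-role policy on the uplink that checks the legitimate router's link-local source and advertised prefix, and a host-role policy on every access port. Addresses, prefixes, interface numbers and policy names (RA-ROUTERS, RA-PREFIXES, RA-UPLINK, RA-HOSTS) are hypothetical; managed-config-flag on assumes the segment uses stateful DHCPv6.

```cisco
! Added example: RA Guard with a router-role policy on the uplink and a
! host-role policy on access ports. All names and addresses are hypothetical.
!
! Link-local source address of the only legitimate router
ipv6 access-list RA-ROUTERS
 permit host FE80::1 any
!
! Prefix that router is allowed to advertise
ipv6 prefix-list RA-PREFIXES seq 10 permit 2001:DB8:10::/64
!
! Uplink policy: RAs are accepted only if they pass every match below
ipv6 nd raguard policy RA-UPLINK
 device-role router
 match ipv6 access-list RA-ROUTERS
 match ra prefix-list RA-PREFIXES
 hop-limit minimum 3
 managed-config-flag on
 router-preference maximum medium
!
! Access-port policy: host role, every RA and Redirect is dropped
ipv6 nd raguard policy RA-HOSTS
 device-role host
!
interface GigabitEthernet1/0/1
 description uplink to router
 ipv6 nd raguard attach-policy RA-UPLINK
!
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ipv6 nd raguard attach-policy RA-HOSTS
!
! Verification
show ipv6 nd raguard policy RA-UPLINK
show ipv6 nd raguard policy RA-HOSTS
show ipv6 snooping capture-policy interface GigabitEthernet1/0/2
```

The host-role policy is the one that matters for security; the router-role policy on the uplink limits the damage if the router itself is misconfigured (wrong prefix, high router preference) but still relies on trusting that port. Do not add trusted-port to RA-UPLINK unless you want the match statements bypassed.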

Example: IPv6 RA Guard Configuration

Attaching ipv6 nd raguard attach-policy without a policy name applies the default RA Guard behaviour (host role, all RAs dropped), which is why the running-config below shows only ipv6 nd raguard on the port.

Device(config)# interface fastethernet 3/13
Device(config-if)# ipv6 nd raguard attach-policy
Device# show running-config interface fastethernet 3/13
 
Building configuration... 
Current configuration : 129 bytes 
! 
interface FastEthernet3/13 
 switchport 
 switchport access vlan 222 
 switchport mode access 
 access-group mode prefer port 
 ipv6 nd raguard 
end

Verify

Device# show ipv6 snooping capture-policy interface ethernet 0/0

Hardware policy registered on Ethernet 0/0
Protocol     Protocol value   Message   Value     Action    Feature
ICMP         58               RS        85        punt      RA Guard
                                                  punt      ND Inspection
ICMP         58               RA        86        drop      RA Guard
                                                  punt      ND Inspection
ICMP         58               NS        87        punt      ND Inspection
ICMP         58               NA        88        punt      ND Inspection
ICMP         58               REDIR     89        drop      RA Guard
                                                  punt      ND Inspection

The Value column is the ICMPv6 type in hex (0x85 = 133 RS, 0x86 = 134 RA, 0x87 = 135 NS, 0x88 = 136 NA, 0x89 = 137 Redirect). On a host-role port the expected result is what is shown here: RA and Redirect are dropped in hardware by RA Guard, while RS, NS and NA are punted for ND Inspection.