IPv6 Last Hope Security
IPv6 First Hop Security
IPv6 addressing is continously growing and replacing legacy IPv4 in campus and datacenter. This new method of addressing devices also introduces new challenges regarding network security.
Several mechanism are available to address those challenges:
IPv6 Prefix Glean / Destination Glean
Inspect ND and DHCP messages. Populates binding table
IPv6 Snooping
Router(config)# ipv6 snooping policy policy1
Router(config-ipv6-snooping)#?
IPv6 snooping policy configuration mode:
data-glean binding recovery by data traffic source address gleaning
default Set a command to its defaults
destination-glean binding recovery by data traffic destination address
gleaning
exit Exit from snooping policy configuration mode
limit Specifies a limit
no Negate a command or set its defaults
prefix-glean Glean prefixes in RA and DHCP-PD traffic
protocol Sets the protocol to glean (default all)
security-level setup security level
tracking Override default tracking behavior
trusted-port setup trusted port
Router(config-ipv6-snooping)#security-level ?
glean Glean addresses
guard inspect and drop un-authorized messages (default)
inspect glean and Validate message
Router(config-ipv6-snooping)# exit
Router(config)# interface Gigabitethernet 0/0/1
Router(config-if)# ipv6 snooping attach-policy policy1
.
.
.
Device# show ipv6 snooping policies interface gigabitethernet 0/0/1
Target Type Policy Feature Target range
Gi0/0/1 PORT my_policy Destination Gu vlan all
Gi0/0/1 PORT policy1 Snooping vlan all
IPv6 Source Guard / Prefix Guard
Router(config)#ipv6 source-guard policy source01
Router(config-sisf-sourceguard)#?
IPv6 sourceguard policy configuration mode:
default Set a command to its defaults
deny Block data traffic
exit Exit from sourceguard policy configuration mode
no Negate a command or set its defaults
permit Allow data traffic
trusted Bridge all data traffic
validate Validate the src of the received data traffic
IPv6 Destination Guard
Router> enable
Router# configure terminal
Router(config)# ipv6 destination-guard policy destination01
Router(config)# interface GigabitEthernet 1
Router(config-if)# ipv6 destination-guard attach-policy destination01
Router# show ipv6 destination-guard policy destination01
Destination guard policy Destination:
enforcement always
Target: Gi1
IPv6 RA Guard
Not avalaible on routers.
Switch(config)#ipv6 nd raguard policy rapolicy
Switch(config-nd-raguard)#?
IPv6 RA guard policy configuration mode:
default Set a command to its defaults
device-role Sets the role of the device attached to the port
exit Exit from RA guard policy configuration mode
hop-limit Enable verification of the advertised Hop count limit
managed-config-flag Enable verification of the advertised M flag
match Match a particular prefix-list or access-list
no Negate a command or set its defaults
other-config-flag Enable verification of the advertised O flag
router-preference Enable verification of the advertised Router Preference
flag
trusted-port Setup trusted port
DHCPv6 Guard
Switch(config)#ipv6 dhcp guard policy dhcpguard01
Switch(config-dhcp-guard)#?
IPv6 dhcp guard policy configuration mode:
default Set a command to its defaults
device-role Sets the role of the device attached to the port
exit Exit from DHCP Guard policy configuration mode
no Negate a command or set its defaults
trusted-port This is a trusted port (no policing)
Switch(config-dhcp-guard)#device-role ?
client Attached device is a client (default)
server Attached device is a dhcp server
Switch(config-dhcp-guard)#device-role server
Switch(config-dhcp-guard)#?
IPv6 dhcp guard policy configuration mode:
default Set a command to its defaults
device-role Sets the role of the device attached to the port
exit Exit from DHCP Guard policy configuration mode
match dhcp filtering
no Negate a command or set its defaults
preference dhcp server advertised preference filter
trusted-port This is a trusted port (no policing)
Switch(config-dhcp-guard)#