IPv6 First Hop Security
General Notes
- Features to increase IPv6 layer 2 security, typically applied on switches
- IPv6 has no broadcast, but every node joins a few well-known link-local multicast groups, so a frame sent to one of them reaches every host on the segment:
- FF02::1 (All IPv6 hosts)
- FF02::2 (All IPv6 routers)
- First-hop security features block the attacks that abuse these groups: rogue RAs and spoofed NS/NA from NDP (sent to FF02::1 and the solicited-node groups), and rogue DHCPv6 servers answering solicits sent to FF02::1:2 (all DHCPv6 relay agents and servers)
Features
- RA Guard
- Inspects RAs and drops any that arrive on a port whose policy role is host; on a router-role port it can also validate the RA contents (hop limit, M/O flags, router preference, advertised prefixes) against the policy
- Does not rely on the binding table
- Caveat: RAs hidden behind fragments or long extension-header chains have evaded RA Guard implementations; RFC 7113 lists what an implementation must inspect, and RFC 6980 makes hosts drop fragmented NDP
- Configured under the interface with
ipv6 nd raguard attach-policy <policy-name>
- DHCP v6 Guard
- The IPv6 counterpart of DHCP snooping: drops DHCPv6 server messages (ADVERTISE, REPLY) arriving on ports whose policy role is client; on server-role ports it can further restrict which server addresses and advertised prefixes are accepted
- Does not rely on the binding table
- Configured under the interface with
ipv6 dhcp guard attach-policy <policy-name>
- IPv6 Snooping
- Builds the IPv6 binding table (address, MAC, port, VLAN) that the following features depend on, by watching NDP and DHCPv6 messages
- security-level glean: populates the binding table without validating messages
- security-level inspect: gleans addresses and validates each message against the table, dropping inconsistent ones
- security-level guard (the default): inspects, and additionally drops RAs and DHCPv6 server messages received on the port
- Configured like:
ipv6 snooping policy <name>
security-level [glean|inspect|guard]
!
int gi0/1
ipv6 snooping attach-policy <name>
- ND inspection
- Inspects NDP messages and drops those whose IPv6 source address already exists in the binding table but bound to a different MAC address, preventing NS/NA spoofing of a known neighbor
- Relies on IPv6 snooping
- Configured with
ipv6 nd inspection
under interfaces
- Source/Prefix Guard
- Source Guard drops data frames whose IPv6 source address is not already in the binding table for that port; Prefix Guard instead checks the source address against the prefixes the switch learned from RAs and DHCPv6 prefix delegation, so a host cannot source traffic from a prefix that is not valid on the segment
- Relies on IPv6 snooping
- Configured with
ipv6 source-guard
under interfaces
Useful show commands
show ipv6 nd raguard policy
- Shows RA Guard policy details
show ipv6 dhcp guard policy
- Shows DHCPv6 Guard policy details
show ipv6 neighbors binding
- Shows the IPv6 binding table
Config
Standard RA Guard Config
ipv6 nd raguard policy <policy-name>
 device-role host
!
int gi0/0
 ipv6 nd raguard attach-policy <policy-name>
!
!This will block all RAs on this port (device-role host)
!The port facing the real router needs a policy with device-role router, or its RAs are dropped as well
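The config above only covers host ports. As an added example (not from the original notes), here is the same RA Guard deployment with a router-facing uplink: host ports drop every RA, while the uplink lets RAs through but validates their contents. The port layout (gi0/1 uplink, gi0/2-24 hosts), the prefix 2001:DB8:10::/64, the prefix-list name and the policy names are assumptions.

```cisco
! Access ports: policy role host, so every RA seen on these ports is dropped
ipv6 nd raguard policy HOST
 device-role host
!
! Uplink to the real router: RAs are allowed, but only if they match what
! this segment should be advertising. The prefix 2001:DB8:10::/64 and the
! list name RA_PREFIXES are assumptions for this example.
ipv6 prefix-list RA_PREFIXES seq 10 permit 2001:DB8:10::/64
!
ipv6 nd raguard policy ROUTER
 device-role router
 ! drop RAs advertising a hop limit below 64
 hop-limit minimum 64
 ! drop RAs that claim high router preference
 router-preference maximum medium
 ! drop RAs whose prefix options are not in RA_PREFIXES
 match ra prefix-list RA_PREFIXES
!
! Assumed port layout: gi0/1 is the uplink, gi0/2-24 are host ports
interface GigabitEthernet0/1
 description uplink to router
 ipv6 nd raguard attach-policy ROUTER
!
interface range GigabitEthernet0/2 - 24
 ipv6 nd raguard attach-policy HOST
!
! Check: both policies and the ports they are attached to
! show ipv6 nd raguard policy HOST
! show ipv6 nd raguard policy ROUTER
```

The policy also supports managed-config-flag and other-config-flag checks; set them only to the values the real router actually sends, otherwise the legitimate RA is dropped along with rogue ones. The content checks on the ROUTER policy are what catches a rogue RA that is injected on the uplink side (for example from a compromised device behind an unmanaged switch), which device-role alone would not.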
Standard DHCP v6 Guard Config
ipv6 dhcp guard policy DHCP_SERVER
 device-role server
ipv6 dhcp guard policy DHCP_CLIENT
 device-role client
!
interface GigabitEthernet 0/1
 ipv6 dhcp guard attach-policy DHCP_SERVER
interface range GigabitEthernet 0/2 - 3
 ipv6 dhcp guard attach-policy DHCP_CLIENT
!
!Server messages (ADVERTISE/REPLY; IPv6 has no DHCPOFFER) are only accepted from the server port
!A rogue DHCPv6 server on gi0/2-3 has its replies dropped
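The notes give the interface commands for IPv6 snooping and Source Guard but no complete policy config. As an added example (not from the original notes), this is a matching "Standard Snooping + Source Guard Config" in the same style: snooping builds and validates the binding table, and source guard enforces it on the data plane. The port layout (gi0/1 uplink, gi0/2-24 hosts), the address-count limit and the policy names are assumptions.

```cisco
! Access ports: build and validate the binding table, and cap how many
! addresses one port may bind (a flood of spoofed NAs would otherwise
! fill the table). The limit of 10 is an assumption; size it for real hosts.
ipv6 snooping policy ACCESS
 security-level guard
 device-role node
 tracking enable
 limit address-count 10
!
! Uplink: bindings learned from behind the next switch are trusted and
! the port is not treated as a host (no RA / DHCPv6 server drops here)
ipv6 snooping policy UPLINK
 device-role switch
 trusted-port
!
! Data-plane check: a frame is forwarded only if its IPv6 source address
! is bound to the ingress port. Link-local sources are permitted so they
! are not gated on a binding.
ipv6 source-guard policy SRC_GUARD
 validate address
 permit link-local
!
! Log bindings being created, changed or removed (an address moving to
! a different MAC is the spoofing signal to watch for)
ipv6 neighbor binding logging
!
! Assumed port layout: gi0/1 uplink, gi0/2-24 host ports
interface GigabitEthernet0/1
 ipv6 snooping attach-policy UPLINK
!
interface range GigabitEthernet0/2 - 24
 ipv6 snooping attach-policy ACCESS
 ipv6 source-guard attach-policy SRC_GUARD
!
! Checks
! show ipv6 snooping policies
! show ipv6 neighbors binding
! show ipv6 source-guard policy SRC_GUARD
```

Attach the snooping policy first and confirm in show ipv6 neighbors binding that the expected hosts have entries before attaching source guard; a host with no binding (for example a quiet server that has not sent NS or DHCPv6 since the switch booted) is dropped until it does. IOS also supports static entries via ipv6 neighbor binding vlan ... for such hosts; the argument order differs between platforms, so check the command reference for yours. With security-level guard the snooping policy already drops RAs and DHCPv6 server messages on these ports, so the RA Guard and DHCPv6 Guard policies earlier in this section are kept for their content checks rather than for the basic drop.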