IPv6 First Hop Security Overview
First Hop Security in IPv6 (FHS IPv6) is a set of IPv6 security features, whose policies can be attached to an interface or a VLAN. The following IPv6 policies are supported:
- DHCPv6 Guard
- IPv6 Router Advertisement (RA) Guard
Overview of DHCPv6 Guard
The DHCPv6 Guard feature blocks DHCPv6 server and relay-agent messages (advertisements and replies) that come from unauthorized sources. It prevents forged messages from being entered in the binding table and drops DHCPv6 server messages that are received on ports not explicitly configured as facing a DHCPv6 server or DHCPv6 relay. To use this feature, configure a policy and attach it to an interface or a VLAN.
To debug DHCPv6 Guard packet handling, use the following privileged EXEC command.
# debug ipv6 snooping dhcp-guard [filter <name>] [interface <interface-id>] [vlan <vlan-id>]
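The following configuration is an added example and is not taken from the original guide. It shows a client-facing policy, a server-facing policy restricted to one known server address, and both ways of attaching a policy (per port and per VLAN). The interface names, VLAN number, policy names, access-list name and server address are assumptions chosen for illustration.

```text
! Added example (not from the original guide). Interface names, VLAN 10, policy
! names, the ACL name and the server address 2001:db8:ffff::53 are assumptions.
!
! Policy for ports that face end hosts. device-role client (the default) means
! any DHCPv6 server or relay message arriving on the port is dropped.
ipv6 dhcp guard policy DHCPV6-CLIENTS
 device-role client
!
! Policy for the uplink toward the legitimate DHCPv6 server or relay.
! The access list limits which server source addresses are accepted.
ipv6 access-list DHCPV6-SERVERS
 permit ipv6 host 2001:db8:ffff::53 any
!
ipv6 dhcp guard policy DHCPV6-SERVER-UPLINK
 device-role server
 match server access-list DHCPV6-SERVERS
!
! Attach per port. Note that EtherChannel ports are not supported.
interface GigabitEthernet1/0/1
 description access port, end host
 switchport access vlan 10
 ipv6 dhcp guard attach-policy DHCPV6-CLIENTS
!
interface GigabitEthernet1/0/48
 description uplink toward DHCPv6 server or relay
 ipv6 dhcp guard attach-policy DHCPV6-SERVER-UPLINK
!
! ... or attach per VLAN, which covers every port carrying that VLAN.
vlan configuration 10
 ipv6 dhcp guard attach-policy DHCPV6-CLIENTS
!
! Verify the policies and watch the drops on one port.
show ipv6 dhcp guard policy DHCPV6-CLIENTS
show ipv6 snooping policies
debug ipv6 snooping dhcp-guard interface GigabitEthernet1/0/1
```

A practical check after deployment: run a rogue DHCPv6 server on a client-facing port in a lab, confirm that the debug output reports the dropped Advertise/Reply messages on that port, and confirm that clients on the VLAN still obtain leases through the uplink.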
Restrictions of DHCPv6 Guard
The DHCPv6 guard feature is not supported on EtherChannel ports.
Overview of IPv6 RA Guard
The IPv6 Router Advertisement (RA) Guard feature enables the network administrator to block or reject unwanted or rogue Router Advertisements that arrive at the network device. Routers use RAs to announce themselves, the on-link prefixes and other configuration parameters on the link; any host that sends RAs, whether malicious or misconfigured, can therefore become the default router for every other host on the segment. The RA Guard feature analyzes incoming RAs and filters out bogus RAs sent by unauthorized devices. In host mode, all router advertisement and router redirect messages are disallowed on the port. In router mode, the Layer 2 device compares its configured policy (for example the permitted source addresses, advertised prefixes, flags and hop limit) with the information found in the received RA frame. Once the Layer 2 device has validated the content of the RA frame or router redirect frame against the configuration, it forwards the message to its unicast or multicast destination. If the frame content does not pass validation, the RA is dropped.
To debug RA Guard packet handling, use the following privileged EXEC command.
# debug ipv6 snooping raguard [filter <name>] [interface <interface-id>] [vlan <vlan-id>]
Limitations and Restrictions of IPv6 RA Guard
- The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled, because the switch inspects only the outer encapsulation and never sees the RA carried inside.
- This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed.
- This feature can be configured on a switch port interface in the ingress direction only; it is not supported in the egress direction.
- This feature supports host mode and router mode.
- This feature is not supported on EtherChannel interfaces or on EtherChannel port members.
- This feature is not supported on trunk ports with merge mode.
- This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs, primary VLAN features are inherited and merged with port features.
- Packets dropped by the IPv6 RA Guard feature can be spanned (mirrored with SPAN to a capture port for analysis).
- If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the IPv6 RA Guard feature cannot be configured and an error message is displayed. That command adds default global Internet Control Message Protocol (ICMP) entries that would override the RA Guard ICMP entries.
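The following configuration is an added example and is not taken from the original guide. It shows the two device roles described above: a host-role policy for access ports, where every RA and redirect is dropped, and a router-role policy for the uplink, where an RA is forwarded only if its source, advertised prefixes, hop limit, M flag and router preference all match the policy. The interface names, VLAN number, policy, prefix-list and access-list names, the router link-local address fe80::1 and the prefix 2001:db8:10::/64 are assumptions chosen for illustration.

```text
! Added example (not from the original guide). Interface names, VLAN 10, policy,
! prefix-list and ACL names, fe80::1 and 2001:db8:10::/64 are assumptions.
!
! Host-facing ports: every RA and router redirect received on the port is dropped,
! so a rogue host cannot become the default router for the segment.
ipv6 nd raguard policy RAGUARD-HOSTS
 device-role host
!
! Uplink to the legitimate router: RAs are forwarded only when they pass all
! of the checks below; anything else is dropped as a rogue or bogus RA.
ipv6 prefix-list RAGUARD-PREFIXES seq 10 permit 2001:db8:10::/64
ipv6 access-list RAGUARD-ROUTERS
 permit ipv6 host fe80::1 any
!
ipv6 nd raguard policy RAGUARD-UPLINK
 device-role router
 match ipv6 access-list RAGUARD-ROUTERS      ! RA source must be the known router
 match ra prefix-list RAGUARD-PREFIXES       ! advertised prefixes must be permitted
 hop-limit minimum 64                        ! RA hop limit below 64 is rejected
 managed-config-flag off                     ! policy expects the M flag clear
 router-preference maximum medium           ! "high" preference RAs are rejected
!
! Attach per port (ingress only; EtherChannel and merge-mode trunks unsupported).
interface GigabitEthernet1/0/1
 description access port, end host
 switchport access vlan 10
 ipv6 nd raguard attach-policy RAGUARD-HOSTS
!
interface GigabitEthernet1/0/48
 description uplink toward the router
 ipv6 nd raguard attach-policy RAGUARD-UPLINK
!
! ... or attach per VLAN, which covers every port carrying that VLAN.
vlan configuration 10
 ipv6 nd raguard attach-policy RAGUARD-HOSTS
!
! Verify the policies and watch the RA decisions on the uplink.
show ipv6 nd raguard policy RAGUARD-UPLINK
show ipv6 snooping policies
debug ipv6 snooping raguard interface GigabitEthernet1/0/48
```

Remember the first restriction above when reading the result: RAs carried inside tunnels (for example 6in4 or GRE) pass through untouched, so hosts that terminate tunnels still need their own RA filtering.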