
New Member

IPv6 Snooping and IPv6 security

We don't run IPv6 in our network, but I'm trying to set up IPv6 security features since modern operating systems prefer IPv6 by default.  I'm looking at IPv6 snooping, and following this document:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6-snooping.html
This document says that IPv6 snooping bundles these features: IPv6 neighbor discovery (ND) inspection, IPv6 address glean, and IPv6 device tracking.  Does that mean if I configure snooping, then I don't have to configure those features individually?  The document seems to show that each feature still needs to be configured individually.  But if that is the case, I don't understand what snooping adds to the picture.

4 REPLIES
Cisco Employee

Hi Kyleevans,

Can you please share on which device you're planning to enable IPv6 snooping?

One more thing: without enabling IPv6 in your network, the device can't build the binding table or the device tracking info.

New Member
They are 3750X and 3850 switches.  Even though we don't support IPv6, computers still have IPv6 enabled individually, so a rogue RA could still assign IPs to devices and communicate with them over IPv6.  We are trying to prevent those types of things from happening.

Cisco Employee

Hi Kyleevans,

If you didn't enable IPv6 on your network, then the 3750/3850 will simply drop the IPv6 packets.

Let's say you enable IPv6 on the network; there is a feature called IPv6 RA Guard.

The IPv6 RA Guard feature provides support for allowing the network administrator to block or reject unwanted or rogue router advertisement (RA) guard messages that arrive at the network device platform.

Please refer to below link for configuration:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3se/3850/ip6f-xe-3se-3850-book/ip6-ra-guard.html
New Member
I ended up opening a ticket with TAC to ask this question.  Basically, you do have to enable those features individually, and snooping by itself is used to build the binding table used by the other features.  Here is the config I ended up using, which enables a bunch of layer-2 security features for both IPv4 and IPv6:

Configuration:

Global:

ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
ipv6 nd raguard policy kyle-raguard
 device-role host
ipv6 snooping policy kyle-ipv6-snooping
 data-glean
ipv6 nd inspection policy kyle-ndinspection
 drop-unsecure
 device-role host
ipv6 neighbor tracking
ipv6 source-guard policy kyle-ipv6-source-guard
 permit link-local
 deny global-autoconf
ipv6 dhcp guard policy kyle-dhcp6guard
 device-role client
Trusted port/uplink:

ip dhcp snooping trust
Regular user port:

 ip arp inspection limit rate 15 burst interval 10
 ipv6 nd raguard attach-policy kyle-raguard
 ipv6 snooping attach-policy kyle-ipv6-snooping
 ipv6 nd inspection attach-policy kyle-ndinspection
 ipv6 source-guard attach-policy kyle-ipv6-source-guard
 ipv6 dhcp guard attach-policy kyle-dhcp6guard
 storm-control broadcast level pps 1k
 ip verify source
 ip dhcp snooping limit rate 10

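The TAC answer above comes down to a consistency rule: the snooping policy must be attached wherever the RA guard, ND inspection, source guard and DHCPv6 guard policies are attached, because those features consume the binding table that snooping builds, and every attach-policy must name a policy that is actually defined globally. The following Python script is an added example (not part of the thread and not a Cisco tool) that audits a running-config for exactly that: it parses the global policy definitions and the per-interface attach-policy lines, skips ports you declare as trusted uplinks, and reports any user port that is missing an attach-policy or references an undefined policy. The sample config embedded below is constructed for the demonstration; it reuses the policy names from the post but the interface names and the deliberate mistakes on Gi1/0/2 and Gi1/0/3 are made up.

```python
"""Audit a Cisco IOS running-config for consistent IPv6 first-hop security
attach-policies.  Added example; the config text below is constructed for
the demonstration and is not from a real switch."""

# Interface-level attach commands every user-facing port should carry, mapped
# to the global section that must define the referenced policy.  Snooping is
# listed first because it builds the binding table the other four rely on.
REQUIRED = {
    "ipv6 snooping attach-policy": "ipv6 snooping policy",
    "ipv6 nd raguard attach-policy": "ipv6 nd raguard policy",
    "ipv6 nd inspection attach-policy": "ipv6 nd inspection policy",
    "ipv6 source-guard attach-policy": "ipv6 source-guard policy",
    "ipv6 dhcp guard attach-policy": "ipv6 dhcp guard policy",
}

# Constructed sample running-config (not a real device's output).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
ip dhcp snooping
ipv6 nd raguard policy kyle-raguard
 device-role host
ipv6 snooping policy kyle-ipv6-snooping
 data-glean
ipv6 nd inspection policy kyle-ndinspection
 drop-unsecure
 device-role host
ipv6 source-guard policy kyle-ipv6-source-guard
 permit link-local
 deny global-autoconf
ipv6 dhcp guard policy kyle-dhcp6guard
 device-role client
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ipv6 nd raguard attach-policy kyle-raguard
 ipv6 snooping attach-policy kyle-ipv6-snooping
 ipv6 nd inspection attach-policy kyle-ndinspection
 ipv6 source-guard attach-policy kyle-ipv6-source-guard
 ipv6 dhcp guard attach-policy kyle-dhcp6guard
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 ipv6 nd raguard attach-policy kyle-raguard
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 ipv6 snooping attach-policy kyle-ipv6-snooping
 ipv6 nd raguard attach-policy raguard-typo
 ipv6 nd inspection attach-policy kyle-ndinspection
 ipv6 source-guard attach-policy kyle-ipv6-source-guard
 ipv6 dhcp guard attach-policy kyle-dhcp6guard
!
interface GigabitEthernet1/0/48
 description uplink
 ip dhcp snooping trust
!
"""


def parse_config(text):
    """Split an IOS config into (policies, interfaces).
    policies maps a global section such as 'ipv6 nd raguard policy' to the
    set of policy names defined under it; interfaces maps an interface name
    to its list of (stripped) sub-commands."""
    policies = {}
    interfaces = {}
    current_if = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current_if = None          # '!' or blank line ends the current block
            continue
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            interfaces[current_if] = []
            continue
        if line.startswith(" "):       # indented line: belongs to the open block
            if current_if is not None:
                interfaces[current_if].append(line.strip())
            continue                   # policy sub-commands are not needed here
        current_if = None              # any other top-level line closes an interface
        for section in REQUIRED.values():
            if line.startswith(section + " "):
                policies.setdefault(section, set()).add(line[len(section) + 1:])
    return policies, interfaces


def audit(text, trusted=()):
    """Return {interface: [finding, ...]} for every interface (other than the
    declared trusted uplinks) that lacks a required attach-policy or names a
    policy that is not defined globally."""
    policies, interfaces = parse_config(text)
    findings = {}
    for name, lines in interfaces.items():
        if name in trusted:
            continue
        problems = []
        for cmd, section in REQUIRED.items():
            attached = [l for l in lines if l.startswith(cmd + " ")]
            if not attached:
                problems.append(f"missing '{cmd}'")
                continue
            policy_name = attached[0][len(cmd) + 1:]
            if policy_name not in policies.get(section, set()):
                problems.append(f"'{cmd} {policy_name}' references undefined policy")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in audit(SAMPLE_CONFIG, trusted=("GigabitEthernet1/0/48",)).items():
        print(iface)
        for p in problems:
            print("  -", p)
```

Feed it the output of `show running-config` and the list of your uplinks; a clean run prints nothing. Because the snooping attach-policy is checked first, a port that has RA guard but no snooping shows up at the top of its findings, which is the exact gap the original question was about.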