Chapter 3
Configuring IPv6
Configuring IPv6 Packet Verification
Cisco NX-OS supports Intrusion Detection System (IDS) checks that verify IPv6 packets.
You can enable or disable each of these IDS checks.
To enable IDS checks, use the following commands in global configuration mode:
Command: hardware ip verify address {destination zero | identical | reserved | source multicast}
Purpose: Performs the following IDS checks on the IPv6 address:
  • destination zero—Drops IPv6 packets if the destination IP address is ::.
  • identical—Drops IPv6 packets if the source IPv6 address is identical to the destination IPv6 address.
  • reserved—Drops IPv6 packets if the IPv6 address is in the ::1 range.
  • source multicast—Drops IPv6 packets if the IPv6 source address is in the FF00::/8 range (multicast).

Command: hardware ip verify checksum
Purpose: Drops IPv6 packets if the packet checksum is invalid.

Command: hardware ip verify fragment
Purpose: Drops IPv6 packets if the packet fragment has a nonzero offset and the DF bit is active.

Command: hardware ipv6 verify length {consistent | maximum {max-frag | max-tcp | udp}}
Purpose: Performs the following IDS checks on the IPv6 address:
  • consistent—Drops IPv6 packets where the Ethernet frame size is greater than or equal to the IPv6 packet length plus the Ethernet header.
  • maximum max-frag—Drops IPv6 packets if the formula (IPv6 Payload Length – IPv6 Extension Header Bytes) + (Fragment Offset * 8) is greater than 65536.
  • maximum max-tcp—Drops IPv6 packets if the TCP length is greater than the IP payload length.
  • maximum udp—Drops IPv6 packets if the IPv6 payload length is less than the UDP packet length.

Command: hardware ipv6 verify tcp tiny-frag
Purpose: Drops TCP packets if the IPv6 fragment offset is 1, or if the IPv6 fragment offset is 0 and the IP payload length is less than 16.

Command: hardware ipv6 verify version
Purpose: Drops IPv6 packets if the ethertype is not set to 6 (IPv6).

Use the show hardware forwarding ip verify command to display the IPv6 packet verification configuration.

OL-20002-02
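The following Python model is an added example, not Cisco code and not part of the original guide. It applies the address, version, max-frag, tiny-frag and udp drop conditions exactly as the table words them to raw IPv6 packets, so you can predict which traffic a given check will discard before enabling it. Assumptions: the function and helper names are hypothetical, the sample packets are constructed, "reserved" is applied to both source and destination, the version check reads the IPv6 header's version field, and only a Fragment header placed directly after the base header is parsed.

```python
import ipaddress
import struct

def ids_drop_reasons(pkt: bytes) -> list:
    """Names of the table's checks that a raw IPv6 packet (no Ethernet header) fails."""
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-byte IPv6 base header")
    vtf, payload_len, nxt, _hop = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    reasons = []
    if vtf >> 28 != 6:
        reasons.append("version")
    if dst == ipaddress.IPv6Address("::"):
        reasons.append("address destination zero")
    if src == dst:
        reasons.append("address identical")
    if src.is_loopback or dst.is_loopback:  # ::1 (assumed to cover either address)
        reasons.append("address reserved")
    if src.is_multicast:  # FF00::/8
        reasons.append("address source multicast")
    # Assumption: only a Fragment header (next header 44) right after the base header.
    ext_bytes, frag_off, l4 = 0, 0, 40
    if nxt == 44 and len(pkt) >= 48:
        nxt, _rsvd, off_flags, _ident = struct.unpack("!BBHI", pkt[40:48])
        ext_bytes, frag_off, l4 = 8, off_flags >> 3, 48
    if (payload_len - ext_bytes) + frag_off * 8 > 65536:
        reasons.append("length maximum max-frag")
    if nxt == 6 and (frag_off == 1 or (frag_off == 0 and payload_len < 16)):
        reasons.append("tcp tiny-frag")
    if nxt == 17 and frag_off == 0 and len(pkt) >= l4 + 8:
        udp_len = struct.unpack("!H", pkt[l4 + 4:l4 + 6])[0]
        if payload_len < udp_len:
            reasons.append("length maximum udp")
    return reasons

def build(src, dst, nxt, payload=b"", version=6):
    """Constructed test packet: 40-byte base header followed by payload."""
    hdr = struct.pack("!IHBB", version << 28, len(payload), nxt, 64)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + addrs + payload

def frag_hdr(next_header, offset_units):
    """Constructed 8-byte Fragment header; offset is in 8-byte units."""
    return struct.pack("!BBHI", next_header, 0, offset_units << 3, 0x1234)

A, B = "2001:db8::1", "2001:db8::2"  # documentation-prefix addresses (constructed)
if __name__ == "__main__":
    print(ids_drop_reasons(build("ff02::1", B, 59)))
    print(ids_drop_reasons(build(A, B, 44, frag_hdr(6, 1) + bytes(8))))
```

The checksum, fragment, consistent and max-tcp conditions are not modeled because they need fields outside the IPv6 and Fragment headers parsed here.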
Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.x