Chapter 1
Product Overview
These attacks can come from malicious or mis-configured users and could result in severe disruption to
users of the Layer 2 domain and to the network in general.
The following features are supported:
• DAD Proxy
• Data Glean
• Destination Guard
• IPv6 Snooping (DHCP Data Gleaning, per-limit Address Limit)
• IPv6 Address Glean
• IPv6 Device Tracking
• Lightweight DHCPv6 Relay Agent (LDRA)
• NDP Inspection
• Per ND Cache Limit
• Per Port Address Limit
• Source and Prefix Guard
Note IPv6 LDRA is the only FHS feature supported on EtherChannels.

Note Configuring IPv6 FHS on secondary VLANs is not allowed; they inherit the policy from the primary VLAN configuration. Whatever policy is applied on the primary VLAN is programmed automatically on the associated secondary VLANs. The policy applied on the port, however, always overrides the VLAN-level configuration.
The following caveats apply to Data Glean, Prefix Guard, and Source Guard enabled on a Catalyst 4500 series switch:
• First Hop Security (FHS) cannot be configured on the same port or VLAN as 802.1X (dot1x), because the latter asserts control over the MAC table and FHS requires similar control to admit only valid NDP or DHCPv6 hosts.
• If Unicast Reverse Path Forwarding (uRPF) is configured on the switch and FHS is enabled, the Forward Lookup CAM is populated with routes from both FHS and uRPF. Packets that would normally fail the uRPF check are admitted provided they pass the Source Guard or Prefix Guard check.
• If a Data Glean policy and a Source Guard (or Prefix Guard) policy are applied such that the VLAN policy and the port policy differ, neither the VLAN policy nor the port policy is effective.
• All ICMPv6 and DHCPv6 control packets are permitted even when Source Guard or Prefix Guard is enabled.
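The following configuration is added here as an illustration and is not taken from this guide. It shows one way to deploy Data Glean together with Source Guard and Prefix Guard on a Catalyst 4500 while staying within the caveats above: the same snooping and source-guard policies are attached at both the VLAN level and the port level, 802.1X is kept off the FHS port, and no FHS policy other than LDRA is placed on a port-channel. VLAN 10, the policy names FHS-SNOOP and FHS-SG, and the interface number are assumptions; confirm the policy subcommands against the command reference for your release.

```cisco
! Added example, not from this guide. VLAN 10, policy names and interface
! numbers are assumptions used for illustration only.
!
! Snooping policy: builds the binding table from DHCPv6 and NDP, and with
! data-glean also from the source addresses of forwarded data traffic.
ipv6 snooping policy FHS-SNOOP
 device-role node
 security-level guard
 tracking enable
 data-glean
 limit address-count 10
!
! Source-guard policy: "validate address" enables Source Guard and
! "validate prefix" enables Prefix Guard. Link-local sources are permitted
! so that NDP keeps working; ICMPv6 and DHCPv6 control traffic is permitted
! by the switch regardless (see the caveats above).
ipv6 source-guard policy FHS-SG
 validate address
 validate prefix
 permit link-local
!
! Attach the policies at the VLAN level ...
vlan configuration 10
 ipv6 snooping attach-policy FHS-SNOOP
 ipv6 source-guard attach-policy FHS-SG
!
! ... and attach the SAME policies at the port level. If the VLAN and port
! policies for Data Glean and Source/Prefix Guard differ, neither is
! effective on this platform, so the names must match.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 ipv6 snooping attach-policy FHS-SNOOP
 ipv6 source-guard attach-policy FHS-SG
 ! Do not add "authentication port-control auto" or "dot1x pae
 ! authenticator" on this port: FHS and 802.1X cannot share a port.
!
! Port-channel uplink toward the DHCPv6 server: LDRA is the only FHS
! feature supported on EtherChannels, so no snooping or source-guard
! policy is attached here.
interface Port-channel1
 switchport mode trunk
!
! Verification (exec mode):
!   show ipv6 snooping policies
!   show ipv6 source-guard policy FHS-SG
!   show ipv6 neighbors binding
```

After a host obtains an address, show ipv6 neighbors binding should list its MAC, IPv6 address, VLAN and port; traffic from that host sourced from an address that is not in the binding table (and not link-local) is dropped by Source Guard, and traffic from an address outside a gleaned prefix is dropped by Prefix Guard.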
For a brief overview of FHS, see the URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/aag_c45-707354.pdf
For detailed information on how to implement FHS, see the URL:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-4t/ip6-first-hop-security.html
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Security Features
1-39