ipv6

Configures IPv6 components on this firewall policy

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|
strict-ext-hdr-check|unknown-options]
ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|
log-and-drop|log-only]
ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] 
[drop-only|log-and-drop|log-only]
ipv6 option {endpoint-identification|network-service-access-point|router-alert|
strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]
ipv6 [firewall enable|rewrite-flow-label]

Parameters

ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} 
[drop-only|log-and-drop|log-only]
dos Identifies IPv6 events as DoS events
hop-limit-zero Optional. Enables checking of the IPv6 hop limit field. A packet whose hop limit field is ZERO (0) is treated as an attack. This option is enabled by default.
multicast-icmpv6 Optional. Enables detection of multicast ICMPv6 traffic as an attack. This option applies only to ICMPv6 Echo request and Echo reply packets. This option is enabled by default.
tcp-intercept-mobility Optional. Enables detection of IPv6 TCP packets carrying the mobility option HAO (Home Address Option) or a Routing Header (RH) of type 2. When enabled, this option also applies the "don't generate TCP SYN cookies" handling to such packets. This option is enabled by default.
drop-only This parameter is common to all of the above keywords.

Drops the packet without logging. Applies to the specified packet type (hop-limit-zero, multicast-icmpv6, or tcp-intercept-mobility).

log-and-drop Logs the event and drops the packet. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, or tcp-intercept-mobility) and logs an event.
log-only Logs the event only; the packet is not dropped. Does not drop the specified packet type (hop-limit-zero, multicast-icmpv6, or tcp-intercept-mobility), but logs an event. Matching traffic is still forwarded, so use this only while baselining a policy.
log-level Optional. Used after the log-and-drop or log-only action to set the severity at which the event is logged (for example, ipv6 dos hop-limit-zero log-and-drop log-level notifications). The options are:
  • <0-7> – Sets the numeric logging level
  • alerts – Numerical severity 1. Indicates a condition where immediate action is required
  • critical – Numerical severity 2. Indicates a critical condition
  • debugging – Numerical severity 7. Debugging messages
  • emergencies – Numerical severity 0. System is unusable
  • errors – Numerical severity 3. Indicates an error condition
  • informational – Numerical severity 6. Indicates an informational condition
  • notifications – Numerical severity 5. Indicates a normal but significant condition
  • warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.
ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] 
[drop-only|log-and-drop|log-only]
duplicate-options Enables handling of duplicate options in hop-by-hop and destination options extension headers. This check excludes HAO (Home Address Option) handling, which is covered by ipv6 option strict-hao-opt-alert. This option is enabled by default.
routing-type [one|two] Enables checking of the following IPv6 routing header types:
  • one – Routing Type 1 (Nimrod routing). This option is disabled by default.
  • two – Routing Type 2 (Mobile IPv6). This option is disabled by default.
strict-ext-hdr-check Enables strict checking of extension header order and of the number of times each extension header occurs. This option is enabled by default.
unknown-options Enables handling of unknown options in hop-by-hop and destination options extension headers. This option is enabled by default.
drop-only This parameter is common to all of the above keywords.

Drops the packet without logging if it matches any of the above specified types.

log-and-drop Logs the event and drops the packet. Drops the packet, if matching any of the above specified types, and logs an event.
log-only Logs the event only; the packet is not dropped. Does not drop the packet, if matching any of the above specified types, but logs an event.
log-level Optional. Used after the log-and-drop or log-only action to set the severity at which the event is logged (for example, ipv6 routing-type two log-and-drop log-level warnings). The options are:
  • <0-7> – Sets the numeric logging level
  • alerts – Numerical severity 1. Indicates a condition where immediate action is required
  • critical – Numerical severity 2. Indicates a critical condition
  • debugging – Numerical severity 7. Debugging messages
  • emergencies – Numerical severity 0. System is unusable
  • errors – Numerical severity 3. Indicates an error condition
  • informational – Numerical severity 6. Indicates an informational condition
  • notifications – Numerical severity 5. Indicates a normal but significant condition
  • warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.
ipv6 option {endpoint-identification|network-service-access-point|router-alert|
strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]
option Enables checking for the following IPv6 extension header options:
  • endpoint-identification – Endpoint identification option (disabled by default)
  • network-service-access-point – Network service access point (NSAP) address option (disabled by default)
  • router-alert – Router alert option (disabled by default)
  • strict-hao-opt-alert – Home address option in the destination options extension header (enabled by default)
  • strict-padding – Pad1 and PadN option validation (enabled by default)

All of these are optional parameters. If no option is specified, the system enables checks as per the default values.

drop-only This parameter is common to all of the above keywords.

Drops the packet without logging if it matches any of the above specified "option" types.

log-and-drop Logs the event and drops the packet. Drops the packet, if matching any of the above specified "option" types, and logs an event.
log-only Logs the event only; the packet is not dropped. Does not drop the packet, if matching any of the above specified "option" types, but logs an event.
log-level Optional. Used after the log-and-drop or log-only action to set the severity at which the event is logged. The options are:
  • <0-7> – Sets the numeric logging level
  • alerts – Numerical severity 1. Indicates a condition where immediate action is required
  • critical – Numerical severity 2. Indicates a critical condition
  • debugging – Numerical severity 7. Debugging messages
  • emergencies – Numerical severity 0. System is unusable
  • errors – Numerical severity 3. Indicates an error condition
  • informational – Numerical severity 6. Indicates an informational condition
  • notifications – Numerical severity 5. Indicates a normal but significant condition
  • warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.
ipv6 [firewall enable|rewrite-flow-label]
firewall enable Enables IPv6 firewall. This option is enabled by default.
rewrite-flow-label Rewrites the IPv6 flow label field of every packet. This option is disabled by default.
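To make the keywords above concrete, the following Python classifier applies the dos, routing-type, duplicate-options, unknown-options, strict-ext-hdr-check and option checks to raw IPv6 packets. It is an added example, not WiNG code: the numeric header and option values come from the RFCs named in the docstring, the packets are constructed test data, and since the page does not state the exact conditions the firewall evaluates, each rule (for instance, how "out of order" is judged, or that strict-padding means non-zero PadN bytes) is this example's reading of the keyword description.

```python
"""Added example, not WiNG code: a stand-alone classifier applying the checks the
ipv6 firewall-policy keywords describe to raw IPv6 packets. Header/option numbers
are from RFC 8200, 2711, 1888 and 6275; each rule is this example's own reading."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, TCP, ICMPV6 = 0, 43, 44, 60, 6, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
PAD1, PADN, ROUTER_ALERT, ENDPOINT_ID, NSAP_ADDR, HOME_ADDR = 0, 1, 5, 0x8A, 0xC3, 0xC9
OPTION_KEYWORD = {ROUTER_ALERT: "router-alert", ENDPOINT_ID: "endpoint-identification",
                  NSAP_ADDR: "network-service-access-point", HOME_ADDR: "strict-hao-opt-alert"}
ORDER_RANK = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3}   # RFC 8200 recommended order

def _walk_options(data, findings):
    """Parse one TLV option block (hop-by-hop or destination options body)."""
    seen, i = [], 0
    while i < len(data):
        t = data[i]
        if t == PAD1:                        # one-byte pad, no length field
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            findings.add("truncated-option")
            break
        body = data[i + 2:i + 2 + data[i + 1]]
        if t == PADN:
            if any(body):                    # strict-padding: PadN bytes must be zero
                findings.add("strict-padding")
        elif t in OPTION_KEYWORD:
            findings.add(OPTION_KEYWORD[t])
        else:
            findings.add("unknown-options")
        if t in seen and t not in (PADN, HOME_ADDR):   # duplicate-options excludes HAO
            findings.add("duplicate-options")
        seen.append(t)
        i += 2 + len(body)
    return set(seen)

def classify(pkt):
    """Return the set of firewall-policy checks a raw IPv6 packet would trigger."""
    findings = set()
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"not-ipv6"}
    nxt, hop, dst = pkt[6], pkt[7], pkt[24:40]
    if hop == 0:                             # ipv6 dos hop-limit-zero
        findings.add("hop-limit-zero")
    off, ranks, counts, mobility = 40, [], {}, False
    while nxt in EXT_HEADERS:
        hlen = 8 if nxt == FRAGMENT or off + 2 > len(pkt) else (pkt[off + 1] + 1) * 8
        hdr = pkt[off:off + hlen]
        if len(hdr) < hlen:
            findings.add("truncated-ext-hdr")
            return findings
        # destination options rank 1 before a routing/fragment header, 4 after it
        ranks.append(ORDER_RANK.get(nxt, 4 if ROUTING in counts or FRAGMENT in counts else 1))
        counts[nxt] = counts.get(nxt, 0) + 1
        if nxt == ROUTING:
            rtype = hdr[2]
            if rtype in (1, 2):              # ipv6 routing-type one|two
                findings.add("routing-type-" + ("one", "two")[rtype - 1])
            mobility |= rtype == 2
        elif nxt in (HOP_BY_HOP, DEST_OPTS):
            opts = _walk_options(hdr[2:], findings)
            mobility |= nxt == DEST_OPTS and HOME_ADDR in opts
        nxt, off = hdr[0], off + hlen
    # ipv6 strict-ext-hdr-check: out-of-order headers or too many occurrences
    if ranks != sorted(ranks) or counts.get(DEST_OPTS, 0) > 2 or any(
            n > 1 for h, n in counts.items() if h != DEST_OPTS):
        findings.add("strict-ext-hdr-check")
    if nxt == ICMPV6 and off < len(pkt) and pkt[off] in (128, 129) and dst[0] == 0xFF:
        findings.add("multicast-icmpv6")     # echo request/reply to a multicast group
    if nxt == TCP and mobility:              # TCP carrying HAO or RH type 2
        findings.add("tcp-intercept-mobility")
    return findings

def ipv6(next_header, payload, hop=64, dst=None):
    """Minimal IPv6 packet; constructed addresses from the 2001:db8::/32 documentation prefix."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "02")
    dst = dst or bytes.fromhex("20010db8" + "00" * 11 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop) + src + dst + payload

ECHO_REQUEST, TCP_HDR = bytes([128, 0, 0, 0, 0, 0, 0, 0]), bytes(20)
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")
SAMPLES = {                                  # constructed packets, one per check
    "clean": ipv6(ICMPV6, ECHO_REQUEST),
    "hop0": ipv6(ICMPV6, ECHO_REQUEST, hop=0),
    "mcast-echo": ipv6(ICMPV6, ECHO_REQUEST, dst=ALL_NODES),
    # routing header type 2 (24 bytes, home address zeroed) followed by TCP
    "rh2-tcp": ipv6(ROUTING, bytes([TCP, 2, 2, 1, 0, 0, 0, 0]) + bytes(16) + TCP_HDR),
    # destination options carrying two router-alert options, PadN-filled to 16 bytes
    "dup-alert": ipv6(DEST_OPTS, bytes([TCP, 1, 5, 2, 0, 0, 5, 2, 0, 0, 1, 4, 0, 0, 0, 0]) + TCP_HDR),
    # unknown option type 0x1e plus a PadN whose pad byte is non-zero
    "bad-opts": ipv6(DEST_OPTS, bytes([TCP, 0, 0x1E, 0, 1, 2, 0, 1]) + TCP_HDR),
    # destination options placed ahead of hop-by-hop: out of RFC 8200 order
    "misordered": ipv6(DEST_OPTS, bytes([HOP_BY_HOP, 0, 1, 4, 0, 0, 0, 0])
                       + bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + TCP_HDR),
}

def classify_samples():
    """Map each constructed sample to the checks it triggers (empty set = clean)."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}
```

Running classify_samples() shows one keyword firing per crafted packet and nothing for the clean echo request; the rh2-tcp sample fires both routing-type two and tcp-intercept-mobility, which is why the page lists RH type 2 under both keywords.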

Examples

nx9500-6C8809(config-fw-policy-testFW)#ipv6 dos hop-limit-zero drop-only
nx9500-6C8809(config-fw-policy-testFW)#ipv6 routing-type two log-and-drop log-level warnings
nx9500-6C8809(config-fw-policy-testFW)#show context
firewall-policy testFW
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
 alg facetime
 dns-snoop entry-timeout 1200
nx9500-6C8809(config-fw-policy-testFW)#
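Because show context prints only the lines that differ from the defaults, reviewing a policy dump by eye is error-prone. The Python script below is an added example (not WiNG code) that parses the ipv6 lines of a firewall-policy from a show context dump, fills in the defaults listed in the Parameters section, and lists the checks a reviewer would question: checks left disabled and checks set to log-only. It assumes the "no ipv6 ..." form disables a check (the page only says no resets the IPv6 components); the sample dump is the page's example trimmed, plus a constructed router-alert line and a second constructed policy.

```python
"""Added example, not WiNG code: audit the ipv6 settings of a firewall-policy as
printed by show context, using the defaults listed on this page. The 'no ipv6 ...'
form is assumed to disable a check; the sample dump is constructed."""

DEFAULT_ON = {"dos hop-limit-zero", "dos multicast-icmpv6", "dos tcp-intercept-mobility",
              "duplicate-options", "strict-ext-hdr-check", "unknown-options",
              "option strict-hao-opt-alert", "option strict-padding", "firewall enable"}
DEFAULT_OFF = {"routing-type one", "routing-type two", "option endpoint-identification",
               "option network-service-access-point", "option router-alert",
               "rewrite-flow-label"}
ACTIONS = ("drop-only", "log-and-drop", "log-only")

def parse_ipv6_settings(dump, policy):
    """Return {check: (state, action)} for one firewall-policy in a show context dump."""
    settings = {c: ("on", None) for c in DEFAULT_ON}
    settings.update({c: ("off", None) for c in DEFAULT_OFF})
    inside = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("firewall-policy "):
            inside = line.split()[1] == policy
            continue
        if not inside or not line.startswith(("ipv6 ", "no ipv6 ")):
            continue
        negated = line.startswith("no ")
        toks = line.split()[2 if negated else 1:]
        # tokens before the action keyword name the check; log-level follows the action
        idx = next((i for i, t in enumerate(toks) if t in ACTIONS), len(toks))
        check = " ".join(toks[:idx])
        action = toks[idx] if idx < len(toks) else None
        settings[check] = ("off", None) if negated else ("on", action)
    return settings

def audit(settings):
    """List settings a reviewer would question: disabled checks and log-only actions."""
    issues = []
    if settings["firewall enable"][0] == "off":
        issues.append("firewall enable: IPv6 firewall disabled, no IPv6 checks apply")
    for check, (state, action) in sorted(settings.items()):
        if check in ("firewall enable", "rewrite-flow-label"):
            continue                         # not packet checks; reported separately
        if state == "off":
            issues.append(f"{check}: disabled")
        elif action == "log-only":
            issues.append(f"{check}: log-only, matching packets are forwarded")
    return issues

SAMPLE_DUMP = """\
firewall-policy testFW
 ip dos fraggle drop-only
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
 ipv6 option router-alert log-only
 alg facetime
firewall-policy other
 ipv6 routing-type one drop-only
 no ipv6 firewall enable
"""

if __name__ == "__main__":
    for issue in audit(parse_ipv6_settings(SAMPLE_DUMP, "testFW")):
        print(issue)
```

For testFW the audit reports the three option checks and routing-type one that are still at their disabled defaults, and the constructed router-alert line as log-only; for the policy other it leads with the disabled IPv6 firewall, which makes every other ipv6 setting moot.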

Related Commands

no Resets this firewall policy's IPv6 components