ipv6

Configures IPv6 components on this firewall policy

Supported on the following devices:

Access Points: AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
Service Platforms: NX5500, NX7500, NX9500, NX9600
Virtual Platforms: CX9000, VX9000

Syntax

ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|
strict-ext-hdr-check|unknown-options]

ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|
log-and-drop|log-only]

ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] 
[drop-only|log-and-drop|log-only]

ipv6 option {endpoint-identification|network-service-access-point|router-alert|
strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]

ipv6 [firewall enable|rewrite-flow-label]

Parameters

ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} 
[drop-only|log-and-drop|log-only]


dos	Identifies IPv6 events as DoS events
hop-limit-zero	Optional. Enables checking of IPv6 hop limit field. If the IPv6 hop limit field is ZERO (0) it is considered as attack. This option is enabled by default.
multicast-icmpv6	Optional. Enables detection of multicast ICMPv6 traffic as attack. This option is applicable only to ICMPv6 Echo request or reply packets. This option is enabled by default.
tcp-intercept-mobility	Optional. Enables detection of IPv6 TCP packets with mobility option "HAO(Home-Address-Option)" or "RH(Routing Header) type two". When enabled, this option also detects the “don't generate TCP syn cookies” for such packets. This option is enabled by default.
drop-only	This parameter is common to all of the above keywords. Drops all packets. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility).
log-and-drop	Logs the event and drops the packet. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility) and logs an event.
log-only	Logs the event only, the packet is not dropped. Does not drop the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility). But, an event is logged.
log-level	If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are: <0-7> – Sets the numeric logging level alerts – Numerical severity 1. Indicates a condition where immediate action is required critical – Numerical severity 2. Indicates a critical condition debugging – Numerical severity 7. Debugging messages emergencies – Numerical severity 0. System is unusable errors – Numerical severity 3. Indicates an error condition informational – Numerical severity 6. Indicates a informational condition notifications – Numerical severity 5. Indicates a normal but significant condition warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] 
[drop-only|log-and-drop|log-only]


duplicate-options	Enables handling of duplicate options in hop-by-hop and destination option extension headers. This configuration excludes HAO handling. This option is enabled by default.
routing-type [one\|two]	Enables checking of the following IPv6 routing types: one – Routing Type 1(Nimrod routing). This option is disabled by default. two – Routing Type 2(Mobile IP). This option is disabled by default.
strict-ext-hdr-check	Enables strict checking for out of order and number of occurrences of extension header. This option is enabled by default.
unknown-options	Enables handling unknown options in hop-by-hop and destination option extension headers. This option is enabled by default.
drop-only	This parameter is common to all of the above keywords. Drops all packets. Drops the packet if matching any of the above specified types.
log-and-drop	Logs the event and drops the packet. Drops the packet, if matching any of the above specified types, and logs an event.
log-only	Logs the event only, the packet is not dropped. Does not drop the packet, if matching any of the above specified types. But an event is logged.
log-level	If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are: <0-7> – Sets the numeric logging level alerts – Numerical severity 1. Indicates a condition where immediate action is required critical – Numerical severity 2. Indicates a critical condition debugging – Numerical severity 7. Debugging messages emergencies – Numerical severity 0. System is unusable errors – Numerical severity 3. Indicates an error condition informational – Numerical severity 6. Indicates a informational condition notifications – Numerical severity 5. Indicates a normal but significant condition warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

ipv6 option {endpoint-identification|network-service-access-point|router-alert|
strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only


option	Enables checking for the following ipv6 extension header options: End point identification option (disabled by default) Network service access point address option (disabled by default) Router alert option (disabled by default) Home address option in destination option extension header (enabled by default) Pad1 and PadN options validating (enabled by default) All of these are optional parameters. If no option is specified, the system enables checks as per the default values.
drop-only	This parameter is common to all of the above keywords. Drops all packets. Drops the packet if matching any of the above specified “option” types.
log-and-drop	Logs the event and drops the packet. Drops the packet, if matching any of the above specified “option” types, and logs an event.
log-only	Logs the event only, the packet is not dropped. Does not drop the packet, if matching any of the above specified “option” types. But an event is logged.
log-level	If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are: <0-7> – Sets the numeric logging level alerts – Numerical severity 1. Indicates a condition where immediate action is required critical – Numerical severity 2. Indicates a critical condition debugging – Numerical severity 7. Debugging messages emergencies – Numerical severity 0. System is unusable errors – Numerical severity 3. Indicates an error condition informational – Numerical severity 6. Indicates a informational condition notifications – Numerical severity 5. Indicates a normal but significant condition warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

ipv6 [firewall enable|rewrite-flow-label]


firewall enable	Enables IPv6 firewall. This option is enabled by default.
rewrite-flow-label	Rewrites the IPv6 flow label field of every packet. This option is disabled by default.

Examples

nx9500-6C8809(config-fw-policy-testFW)#ipv6 dos hop-limit-zero drop-only

nx9500-6C8809(config-fw-policy-testFW)#ipv6 routing-type two log-and-drop log-level warnings

nx9500-6C8809(config-fw-policy-testFW)#show context
firewall-policy testFW
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
 alg facetime
 dns-snoop entry-timeout 1200
nx9500-6C8809(config-fw-policy-testFW)#

Related Commands


no	Resets this firewall policy‘s IPv6 components