07-10-2025 11:05 AM
Good morning
I have several Cisco 3560-CX 12 and 16 port switches. When using IPv4 we simply used the command "show ip device tracking all" to find the IP for each device when troubleshooting, but there does not seem to be an IPv6 equivalent. I found suggestions to use "show ipv6 neighbors" but that doesn't work at Layer 2, and currently we don't have snooping going on the IPv6 side, so I'm stuck. I plug the device in and it does pull an IPv6 address just fine and is fully functional, but when I SSH into the switch there's no way to tell what its IP is short of doing a show mac address-table int gi 0/8 and getting the MAC and then going out to DHCP and looking up that MAC there. I looked it up and it looks like this is not an issue in the 9200CX, but we have about 75 of these so I was hoping for some kind of a workaround that wouldn't cause a STIG violation at the same time.
07-10-2025 01:29 PM - edited 07-10-2025 01:30 PM
Hello man. You're correct that the #sho ip device tracking all command doesn't have a direct IPv6 equivalent on the Cisco 3560-CX switches. I would try some stuff here. First, 1. Enable IPv6 Neighbor Discovery Inspection:
#ipv6 neighbor discovery inspection policy add a name....
device-role node
ex
ipv6 neighbor discovery inspection vlan let's say VLAN_LIST.. So this will enable tracking of IPv6 devices similar to IPv4 device tracking.
Also, you have some more commands like sh ipv6 dhcp binding, sh ipv6 neighb... or sh ipv6 traffic and more....
But for immediate troubleshooting I would say that the method you're currently using (MAC address table + DHCP lookup) is unfortunately one of the only reliable ways on these switches without additional configuration. And if you want to have a long-term solution, it might be worth considering: 1. A phased upgrade to 9200CX switches where this functionality is native, 2. Implementing IPv6 snooping consistently across your network, and/or exploring network management platforms that can provide this visibility.
And if you need more details, just ping me.
Hope it helps.
-Enes
07-10-2025 02:28 PM
We are using DHCP snooping for IPv4 and I think once we have some weirdness ironed out with IPv6 we will likely extend snooping to IPv6 also. I do agree that a phased upgrade to 9200s is probably the best long-term solution; I'm starting to think the best short-term solution may be to replace the 3560s with 3850s.
Thank you
07-10-2025 01:37 PM
And G, since you mentioned STIG compliance, the safest method remains: #show mac address-table interface Gi0/*
And also, you have some conditions to follow if you want the config below to work (talking about the Enable ipv6 Neighbor Discovery Inspection command), like: 1. Requires IOS 15.2(4)E or later. 2. It is not as detailed as IPv4 tracking is, and must be applied to the correct VLANs.
07-10-2025 01:44 PM
Hello @AKRobert,
I use IPv6 snooping on my 3560CX for this purpose which is pretty easy to set up.
You need to create a policy and then attach it either to the vlan(s) or interface(s) as needed.
The following example attaches a basic policy to a single vlan:
ipv6 snooping policy MY_POLICY
 security-level inspect
 tracking enable
!
vlan configuration 100
 ipv6 snooping attach-policy MY_POLICY
!
! View the list of IPv6 entries:
!
show ipv6 neighbor binding
For more details check the Configuring IPv6 First Hop Security section of the Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(7)Ex (Catalyst 3560-CX and 2960-CX Switches).
HTH!
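With snooping enabled as in the post above, the binding table can answer the original question directly: which IPv6 address sits behind a given port. The following is an added example, not part of the original thread: a Python parser run over a constructed sample of "show ipv6 neighbor binding" output. The column layout, addresses and function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample output (not captured from a real switch); column layout is assumed.
SAMPLE = """\
Binding Table has 3 entries, 3 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP
    IPv6 address                 Link-Layer addr Interface vlan prlvl  age state     Time left
ND  FE80::A8BB:CCFF:FE01:F500    AABB.CC01.F500  Gi0/8     100  0005   3mn REACHABLE 94 s
DH  2001:DB8:100::1F4            AABB.CC01.F500  Gi0/8     100  0024   3mn REACHABLE 95 s
ND  FE80::21A:2BFF:FE3C:4D5E     001A.2B3C.4D5E  Gi0/3     100  0005   12s REACHABLE 290 s
"""

# Cisco dotted MAC notation, e.g. aabb.cc01.f500
MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def parse_bindings(text):
    """Return one dict per binding row; header and legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        # A data row is: code, IPv6 address, MAC, interface, vlan, ...
        if len(tok) < 5 or not MAC_RE.match(tok[2]) or not tok[4].isdigit():
            continue
        try:
            addr = ipaddress.IPv6Address(tok[1])
        except ValueError:
            continue  # second column is not an IPv6 address
        entries.append({
            "origin": tok[0],          # ND, DH, S, L ...
            "ipv6": addr,
            "mac": tok[2].lower(),
            "interface": tok[3],
            "vlan": int(tok[4]),
        })
    return entries


def addresses_on_port(entries, interface, include_link_local=False):
    """List the IPv6 addresses bound to one switch port, in table order."""
    return [
        str(e["ipv6"]) for e in entries
        if e["interface"].lower() == interface.lower()
        and (include_link_local or not e["ipv6"].is_link_local)
    ]


if __name__ == "__main__":
    print(addresses_on_port(parse_bindings(SAMPLE), "Gi0/8"))
```
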
07-10-2025 02:31 PM
So you're using the snooping just as a way to collect IPs.
I know on our switches we are doing DHCP Snooping and Dynamic ARP inspection in conjunction. I had not realized, I suppose, that I could use just the IPv6 snooping only to collect the IPs and nothing else.
Thank you
07-10-2025 02:37 PM
So on my L2 3560 I would create my policy to track and then for each VLAN I want to snoop just make a VLAN interface that simply says snoop this VLAN?
That seems super easy. lol
07-11-2025 12:03 AM
In the case of IPv6 the tracking relies on the binding table, so you need to enable snooping (or create static binding entries) as a foundation.
Just like IPv4, you can then use this database to add other security features like IPv6 RA Guard, DHCPv6 Guard or IPv6 Source Guard on top as required.
However, if you just want to track the IPv6 addresses, then yes, it is really that simple.
HTH!