IPv6 DHCPv6 Guard

IPv6 DHCPv6 Guard is one of the IPv6 FHS (First Hop Security) mechanisms and is very similar to IPv4 DHCP snooping.

This feature inspects DHCPv6 messages between a DHCPv6 server and DHCPv6 client (or relay agent) and blocks DHCPv6 reply and advertisements from (rogue) DHCPv6 servers. DHCPv6 messages from clients or relay agents to a DHCPv6 server are not affected.

In this lesson, I’ll show you how to configure IPv6 DHCPv6 guard.


Here is the topology we’ll use:

Ipv6 Dhcp Guard Topology Lab

We have four devices:

  • R1 is our legitimate DHCPv6 server.
  • R2 is a rogue DHCPv6 server.
  • H1 is a DHCPv6 client.
  • SW1 is where we configure IPv6 DHCPv6 guard.

IPv6 DHCPv6 Guard is one of the IPv6 FHS (First Hop Security) mechanisms and is very similar to IPv4 DHCP snooping. This feature inspects DHCPv6 messages between a DHCPv6 server and DHCPv6 client (or relay agent) and blocks DHCPv6 reply and advertisements from (rogue) DHCPv6 servers. DHCPv6 messages

Basic Policy

We’ll start with a simple example where we configure R1 as a DHCPv6 server and block the rogue DHCPv6 server with a DHCPv6 guard policy.

Let’s configure R1 as a DHCPv6 server:

R1(config)#ipv6 unicast-routing

R1(config)#ipv6 dhcp pool MY_POOL
R1(config-dhcpv6)#address prefix 2001:DB8:0:1::/64

R1(config)#interface FastEthernet 0/0
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 dhcp server MY_POOL

R1 is a simple DHCPv6 server, I only advertise a prefix and that’s it. Let’s configure H1 as a DHCPv6 client:

H1(config)#interface FastEthernet 0/0
H1(config-if)#ipv6 enable
H1(config-if)#ipv6 address dhcp

Let’s see if H1 gets an IPv6 address:

R1#show ipv6 dhcp binding
Client: FE80::217:5AFF:FEED:7AF0
  DUID: 0003000100175AED7AF0
  Username : unassigned
  IA NA: IA ID 0x00030001, T1 43200, T2 69120
    Address: 2001:DB8:0:1:ED29:C746:E04B:5784
            preferred lifetime 86400, valid lifetime 172800
            expires at Apr 27 2018 01:47 PM (172704 seconds)
H1#show ipv6 interface brief | include 2001

Excellent. Let’s configure a DHCPv6 guard policy so that this setup is protected. I need to create two policies, one for the DHCPv6 server, another one for the DHCPv6 client:

SW1(config)#ipv6 dhcp guard policy DHCP_SERVER
SW1(config-dhcp-guard)#device-role server
SW1(config)#ipv6 dhcp guard policy DHCP_CLIENT
SW1(config-dhcp-guard)#device-role client

Right now, my policies are empty and I only set the device role. Client is the default role so you don’t have to configure it. For the sake of completeness, I did it anyway.

Let’s attach the DHCP_SERVER policy to the interface that connects to R1 and the DHCP_CLIENT policy to the correct interfaces:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#ipv6 dhcp guard attach-policy DHCP_SERVER

SW1(config)#interface range GigabitEthernet 0/2 - 3
SW1(config-if-range)#ipv6 dhcp guard attach-policy DHCP_CLIENT

We can verify our configuration with the following command:

SW1#show ipv6 dhcp guard policy
Dhcp guard policy: DHCP_CLIENT
        Device Role: dhcp client
        Target: Gi0/2 Gi0/3

Dhcp guard policy: DHCP_SERVER
        Device Role: dhcp server
        Target: Gi0/1
        Max Preference: 255
        Min Preference: 0

This gives a nice overview of the policies and to which interfaces we attached them. Let’s see if it works though…

To test this, I’ll shut the interface of R1:

R1(config)#interface FastEthernet 0/0

And we’ll configure a DHCPv6 server on our rogue DHCPv6 server:

R2(config)#ipv6 unicast-routing

R2(config)#ipv6 dhcp pool ROGUE_POOL
R2(config-dhcpv6)#address prefix 2001:DB8:BAD:C0DE::/64

R2(config)#interface FastEthernet 0/0
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 dhcp server ROGUE_POOL

Before we request another IPv6 address on the host, let’s enable a debug on SW1 so that we can see everything in action:

SW1#debug ipv6 snooping dhcp-guard
  IPv6 snooping - DHCP Guard debugging is on

Now reset the DHCPv6 client:

H1#clear ipv6 dhcp client FastEthernet 0/0

This is what you’ll see on the switch:

SISF[DHG]: Gi0/3 vlan 1 DHCP Client message for role dhcp client - Permit
SISF[DHG]: Gi0/2 vlan 1 DHCP Server message for role dhcp client - Deny

In the output above, you can see that the DHCPv6 client messages are permitted but the DHCPv6 server messages are dropped because we shouldn’t receive those on a “client” interface.

Prefix Filtering

Anything else we can do? First, let’s get rid of the rogue DHCPv6 server and enable the legitimate DHCPv6 server:

H2(config)#interface FastEthernet 0/0
R1(config)#interface FastEthernet 0/0
R1(config-if)#no shutdown

Let’s take a closer look at the DHCP_SERVER policy we created:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

510 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Yevgeniy,

    DHCP Option 82 stands for “DHCP Relay Agent Information Option”. If you haven’t seen how DHCP relay works before, take a look at this lesson:

    ... Continue reading in our forum

  2. Zaman,
    IOS XE is a different from the “traditional” IOS operating system in terms of its architecture. IOS XE still runs the traditional IOS, but it runs as a single process (daemon) within a larger linux operating system. Notice in your output, there is an indication of this (linux):


    So, “Version 03.12.00a.S” refers to the large linux operating system, while “Version 15.4(2)S0a” refers to the IOS version being run by the IOS daemon within IOS XE. Make sense?

    Here’s some more info on IOS XE if you want to read about the new

    ... Continue reading in our forum

  3. Hello Manuel

    Rene describes what option 82 does in this post very well.

    As to why you should disable option 82, when DHCP snooping is enabled on a switch, option 82 is enabled by default. That is, any DHCP request packets that are sent from a host will enter the switch and will have option 82 information ADDED to the request before it is sent on to the DHCP server. Specifically, enabling DHCP snooping on the switch adds the giaddr value of in the DHCP packet. However, the DHCP server is expecting this field to be set to that of the relay agent (a non

    ... Continue reading in our forum

  4. Hello Harry

    When you post a question, try to find a thread that is close to the topic that you are asking about. This is the perfect thread for this question. However, if you find that there is no thread that matches your question, you can always post a new topic, and we may re-categorize it into the appropriate thread.

    As for your question, keep in mind that the IP helper address command installed on the local router will just take any DHCP request that it hears on the network and forward it to the DHCP server that exists on a different subnet. This does no

    ... Continue reading in our forum

  5. Hello Sumant

    Take a look at the following diagram:


    Here we have an L3 switch that has three VLANs configured on it. We want each VLAN to be assigned an IP address in the range shown, but we want to create only a single DHCP server. We have a DHCP server with an IP address of which is completely outside of the VLANS we want to serve. In order for DHCP broadcast packets to reach this DHCP server, we configure the following command on the inter

    ... Continue reading in our forum

26 more replies! Ask a question or join the discussion by visiting our Community Forum