IPv6 DHCPv6 Guard

IPv6 DHCPv6 Guard is one of the IPv6 FHS (First Hop Security) mechanisms and is very similar to IPv4 DHCP snooping.

This feature inspects DHCPv6 messages between a DHCPv6 server and DHCPv6 client (or relay agent) and blocks DHCPv6 reply and advertisements from (rogue) DHCPv6 servers. DHCPv6 messages from clients or relay agents to a DHCPv6 server are not affected.

In this lesson, I’ll show you how to configure IPv6 DHCPv6 guard.

Configuration

Here is the topology we’ll use:

Ipv6 Dhcp Guard Topology Lab

We have four devices:

  • R1 is our legitimate DHCPv6 server.
  • R2 is a rogue DHCPv6 server.
  • H1 is a DHCPv6 client.
  • SW1 is where we configure IPv6 DHCPv6 guard.


Basic Policy

We’ll start with a simple example where we configure R1 as a DHCPv6 server and block the rogue DHCPv6 server with a DHCPv6 guard policy.

Let’s configure R1 as a DHCPv6 server:

R1(config)#ipv6 unicast-routing

R1(config)#ipv6 dhcp pool MY_POOL
R1(config-dhcpv6)#address prefix 2001:DB8:0:1::/64

R1(config)#interface FastEthernet 0/0
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 dhcp server MY_POOL

R1 is a simple DHCPv6 server, I only advertise a prefix and that’s it. Let’s configure H1 as a DHCPv6 client:

H1(config)#interface FastEthernet 0/0
H1(config-if)#ipv6 enable
H1(config-if)#ipv6 address dhcp

Let’s see if H1 gets an IPv6 address:

R1#show ipv6 dhcp binding
Client: FE80::217:5AFF:FEED:7AF0
  DUID: 0003000100175AED7AF0
  Username : unassigned
  IA NA: IA ID 0x00030001, T1 43200, T2 69120
    Address: 2001:DB8:0:1:ED29:C746:E04B:5784
            preferred lifetime 86400, valid lifetime 172800
            expires at Apr 27 2018 01:47 PM (172704 seconds)
H1#show ipv6 interface brief | include 2001
    2001:DB8:0:1:ED29:C746:E04B:5784

Excellent. Let’s configure a DHCPv6 guard policy so that this setup is protected. I need to create two policies, one for the DHCPv6 server, another one for the DHCPv6 client:

SW1(config)#ipv6 dhcp guard policy DHCP_SERVER
SW1(config-dhcp-guard)#device-role server
SW1(config)#ipv6 dhcp guard policy DHCP_CLIENT
SW1(config-dhcp-guard)#device-role client

Right now, my policies are empty and I only set the device role. Client is the default role so you don’t have to configure it. For the sake of completeness, I did it anyway.

Let’s attach the DHCP_SERVER policy to the interface that connects to R1 and the DHCP_CLIENT policy to the correct interfaces:

SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#ipv6 dhcp guard attach-policy DHCP_SERVER

SW1(config)#interface range GigabitEthernet 0/2 - 3
SW1(config-if-range)#ipv6 dhcp guard attach-policy DHCP_CLIENT

We can verify our configuration with the following command:

SW1#show ipv6 dhcp guard policy
Dhcp guard policy: DHCP_CLIENT
        Device Role: dhcp client
        Target: Gi0/2 Gi0/3

Dhcp guard policy: DHCP_SERVER
        Device Role: dhcp server
        Target: Gi0/1
        Max Preference: 255
        Min Preference: 0

This gives a nice overview of the policies and to which interfaces we attached them. Let’s see if it works though…

To test this, I’ll shut the interface of R1:

R1(config)#interface FastEthernet 0/0
R1(config-if)#shutdown

And we’ll configure a DHCPv6 server on our rogue DHCPv6 server:

R2(config)#ipv6 unicast-routing

R2(config)#ipv6 dhcp pool ROGUE_POOL
R2(config-dhcpv6)#address prefix 2001:DB8:BAD:C0DE::/64

R2(config)#interface FastEthernet 0/0
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 dhcp server ROGUE_POOL

Before we request another IPv6 address on the host, let’s enable a debug on SW1 so that we can see everything in action:

SW1#debug ipv6 snooping dhcp-guard
  IPv6 snooping - DHCP Guard debugging is on

Now reset the DHCPv6 client:

H1#clear ipv6 dhcp client FastEthernet 0/0

This is what you’ll see on the switch:

SW1#
SISF[DHG]: Gi0/3 vlan 1 DHCP Client message for role dhcp client - Permit
SISF[DHG]: Gi0/2 vlan 1 DHCP Server message for role dhcp client - Deny

In the output above, you can see that the DHCPv6 client messages are permitted but the DHCPv6 server messages are dropped because we shouldn’t receive those on a “client” interface.

Prefix Filtering

Anything else we can do? First, let’s get rid of the rogue DHCPv6 server and enable the legitimate DHCPv6 server:

H2(config)#interface FastEthernet 0/0
H2(config-if)#shutdown
R1(config)#interface FastEthernet 0/0
R1(config-if)#no shutdown

Let’s take a closer look at the DHCP_SERVER policy we created:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

568 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Ask a question or start a discussion by visiting our Community Forum