[Share] IPv6 DHCPv6 Guard

Posted on 2021-12-25 15:38:08
IPv6 DHCPv6 Guard is one of the IPv6 FHS (First Hop Security) mechanisms and is very similar to IPv4 DHCP snooping.
This feature inspects DHCPv6 messages between a DHCPv6 server and a DHCPv6 client (or relay agent) and blocks DHCPv6 replies and advertisements from (rogue) DHCPv6 servers. DHCPv6 messages from clients or relay agents to a DHCPv6 server are not affected.
In this lesson, I’ll show you how to configure IPv6 DHCPv6 guard.
Configuration
Here is the topology we’ll use:

ipv6-dhcp-guard-topology-lab.png

We have four devices:
  • R1 is our legitimate DHCPv6 server.
  • R2 is a rogue DHCPv6 server.
  • H1 is a DHCPv6 client.
  • SW1 is where we configure IPv6 DHCPv6 guard.

Basic Policy
We’ll start with a simple example where we configure R1 as a DHCPv6 server and block the rogue DHCPv6 server with a DHCPv6 guard policy.
Let’s configure R1 as a DHCPv6 server:
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 dhcp pool MY_POOL
R1(config-dhcpv6)#address prefix 2001:DB8:0:1::/64
R1(config)#interface FastEthernet 0/0
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 dhcp server MY_POOL
R1 is a simple DHCPv6 server: I only advertise a prefix and that’s it. Let’s configure H1 as a DHCPv6 client:
H1(config)#interface FastEthernet 0/0
H1(config-if)#ipv6 enable
H1(config-if)#ipv6 address dhcp
Let’s see if H1 gets an IPv6 address:
R1#show ipv6 dhcp binding
Client: FE80::217:5AFF:FEED:7AF0
  DUID: 0003000100175AED7AF0
  Username : unassigned
  IA NA: IA ID 0x00030001, T1 43200, T2 69120
    Address: 2001:DB8:0:1:ED29:C746:E04B:5784
            preferred lifetime 86400, valid lifetime 172800
            expires at Apr 27 2018 01:47 PM (172704 seconds)

H1#show ipv6 interface brief | include 2001
    2001:DB8:0:1:ED29:C746:E04B:5784
Excellent. Let’s configure a DHCPv6 guard policy so that this setup is protected. I need to create two policies, one for the DHCPv6 server, another one for the DHCPv6 client:
SW1(config)#ipv6 dhcp guard policy DHCP_SERVER
SW1(config-dhcp-guard)#device-role server
SW1(config)#ipv6 dhcp guard policy DHCP_CLIENT
SW1(config-dhcp-guard)#device-role client
Right now, my policies are empty and I only set the device role. Client is the default role so you don’t have to configure it. For the sake of completeness, I did it anyway.
Let’s attach the DHCP_SERVER policy to the interface that connects to R1 and the DHCP_CLIENT policy to the correct interfaces:
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#ipv6 dhcp guard attach-policy DHCP_SERVER
SW1(config)#interface range GigabitEthernet 0/2 - 3
SW1(config-if-range)#ipv6 dhcp guard attach-policy DHCP_CLIENT
We can verify our configuration with the following command:
SW1#show ipv6 dhcp guard policy
Dhcp guard policy: DHCP_CLIENT
        Device Role: dhcp client
        Target: Gi0/2 Gi0/3
Dhcp guard policy: DHCP_SERVER
        Device Role: dhcp server
        Target: Gi0/1
        Max Preference: 255
        Min Preference: 0
This gives a nice overview of the policies and to which interfaces we attached them. Let’s see if it works though…
To test this, I’ll shut the interface of R1:
R1(config)#interface FastEthernet 0/0
R1(config-if)#shutdown
And we’ll configure a DHCPv6 server on our rogue DHCPv6 server:
R2(config)#ipv6 unicast-routing
R2(config)#ipv6 dhcp pool ROGUE_POOL
R2(config-dhcpv6)#address prefix 2001:DB8:BAD:C0DE::/64
R2(config)#interface FastEthernet 0/0
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 dhcp server ROGUE_POOL
Before we request another IPv6 address on the host, let’s enable a debug on SW1 so that we can see everything in action:
SW1#debug ipv6 snooping dhcp-guard
  IPv6 snooping - DHCP Guard debugging is on
Now reset the DHCPv6 client:
H1#clear ipv6 dhcp client FastEthernet 0/0
This is what you’ll see on the switch:
SW1#
SISF[DHG]: Gi0/3 vlan 1 DHCP Client message for role dhcp client - Permit
SISF[DHG]: Gi0/2 vlan 1 DHCP Server message for role dhcp client - Deny
In the output above, you can see that the DHCPv6 client messages are permitted but the DHCPv6 server messages are dropped because we shouldn’t receive those on a “client” interface.
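As an added example (not part of the original post or of Cisco's code), here is a small Python model of the decision the debug output above shows: it parses a DHCPv6 message, classifies it as client- or server-originated, applies the port's device role, and on server-role ports also applies the Min/Max Preference bounds shown in the policy output (assumed here to apply to the preference option carried in ADVERTISE messages). The sample packets, port names and transaction id are constructed.

```python
import struct

# DHCPv6 message types (RFC 8415, section 7.3), split by who sends them.
SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}
CLIENT_MSGS = {1: "SOLICIT", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW", 6: "REBIND",
               8: "RELEASE", 9: "DECLINE", 11: "INFORMATION-REQUEST", 12: "RELAY-FORW"}
OPT_PREFERENCE = 7  # OPTION_PREFERENCE: one byte, carried in ADVERTISE messages


def parse_dhcpv6(payload: bytes):
    """Split a DHCPv6 UDP payload into (msg_type, transaction_id, {option_code: data})."""
    msg_type, xid = payload[0], int.from_bytes(payload[1:4], "big")
    options, pos = {}, 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        options[code] = payload[pos + 4:pos + 4 + length]
        pos += 4 + length
    return msg_type, xid, options


def guard_decision(payload: bytes, role: str, min_pref: int = 0, max_pref: int = 255):
    """Model a DHCPv6 guard policy decision: returns ("Permit" | "Deny", reason)."""
    msg_type, _, opts = parse_dhcpv6(payload)
    if msg_type in CLIENT_MSGS:
        # Client/relay-to-server traffic is never filtered, whatever the port role.
        return "Permit", f"DHCP Client message for role dhcp {role}"
    if msg_type not in SERVER_MSGS:
        return "Deny", f"unknown DHCPv6 message type {msg_type}"
    if role != "server":
        # The lab case: an ADVERTISE/REPLY from R2 arriving on a client-role port.
        return "Deny", f"DHCP Server message for role dhcp {role}"
    # Server-role ports bound the advertised preference; a missing option counts as 0.
    pref = opts.get(OPT_PREFERENCE, b"\x00")[0]
    if not min_pref <= pref <= max_pref:
        return "Deny", f"preference {pref} outside [{min_pref}, {max_pref}]"
    return "Permit", f"DHCP Server message for role dhcp {role}, preference {pref}"


def build_message(msg_type: int, xid: int, options=()):
    """Constructed test helper: encode a minimal DHCPv6 message with TLV options."""
    body = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


# Constructed sample traffic for the lab topology: H1's SOLICIT and a server's ADVERTISE.
SOLICIT = build_message(1, 0xABCDEF)
ADVERTISE = build_message(2, 0xABCDEF, [(OPT_PREFERENCE, b"\xff")])
for port, role, pkt in [("Gi0/3", "client", SOLICIT), ("Gi0/2", "client", ADVERTISE),
                        ("Gi0/1", "server", ADVERTISE)]:
    verdict, why = guard_decision(pkt, role)
    print(f"SISF[DHG]: {port} vlan 1 {why} - {verdict}")
```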
Prefix Filtering
Anything else we can do? First, let’s get rid of the rogue DHCPv6 server and enable the legitimate DHCPv6 server:
R2(config)#interface FastEthernet 0/0
R2(config-if)#shutdown
R1(config)#interface FastEthernet 0/0
R1(config-if)#no shutdown