DHCPv6 Guard, the goal is to blackhole DHCPv6 Server Responses

mlorincz
Level 1

Hello,

I've got a customer with 3650s who's concerned about rogue IPv6 DHCP servers. They don't run IPv6 and have left the default 'no ipv6 unicast-routing' enabled.


In my tests, I am able to create a DHCPv6 server on a connected router and it fulfills DHCPv6 requests which are made using a test SVI on an access switch. I'd like to blackhole DHCPv6 offers or requests or both, but the config I put together (shown below) isn't working. I've tried applying it to the core switch, but DHCPv6 requests and offers still seem to work.


RTR -- CORE_SW(vlan10) -- ACCESS_SW(vlan10 SVI)


! TEST CONFIG !

!
ipv6 access-list ipv6dhcp_acl
deny any any
!
no ipv6 dhcp guard policy ipv6dhcpguard_policy
device-role server
match server access-list ipv6dhcp_acl
trusted-port
!
vlan configuration 10
ipv6 dhcp guard attach-policy ipv6dhcpguard_policy
!


2 Replies

Hello,


what if you add the lines marked with "-->":


ipv6 access-list ipv6dhcp_acl
deny any any
!
--> ipv6 prefix-list ipv6dhcp_pl
deny any any
!
no ipv6 dhcp guard policy ipv6dhcpguard_policy
device-role server
match server access-list ipv6dhcp_acl
--> match reply prefix-list ipv6dhcp_pl
trusted-port
!
vlan configuration 10
ipv6 dhcp guard attach-policy ipv6dhcpguard_policy

Thanks for the reply. It seems 'deny any any' isn't available; it looks like I would have to define an actual prefix.


PH-CORE-01(config)#ipv6 prefix-list ipv6dhcp_pl deny ?
X:X:X:X::X/<0-128> IPv6 prefix <network>/<length>
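Putting the two findings in this thread together, the following is an added example (editor's, not from either poster) of a DHCPv6 guard policy that blackholes server messages on every port of VLAN 10. It reuses the thread's policy and list names and assumes IOS-XE on the 3650 described in the question; the `::/0 le 128` form is how a prefix-list expresses "deny any" where `deny any any` is not accepted.

```cisco
! Added example, not from the original thread.
! Blackhole all DHCPv6 server messages (ADVERTISE/REPLY/RECONFIGURE)
! on every port in VLAN 10, regardless of which device sends them.
!
! The original policy had two properties that let server traffic through:
!  - "trusted-port" exempts every port the policy covers from further
!    policing, so the server ACL / prefix-list are never consulted.
!  - "device-role server" means server messages are evaluated against
!    the match statements; "device-role client" (the default) drops
!    them outright with no match statements needed.
!
ipv6 dhcp guard policy ipv6dhcpguard_policy
 device-role client
!
! If a legitimate DHCPv6 server ever needs to be allowed later, a
! second policy for the uplink can filter by prefix instead of by
! dropping everything. "deny any any" is not valid prefix-list syntax;
! this is the equivalent form:
ipv6 prefix-list ipv6dhcp_pl seq 5 deny ::/0 le 128
!
vlan configuration 10
 ipv6 dhcp guard attach-policy ipv6dhcpguard_policy
!
! Verification: confirm the role is "client" and the VLAN/ports the
! policy is applied to.
! show ipv6 dhcp guard policy ipv6dhcpguard_policy
! show ipv6 snooping policies
```

With the client role applied to the whole VLAN, the core's own uplink to RTR is a client-role port too, so the router's ADVERTISE and REPLY messages are dropped there before they ever reach the access switch.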
