IPv6 DHCP Guard and RA Guard Policy

cooperrocks78
Level 1

My company that I work for currently does not use IPv6 in our organization. We currently only use IPv4. During our annual penetration test last month, the pentesters were able to reply to IPv6 DHCPv6 requests to successfully hijack DNS for workstations within the local domain. I enabled IPv6 DHCP Guard and RA Guard policies on our access switches for the DHCP VLANs.

After I implemented the configuration below, the pentesters were able to successfully spoof another IPv6 DHCP attack. It looks like the commands did not do anything. Did I do something wrong with the configuration? Thank you.

2FL-AS-01#show ipv6 nd raguard policy
RA guard policy DHCP-HOST configuration:
device-role host
Policy DHCP-HOST is applied on the following targets:
Target Type Policy Feature Target range
vlan 20 VLAN RCH-DHCP-HOST RA guard vlan all
vlan 41 VLAN RCH-DHCP-HOST RA guard vlan all
vlan 50 VLAN RCH-DHCP-HOST RA guard vlan all
vlan 51 VLAN RCH-DHCP-HOST RA guard vlan all
vlan 60 VLAN RCH-DHCP-HOST RA guard vlan all

2FL-AS-01#sh ipv6 dhcp guard policy
Dhcp guard policy DHCP-CLIENT configuration:
Device Role: dhcp client
Policy DHCP-CLIENT is applied on the following targets:
Target Type Policy Feature Target range
vlan 20 VLAN RCH-DHCP-CLIENT DHCP Guard vlan all
vlan 41 VLAN RCH-DHCP-CLIENT DHCP Guard vlan all
vlan 50 VLAN RCH-DHCP-CLIENT DHCP Guard vlan all
vlan 51 VLAN RCH-DHCP-CLIENT DHCP Guard vlan all
vlan 60 VLAN RCH-DHCP-CLIENT DHCP Guard vlan all

Accepted Solution

AshSe
VIP

Hi @cooperrocks78

It seems like you have implemented IPv6 RA Guard and DHCP Guard policies on your access switches, but the pentesters were still able to spoof an IPv6 DHCP attack. This suggests that the configuration may not be fully effective or properly applied. Let's analyze the situation and identify potential issues:


1. RA Guard and DHCP Guard Limitations

  • RA Guard: RA Guard is designed to block rogue Router Advertisement (RA) messages. However, it has limitations, especially if the attacker uses advanced techniques like fragmentation or tunneling to bypass the guard.
  • DHCP Guard: DHCP Guard is designed to block unauthorized DHCP servers. However, it must be configured correctly and applied to the correct interfaces or VLANs.

2. Configuration Review

Based on the output you provided, the policies are applied at the VLAN level. However, there are a few potential issues to consider:

  • Device Role: The device-role in your RA Guard and DHCP Guard policies is set to host and dhcp client, respectively. This is correct for end-user devices, but you need to ensure that the policies are applied to the correct interfaces (e.g., access ports where workstations are connected).
  • Policy Application: The policies are applied to VLANs, but VLAN-level application may not be sufficient. RA Guard and DHCP Guard are most effective when applied at the interface level (e.g., on access ports). If the policies are only applied at the VLAN level, they may not block rogue traffic effectively.
  • Switch Model and Software Version: Some switch models and software versions have limitations or bugs that affect the effectiveness of RA Guard and DHCP Guard. Ensure that your switch supports these features fully and that you are running the latest stable software version.

3. Recommendations

To address the issue, consider the following steps:

a. Apply Policies at the Interface Level

Instead of applying RA Guard and DHCP Guard policies at the VLAN level, apply them directly to the access interfaces where end-user devices are connected. For example:

interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 ipv6 nd raguard attach-policy DHCP-HOST
 ipv6 dhcp guard attach-policy DHCP-CLIENT
Repeat this configuration for all access interfaces.

b. Verify Policy Effectiveness

After applying the policies, verify that they are active and functioning as expected. Use the following commands to check the status:

show ipv6 nd raguard policy
show ipv6 dhcp guard policy
show ipv6 snooping
c. Enable IPv6 Snooping

Some switches support IPv6 snooping, which can enhance the effectiveness of RA Guard and DHCP Guard. Enable IPv6 snooping on the relevant VLANs:

ipv6 snooping
ipv6 snooping vlan 20
ipv6 snooping vlan 41
ipv6 snooping vlan 50
ipv6 snooping vlan 51
ipv6 snooping vlan 60
d. Update Switch Software

Ensure that your switches are running the latest stable software version. Check the release notes for any known issues or enhancements related to RA Guard and DHCP Guard.

e. Disable Unused IPv6 Features

If your organization does not use IPv6, consider disabling IPv6 on access interfaces to eliminate the attack surface. For example:

interface GigabitEthernet1/0/1
 no ipv6 enable
Alternatively, you can globally disable IPv6 on the switch if it is not needed:

no ipv6 unicast-routing
f. Monitor and Test

After implementing the changes, monitor the network for any unauthorized IPv6 activity. Conduct additional penetration testing to verify that the configuration is effective.


4. Conclusion

The issue likely stems from the policies being applied at the VLAN level rather than the interface level, or from limitations in the switch's implementation of RA Guard and DHCP Guard. By applying the policies at the interface level, enabling IPv6 snooping, and ensuring that your switches are running the latest software, you can improve the effectiveness of your defenses against IPv6 attacks.

If your organization does not use IPv6, disabling IPv6 entirely on access interfaces or globally is the most effective way to prevent such attacks.

Hope This Helps!!!

AshSe

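As an added example (not part of AshSe's answer or the original thread), a small Python audit that parses a running-config and reports every access port in the guarded VLANs that lacks either of the interface-level attach-policy commands the answer recommends. The running-config sample is constructed; the policy names and VLAN numbers are the ones from the post.

```python
# Constructed sample running-config (not from the thread); policy names and VLANs are from the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 ipv6 nd raguard attach-policy DHCP-HOST
 ipv6 dhcp guard attach-policy DHCP-CLIENT
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 41
 ipv6 nd raguard attach-policy DHCP-HOST
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 20,41,50
!
"""

GUARDED_VLANS = {20, 41, 50, 51, 60}  # VLANs the policies are meant to protect
REQUIRED = ("ipv6 nd raguard attach-policy", "ipv6 dhcp guard attach-policy")  # per port, as the answer recommends


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas


def audit(config, vlans=GUARDED_VLANS):
    """Map each access port in a guarded VLAN to the guard commands it lacks."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are outside this interface-level check
        vlan_lines = [l for l in lines if l.startswith("switchport access vlan ")]
        vlan = int(vlan_lines[0].split()[-1]) if vlan_lines else 1  # IOS default is VLAN 1
        if vlan not in vlans:
            continue
        missing = [cmd for cmd in REQUIRED if not any(l.startswith(cmd) for l in lines)]
        if missing:
            findings[name] = missing
    return findings
```

Run it against the output of `show running-config` from each access switch; an empty result means every access port in the guarded VLANs carries both policies.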

2 Replies


Thank you for the recommendations. I will definitely try enabling the policies on the interfaces. I tried to enable IPv6 Snooping, but it looks like it is not available on the version the switches are on. We are on 17.09.04. Do you recommend any substitute for IPv6 snooping? I was doing some research and I think I read that IPv6 Snooping was replaced by SISF?