DHCPv6 guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. This functionality helps to prevent traffic redirection or denial of service (DoS).
Let's discussed about common problem scenario also called man-in-middle attack:
We’ve got our multilayer switch in the center and somewhere off to the side of router R1,we’ve got a DHCPv6 server which is our legitimate device. And in our access domain on the down we have our victim, who is a person coming into work on a normal morning, turning on his Laptop and requesting a DHCPv6 address with a solicit message. Unfortunately for him, a neighbor of his is the rogue man sitting next to him in the cubicle, can see his DHCP solicit message and can actually reply, pretending that he is the DHCPv6 server and assign credentials and…such as the DNS address to be used etc. and which he can use then to redirect traffic to himself. So, unprotected, this would be a very dangerous position. So for people to protect themselves in this sort of network layer by simply turning on IPv6 Snooping. By turning on IPv6 Snooping, you automatically drop the switch into “Guard Mode” which will turn on DHCPv6 Guard as well as RA Guard; so none of the redirect advertisements or any DHCPv6 server messages will get through.
There are two mode:
1) Client: Sets the role of the device to client.
2) Server: Sets the role of the device to server.
Since the default mode of the switch is to “guard”, by default all ports configured with dhcpv6 guard will be in client mode. Thus all ports will be dropping any dhcpv6 server messages by default.
Additional security can be achieved by assigning an access list to only permit dhcpv6 server messages from a specific source address. Assigning a prefix-list to allow address allocation only from a known prefix (i.e. the server has been compromised).
1) 1st Assign Policy for Hosts:
For the Host facing ports you don’t need to do this, but if you want to explicitly configure this, that’s how you do it.
SW1(config)#ipv6 dhcp guard policy dhcp-client
Interface range fa0/2-3
switchport mode access
ipv6 dhcp guard attach-policy dhcp-client
2) Then assign policy for DHCP server facing port:
For the server facing ports, you need create DHCPv6 Guard policy.
SW1(config)#ipv6 dhcp guard policy dhcp-server
SW1(config-dhcp-guard)#match server access-list ACL1
You can also provide some extra functionality over access lists; you could block server messages for particular addresses using an access list and you could also block some advertisements from the DHCPv6 server blocking certain prefixes using a prefix list as shown below:
SW1(config)#ipv6 access-list ACL1
SW1(config-ipv6-acl)#permit ipv6 host FE80::1 any
SW1(config)#ipv6 prefix-list PREF1 seq 5 permit 2001::/64 le 128
switchport mode access
ipv6 dhcp guard attach-policy dhcp-server
SW1#show ipv6 dhcp guard policy
Dhcp guard policy: dhcp-client
Device Role: dhcp client
Target: fa0/2 fa0/3
Dhcp guard policy: dhcp-server
Device Role: dhcp server
Max Preference: 255
Min Preference: 0
Source Address Match Access List: ACL1
Prefix List Match Prefix List: PREF1
SW1#show ipv6 access-list ACL1
IPv6 access list ACL1
permit ipv6 host FE80::1 any (5 matches) sequence 10
We have an older 6509 chassis with WS-F6K-DFC4-E module installed. The 6509 is EoL, EoS and is slated to be replaced shortly. However, we still need to add additional 10G connections before the hardware can be replaced. When we adde...
HI All, Please reffer the attached topology HUB location: 1 Core router / 2 CE routers connected to respective MPLS service providers.HUB Connectivity details: all 3 routers in the HUB are connected via IBGP and 2 CE routers connect to MPL...
Hi all, I know this may be a long shot, but has anyone tried using the 10G-T-X (Copper) module in the 9200L series switch? (Currently not listed on the supported SFP list) We have a need for a short copper run and our desire would be to nix the ...
We are testing the setup capabilites on IOS-XE (on CAT9200L and 9300L) and it was working great with IOS-XE 16.12.05b (cat9k_lite_iosxe.16.12.05b.SPA.bin) But with 17.03.03 (cat9k_lite_iosxe.17.03.03.SPA.bin) we get following error while booting...
Hello all, i've configured my new cisco switch 9200i've put the fibre port in trunk mode, allow all vlans, etc.in the 3750x i can ping it and from all 2960s/x i can ping it to however when i try to ssh or use the webgui it says "connection time ...