小乔 posted on 2021-12-25 15:38:08

IPv6 DHCPv6 Guard

IPv6 DHCPv6 Guard is one of the IPv6 FHS (First Hop Security) mechanisms and is very similar to IPv4 DHCP snooping. This feature inspects DHCPv6 messages between a DHCPv6 server and a DHCPv6 client (or relay agent) and blocks DHCPv6 reply and advertisement messages from (rogue) DHCPv6 servers. DHCPv6 messages from clients or relay agents to a DHCPv6 server are not affected. In this lesson, I'll show you how to configure IPv6 DHCPv6 guard.

Configuration

Here is the topology we'll use:


We have four devices:
- R1 is our legitimate DHCPv6 server.
- R2 is a rogue DHCPv6 server.
- H1 is a DHCPv6 client.
- SW1 is where we configure IPv6 DHCPv6 guard.

Basic Policy

We'll start with a simple example where we configure R1 as a DHCPv6 server and block the rogue DHCPv6 server with a DHCPv6 guard policy. Let's configure R1 as a DHCPv6 server:

    R1(config)#ipv6 unicast-routing
    R1(config)#ipv6 dhcp pool MY_POOL
    R1(config-dhcpv6)#address prefix 2001:DB8:0:1::/64
    R1(config)#interface FastEthernet 0/0
    R1(config-if)#ipv6 enable
    R1(config-if)#ipv6 dhcp server MY_POOL

R1 is a simple DHCPv6 server; I only advertise a prefix and that's it. Let's configure H1 as a DHCPv6 client:

    H1(config)#interface FastEthernet 0/0
    H1(config-if)#ipv6 enable
    H1(config-if)#ipv6 address dhcp

Let's see if H1 gets an IPv6 address:

    R1#show ipv6 dhcp binding
    Client: FE80::217:5AFF:FEED:7AF0
      DUID: 0003000100175AED7AF0
      Username : unassigned
      IA NA: IA ID 0x00030001, T1 43200, T2 69120
        Address: 2001:DB8:0:1:ED29:C746:E04B:5784
                preferred lifetime 86400, valid lifetime 172800
                expires at Apr 27 2018 01:47 PM (172704 seconds)

    H1#show ipv6 interface brief | include 2001
        2001:DB8:0:1:ED29:C746:E04B:5784

Excellent. Let's configure a DHCPv6 guard policy so that this setup is protected. I need to create two policies, one for the DHCPv6 server and another one for the DHCPv6 client:

    SW1(config)#ipv6 dhcp guard policy DHCP_SERVER
    SW1(config-dhcp-guard)#device-role server
    SW1(config)#ipv6 dhcp guard policy DHCP_CLIENT
    SW1(config-dhcp-guard)#device-role client

Right now, my policies are empty and I only set the device role. Client is the default role, so you don't have to configure it. For the sake of completeness, I did it anyway.

Let's attach the DHCP_SERVER policy to the interface that connects to R1 and the DHCP_CLIENT policy to the correct interfaces:

    SW1(config)#interface GigabitEthernet 0/1
    SW1(config-if)#ipv6 dhcp guard attach-policy DHCP_SERVER
    SW1(config)#interface range GigabitEthernet 0/2 - 3
    SW1(config-if-range)#ipv6 dhcp guard attach-policy DHCP_CLIENT

We can verify our configuration with the following command:

    SW1#show ipv6 dhcp guard policy
    Dhcp guard policy: DHCP_CLIENT
          Device Role: dhcp client
          Target: Gi0/2 Gi0/3
    Dhcp guard policy: DHCP_SERVER
          Device Role: dhcp server
          Target: Gi0/1
          Max Preference: 255
          Min Preference: 0

This gives a nice overview of the policies and the interfaces we attached them to. Let's see if it works though...

To test this, I'll shut the interface of R1:

    R1(config)#interface FastEthernet 0/0
    R1(config-if)#shutdown

And we'll configure a DHCPv6 server on our rogue DHCPv6 server:

    R2(config)#ipv6 unicast-routing
    R2(config)#ipv6 dhcp pool ROGUE_POOL
    R2(config-dhcpv6)#address prefix 2001:DB8:BAD:C0DE::/64
    R2(config)#interface FastEthernet 0/0
    R2(config-if)#ipv6 enable
    R2(config-if)#ipv6 dhcp server ROGUE_POOL

Before we request another IPv6 address on the host, let's enable a debug on SW1 so that we can see everything in action:

    SW1#debug ipv6 snooping dhcp-guard
    IPv6 snooping - DHCP Guard debugging is on

Now reset the DHCPv6 client:

    H1#clear ipv6 dhcp client FastEthernet 0/0

This is what you'll see on the switch:

    SW1#
    SISF: Gi0/3 vlan 1 DHCP Client message for role dhcp client - Permit
    SISF: Gi0/2 vlan 1 DHCP Server message for role dhcp client - Deny

In the output above, you can see that the DHCPv6 client messages are permitted but the DHCPv6 server messages are dropped, because we shouldn't receive those on a "client" interface.

Prefix Filtering

Anything else we can do? First, let's get rid of the rogue DHCPv6 server and enable the legitimate DHCPv6 server:

    R2(config)#interface FastEthernet 0/0
    R2(config-if)#shutdown
    R1(config)#interface FastEthernet 0/0
    R1(config-if)#no shutdown
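The per-port decision the post demonstrates (client messages permitted everywhere, server messages dropped on "client" role ports, and the Max/Min Preference window shown on the server policy), written out as an added Python model. This is example code added here; it is not the post's own material and not Cisco's SISF implementation, whose exact handling (relay messages, VLAN handling, other policy options) may differ. It assumes the DHCPv6 message-type codes and the one-byte OPTION_PREFERENCE (code 7) from RFC 8415, represents each policy as a dict, and uses the port names and "vlan 1" from the post; the DHCPv6 payloads are constructed inline, not captured traffic.

```python
import struct

# DHCPv6 message types (RFC 8415, section 7.3) relevant to the guard decision.
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
RECONFIGURE, INFORMATION_REQUEST, RELAY_FORW, RELAY_REPL = 10, 11, 12, 13
MSG_NAMES = {SOLICIT: "SOLICIT", ADVERTISE: "ADVERTISE", REQUEST: "REQUEST", REPLY: "REPLY",
             RECONFIGURE: "RECONFIGURE", INFORMATION_REQUEST: "INFORMATION-REQUEST",
             RELAY_FORW: "RELAY-FORW", RELAY_REPL: "RELAY-REPL"}
# Only a server (or a relay passing on a server's answer) sends these; everything
# else is client- or relay-to-server traffic, which the guard leaves alone.
SERVER_ORIGINATED = {ADVERTISE, REPLY, RECONFIGURE, RELAY_REPL}
OPTION_PREFERENCE = 7  # one-byte server preference carried in ADVERTISE


def build_dhcpv6(msg_type, xid, options=()):
    """Constructed client/server message: msg-type (1 byte), xid (3 bytes), TLV options."""
    body = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


def parse_dhcpv6(payload):
    """Return (msg_type, {option_code: option_data}); relay messages are not decoded here."""
    msg_type = payload[0]
    options = {}
    if msg_type in (RELAY_FORW, RELAY_REPL):
        return msg_type, options
    offset = 4  # skip msg-type + transaction-id
    while offset + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[offset:offset + 4])
        if offset + 4 + length > len(payload):
            break  # truncated option: stop instead of reading past the end
        options[code] = payload[offset + 4:offset + 4 + length]
        offset += 4 + length
    return msg_type, options


def guard_decision(policy, payload):
    """Model of the per-port check: "Permit" or "Deny" for one message on one port."""
    msg_type, options = parse_dhcpv6(payload)
    if msg_type not in SERVER_ORIGINATED:
        return "Permit"  # client -> server direction is never filtered
    if policy["device-role"] != "server":
        return "Deny"  # server message on a client-role port (the rogue R2 case)
    pref = options.get(OPTION_PREFERENCE)
    if pref is not None:  # enforce the Min/Max Preference window of the server policy
        lo, hi = policy.get("min-preference", 0), policy.get("max-preference", 255)
        if not lo <= pref[0] <= hi:
            return "Deny"
    return "Permit"


def debug_line(port, policy, payload, decision):
    """Render the decision in the same shape as the switch's dhcp-guard debug output."""
    kind = "Server" if payload[0] in SERVER_ORIGINATED else "Client"
    return f"SISF: {port} vlan 1 DHCP {kind} message for role dhcp {policy['device-role']} - {decision}"


def simulate(frames, policies):
    """Run every (port, payload) through that port's policy; returns [(port, name, decision)]."""
    results = []
    for port, payload in frames:
        decision = guard_decision(policies[port], payload)
        results.append((port, MSG_NAMES.get(payload[0], str(payload[0])), decision))
    return results


# Policies as attached in the post: DHCP_SERVER on Gi0/1, DHCP_CLIENT on Gi0/2-3.
POLICIES = {
    "Gi0/1": {"device-role": "server", "min-preference": 0, "max-preference": 255},
    "Gi0/2": {"device-role": "client"},
    "Gi0/3": {"device-role": "client"},
}

# Constructed frames: H1's Solicit on Gi0/3, the rogue R2 Advertise on Gi0/2,
# and the legitimate R1 Advertise/Reply on Gi0/1.
XID = 0x0A1B2C
FRAMES = [
    ("Gi0/3", build_dhcpv6(SOLICIT, XID)),
    ("Gi0/2", build_dhcpv6(ADVERTISE, XID, [(OPTION_PREFERENCE, b"\xff")])),
    ("Gi0/1", build_dhcpv6(ADVERTISE, XID, [(OPTION_PREFERENCE, b"\x00")])),
    ("Gi0/1", build_dhcpv6(REPLY, XID)),
]

if __name__ == "__main__":
    for port, payload in FRAMES:
        decision = guard_decision(POLICIES[port], payload)
        print(debug_line(port, POLICIES[port], payload, decision))
```

Running it prints one SISF-style line per frame; the Gi0/2 Advertise comes out as "Deny" exactly as in the post's debug, while the same Advertise arriving on the server-role port is permitted. Lowering the policy's max-preference below the value a server advertises turns that into a Deny as well, which is what the Max/Min Preference fields in `show ipv6 dhcp guard policy` control.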

teany posted on 2022-1-5 14:55:32

(emoticon)

f1662 posted on 2022-2-15 08:38:27

(emoticon)

f1662 posted on 2022-2-15 08:42:26

(emoticons)