Configuring DHCPv6 Guard

Configuration Notes and Constraints

When configuring DHCPv6 Guard, you should pay attention to the following notes:

  • You can configure only one guard policy on an interface. A guard policy can be configured on multiple interfaces.

  • By default, the value of device-role is “client”.

  • In a guard policy, the device-role “server” and trust-port settings conflict with each other; you need to delete one to configure the other.

  • If guard device-role is “server”, the default value for preference-min is 0, and preference-max is 255.

  • If guard device-role is “client”, all packets in the reply direction are discarded on the port configured with this policy.

  • If the guard policy is set to “trust-port”, all DHCPv6 packets on the port configured with the policy are directly forwarded.

  • The source-address of matching servers in the guard policy filters only the source address in the Advertise packet but not the source address in the Reply packet.

  • DHCPv6 snooping and guard can be placed in the same VLAN. The relay and guard cannot be placed in the same VLAN.

  • DHCPv6 Guard does not support the Multi-chassis Link Aggregation Group (MLAG) topology.

Procedure

Step 1 (Optional) Set a matching condition that specifies the source addresses of the DHCPv6 servers to be matched.

set protocols dhcp6 guard policy <policy-name> match server source-address <IPv6Net>

Step 2 (Optional) Set a matching condition on the IPv6 prefix or network that is assigned to the client. The prefix defines the range of IPv6 addresses that can be used by clients.

set protocols dhcp6 guard policy <policy-name> match reply ia-prefix <IPv6Net>

Step 3 (Optional) Set a maximum limit for the preference value in the DHCPv6 Guard policy, so that only DHCPv6 responses whose preference value is lower than or equal to the specified value are considered.

set protocols dhcp6 guard policy <policy-name> preference-max <max-value>

Step 4 (Optional) Set a minimum limit for the preference value in the DHCPv6 Guard policy.

set protocols dhcp6 guard policy <policy-name> preference-min <min-value>

Step 5 Set the device role for the guard policy. This option allows different security policies to be defined depending on the source of DHCPv6 messages (server or client), giving more precise control over which messages should be detected, logged, or blocked.

set protocols dhcp6 guard policy <policy-name> device-role <server/client>

Step 6 (Optional) Set a trusted port for the DHCPv6 Guard policy to control precisely which DHCPv6 messages are trusted and processed, limiting trust to messages from a specific port.

set protocols dhcp6 guard policy <policy-name> trust-port

Step 7 Associate the specified DHCPv6 Guard policy with a specific network interface.

set protocols dhcp6 guard policy <policy-name> interface <interface-name>

Step 8 Commit the configuration.

commit
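
The constraints listed in the configuration notes can be checked against a planned command list before it is committed. The following Python script is an added example, not Pica8 code; the policy names, interface names and address in the sample are constructed, and the preference range check (0 to 255, minimum not above maximum) is an assumption derived from the stated defaults rather than a documented constraint.

```python
import re
from collections import defaultdict

# Matches the guard policy commands shown in the procedure above.
LINE = re.compile(r"^set protocols dhcp6 guard policy (\S+) (\S+)(?: (.+))?$")

def lint_guard_config(text):
    """Return a sorted list of violations of the configuration notes on this page."""
    policies = defaultdict(dict)   # policy name -> {option: value}
    ifaces = defaultdict(set)      # interface name -> policies bound to it
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, opt, val = m.groups()
        if opt == "interface":
            ifaces[val].add(name)
        else:
            policies[name][opt] = val
    problems = []
    for iface, names in ifaces.items():
        if len(names) > 1:         # note: only one guard policy per interface
            problems.append(f"{iface}: more than one guard policy ({', '.join(sorted(names))})")
    for name, opts in policies.items():
        if opts.get("device-role") == "server" and "trust-port" in opts:
            problems.append(f"{name}: device-role server conflicts with trust-port")
        lo = int(opts.get("preference-min") or 0)      # defaults taken from the notes
        hi = int(opts.get("preference-max") or 255)
        if not 0 <= lo <= hi <= 255:                   # assumed sanity check
            problems.append(f"{name}: preference range {lo}..{hi} is invalid")
    return sorted(problems)

# Constructed sample: policy names, interfaces and the address are made up.
SAMPLE = """
set protocols dhcp6 guard policy UPLINK device-role server
set protocols dhcp6 guard policy UPLINK match server source-address fe80::1/128
set protocols dhcp6 guard policy UPLINK preference-min 200
set protocols dhcp6 guard policy UPLINK preference-max 100
set protocols dhcp6 guard policy UPLINK trust-port
set protocols dhcp6 guard policy UPLINK interface ge-1/1/48
set protocols dhcp6 guard policy ACCESS device-role client
set protocols dhcp6 guard policy ACCESS interface ge-1/1/1
set protocols dhcp6 guard policy ACCESS interface ge-1/1/48
"""

if __name__ == "__main__":
    for problem in lint_guard_config(SAMPLE):
        print(problem)
```

The sample deliberately breaks three rules: a server-role policy that also sets trust-port, an inverted preference range, and two policies bound to ge-1/1/48.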


Copyright © 2024 Pica8 Inc. All Rights Reserved.