Example for Configuring DHCPv6 Guard
- Tracy Yang
Network Requirements
Figure 1. DHCPv6 Guard Configuration Example
To maintain the DHCPv6 service properly, the DHCPv6 Guard protocol can be deployed on the device between the DHCPv6 server and the client.
As shown in Figure 1, the DHCPv6 Guard is deployed between multiple servers and a single client. You can configure Switch A and Switch B as DHCPv6 servers, configure Switch D as the DHCPv6 client, and configure DHCPv6 guard on Switch C to protect networks from rogue DHCPv6 servers.
Procedure
Switch C
Step 1 Configure policies p1, p2, and p3 on the ports connected to switch A, switch B, and switch D.
admin@SwitchC# set protocols dhcp6 guard policy p1 interface ge-1/1/5
admin@SwitchC# set protocols dhcp6 guard policy p2 interface ge-1/1/6
admin@SwitchC# set protocols dhcp6 guard policy p3 interface ge-1/1/7Step 2 Configure a trusted port on the port connected to switch A.
admin@SwitchC# set protocols dhcp6 guard policy p1 trust-portStep 3 Configure port roles for the ports that connect to switch B and switch D.
admin@SwitchC# set protocols dhcp6 guard policy p2 device-role server
admin@SwitchC# set protocols dhcp6 guard policy p3 device-role clientStep 4 Configure multiple filtering policies on the port connected to switch B.
Step 5 Commit the configuration.
Verifying the Configuration
The command run show dhcp6 guard can be used to check the configuration information of the DHCPv6 Guard.
As shown in the command output:
policy p1 is set as a trusted port and applied to port ge-1/1/5.
Policy p2 checks the packets from the server and allows the packets whose source address is 2001::0/64 to pass and the IA reply packets whose prefix is 2001::0/64 to pass.
The maximum value of the priority is 200 and the minimum value is 100.
The role of the port is “server”, which is applicable to port ge-1/1/6.
Policy p3 defines the port role as client and applies it to port ge-1/1/7.
Copyright © 2024 Pica8 Inc. All Rights Reserved.