DHCPv6 guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. This functionality helps to prevent traffic redirection or denial of service (DoS).
Let's discussed about common problem scenario also called man-in-middle attack:
We’ve got our multilayer switch in the center and somewhere off to the side of router R1,we’ve got a DHCPv6 server which is our legitimate device. And in our access domain on the down we have our victim, who is a person coming into work on a normal morning, turning on his Laptop and requesting a DHCPv6 address with a solicit message. Unfortunately for him, a neighbor of his is the rogue man sitting next to him in the cubicle, can see his DHCP solicit message and can actually reply, pretending that he is the DHCPv6 server and assign credentials and…such as the DNS address to be used etc. and which he can use then to redirect traffic to himself. So, unprotected, this would be a very dangerous position. So for people to protect themselves in this sort of network layer by simply turning on IPv6 Snooping. By turning on IPv6 Snooping, you automatically drop the switch into “Guard Mode” which will turn on DHCPv6 Guard as well as RA Guard; so none of the redirect advertisements or any DHCPv6 server messages will get through.
There are two mode:
1) Client: Sets the role of the device to client.
2) Server: Sets the role of the device to server.
Since the default mode of the switch is to “guard”, by default all ports configured with dhcpv6 guard will be in client mode. Thus all ports will be dropping any dhcpv6 server messages by default.
Additional security can be achieved by assigning an access list to only permit dhcpv6 server messages from a specific source address. Assigning a prefix-list to allow address allocation only from a known prefix (i.e. the server has been compromised).
1) 1st Assign Policy for Hosts:
For the Host facing ports you don’t need to do this, but if you want to explicitly configure this, that’s how you do it.
SW1(config)#ipv6 dhcp guard policy dhcp-client
Interface range fa0/2-3
switchport mode access
ipv6 dhcp guard attach-policy dhcp-client
2) Then assign policy for DHCP server facing port:
For the server facing ports, you need create DHCPv6 Guard policy.
SW1(config)#ipv6 dhcp guard policy dhcp-server
SW1(config-dhcp-guard)#match server access-list ACL1
You can also provide some extra functionality over access lists; you could block server messages for particular addresses using an access list and you could also block some advertisements from the DHCPv6 server blocking certain prefixes using a prefix list as shown below:
SW1(config)#ipv6 access-list ACL1
SW1(config-ipv6-acl)#permit ipv6 host FE80::1 any
SW1(config)#ipv6 prefix-list PREF1 seq 5 permit 2001::/64 le 128
switchport mode access
ipv6 dhcp guard attach-policy dhcp-server
SW1#show ipv6 dhcp guard policy
Dhcp guard policy: dhcp-client
Device Role: dhcp client
Target: fa0/2 fa0/3
Dhcp guard policy: dhcp-server
Device Role: dhcp server
Max Preference: 255
Min Preference: 0
Source Address Match Access List: ACL1
Prefix List Match Prefix List: PREF1
SW1#show ipv6 access-list ACL1
IPv6 access list ACL1
permit ipv6 host FE80::1 any (5 matches) sequence 10