10-DHCPv6 configuration (Layer 3—IP Services Configuration Guide)
DHCPv6 address/prefix assignment
Rapid assignment involving two messages
Assignment involving four messages
DHCPv6 client tasks at a glance
Configuring the DHCPv6 client DUID
Configuring IPv6 address acquisition
Configuring IPv6 prefix acquisition
Configuring IPv6 address and prefix acquisition
Configuring acquisition of configuration parameters except IP addresses and prefixes
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
Display and maintenance commands for DHCPv6 client
DHCPv6 client configuration examples
Example: Configuring IPv6 address acquisition
Example: Configuring IPv6 prefix acquisition
Example: Configuring IPv6 address and prefix acquisition
Example: Configuring stateless DHCPv6
Application of trusted and untrusted ports
Restrictions and guidelines: DHCPv6 snooping configuration
DHCPv6 snooping tasks at a glance
Configuring basic DHCPv6 snooping features
Configuring basic DHCPv6 snooping features in a common network
Configuring DHCP snooping support for Option 18
Configuring DHCP snooping support for Option 37
Configuring DHCPv6 snooping entry auto backup
Setting the maximum number of DHCPv6 snooping entries
Configuring DHCPv6 packet rate limit
Configuring DHCPv6 snooping security features
Configuring a DHCPv6 packet blocking port
Enabling DHCPv6 snooping logging and alarm
Enabling DHCPv6 snooping logging
Disabling DHCPv6 snooping on an interface
Display and maintenance commands for DHCPv6 snooping
DHCPv6 snooping configuration examples
Example: Configuring DHCPv6 snooping globally
Example: Configuring DHCPv6 snooping for a VLAN
DHCPv6 guard operating mechanism
Restrictions and guidelines: DHCPv6 guard configuration
DHCPv6 guard tasks at a glance
Configuring a DHCPv6 guard policy
Applying a DHCPv6 guard policy to an interface
Applying a DHCPv6 guard policy to a VLAN
Display and maintenance commands for DHCPv6 guard
DHCPv6 guard configuration examples
Example: Configuring DHCPv6 guard
DHCPv6 overview
DHCPv6 address/prefix assignment
An address/prefix assignment process involves two or four messages.
Rapid assignment involving two messages
As shown in Figure 1, rapid assignment operates in the following steps:
1. The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
2. If the DHCPv6 server supports rapid assignment, it responds with a Reply message containing the assigned IPv6 address/prefix and other configuration parameters. If the DHCPv6 server does not support rapid assignment, Assignment involving four messages is performed.
Figure 1 Rapid assignment involving two messages
Assignment involving four messages
As shown in Figure 2, four-message assignment operates using the following steps:
1. The DHCPv6 client sends a Solicit message to request an IPv6 address/prefix and other configuration parameters.
2. The DHCPv6 server responds with an Advertise message that contains the assignable address/prefix and other configuration parameters if either of the following conditions exists:
¡ The Solicit message does not contain a Rapid Commit option.
¡ The DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option.
3. The DHCPv6 client might receive multiple Advertise messages offered by different DHCPv6 servers. It selects an offer according to the receiving sequence and server priority, and sends a Request message to the selected server for confirmation.
4. The DHCPv6 server sends a Reply message to the client, confirming that the address/prefix and other configuration parameters are assigned to the client.
Figure 2 Assignment involving four messages
Address/prefix lease renewal
An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
Figure 3 Using the Renew message for address/prefix lease renewal
As shown in Figure 3, at T1, the DHCPv6 client sends a Renew message to the DHCPv6 server. The recommended value of T1 is half the preferred lifetime. The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.
Figure 4 Using the Rebind message for address/prefix lease renewal
As shown in Figure 4:
· If the DHCPv6 client does not receive a response from the DHCPv6 server after sending a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2. Typically, the value of T2 is 0.8 times the preferred lifetime.
· The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.
· If the DHCPv6 client does not receive a response from any DHCPv6 server before the valid lifetime expires, the client stops using the address/prefix.
For more information about the valid lifetime and the preferred lifetime, see "Configuring basic IPv6 settings."
Stateless DHCPv6
Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server.
The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:
· The managed address configuration flag (M flag) is set to 0.
· The other stateful configuration flag (O flag) is set to 1.
Figure 5 Stateless DHCPv6 operation
As shown in Figure 5, stateless DHCPv6 operates in the following steps:
1. The DHCPv6 client sends an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents. The Information-request message contains an Option Request option that specifies the requested configuration parameters.
2. The DHCPv6 server returns to the client a Reply message containing the requested configuration parameters.
3. The client checks the Reply message. If the obtained configuration parameters match those requested in the Information-request message, the client uses these parameters to complete configuration. If not, the client ignores the configuration parameters. If the client receives multiple replies with configuration parameters matching those requested in the Information-request message, it uses the first received reply.
DHCPv6 options
Option 18
Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the interface to use to forward RELAY-REPLY message.
The DHCPv6 snooping device adds Option 18 to a received DHCPv6 request message before forwarding it to the DHCPv6 server. The server can then assign an IPv6 address to the client based on the client information carried in Option 18.
Figure 6 shows the Option 18 format, which includes the following fields:
· Option code—Option code. The value is 18.
· Option length—Size of the option data.
· Port index—Port that receives the DHCPv6 request from the client.
· VLAN ID—ID of the outer VLAN.
· Second VLAN ID—ID of the inner VLAN. This field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 also does not contain it.
· DUID—DUID of the DHCPv6 client.
Option 37
Option 37, also called the remote-ID option, is used to identify the client.
The DHCPv6 snooping device adds Option 37 to a received DHCPv6 request message before forwarding it to the DHCPv6 server. The option gives the server client information that it can use in address allocation.
Figure 7 shows the Option 37 format, which includes the following fields:
· Option code—Option code. The value is 37.
· Option length—Size of the option data.
· Enterprise number—Enterprise number.
· Port index—Port that receives the DHCPv6 request from the client.
· VLAN ID—ID of the outer VLAN.
· Second VLAN ID—ID of the inner VLAN. This field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 37 also does not contain it.
· DUID—DUID of the DHCPv6 client.
Option 79
Option 79, also called the client link-layer address option, is used to record the MAC address of the DHCPv6 client. The first relay agent that a DHCPv6 request passes through learns the MAC address of the client and encapsulates this address in Option 79 of the Relay-Forward message for the request. The DHCPv6 server can verify the client, or assign an IPv6 address/prefix to the client, based on the MAC address of the client.
Figure 8 Option 79 format
Figure 8 shows the Option 79 format, which includes the following fields:
· Option code—Option code. The value is 79.
· Option length—Size of the option data.
· Link-layer type—Link-layer address type of the client.
· Link-layer address—Link-layer address of the client.
Protocols and standards
· RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
· RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
· RFC 2462, IPv6 Stateless Address Autoconfiguration
· RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
· RFC 6939, Client Link-Layer Address Option in DHCPv6
Configuring the DHCPv6 client
About the DHCPv6 client
With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server.
A DHCPv6 client can use DHCPv6 to complete the following functions:
· Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. If DHCPv6 server is enabled on the device, the client can automatically save the obtained parameters to a DHCPv6 option group. With the obtained IPv6 prefix, the client can generate its global unicast address.
· Support stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. The client obtains an IPv6 address through stateless IPv6 address autoconfiguration. If the client receives an RA message with the M flag set to 0 and the O flag set to 1 during address acquisition, stateless DHCPv6 starts.
DHCPv6 client tasks at a glance
To configure a DHCPv6 client, perform the following tasks:
1. (Optional.) Configuring the DHCPv6 client DUID
2. Configuring the DHCPv6 client to obtain IPv6 addresses, IPv6 prefixes and other network parameters
Choose the following tasks as needed:
¡ Configuring IPv6 address acquisition
¡ Configuring IPv6 prefix acquisition
¡ Configuring IPv6 address and prefix acquisition
¡ Configuring acquisition of configuration parameters except IP addresses and prefixes
3. (Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
Configuring the DHCPv6 client DUID
About the DHCPv6 client DUID
The DUID of a DHCPv6 client is the globally unique identifier of the client. The client carries its DUID in Option 1 (the Client Identifier option) of the DHCPv6 packets that it sends to the DHCPv6 server. The DHCPv6 server can assign specific IPv6 addresses or prefixes to DHCPv6 clients with specific DUIDs.
Restrictions and guidelines
Make sure the DUID that you configure is unique.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the DHCPv6 client DUID.
ipv6 dhcp client duid { ascii ascii-string | hex hex-string | mac interface-type interface-number }
By default, the interface uses the device bridge MAC address to generate its DHCPv6 client DUID.
Configuring IPv6 address acquisition
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the interface to use DHCPv6 to obtain IPv6 addresses and other network settings.
ipv6 address dhcp-alloc [ option-group group-number | rapid-commit ] *
By default, an interface does not use DHCPv6 to obtain IPv6 addresses and other network settings.
Configuring IPv6 prefix acquisition
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the interface to use DHCPv6 to obtain an IPv6 prefix and other configuration parameters.
ipv6 dhcp client pd prefix-number [ option-group group-number | rapid-commit ] *
By default, the interface does not use DHCPv6 for IPv6 prefix acquisition.
Configuring IPv6 address and prefix acquisition
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the interface to use DHCPv6 to obtain an IPv6 address, an IPv6 prefix, and other configuration parameters.
ipv6 dhcp client stateful prefix prefix-number [ option-group option-group-number | rapid-commit ] *
By default, the interface does not use DHCPv6 for IPv6 address and prefix acquisition.
Configuring acquisition of configuration parameters except IP addresses and prefixes
About acquisition of configuration parameters except IP addresses and prefixes
For a DHCPv6 client that already has an IPv6 address and prefix (for example, obtained through stateless address autoconfiguration), you can use either of the following methods to let it obtain other network configuration parameters:
· Execute the ipv6 address auto command to enable the interface to automatically generate an IPv6 global unicast address and a link-local address. Stateless DHCPv6 is then triggered when a received RA message has the M flag set to 0 and the O flag set to 1. For more information about the commands, see Layer 3—IP Services Command Reference.
· Execute the ipv6 dhcp client stateless enable command on the interface to make it act as a DHCPv6 client and obtain configuration parameters from a DHCPv6 server.
If you execute both the ipv6 address auto and ipv6 dhcp client stateless enable commands, the interface acts as follows:
· Generates a global unicast address and a link-local address.
· Obtains other configuration parameters from a DHCPv6 server.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the interface to support stateless DHCPv6. Choose the options to configure as needed:
¡ Enable stateless IPv6 address autoconfiguration:
ipv6 address auto
¡ Configure the client to obtain network parameters from DHCPv6 servers:
ipv6 dhcp client stateless enable
By default, the interface does not support stateless DHCPv6.
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
About setting the DSCP value for DHCPv6 packets
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
Procedure
1. Enter system view.
system-view
2. Set the DSCP value for DHCPv6 packets sent by the DHCPv6 client.
ipv6 dhcp client dscp dscp-value
By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 client is 56.
Display and maintenance commands for DHCPv6 client
Execute the display commands in any view, and execute the reset command in user view.
Task | Command
---|---
Display the DHCPv6 client information. | display ipv6 dhcp client [ interface interface-type interface-number ]
Display the DHCPv6 client statistics. | display ipv6 dhcp client statistics [ interface interface-type interface-number ]
Clear the DHCPv6 client statistics. | reset ipv6 dhcp client statistics [ interface interface-type interface-number ]
DHCPv6 client configuration examples
Example: Configuring IPv6 address acquisition
Network configuration
As shown in Figure 9, configure the switch to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, DNS server address, domain name suffix, SIP server address, and SIP server domain name.
Procedure
You must configure the DHCPv6 server before configuring the DHCPv6 client.
# Configure VLAN-interface 2 as a DHCPv6 client for IPv6 address acquisition. Configure the DHCPv6 client to support DHCPv6 rapid address assignment. Configure the DHCPv6 client to create a dynamic DHCPv6 option group for saving configuration parameters.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ipv6 address dhcp-alloc rapid-commit option-group 1
[Switch-Vlan-interface2] quit
Verifying the configuration
# Verify that the client has obtained an IPv6 address and other configuration parameters from the server.
[Switch] display ipv6 dhcp client
Vlan-interface2:
Type: Stateful client requesting address
State: OPEN
Client DUID: 0003000100e002000000
Preferred server:
Reachable via address: FE80::2E0:1FF:FE00:18
Server DUID: 0003000100e001000000
IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec
Address: 1:1::2/128
Preferred lifetime 100 sec, valid lifetime 200 sec
Will expire on Mar 27 2014 at 08:06:57 (198 seconds left)
DNS server addresses:
2000::FF
Domain name:
example.com
SIP server addresses:
2:2::4
SIP server domain names:
bbb.com
# After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.
[Switch] display ipv6 dhcp option-group 1
DHCPv6 option group: 1
DNS server addresses:
Type: Dynamic (DHCPv6 address allocation)
Interface: Vlan-interface2
2000::FF
Domain name:
Type: Dynamic (DHCPv6 address allocation)
Interface: Vlan-interface2
example.com
SIP server addresses:
Type: Dynamic (DHCPv6 address allocation)
Interface: Vlan-interface2
2:2::4
SIP server domain names:
Type: Dynamic (DHCPv6 address allocation)
Interface: Vlan-interface2
bbb.com
# Verify that the DHCPv6 client has obtained an IPv6 address.
[Switch] display ipv6 interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IPv6 Address
Vlan-interface2 up up 1:1::2
Example: Configuring IPv6 prefix acquisition
Network configuration
As shown in Figure 10, configure the switch to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.
Procedure
You must configure the DHCPv6 server before configuring the DHCPv6 client.
# Configure an IPv6 address for VLAN-interface 2 that is connected to the DHCPv6 server.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ipv6 address 1::2/48
# Configure VLAN-interface 2 as a DHCPv6 client for IPv6 prefix acquisition. Configure the DHCPv6 client to support DHCPv6 rapid prefix assignment. Configure the DHCPv6 client to assign an ID to the obtained IPv6 prefix and create a dynamic DHCPv6 option group for saving configuration parameters.
[Switch-Vlan-interface2] ipv6 dhcp client pd 1 rapid-commit option-group 1
[Switch-Vlan-interface2] quit
Verifying the configuration
# Verify that the DHCPv6 client has obtained an IPv6 prefix and other configuration parameters from the DHCPv6 server.
[Switch] display ipv6 dhcp client
Vlan-interface2:
Type: Stateful client requesting prefix
State: OPEN
Client DUID: 0003000100e002000000
Preferred server:
Reachable via address: FE80::2E0:1FF:FE00:18
Server DUID: 0003000100e001000000
IA_PD: IAID 0x00000642, T1 50 sec, T2 80 sec
Prefix: 12:34::/48
Preferred lifetime 100 sec, valid lifetime 200 sec
Will expire on Feb 4 2014 at 15:37:20 (80 seconds left)
DNS server addresses:
2000::FF
Domain name:
example.com
SIP server addresses:
2:2::4
SIP server domain names:
bbb.com
# Verify that the client has obtained an IPv6 prefix.
[Switch] display ipv6 prefix 1
Number: 1
Type : Dynamic
Prefix: 12:34::/48
Preferred lifetime 100 sec, valid lifetime 200 sec
# After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.
[Switch] display ipv6 dhcp option-group 1
DHCPv6 option group: 1
DNS server addresses:
Type: Dynamic (DHCPv6 prefix allocation)
Interface: Vlan-interface2
2000::FF
Domain name:
Type: Dynamic (DHCPv6 prefix allocation)
Interface: Vlan-interface2
example.com
SIP server addresses:
Type: Dynamic (DHCPv6 prefix allocation)
Interface: Vlan-interface2
2:2::4
SIP server domain names:
Type: Dynamic (DHCPv6 prefix allocation)
Interface: Vlan-interface2
bbb.com
Example: Configuring IPv6 address and prefix acquisition
Network configuration
As shown in Figure 11, configure the switch to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.
Procedure
You must configure the DHCPv6 server before configuring the DHCPv6 client.
# Configure an IPv6 address for VLAN-interface 2 that is connected to the DHCPv6 server.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ipv6 address 1::2/48
# Configure VLAN-interface 2 as a DHCPv6 client for IPv6 address and prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid address and prefix assignment.
[Switch-Vlan-interface2] ipv6 dhcp client stateful prefix 1 rapid-commit option-group 1
[Switch-Vlan-interface2] quit
Verifying the configuration
# Verify that the DHCPv6 client has obtained an IPv6 address, an IPv6 prefix, and other configuration parameters from the DHCPv6 server.
[Switch] display ipv6 dhcp client
Vlan-interface2:
Type: Stateful client requesting address and prefix
State: OPEN
Client DUID: 0003000100e002000000
Preferred server:
Reachable via address: FE80::2E0:1FF:FE00:18
Server DUID: 0003000100e001000000
IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec
Address: 1:1::2/128
Preferred lifetime 100 sec, valid lifetime 200 sec
Will expire on Mar 27 2014 at 08:02:00 (199 seconds left)
IA_PD: IAID 0x00000642, T1 50 sec, T2 80 sec
Prefix: 12:34::/48
Preferred lifetime 100 sec, valid lifetime 200 sec
Will expire on Mar 27 2014 at 08:02:00 (199 seconds left)
DNS server addresses:
2000::FF
Domain name:
example.com
SIP server addresses:
2:2::4
SIP server domain names:
bbb.com
# Verify that the DHCPv6 client has obtained an IPv6 address.
[Switch] display ipv6 interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IPv6 Address
Vlan-interface2 up up 1:1::2
# Verify that the client has obtained an IPv6 prefix.
[Switch] display ipv6 prefix 1
Number: 1
Type : Dynamic
Prefix: 12:34::/48
Preferred lifetime 100 sec, valid lifetime 200 sec
# After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.
[Switch] display ipv6 dhcp option-group 1
DNS server addresses:
Type: Dynamic (DHCPv6 address and prefix allocation)
Interface: Vlan-interface2
2000::FF
Domain name:
Type: Dynamic (DHCPv6 address and prefix allocation)
Interface: Vlan-interface2
example.com
SIP server addresses:
Type: Dynamic (DHCPv6 address and prefix allocation)
Interface: Vlan-interface2
2:2::4
SIP server domain names:
Type: Dynamic (DHCPv6 address and prefix allocation)
Interface: Vlan-interface2
bbb.com
Example: Configuring stateless DHCPv6
Network configuration
As shown in Figure 12, configure Switch A to use stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. Switch B acts as the gateway and advertises RA messages periodically.
Procedure
You must configure the DHCPv6 server before configuring the DHCPv6 client.
1. Configure the gateway Switch B.
# Configure an IPv6 address for VLAN-interface 2.
<SwitchB> system-view
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ipv6 address 1::1 64
# Set the O flag to 1 in RA advertisements to be sent on VLAN-interface 2. Hosts that receive the RA advertisements will obtain information other than IPv6 address through DHCPv6.
[SwitchB-Vlan-interface2] ipv6 nd autoconfig other-flag
# Disable RA message suppression on VLAN-interface 2.
[SwitchB-Vlan-interface2] undo ipv6 nd ra halt
2. Configure the DHCPv6 client Switch A.
# Enable stateless IPv6 address autoconfiguration on VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ipv6 address auto
With stateless IPv6 address autoconfiguration enabled, but no IPv6 address configured for VLAN-interface 2, Switch A automatically generates a link-local address. It sends an RS message to Switch B to request configuration information for IPv6 address generation. Upon receiving the RS message, Switch B sends back an RA message. After receiving an RA message with the M flag set to 0 and the O flag set to 1, Switch A performs stateless DHCPv6 to get other configuration parameters.
Verifying the configuration
# Display the DHCPv6 client information.
[SwitchA-Vlan-interface2] display ipv6 dhcp client interface vlan-interface 2
Vlan-interface2:
Type: Stateless client
State: OPEN
Client DUID: 00030001000fe2ff0000
Preferred server:
Reachable via address: FE80::213:7FFF:FEF6:C818
Server DUID: 0003000100137ff6c818
DNS server addresses:
1:2:4::5
1:2:4::7
Domain name:
abc.com
# Display the DHCPv6 client statistics.
[SwitchA-Vlan-interface2] display ipv6 dhcp client statistics
Interface : Vlan-interface2
Packets received : 1
Reply : 1
Advertise : 0
Reconfigure : 0
Invalid : 0
Packets sent : 5
Solicit : 0
Request : 0
Renew : 0
Rebind : 0
Information-request : 5
Release : 0
Decline : 0
Configuring DHCPv6 snooping
About DHCPv6 snooping
DHCPv6 snooping guarantees that DHCPv6 clients obtain IPv6 addresses or prefixes only from authorized DHCPv6 servers. It also records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping address entries) and prefix-to-port bindings of DHCPv6 clients (called DHCPv6 snooping prefix entries) for use by security features.
DHCPv6 snooping defines trusted and untrusted ports to make sure that clients obtain IPv6 addresses only from authorized DHCPv6 servers.
· Trusted—A trusted port can forward DHCPv6 messages correctly to make sure the clients get IPv6 addresses from authorized DHCPv6 servers.
· Untrusted—An untrusted port discards received messages sent by DHCPv6 servers to prevent unauthorized servers from assigning IPv6 addresses.
DHCPv6 snooping reads the Reply messages received from trusted ports, together with the Request messages from clients, to create DHCPv6 snooping entries. A DHCPv6 snooping entry can be an address entry or a prefix entry.
· A DHCPv6 address entry includes the MAC and IP addresses of a client, the port that connects to the DHCPv6 client, and the VLAN. You can use the display ipv6 dhcp snooping binding command to display the IP addresses of users for management.
· A DHCPv6 prefix entry includes the prefix and lease information assigned to the client, the port that connects to the DHCPv6 client, and the VLAN. You can use the display ipv6 dhcp snooping pd binding command to display the prefixes of the users for management.
Application of trusted and untrusted ports
Configure ports facing the DHCPv6 server as trusted ports, and configure other ports as untrusted ports.
As shown in Figure 13, configure the DHCPv6 snooping device's port that is connected to the DHCPv6 server as a trusted port. The trusted port forwards response messages from the DHCPv6 server to the client. The untrusted port connected to the unauthorized DHCPv6 server discards incoming DHCPv6 response messages.
Figure 13 Trusted and untrusted ports
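The following Python script is an added example; it is not code from this guide or from H3C. It serves two passages: the "DHCPv6 options" section above, by assembling and parsing Option 37 and Option 79 with the generic option TLV walk that Option 18 also relies on, and the trusted/untrusted port rule of this section, by running a constructed Reply message through a snooping decision that drops server-originated messages on an untrusted port and records a snooping address entry only when the Reply arrives on the trusted port. Option layouts follow RFC 3315, RFC 4649 and RFC 6939; the port-index/VLAN/DUID sub-layout the guide shows inside Options 18 and 37 is vendor-specific and is left as opaque bytes. The MAC address, DUID, IPv6 address, port names and the enterprise number 32473 (the IANA number reserved for documentation) are constructed sample values, and the client MAC is passed in as if read from the frame that carried the Reply.

```python
"""DHCPv6 relay options and the snooping trust rule. Added example, not code
from the guide. Layouts are the standard ones: option = 2-byte code, 2-byte
length, data (RFC 3315); Option 37 = 4-byte enterprise number plus an opaque
remote-id (RFC 4649); Option 79 = 2-byte link-layer type plus the address
(RFC 6939); IA_NA (option 3) wraps IA Address (option 5). The port-index/VLAN/
DUID layout the guide shows inside Options 18 and 37 is vendor-specific and is
left opaque here. All sample values below are constructed."""
import ipaddress
import struct

# Message types (RFC 3315 section 5.3); a server originates only these three.
SOLICIT, ADVERTISE, REQUEST, REPLY, RECONFIGURE = 1, 2, 3, 7, 10
SERVER_TO_CLIENT = {ADVERTISE, REPLY, RECONFIGURE}
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_REMOTE_ID, OPT_CLIENT_LL = 1, 3, 5, 37, 79
HTYPE_ETHERNET = 1

def encode_option(code, data):
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf):
    """Return [(code, data), ...]; a truncated or overrunning TLV raises rather than being skipped."""
    opts, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns the message" % code)
        opts.append((code, bytes(buf[off:off + length])))
        off += length
    return opts

def encode_client_ll(mac):
    """Option 79 for an Ethernet client: link-layer type 1 followed by the 6-byte MAC."""
    return encode_option(OPT_CLIENT_LL, struct.pack("!H", HTYPE_ETHERNET) + mac)

def decode_client_ll(data):
    if len(data) < 2:
        raise ValueError("Option 79 too short")
    htype, addr = struct.unpack("!H", data[:2])[0], data[2:]
    if htype == HTYPE_ETHERNET and len(addr) != 6:
        raise ValueError("Ethernet link-layer address must be 6 bytes")
    return htype, addr

def encode_remote_id(enterprise, remote_id):
    """Option 37: enterprise number followed by the relay's opaque remote-id."""
    return encode_option(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)

def decode_remote_id(data):
    if len(data) < 4:
        raise ValueError("Option 37 too short")
    return struct.unpack("!I", data[:4])[0], data[4:]

def build_reply(xid, client_duid, iaid, t1, t2, addr, preferred, valid):
    """Minimal Reply: type + 3-byte xid, Client-ID, one IA_NA holding one IA Address."""
    iaaddr = encode_option(OPT_IAADDR, addr.packed + struct.pack("!II", preferred, valid))
    ia_na = encode_option(OPT_IA_NA, struct.pack("!III", iaid, t1, t2) + iaaddr)
    return bytes([REPLY]) + xid.to_bytes(3, "big") + encode_option(OPT_CLIENTID, client_duid) + ia_na

def addresses_in_reply(msg):
    """Return [(IPv6Address, preferred, valid), ...] for every IA Address in every IA_NA."""
    found = []
    for code, data in parse_options(msg[4:]):
        if code != OPT_IA_NA or len(data) < 12:
            continue
        for sub, subdata in parse_options(data[12:]):  # skip IAID, T1, T2
            if sub == OPT_IAADDR and len(subdata) >= 24:
                addr = ipaddress.IPv6Address(subdata[:16])
                found.append((addr,) + struct.unpack("!II", subdata[16:24]))
    return found

def snoop(msg, port, vlan, trusted, client_mac, bindings):
    """Trusted/untrusted rule for one message arriving on `port`: server-originated
    messages on an untrusted port are dropped; a Reply on a trusted port adds
    (client MAC, address) -> port/VLAN/lease to the snooping address table.
    client_mac is the destination MAC of the frame that carried the Reply."""
    msg_type = msg[0]
    if msg_type in SERVER_TO_CLIENT and not trusted:
        return "drop"
    if msg_type == REPLY and trusted:
        for addr, _preferred, valid in addresses_in_reply(msg):
            bindings[(client_mac, addr)] = {"port": port, "vlan": vlan, "valid": valid}
    return "forward"

def demo():
    """The same Reply from a rogue server on an access port and from the real server on the uplink."""
    mac = bytes.fromhex("00e002000000")           # 00:e0:02:00:00:00, constructed
    duid = bytes.fromhex("0003000100e002000000")  # DUID-LL (type 3, Ethernet) for that MAC
    addr = ipaddress.IPv6Address("1:1::2")
    reply = build_reply(0xABCDEF, duid, 0x642, 50, 80, addr, 100, 200)
    bindings = {}
    rogue = snoop(reply, "GE1/0/1", 2, False, mac, bindings)   # untrusted access port
    good = snoop(reply, "GE1/0/24", 2, True, mac, bindings)    # trusted uplink to the server
    return rogue, good, bindings
```

Calling demo() returns ("drop", "forward", bindings): the Reply injected on the untrusted access port is discarded without touching the binding table, and the identical Reply on the trusted uplink is forwarded and yields one address entry keyed by client MAC and address 1:1::2, with the port, VLAN and valid lifetime of 200 seconds, which is the information the display ipv6 dhcp snooping binding command shows. The parser raises on a truncated or overrunning option instead of silently stopping, so a malformed option cannot cause later options in the same message to be skipped.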
Restrictions and guidelines: DHCPv6 snooping configuration
DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent.
DHCPv6 snooping does not work between the DHCPv6 server and DHCPv6 relay agent.
To make sure DHCPv6 clients can obtain valid IPv6 addresses, specify the ports connected to authorized DHCPv6 servers as trusted ports. The trusted ports and the ports connected to DHCPv6 clients must be in the same VLAN.
If you configure DHCPv6 snooping settings on a Layer 2 Ethernet interface that is a member port of a Layer 2 aggregate interface, the settings do not take effect unless the interface is removed from the aggregation group.
DHCPv6 snooping tasks at a glance
To configure DHCPv6 snooping, perform the following tasks:
1. Configuring basic DHCPv6 snooping features
2. (Optional.) Configuring DHCP snooping support for Option 18
3. (Optional.) Configuring DHCP snooping support for Option 37
4. (Optional.) Configuring DHCPv6 snooping entry auto backup
5. (Optional.) Setting the maximum number of DHCPv6 snooping entries
6. (Optional.) Configuring DHCPv6 packet rate limit
7. (Optional.) Configuring DHCPv6 snooping security features
8. (Optional.) Enabling DHCPv6 snooping logging and alarm
9. (Optional.) Disabling DHCPv6 snooping on an interface
Configuring basic DHCPv6 snooping features
Configuring basic DHCPv6 snooping features in a common network
About basic DHCPv6 snooping features in a common network
Basic DHCPv6 snooping features include enabling DHCPv6 snooping, configuring trusted ports, and enabling recording DHCPv6 snooping entries.
When you enable DHCPv6 snooping globally on a device, DHCPv6 snooping is also enabled in all VLANs on the device. If you do not need DHCPv6 snooping globally, enable it only in the specific VLANs that require it. You can also configure the other basic DHCPv6 snooping features in those VLANs.
Restrictions and guidelines
If the basic DHCPv6 snooping features are configured globally, you can only use the undo form of the global configuration commands to disable the settings globally. The VLAN-specific configuration commands cannot disable the settings.
If the basic DHCPv6 snooping features are configured in a VLAN, you can only use the undo form of the VLAN-specific configuration commands to disable the settings in the VLAN. The global configuration command cannot disable the settings.
Configuring basic DHCPv6 snooping features globally
1. Enter system view.
system-view
2. Enable DHCPv6 snooping globally.
ipv6 dhcp snooping enable
By default, DHCPv6 snooping is disabled globally.
3. Enter interface view.
interface interface-type interface-number
This interface must connect to the DHCPv6 server.
4. Specify the port as a trusted port.
ipv6 dhcp snooping trust
By default, all ports are untrusted ports after DHCPv6 snooping is enabled.
5. Enable recording DHCPv6 snooping entries.
a. Return to system view.
quit
b. Enter interface view.
interface interface-type interface-number
This interface must connect to the DHCPv6 client.
c. Enable recording DHCPv6 snooping entries. Choose the following tasks as needed:
- Enable recording DHCPv6 snooping address entries.
ipv6 dhcp snooping binding record
By default, recording of DHCPv6 snooping address entries is disabled.
- Enable recording DHCPv6 snooping prefix entries.
ipv6 dhcp snooping pd binding record
By default, recording of DHCPv6 snooping prefix entries is disabled.
Configuring basic DHCPv6 snooping features for VLANs
1. Enter system view.
system-view
2. Enable DHCPv6 snooping for VLANs.
ipv6 dhcp snooping enable vlan vlan-id-list
By default, DHCPv6 snooping is disabled in all VLANs.
3. Enter VLAN view.
vlan vlan-id
Make sure DHCPv6 snooping is enabled for the VLAN.
4. Specify a port as a trusted port.
ipv6 dhcp snooping trust interface interface-type interface-number
By default, all ports are untrusted ports after DHCPv6 snooping is enabled.
5. (Optional.) Enable recording DHCPv6 snooping entries in the VLAN. Choose the following tasks as needed:
¡ Enable recording DHCPv6 snooping address entries.
ipv6 dhcp snooping binding record
By default, recording of DHCPv6 snooping address entries is disabled in a VLAN.
¡ Enable recording DHCPv6 snooping prefix entries.
ipv6 dhcp snooping pd binding record
By default, recording of DHCPv6 snooping prefix entries is disabled in a VLAN.
Configuring DHCP snooping support for Option 18
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP snooping support for Option 18.
ipv6 dhcp snooping option interface-id enable
By default, DHCP snooping support for Option 18 is disabled.
4. (Optional.) Specify the content as the interface ID.
ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id
By default, the DHCPv6 snooping device uses its DUID as the content for Option 18.
Configuring DHCP snooping support for Option 37
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP snooping support for Option 37.
ipv6 dhcp snooping option remote-id enable
By default, DHCP snooping support for Option 37 is disabled.
4. (Optional.) Specify the content as the remote ID.
ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id
By default, the DHCPv6 snooping device uses its DUID as the content for Option 37.
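To make concrete what Option 18 and Option 37 carry on the wire, the following Python encoder and parser is an added example, not code from this guide or from the device software. The option layouts follow RFC 8415 (Interface-Id, option code 18: opaque interface identifier) and RFC 4649 (Remote-ID, option code 37: a 4-byte enterprise number followed by an opaque remote-id); the DUID-LL layout follows RFC 8415 as well. The DUID, the configured interface-ID and remote-ID strings, and the enterprise number are constructed placeholders, not values taken from this guide.

```python
"""Encoder and parser for DHCPv6 Option 18 (Interface-ID) and Option 37 (Remote-ID).

Added example, not H3C code. Layouts per RFC 8415 (Interface-Id, DUID-LL) and
RFC 4649 (Remote-ID). All sample values below are constructed placeholders.
"""
import struct
from typing import Dict, Tuple

OPTION_INTERFACE_ID = 18
OPTION_REMOTE_ID = 37
# Constructed placeholder for an IANA Private Enterprise Number, not a real assignment.
ENTERPRISE_NUMBER_PLACEHOLDER = 99999


def encode_option(code: int, payload: bytes) -> bytes:
    """DHCPv6 option TLV: 2-byte option code, 2-byte length, payload (network order)."""
    return struct.pack("!HH", code, len(payload)) + payload


def encode_interface_id(interface_id: bytes) -> bytes:
    """Option 18 carries the interface identifier as an opaque byte string."""
    return encode_option(OPTION_INTERFACE_ID, interface_id)


def encode_remote_id(enterprise_number: int, remote_id: bytes) -> bytes:
    """Option 37: 4-byte enterprise number, then the opaque remote-id (RFC 4649)."""
    return encode_option(OPTION_REMOTE_ID, struct.pack("!I", enterprise_number) + remote_id)


def duid_ll(hw_type: int, link_layer_addr: bytes) -> bytes:
    """DUID-LL (DUID type 3): 2-byte type, 2-byte hardware type, link-layer address."""
    return struct.pack("!HH", 3, hw_type) + link_layer_addr


def decode_options(data: bytes) -> Dict[int, bytes]:
    """Parse a run of DHCPv6 options into {code: payload}, refusing truncated TLVs."""
    out: Dict[int, bytes] = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if len(data) - pos < length:
            raise ValueError(f"option {code} claims {length} bytes, {len(data) - pos} left")
        out[code] = data[pos:pos + length]
        pos += length
    return out


def decode_remote_id(payload: bytes) -> Tuple[int, bytes]:
    """Split an Option 37 payload into (enterprise number, remote-id)."""
    if len(payload) < 4:
        raise ValueError("Remote-ID payload shorter than the enterprise number")
    return struct.unpack("!I", payload[:4])[0], payload[4:]


def is_well_formed(data: bytes) -> bool:
    """True if every TLV in data is complete; what a receiver should check first."""
    try:
        decode_options(data)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Build the options a snooping device would insert, then parse them back."""
    switch_duid = duid_ll(1, bytes.fromhex("0011223344aa"))  # constructed device DUID
    # Default content of both options: the device DUID.
    default_opts = (encode_interface_id(switch_duid)
                    + encode_remote_id(ENTERPRISE_NUMBER_PLACEHOLDER, switch_duid))
    # Content set with the 'string' keyword of the two commands above (constructed values).
    custom_opts = (encode_interface_id(b"GE1/0/2")
                   + encode_remote_id(ENTERPRISE_NUMBER_PLACEHOLDER, b"SwitchB-vlan100"))
    d, c = decode_options(default_opts), decode_options(custom_opts)
    return {
        "default_interface_id": d[OPTION_INTERFACE_ID].hex(),
        "custom_interface_id": c[OPTION_INTERFACE_ID].decode(),
        "custom_remote_id": decode_remote_id(c[OPTION_REMOTE_ID])[1].decode(),
        "enterprise": decode_remote_id(d[OPTION_REMOTE_ID])[0],
        "total_len": len(default_opts),
    }


if __name__ == "__main__":
    print(demo())
```

The parser's length checks matter on the server or relay side: a DHCPv6 receiver that trusts the option length field without comparing it to the remaining buffer reads past the message, so reject a short TLV before looking at its contents.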
Configuring DHCPv6 snooping entry auto backup
About DHCPv6 snooping entry auto backup
The auto backup feature saves DHCPv6 snooping entries to a backup file and allows the DHCPv6 snooping device to download the entries from the backup file at reboot. Without it, the entries on the DHCPv6 snooping device do not survive a reboot. Auto backup lets security features that depend on DHCPv6 snooping entries for user authentication (such as IP source guard) keep providing service after a reboot.
Restrictions and guidelines
· If you disable DHCPv6 snooping with the undo ipv6 dhcp snooping enable command, the device deletes all DHCPv6 snooping entries, including those stored in the backup file.
· If you execute the ipv6 dhcp snooping binding database filename command, the DHCPv6 snooping device backs up DHCPv6 snooping entries immediately and runs auto backup. This command automatically creates the file if you specify a non-existent file.
· The waiting period starts when a DHCPv6 snooping entry is learned, updated, or removed. The DHCPv6 snooping device updates the backup file when the specified waiting period is reached. All changed entries during the period will be saved to the backup file. If no DHCPv6 snooping entry changes, the backup file is not updated.
Procedure
1. Enter system view.
system-view
2. Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.
ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }
By default, the DHCPv6 snooping device does not back up the DHCPv6 snooping entries.
3. (Optional.) Manually save DHCPv6 snooping entries to the backup file.
ipv6 dhcp snooping binding database update now
4. (Optional.) Set the waiting time after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file.
ipv6 dhcp snooping binding database update interval interval
By default, the DHCPv6 snooping device waits 300 seconds to update the backup file after a DHCPv6 snooping entry change. If no DHCPv6 snooping entry changes, the backup file is not updated.
Setting the maximum number of DHCPv6 snooping entries
About setting the maximum number of DHCPv6 snooping entries
Perform this task to prevent the system resources from being overused.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum number of DHCPv6 snooping entries for the interface to learn.
ipv6 dhcp snooping max-learning-num max-number
By default, the number of DHCPv6 snooping entries for an interface to learn is not limited.
Configuring DHCPv6 packet rate limit
About DHCPv6 packet rate limit
The DHCPv6 packet rate limit feature discards DHCPv6 packets that exceed the configured rate, to prevent attacks that flood the device with DHCPv6 packets.
Restrictions and guidelines
The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum rate at which an interface can receive DHCPv6 packets.
ipv6 dhcp snooping rate-limit rate
By default, incoming DHCPv6 packets on an interface are not rate limited.
Configuring DHCPv6 snooping security features
Enabling DHCPv6-REQUEST check
About DHCPv6-REQUEST check
Perform this task to use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages prevent the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.
The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.
· If any criterion in an entry is matched, the device compares the entry with the message information.
◦ If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
◦ If they are different, the device considers the message forged and discards it.
· If no matching entry is found, the device forwards the message to the DHCPv6 server.
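The following Python simulation is an added example, not code from this guide or from the device software. It models the decisions this chapter describes for a Layer 2 DHCPv6 snooping device: server messages (Advertise, Reply) are accepted only on trusted ports; a Reply arriving on the trusted port creates a snooping entry for the client-facing port that records entries, subject to that port's max-learning-num; and the DHCPv6-REQUEST check compares Renew, Decline and Release messages with the recorded entries, dropping a message that matches an entry but disagrees with it and forwarding one that matches no entry. The exact fields of an entry and the criteria that select an entry for comparison are assumptions; all port names, DUIDs, MAC and IPv6 addresses are constructed sample data.

```python
"""DHCPv6 snooping decision logic. Added example, not H3C code.

Server messages pass only on trusted ports; a Reply creates a snooping entry
on the recording client port (up to max-learning-num); Renew/Decline/Release
are validated against entries on ports with the REQUEST check enabled.
Port names, DUIDs, MAC and IPv6 addresses are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER_MSGS = {"ADVERTISE", "REPLY"}
CHECKED_CLIENT_MSGS = {"RENEW", "DECLINE", "RELEASE"}


@dataclass(frozen=True)
class Msg:
    kind: str                       # DHCPv6 message type name
    port: str                       # ingress port on the snooping device
    vlan: int
    duid: str                       # client DUID carried in the message
    mac: str                        # source link-layer address of the frame
    ipv6: Optional[str] = None      # address assigned, renewed or released


@dataclass(frozen=True)
class Entry:
    ipv6: str
    vlan: int
    duid: str
    mac: str
    port: str                       # client-facing port the entry was learned on


@dataclass
class SnoopingDevice:
    trusted: Set[str] = field(default_factory=set)         # ipv6 dhcp snooping trust
    record_ports: Set[str] = field(default_factory=set)    # ipv6 dhcp snooping binding record
    check_ports: Set[str] = field(default_factory=set)     # ipv6 dhcp snooping check request-message
    max_learn: Dict[str, int] = field(default_factory=dict)  # ipv6 dhcp snooping max-learning-num
    bindings: Dict[Tuple[str, int], Entry] = field(default_factory=dict)
    pending: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)  # DUID -> (port, vlan, mac)

    def handle(self, msg: Msg) -> str:
        """Return 'FORWARD' or 'DROP' for msg and update snooping state."""
        if msg.kind in SERVER_MSGS:
            if msg.port not in self.trusted:
                return "DROP"               # server reply arriving on an untrusted port
            if msg.kind == "REPLY" and msg.ipv6 and msg.duid in self.pending:
                self._learn(msg)
            return "FORWARD"
        if msg.kind in ("SOLICIT", "REQUEST"):
            self.pending[msg.duid] = (msg.port, msg.vlan, msg.mac)
        elif msg.kind in CHECKED_CLIENT_MSGS and msg.port in self.check_ports:
            if not self._request_check_ok(msg):
                return "DROP"               # Renew/Decline/Release inconsistent with an entry
        return "FORWARD"

    def _learn(self, reply: Msg) -> None:
        port, vlan, mac = self.pending[reply.duid]
        if port not in self.record_ports:
            return
        learned = sum(1 for e in self.bindings.values() if e.port == port)
        if learned >= self.max_learn.get(port, float("inf")):
            return                          # learning limit reached on the client port
        self.bindings[(reply.ipv6, vlan)] = Entry(reply.ipv6, vlan, reply.duid, mac, port)

    def _request_check_ok(self, msg: Msg) -> bool:
        # An entry in the same VLAN sharing the address or the DUID is a match (assumption);
        # a matched entry whose other fields differ marks the message as forged.
        for e in self.bindings.values():
            if e.vlan == msg.vlan and (e.ipv6 == msg.ipv6 or e.duid == msg.duid):
                if (e.ipv6, e.duid, e.mac, e.port) != (msg.ipv6, msg.duid, msg.mac, msg.port):
                    return False
        return True                         # consistent, or no matching entry


def demo() -> dict:
    """Scenario like the global-snooping example: GE1/0/1 trusted (server),
    GE1/0/2 client port with recording, GE1/0/3 untrusted. Constructed data."""
    dev = SnoopingDevice(trusted={"GE1/0/1"}, record_ports={"GE1/0/2"},
                         check_ports={"GE1/0/2", "GE1/0/3"}, max_learn={"GE1/0/2": 1})
    c1 = dict(vlan=1, duid="duid-client-1", mac="00:11:22:33:44:01")
    c2 = dict(vlan=1, duid="duid-client-2", mac="00:11:22:33:44:02")
    r = {}
    r["rogue_advertise"] = dev.handle(Msg("ADVERTISE", "GE1/0/3", 1, c1["duid"], "00:11:22:33:44:99"))
    dev.handle(Msg("SOLICIT", "GE1/0/2", **c1))
    r["reply"] = dev.handle(Msg("REPLY", "GE1/0/1", 1, c1["duid"], "00:11:22:33:44:aa", ipv6="2001:db8::10"))
    r["legit_renew"] = dev.handle(Msg("RENEW", "GE1/0/2", ipv6="2001:db8::10", **c1))
    r["forged_release"] = dev.handle(Msg("RELEASE", "GE1/0/3", 1, "duid-x", "00:11:22:33:44:99", ipv6="2001:db8::10"))
    r["unknown_release"] = dev.handle(Msg("RELEASE", "GE1/0/3", 1, "duid-y", "00:11:22:33:44:77", ipv6="2001:db8::99"))
    dev.handle(Msg("SOLICIT", "GE1/0/2", **c2))          # second client: limit of 1 already reached
    r["reply2"] = dev.handle(Msg("REPLY", "GE1/0/1", 1, c2["duid"], "00:11:22:33:44:aa", ipv6="2001:db8::11"))
    r["entries"] = len(dev.bindings)
    return r


if __name__ == "__main__":
    print(demo())
```

Note the last case in `demo()`: once a port hits its learning limit, later clients on it are still forwarded but get no entry, so a feature that relies on entries (IP source guard, the REQUEST check) no longer protects them; size the limit to the expected client count rather than to the smallest value that stops resource exhaustion.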
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCPv6-REQUEST check.
ipv6 dhcp snooping check request-message
By default, DHCPv6-REQUEST check is disabled.
Configuring a DHCPv6 packet blocking port
About DHCPv6 packet blocking port
Perform this task to configure a port as a DHCPv6 packet blocking port. The DHCPv6 packet blocking port drops all incoming DHCPv6 requests.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port to block DHCPv6 requests.
ipv6 dhcp snooping deny
By default, the port does not block DHCPv6 requests.
CAUTION: To avoid IPv6 address and prefix acquisition failure, configure a port to block DHCPv6 packets only if no DHCPv6 clients are connected to it.
Enabling DHCPv6 snooping logging and alarm
Enabling DHCPv6 snooping logging
About DHCPv6 snooping logging
The DHCPv6 snooping logging feature enables the DHCPv6 snooping device to generate DHCPv6 snooping logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
As a best practice, disable this feature if the log generation affects the device performance.
Procedure
1. Enter system view.
system-view
2. Enable DHCPv6 snooping logging.
ipv6 dhcp snooping log enable
By default, DHCPv6 snooping logging is disabled.
Disabling DHCPv6 snooping on an interface
About disabling DHCPv6 snooping on an interface
This feature allows you to narrow down the interface range where DHCPv6 snooping takes effect. For example, to enable DHCPv6 snooping globally except on a specific interface, enable DHCPv6 snooping globally and then disable it on the target interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Disable DHCPv6 snooping on the interface.
ipv6 dhcp snooping disable
By default:
◦ If you enable DHCPv6 snooping globally or for a VLAN, DHCPv6 snooping is enabled on all interfaces on the device or on all interfaces in the VLAN.
◦ If you do not enable DHCPv6 snooping globally or for a VLAN, DHCPv6 snooping is disabled on all interfaces on the device or on all interfaces in the VLAN.
Display and maintenance commands for DHCPv6 snooping
Execute display commands in any view, and reset commands in user view.
Task | Command |
---|---|
Display DHCPv6 snooping address entries. | display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ] |
Display information about the file that stores DHCPv6 snooping entries. | display ipv6 dhcp snooping binding database |
Display DHCPv6 packet statistics for DHCPv6 snooping. | display ipv6 dhcp snooping packet statistics [ slot slot-number ] |
Display DHCPv6 snooping prefix entries. | display ipv6 dhcp snooping pd binding [ prefix prefix/prefix-length [ vlan vlan-id ] ] |
Display information about trusted ports. | display ipv6 dhcp snooping trust |
Clear DHCPv6 snooping address entries. | reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] } |
Clear DHCPv6 packet statistics for DHCPv6 snooping. | reset ipv6 dhcp snooping packet statistics [ slot slot-number ] |
Clear DHCPv6 snooping prefix entries. | reset ipv6 dhcp snooping pd binding { all | prefix prefix/prefix-length [ vlan vlan-id ] } |
DHCPv6 snooping configuration examples
Example: Configuring DHCPv6 snooping globally
Network configuration
As shown in Figure 14, Switch B is connected to the authorized DHCPv6 server through GigabitEthernet 1/0/1, to the unauthorized DHCPv6 server through GigabitEthernet 1/0/3, and to the DHCPv6 client through GigabitEthernet 1/0/2.
Configure only the port connected to the authorized DHCPv6 server to forward the responses from the DHCPv6 server. Enable the DHCPv6 snooping device to record DHCPv6 snooping address entries.
Procedure
# Enable DHCPv6 snooping.
<SwitchB> system-view
[SwitchB] ipv6 dhcp snooping enable
# Specify GigabitEthernet 1/0/1 as a trusted port.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Enable recording DHCPv6 snooping address entries on GigabitEthernet 1/0/2.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 dhcp snooping binding record
[SwitchB-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify that the DHCPv6 client obtains an IPv6 address and all other configuration parameters only from the authorized DHCPv6 server. (Details not shown.)
# Display DHCPv6 snooping address entries on the DHCPv6 snooping device.
[SwitchB] display ipv6 dhcp snooping binding
Example: Configuring DHCPv6 snooping for a VLAN
Network configuration
As shown in Figure 15, Switch B is connected to the authorized DHCPv6 server through GigabitEthernet 1/0/1, to the unauthorized DHCPv6 server through GigabitEthernet 1/0/3, and to the DHCPv6 client through GigabitEthernet 1/0/2.
In VLAN 100, configure only the port connected to the authorized DHCPv6 server to forward the responses from the DHCPv6 server. Enable the DHCPv6 snooping device to record DHCPv6 snooping address entries.
Procedure
# Assign access ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 100.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[SwitchB-vlan100] quit
# Enable DHCPv6 snooping for VLAN 100.
[SwitchB] ipv6 dhcp snooping enable vlan 100
# Configure GigabitEthernet 1/0/1 as a trusted port in VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] ipv6 dhcp snooping trust interface gigabitethernet 1/0/1
# Enable recording DHCPv6 snooping entries in VLAN 100.
[SwitchB-vlan100] ipv6 dhcp snooping binding record
[SwitchB-vlan100] quit
Verifying the configuration
# Verify that the DHCPv6 client obtains an IPv6 address and all other configuration parameters only from the authorized DHCPv6 server. (Details not shown.)
# Display DHCPv6 snooping address entries on the DHCPv6 snooping device.
[SwitchB] display ipv6 dhcp snooping binding
Configuring DHCPv6 guard
About DHCPv6 guard
The DHCPv6 guard feature filters DHCPv6 Advertise and Reply messages by using DHCPv6 guard policies to make sure DHCPv6 clients obtain addresses/prefixes from authorized DHCPv6 servers. To provide finer filtering granularity, you can specify the following parameters for a DHCPv6 guard policy:
· Role of the device attached to the target interface or VLAN. The interface or VLAN to which the DHCPv6 guard policy is applied is called the target interface or VLAN.
· DHCPv6 server match criterion.
· Match criterion for IPv6 addresses/prefixes assigned by DHCPv6 servers.
· Allowed DHCPv6 server preference range.
To meet the requirements of DHCPv6 clients in different locations, apply different DHCPv6 guard policies to different interfaces or VLANs on the same device.
DHCPv6 guard operating mechanism
Upon receiving a DHCPv6 Solicit or Request message, the DHCPv6 guard device forwards the message without performing the DHCPv6 guard policy check.
When receiving a DHCPv6 reply, the DHCPv6 guard device performs the DHCPv6 guard policy check in the following order:
1. Examines whether the receiving port is a trusted port. The device forwards the message if it is received on a trusted port.
Configure trusted ports in a DHCPv6 guard policy only under one of the following conditions:
◦ The port to which the DHCPv6 guard policy applies is connected to an authorized server.
◦ All ports in the VLAN to which the DHCPv6 guard policy applies are connected to authorized servers.
2. Examines the message based on the device role:
◦ If the message is received from the device with the DHCPv6 client device role, the device drops the message.
If the interface to which the DHCPv6 guard policy applies is not connected to any authorized DHCPv6 servers, set the device role to client for the policy, as shown in Figure 16.
Figure 16 Setting the device role to client
◦ If the message is received from the device with the DHCPv6 server device role, the device examines the message as follows:
- For an Advertise message, the message passes the policy check if the source IP address in the message is permitted by the ACL and the server preference is in the match range.
- For a Reply message, the message passes the policy check if the assigned IPv6 addresses/prefixes in the message are permitted by the ACL.
If the interface to which the DHCPv6 guard policy applies is connected to an authorized DHCPv6 server, set the device role to server for the policy, as shown in Figure 17.
Figure 17 Setting the device role to server
The device forwards the reply after the message passes the DHCPv6 guard policy check.
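The ordered policy check just described, written out as an added Python example; it is not code from this guide or from the device software. ACLs are modelled as ordered permit/deny prefix rules, matched against the message source address for the server check and against each assigned address or prefix for the reply check. The names `Acl`, `GuardPolicy`, `DhcpV6Msg` and `guard_check`, the treatment of an address that matches no ACL rule as not permitted, and all addresses, preferences and policy contents are assumptions or constructed sample data; the sample policies mirror the shape of p1 and p2 from the configuration example later in this chapter.

```python
"""DHCPv6 guard policy check. Added example, not H3C code.

Order: trusted port -> forward; device-role client -> drop; device-role server ->
Advertise needs a permitted source address and an in-range preference, Reply
needs every assigned address/prefix permitted by the reply ACL. Solicit and
Request messages are never checked. All sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Acl:
    """Ordered (action, network) rules; first matching rule decides, no match denies (assumption)."""
    rules: List[Tuple[str, ipaddress.IPv6Network]]

    def permits(self, addr_or_prefix: str) -> bool:
        net = ipaddress.ip_network(addr_or_prefix, strict=False)
        for action, rule_net in self.rules:
            if net.subnet_of(rule_net):
                return action == "permit"
        return False


@dataclass
class GuardPolicy:
    device_role: str = "client"           # device-role { client | server }
    server_acl: Optional[Acl] = None      # if-match server acl
    reply_acl: Optional[Acl] = None       # if-match reply acl
    pref_min: int = 1                     # preference min
    pref_max: int = 255                   # preference max
    trust_port: bool = False              # trust port


@dataclass
class DhcpV6Msg:
    kind: str                             # SOLICIT, REQUEST, ADVERTISE, REPLY
    source: str                           # source IPv6 address
    preference: int = 0                   # Preference option value (Advertise)
    assigned: List[str] = field(default_factory=list)  # IA addresses / PD prefixes (Reply)


def guard_check(policy: GuardPolicy, msg: DhcpV6Msg) -> str:
    """Return 'FORWARD' or 'DROP' for msg under policy."""
    if msg.kind not in ("ADVERTISE", "REPLY"):
        return "FORWARD"                  # client messages bypass the policy check
    if policy.trust_port:
        return "FORWARD"                  # step 1: trusted port
    if policy.device_role == "client":
        return "DROP"                     # step 2: no server is expected here
    if msg.kind == "ADVERTISE":
        if policy.server_acl is not None and not policy.server_acl.permits(msg.source):
            return "DROP"
        if not policy.pref_min <= msg.preference <= policy.pref_max:
            return "DROP"
        return "FORWARD"
    # REPLY: every assigned address/prefix must pass the reply ACL
    if policy.reply_acl is not None and not all(policy.reply_acl.permits(a) for a in msg.assigned):
        return "DROP"
    return "FORWARD"


def demo() -> dict:
    """Policies shaped like p1 (server role) and p2 (client role), with constructed messages."""
    p1 = GuardPolicy(device_role="server",
                     server_acl=Acl([("permit", ipaddress.ip_network("fe80::/12"))]),
                     reply_acl=Acl([("permit", ipaddress.ip_network("2001::/16"))]))
    p2 = GuardPolicy(device_role="client")
    p3 = GuardPolicy(device_role="server", pref_min=100)   # only high-preference servers
    trusted = GuardPolicy(device_role="client", trust_port=True)
    r = {}
    r["solicit"] = guard_check(p1, DhcpV6Msg("SOLICIT", "fe80::c1"))
    r["adv_ok"] = guard_check(p1, DhcpV6Msg("ADVERTISE", "fe80::1", preference=10))
    r["adv_bad_src"] = guard_check(p1, DhcpV6Msg("ADVERTISE", "2001:db8::5", preference=10))
    r["adv_low_pref"] = guard_check(p3, DhcpV6Msg("ADVERTISE", "fe80::1", preference=10))
    r["reply_ok"] = guard_check(p1, DhcpV6Msg("REPLY", "fe80::1", assigned=["2001:db8::10", "2001:db8:1::/64"]))
    r["reply_bad_prefix"] = guard_check(p1, DhcpV6Msg("REPLY", "fe80::1", assigned=["2001:db8::10", "2002::/64"]))
    r["adv_client_port"] = guard_check(p2, DhcpV6Msg("ADVERTISE", "fe80::1", preference=10))
    r["adv_trusted"] = guard_check(trusted, DhcpV6Msg("ADVERTISE", "fe80::1", preference=10))
    return r


if __name__ == "__main__":
    print(demo())
```

The `reply_bad_prefix` case shows why the reply ACL is evaluated per assigned address or prefix: one out-of-range prefix in an otherwise valid Reply is enough to drop it, which is the behaviour an operator wants when a rogue server hands out a prefix outside the authorized range.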
Restrictions and guidelines: DHCPv6 guard configuration
The DHCPv6 guard feature operates correctly only when the device is located between the DHCPv6 client and the DHCPv6 server or between the DHCPv6 client and the DHCPv6 relay agent. If the device is located between the DHCPv6 server and the DHCPv6 relay agent, the DHCPv6 guard feature cannot operate correctly.
When the DHCPv6 guard feature is configured on a DHCPv6 snooping device, both features can take effect. The device forwards DHCPv6 reply packets received on a DHCPv6 snooping trusted port only if they pass the DHCPv6 guard check. These packets are dropped if they fail the DHCPv6 guard check.
DHCPv6 guard tasks at a glance
To configure DHCPv6 guard, perform the following tasks:
1. Configuring a DHCPv6 guard policy
2. Applying the DHCPv6 guard policy
Choose the following tasks as needed:
◦ Applying a DHCPv6 guard policy to an interface
◦ Applying a DHCPv6 guard policy to a VLAN
If DHCPv6 guard policies are applied to both an interface and the VLAN of the interface, the interface-specific policy is used on the interface.
Configuring a DHCPv6 guard policy
1. Enter system view.
system-view
2. Create a DHCPv6 guard policy and enter its view.
ipv6 dhcp guard policy policy-name
3. Specify the role of the device attached to the target interface or VLAN.
device-role { client | server }
By default, the device role is DHCPv6 client for the device attached to the target interface or VLAN.
4. Configure a DHCPv6 guard policy.
◦ Configure a DHCPv6 server match criterion.
if-match server acl { acl-number | name acl-name }
By default, no DHCPv6 server match criterion is configured, and all DHCPv6 servers are authorized.
◦ Configure a match criterion for the assigned IPv6 addresses/prefixes.
if-match reply acl { acl-number | name acl-name }
By default, no match criterion is configured for the assigned IPv6 addresses/prefixes, and all assigned IPv6 addresses/prefixes can pass the address/prefix check.
◦ Configure an allowed DHCPv6 server preference range.
preference { max max-value | min min-value } *
By default, no DHCPv6 server preference range is configured, and DHCPv6 servers with preferences 1 to 255 can pass the preference check.
◦ Configure the port to which the policy applies as a trusted port for the policy.
trust port
By default, no trusted port is configured for a DHCPv6 guard policy.
Applying a DHCPv6 guard policy to an interface
1. Enter system view.
system-view
2. Enter Layer 2 interface view.
interface interface-type interface-number
3. Apply a DHCPv6 guard policy to the interface.
ipv6 dhcp guard apply policy policy-name
By default, no DHCPv6 guard policy is applied to the interface.
Applying a DHCPv6 guard policy to a VLAN
1. Enter system view.
system-view
2. Create a VLAN and enter its view.
vlan vlan-number
3. Apply a DHCPv6 guard policy to the VLAN.
ipv6 dhcp guard apply policy policy-name
By default, no DHCPv6 guard policy is applied to the VLAN.
Display and maintenance commands for DHCPv6 guard
Execute display commands in any view.
Task | Command |
---|---|
Display information about DHCPv6 guard policies. | display ipv6 dhcp guard policy [ policy-name ] |
DHCPv6 guard configuration examples
Example: Configuring DHCPv6 guard
Network configuration
As shown in Figure 18, all DHCPv6 servers and clients are in VLAN 100. The assignable IPv6 address ranges on the DHCPv6 server 1, server 2, and server 3 are 2001::/64, 2001::/64, and 2002::/64, respectively.
Configure DHCPv6 guard on the switch, so that the switch forwards only DHCPv6 replies with the source IPv6 address in the range of FE80::/12 and assigned prefixes in the range of 2001::/16.
Procedure
Before you configure DHCPv6 guard, complete the configuration on DHCPv6 servers.
# Create VLAN 100, and assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to VLAN 100.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[Switch-vlan100] quit
# Create an IPv6 basic ACL numbered 2001.
[Switch] acl ipv6 number 2001
# Create rule 1 to permit only packets with source IPv6 addresses in the range of FE80::/12.
[Switch-acl-ipv6-basic-2001] rule 1 permit source fe80:: 12
[Switch-acl-ipv6-basic-2001] quit
# Create an IPv6 basic ACL numbered 2002.
[Switch] acl ipv6 number 2002
# Create rule 1 to permit only packets with source IPv6 addresses in the range of 2001::/16.
[Switch-acl-ipv6-basic-2002] rule 1 permit source 2001:: 16
[Switch-acl-ipv6-basic-2002] quit
# Create DHCPv6 guard policy named p1.
[Switch] ipv6 dhcp guard policy p1
# Set the device role to the DHCPv6 server for the device attached to the target VLAN.
[Switch-dhcp6-guard-policy-p1] device-role server
# Specify ACL 2001 to match DHCPv6 servers.
[Switch-dhcp6-guard-policy-p1] if-match server acl 2001
# Specify ACL 2002 to match IPv6 addresses/prefixes assigned by DHCPv6 servers.
[Switch-dhcp6-guard-policy-p1] if-match reply acl 2002
[Switch-dhcp6-guard-policy-p1] quit
# Create DHCPv6 guard policy named p2.
[Switch] ipv6 dhcp guard policy p2
# Set the device role to the DHCPv6 client for the device attached to the target interface.
[Switch-dhcp6-guard-policy-p2] device-role client
[Switch-dhcp6-guard-policy-p2] quit
# Apply DHCPv6 guard policy p1 to VLAN 100.
[Switch] vlan 100
[Switch-vlan100] ipv6 dhcp guard apply policy p1
[Switch-vlan100] quit
# Apply DHCPv6 guard policy p2 to GigabitEthernet 1/0/4.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] ipv6 dhcp guard apply policy p2
[Switch-GigabitEthernet1/0/4] quit
Verifying the configuration
Verify that the switch forwards DHCPv6 replies with the source IPv6 address in the range of FE80::/12 and the assigned IPv6 prefixes in the range of 2001::/16. The switch forwards DHCPv6 replies from the DHCPv6 server 1 and drops replies from DHCPv6 server 2 and server 3.