IPv6 security – DHCPv6 – part four.
Today I would like to do some tests with DHCPv6. As with IPv4, we can run a DHCP server on routers or switches.
        Gi1/0/1            Gi1/0/2
/----\            /-----\            /----\
| R1 |------------| sw1 |------------| R2 |
\----/            \-----/            \----/
DHCP SERVER          |
                     | Gi1/0/3
                  /----\
                  | R3 |
                  \----/
                DHCP CLIENT
In my example R1 will act as the DHCP server and R3 as the client. First I will configure R3:
!
interface FastEthernet0/0
no ip address
ipv6 address dhcp
ipv6 enable
no sh
end
!
Then R1:
!
ipv6 dhcp pool DHCP-POOL
address prefix 2001::/64
link-address 2001::100/64
domain-name test.com
!
!
interface FastEthernet0/0
no ip address
ipv6 address 2001::100/64
ipv6 enable
ipv6 dhcp server DHCP-POOL
end
!
Now I configure SW1:
!
ipv6 dhcp guard policy DHCP-POLICY
device-role client
!
ipv6 dhcp guard policy DHCP-POLICY-SERVER
device-role server
!
interface GigabitEthernet1/0/1
ipv6 nd inspection
ipv6 snooping
ipv6 dhcp guard attach-policy DHCP-POLICY-SERVER
!
!
interface GigabitEthernet1/0/3
ipv6 dhcp guard attach-policy DHCP-POLICY
!
Static bindings for Gig1/0/1:
ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 2
ipv6 neighbor binding vlan 1 2001::100 interface Gi1/0/1 001e.4a60.ed80 tracking enable
Now let's check what the process looks like from the R1, R3 and SW1 perspective:
DHCP client:
r3#
Apr 27 12:41:28.583: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
r3#
Apr 27 12:42:00.367: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
r3#
DHCP server:
r1#
Apr 27 12:42:35.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Apr 27 12:42:36.195: IPv6 DHCP: Add routes, pool DHCP-POOL, idb FastEthernet0/0
r1#
Apr 27 12:43:05.035: IPv6 DHCP: Received SOLICIT from FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.035: IPv6 DHCP: Using interface pool DHCP-POOL
Apr 27 12:43:05.035: IPv6 DHCP: Creating binding for FE80::219:AAFF:FE00:B298 in pool DHCP-POOL
Apr 27 12:43:05.035: IPv6 DHCP: Binding for IA_NA 00030001 not found
Apr 27 12:43:05.035: IPv6 DHCP: Allocating IA_NA 00030001 in binding for FE80::219:AAFF:FE00:B298
Apr 27 12:43:05.035: IPv6 DHCP: Looking up pool 2001::/64 entry with username '000300010019AA00B29800030001'
Apr 27 12:43:05.035: IPv6 DHCP: Poolentry for user not found
Apr 27 12:43:05.035: IPv6 DHCP: Allocated new address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.035: IPv6 DHCP: Allocating address 2001::83A:E2C3:5E66:5FFF in binding for FE80::219:AAFF:FE00:B298, IAID 00030001
Apr 27 12:43:05.035: IPv6 DHCP: Updating binding address entry for address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.035: IPv6 DHCP: Setting timer on 2001::83A:E2C3:5E66:5FFF for 60 seconds
Apr 27 12:43:05.035: IPv6 DHCP: Sending ADVERTISE to FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.047: IPv6 DHCP: Received REQUEST from FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.047: IPv6 DHCP: Using interface pool DHCP-POOL
Apr 27 12:43:05.047: IPv6 DHCP: Looking up pool 2001::/64 entry with username '000300010019AA00B29800030001'
Apr 27 12:43:05.047: IPv6 DHCP: Poolentry for user found
Apr 27 12:43:05.047: IPv6 DHCP: Found address 2001::83A:E2C3:5E66:5FFF in binding for FE80::219:AAFF:FE00:B298, IAID 00030001
Apr 27 12:43:05.047: IPv6 DHCP: Updating binding address entry for address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.047: IPv6 DHCP: Setting timer on 2001::83A:E2C3:5E66:5FFF for 172800 seconds
Apr 27 12:43:05.047: IPv6 DHCP: Sending REPLY to FE80::219:AAFF:FE00:B298 on FastEthernet0/0
r1#
DHCP client (continued):
Apr 27 12:43:04.939: IPv6 DHCP: Received ADVERTISE from FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
Apr 27 12:43:04.939: IPv6 DHCP: Adding server FE80::21E:4AFF:FE60:ED80
Apr 27 12:43:04.939: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0
Apr 27 12:43:04.939: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0
Apr 27 12:43:04.947: IPv6 DHCP: Received REPLY from FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
Apr 27 12:43:04.947: IPv6 DHCP: Processing options
r3#
Apr 27 12:43:04.947: IPv6 DHCP: Adding address 2001::83A:E2C3:5E66:5FFF/128 to FastEthernet0/0
Apr 27 12:43:04.951: IPv6 DHCP: T1 set to expire in 43200 seconds
Apr 27 12:43:04.951: IPv6 DHCP: T2 set to expire in 69120 seconds
Apr 27 12:43:04.951: IPv6 DHCP: Configuring domain name test.com
Apr 27 12:43:04.951: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0
r3#
Switch:
sw1#
Mar 30 04:30:31.121: %SYS-5-CONFIG_I: Configured from console by console
sw1#
sw1#
Mar 30 04:30:32.354: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar 30 04:30:33.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
sw1#
Mar 30 04:31:02.779: IPv6 DHCP: Received SOLICIT from FE80::219:AAFF:FE00:B298 on Vlan1
Mar 30 04:31:02.779: IPv6 DHCP: Pool DHCP-POOL cannot be found
Mar 30 04:31:02.796: IPv6 DHCP: Received REQUEST from FE80::219:AAFF:FE00:B298 on Vlan1
Mar 30 04:31:02.796: IPv6 DHCP: SERVERID option in REQUEST from FE80::219:AAFF:FE00:B298 on Vlan1 does not match
sw1#
Mar 30 04:31:02.796: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per box (2) V=1 I=Gi1/0/3 M=001E.4A60.ED80
Mar 30 04:31:02.796: %SISF-6-ENTRY_CREATED: Entry created A=2001::83A:E2C3:5E66:5FFF V=1 I=Gi1/0/3 P=0024 M=0019.AA00.B298
sw1#
Mar 30 04:31:07.099: %SISF-6-ENTRY_CREATED: Entry created A=FE80::21E:4AFF:FE60:ED80 V=1 I=Gi1/0/1 P=0005 M=001E.4A60.ED80
sw1#
Let’s check the current settings:
r3#sh ipv6 interface
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::219:AAFF:FE00:B298
No Virtual link-local address(es):
Global unicast address(es):
2001::83A:E2C3:5E66:5FFF, subnet is 2001::83A:E2C3:5E66:5FFF/128
Joined group address(es):
FF02::1
FF02::1:FF00:B298
FF02::1:FF66:5FFF
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
r3#
sw1#sh ipv6 neighbors binding
Binding Table has 5 entries, 2 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address Link-Layer addr Interface vlan prlvl age state Time left
ND FE80::21E:4AFF:FE60:ED80 001E.4A60.ED80 Gi1/0/1 1 0005 46s REACHABLE 17 s
L FE80::206:F6FF:FEF7:4240 0006.F6F7.4240 Vl1 1 0100 90mn REACHABLE
DH 2001::83A:E2C3:5E66:5FFF 0019.AA00.B298 Gi1/0/3 1 0024 116s STALE 164502 s
S 2001::100 001E.4A60.ED80 Gi1/0/1 1 0100 56s REACHABLE 4 s try 0
L 2001::1 0006.F6F7.4240 Vl1 1 0100 87mn REACHABLE
sw1#
r1#sh ipv6 dhcp pool
DHCPv6 pool: DHCP-POOL
Address allocation prefix: 2001::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts)
Link-address prefix: 2001::1/64
Link-address prefix: 2001::100/64
Domain name: test.com
Active clients: 1
r1#sh ipv6 dhcp bi
r1#sh ipv6 dhcp binding ?
X:X:X:X::X Client IPv6 address
| Output modifiers
<cr>
r1#sh ipv6 dhcp binding
Client: FE80::219:AAFF:FE00:B298
DUID: 000300010019AA00B298
Username : unassigned
IA NA: IA ID 0x00030001, T1 43200, T2 69120
Address: 2001::83A:E2C3:5E66:5FFF
preferred lifetime 86400, valid lifetime 172800
expires at Apr 29 2014 12:43 PM (172658 seconds)
r1#
sw1#sh ipv6 dhcp guard policy
Dhcp guard policy: DHCP-POLICY
Device Role: dhcp client
Target: Gi1/0/3
Dhcp guard policy: DHCP-POLICY-SERVER
Device Role: dhcp server
Target: Gi1/0/1
Max Preference: 255
Min Preference: 0
sw1#
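As an added example (not part of the original post), here is a small Python script that models the DHCPv6 guard decision for the port roles attached on SW1 and audits the DH entries of the "show ipv6 neighbors binding" output against the pool prefix and those roles. The row parser, the constructed rogue lease row, and the "unguarded" verdict for a port with no policy attached are my assumptions, not Cisco's implementation.

```python
import ipaddress
import re

# DHCPv6 message types sent only by servers/relays (RFC 8415). DHCPv6 guard drops
# them on ports whose policy role is "client", which is what stops a rogue server.
SERVER_MSGS = {"ADVERTISE", "REPLY", "RECONFIGURE", "RELAY-REPLY"}

# Port roles as attached on SW1 in this post; a port without a policy is unguarded (assumption).
PORT_ROLE = {"Gi1/0/1": "server", "Gi1/0/3": "client"}
POOL_PREFIX = ipaddress.IPv6Network("2001::/64")   # "address prefix 2001::/64" in DHCP-POOL
DHCP_ASSIGNED = 0x0020                             # prlvl flag from the binding-table legend

def guard_verdict(port, msg_type):
    """Decide whether DHCPv6 guard lets a message entering `port` through."""
    role = PORT_ROLE.get(port)
    if role is None:
        return "unguarded"            # no policy attached, so no filtering happens
    if msg_type in SERVER_MSGS and role != "server":
        return "drop"
    return "permit"

# One row of "show ipv6 neighbors binding": code addr mac iface vlan prlvl age state ...
ROW = re.compile(r"^(L|S|ND|DH|PKT|API)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+([0-9A-Fa-f]{4})\s+\S+\s+(\S+)")

def parse_bindings(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"code": m[1], "addr": ipaddress.IPv6Address(m[2]), "mac": m[3],
                         "iface": m[4], "prlvl": int(m[6], 16), "state": m[7]})
    return rows

def audit_dhcp_leases(rows):
    """Flag DHCP-learned bindings that contradict the pool or the guard policy."""
    findings = []
    for r in (x for x in rows if x["code"] == "DH"):
        if not r["prlvl"] & DHCP_ASSIGNED:
            findings.append(f"{r['addr']}: DH entry without DHCP-assigned flag")
        if r["addr"] not in POOL_PREFIX:
            findings.append(f"{r['addr']}: outside pool {POOL_PREFIX}")
        if PORT_ROLE.get(r["iface"]) != "client":
            findings.append(f"{r['addr']}: lease learned on non-client port {r['iface']}")
    return findings

# Constructed sample: two rows from the SW1 table above plus one made-up rogue lease on Gi1/0/2.
SAMPLE = """\
DH 2001::83A:E2C3:5E66:5FFF 0019.AA00.B298 Gi1/0/3 1 0024 116s STALE 164502 s
S  2001::100                001E.4A60.ED80 Gi1/0/1 1 0100 56s  REACHABLE 4 s try 0
DH 2001:DB8::BAD            0019.AA00.B298 Gi1/0/2 1 0024 10s  REACHABLE 100 s
"""

if __name__ == "__main__":
    print(guard_verdict("Gi1/0/3", "ADVERTISE"))          # drop
    for f in audit_dhcp_leases(parse_bindings(SAMPLE)):
        print("finding:", f)
```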