DHCPv6 Guard

Table 1. DHCPv6 Guard product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| DHCPv6 Guard | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |

DHCPv6 Guard is a security feature for IPv6 deployments in an enterprise environment. It provides Layer 2 security to DHCPv6 clients by protecting them against rogue DHCPv6 servers. The basic concept of DHCPv6 Guard is that a Layer 2 device filters DHCPv6 messages destined for DHCPv6 clients, based on a number of different criteria. The basic filtering criterion is that DHCPv6 server-generated packets received on non-server ports or from an untrusted server are dropped by the Layer 2 device.
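The basic filtering criterion can be modeled in a few lines. The following Python sketch is an added example, not the switch's implementation: the port names, addresses, `GuardPolicy` and `guard_decision` are hypothetical, and the message-type codes are those defined in RFC 8415.

```python
import ipaddress
from dataclasses import dataclass

# DHCPv6 message types that only a server (or relay chain) generates, per RFC 8415.
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}

@dataclass(frozen=True)
class GuardPolicy:               # hypothetical policy object for this sketch
    server_ports: frozenset      # ports where a DHCPv6 server is expected
    trusted_servers: tuple       # prefixes that trusted servers send from

def guard_decision(policy, ingress_port, src_addr, udp_payload):
    """Return (action, reason) for one DHCPv6 message seen by the Layer 2 device."""
    if not udp_payload:
        # Assumption of this sketch: a message without a msg-type octet is dropped.
        return "drop", "empty DHCPv6 payload"
    name = SERVER_MSG_TYPES.get(udp_payload[0])   # first octet is msg-type
    if name is None:
        return "forward", "client-generated message, not filtered"
    if ingress_port not in policy.server_ports:
        return "drop", f"{name} received on non-server port {ingress_port}"
    src = ipaddress.ip_address(src_addr)
    if not any(src in net for net in policy.trusted_servers):
        return "drop", f"{name} from untrusted server {src}"
    return "forward", f"{name} from trusted server on server port"

# Constructed sample policy and traffic (documentation prefix 2001:db8::/32).
SAMPLE_POLICY = GuardPolicy(
    server_ports=frozenset({"1/1"}),
    trusted_servers=(ipaddress.ip_network("2001:db8:0:1::/64"),),
)
SAMPLES = [
    ("1/10", "fe80::bad", bytes([7, 0xAA, 0xBB, 0xCC])),        # REPLY on an access port
    ("1/1", "2001:db8:0:2::5", bytes([2, 0x01, 0x02, 0x03])),   # ADVERTISE, wrong prefix
    ("1/1", "2001:db8:0:1::5", bytes([2, 0x01, 0x02, 0x03])),   # ADVERTISE, trusted
    ("1/10", "fe80::c11", bytes([1, 0x0A, 0x0B, 0x0C])),        # SOLICIT from a client
]

if __name__ == "__main__":
    for port, src, payload in SAMPLES:
        print(port, src, *guard_decision(SAMPLE_POLICY, port, src, payload))
```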

Various levels of granularity are provided. Following are the policies that are supported:

The following figures are DHCPv6 topology samples:

DHCPv6 Topology 1
DHCPv6 Topology 2