|
Feature |
Product |
Release introduced |
|---|---|---|
|
DHCPv6 Guard |
5320 Series |
Fabric Engine 8.6 |
|
5420 Series |
VOSS 8.4 |
|
|
5520 Series |
VOSS 8.2.5 |
|
|
5720 Series |
Fabric Engine 8.7 |
DHCPv6 Guard is a type of security for IPv6 deployments in an enterprise environment, it provides Layer 2 security to DHCPv6 clients by protecting them against rogue DHCPv6 servers. The basic concept of DHCPv6 Guard is that a Layer 2 device filters DHCPv6 messages meant to DHCPv6 clients, based on a number of different criteria. The basic filtering criterion is, the DHCPv6 server generated packets which are received on non-server ports or from an untrusted server will be dropped by the Layer 2 device.
Various levels of granularity are provided. Following are the policies that are supported:
Port based filtering using device role (server or client)
Server or relay agent IPv6 address based filtering
Advertising IPv6 prefix based filtering
DHCPv6 packet filtering based on Server Preference checks
The following figures are DHCPv6 topology samples:
