Tuesday, April 29, 2014

IPv6 security – DHCPv6 – part four.

Today I would like to do some tests with the DHCPv6. Like with IP version 4, we can run DHCP server on routers or switches.

               Gi1/0/1   Gi1/0/2           
      /----\      \  ----- /       /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
   DHCP SERVER         |\      
                       | Gi1/0/3        
                    /----\   
                   |  R3  |
                    \----/         
                 DHCP CLIENT

In my example R1 will work as a DHCP Server and R3 as a client. First I will configure R3:

!
interface FastEthernet0/0
 no ip address
 ipv6 address dhcp
 ipv6 enable
 no sh
end
!

Then R1:

!
ipv6 dhcp pool DHCP-POOL
 eaddress prefix 2001::/64
 link-address 2001::100/64
 domain-name tst.com
!
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001::100/64
 ipv6 enable
 ipv6 dhcp server DHCP-POOL
end
!

Now I configure SW1:

!
ipv6 dhcp guard policy DHCP-POLICY
 device-role client
!
ipv6 dhcp guard policy DHCP-POLICY-SERVER
 device-role server
!
interface GigabitEthernet1/0/1
 ipv6 nd inspection
 ipv6 snooping
 ipv6 dhcp guard attach-policy DHCP-POLICY-SERVER
!
!
interface GigabitEthernet1/0/3
 ipv6 dhcp guard attach-policy DHCP-POLICY
!

Static bindings for Gig1/0/1:

ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 2
ipv6 neighbor binding vlan 1 2001::100 interface Gi1/0/1 001e.4a60.ed80 tracking enable

Now, we check how the process looks like from r1, r3 and sw1 perspective:

DHCP client:

r3#
Apr 27 12:41:28.583: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
r3#
Apr 27 12:42:00.367: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
r3#

DHCP server:

r1#
Apr 27 12:42:35.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Apr 27 12:42:36.195: IPv6 DHCP: Add routes, pool DHCP-POOL, idb FastEthernet0/0
r1#
Apr 27 12:43:05.035: IPv6 DHCP: Received SOLICIT from FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.035: IPv6 DHCP: Using interface pool DHCP-POOL
Apr 27 12:43:05.035: IPv6 DHCP: Creating binding for FE80::219:AAFF:FE00:B298 in pool DHCP-POOL
Apr 27 12:43:05.035: IPv6 DHCP: Binding for IA_NA 00030001 not found
Apr 27 12:43:05.035: IPv6 DHCP: Allocating IA_NA 00030001 in binding for FE80::219:AAFF:FE00:B298
Apr 27 12:43:05.035: IPv6 DHCP: Looking up pool 2001::/64 entry with username '000300010019AA00B29800030001'
Apr 27 12:43:05.035: IPv6 DHCP: Poolentry for user not found
Apr 27 12:43:05.035: IPv6 DHCP: Allocated new address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.035: IPv6 DHCP: Allocating address 2001::83A:E2C3:5E66:5FFF in binding for FE80::219:AAFF:FE00:B298, IAID 00030001
Apr 27 12:43:05.035: IPv6 DHCP: Updating binding address entry for address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.035: IPv6 DHCP: Setting timer on 2001::83A:E2C3:5E66:5FFF for 60 seconds
Apr 27 12:43:05.035: IPv6 DHCP: Sending ADVERTISE to FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.047: IPv6 DHCP: Received REQUEST from FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.047: IPv6 DHCP: Using interface pool DHCP-POOL
Apr 27 12:43:05.047: IPv6 DHCP: Looking up pool 2001::/64 entry with username '000300010019AA00B29800030001'
Apr 27 12:43:05.047: IPv6 DHCP: Poolentry for user found
Apr 27 12:43:05.047: IPv6 DHCP: Found address 2001::83A:E2C3:5E66:5FFF in binding for FE80::219:AAFF:FE00:B298, IAID 00030001
Apr 27 12:43:05.047: IPv6 DHCP: Updating binding address entry for address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.047: IPv6 DHCP: Setting timer on 2001::83A:E2C3:5E66:5FFF for 172800 seconds
Apr 27 12:43:05.047: IPv6 DHCP: Sending REPLY to FE80::219:AAFF:FE00:B298 on FastEthernet0/0
r1#
Apr 27 12:43:04.939: IPv6 DHCP: Received ADVERTISE from FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
Apr 27 12:43:04.939: IPv6 DHCP: Adding server FE80::21E:4AFF:FE60:ED80
Apr 27 12:43:04.939: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0
Apr 27 12:43:04.939: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0
Apr 27 12:43:04.947: IPv6 DHCP: Received REPLY from FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
Apr 27 12:43:04.947: IPv6 DHCP: Processing options
r3#
Apr 27 12:43:04.947: IPv6 DHCP: Adding address 2001::83A:E2C3:5E66:5FFF/128 to FastEthernet0/0
Apr 27 12:43:04.951: IPv6 DHCP: T1 set to expire in 43200 seconds
Apr 27 12:43:04.951: IPv6 DHCP: T2 set to expire in 69120 seconds
Apr 27 12:43:04.951: IPv6 DHCP: Configuring domain name test.com
Apr 27 12:43:04.951: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0
r3#

Switch:

sw1#
Mar 30 04:30:31.121: %SYS-5-CONFIG_I: Configured from console by console
sw1#
sw1#
Mar 30 04:30:32.354: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar 30 04:30:33.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
sw1#
Mar 30 04:31:02.779: IPv6 DHCP: Received SOLICIT from FE80::219:AAFF:FE00:B298 on Vlan1
Mar 30 04:31:02.779: IPv6 DHCP: Pool DHCP-POOL cannot be found
Mar 30 04:31:02.796: IPv6 DHCP: Received REQUEST from FE80::219:AAFF:FE00:B298 on Vlan1
Mar 30 04:31:02.796: IPv6 DHCP: SERVERID option in REQUEST from FE80::219:AAFF:FE00:B298 on Vlan1 does not match
sw1#
Mar 30 04:31:02.796: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per box (2) V=1 I=Gi1/0/3 M=001E.4A60.ED80
Mar 30 04:31:02.796: %SISF-6-ENTRY_CREATED: Entry created A=2001::83A:E2C3:5E66:5FFF V=1 I=Gi1/0/3 P=0024 M=0019.AA00.B298
sw1#
Mar 30 04:31:07.099: %SISF-6-ENTRY_CREATED: Entry created A=FE80::21E:4AFF:FE60:ED80 V=1 I=Gi1/0/1 P=0005 M=001E.4A60.ED80
sw1#

Let’s check the current settings:

r3#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::219:AAFF:FE00:B298 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::83A:E2C3:5E66:5FFF, subnet is 2001::83A:E2C3:5E66:5FFF/128 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:B298
    FF02::1:FF66:5FFF
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
r3#
 
sw1#sh ipv6 neighbors binding 
Binding Table has 5 entries, 2 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::21E:4AFF:FE60:ED80                001E.4A60.ED80  Gi1/0/1      1  0005   46s  REACHABLE  17 s             
L   FE80::206:F6FF:FEF7:4240                0006.F6F7.4240  Vl1          1  0100   90mn REACHABLE                   
DH  2001::83A:E2C3:5E66:5FFF                0019.AA00.B298  Gi1/0/3      1  0024  116s  STALE      164502 s         
S   2001::100                               001E.4A60.ED80  Gi1/0/1      1  0100   56s  REACHABLE  4 s try 0        
L   2001::1                                 0006.F6F7.4240  Vl1          1  0100   87mn REACHABLE 
 
 
sw1#

r1#sh ipv6 dhcp pool 
DHCPv6 pool: DHCP-POOL
  Address allocation prefix: 2001::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts)
  Link-address prefix: 2001::1/64
  Link-address prefix: 2001::100/64
  Domain name: test.com
  Active clients: 1 
 
 
r1#sh ipv6 dhcp binding 
Client: FE80::219:AAFF:FE00:B298 
  DUID: 000300010019AA00B298
  Username : unassigned
  IA NA: IA ID 0x00030001, T1 43200, T2 69120
    Address: 2001::83A:E2C3:5E66:5FFF
            preferred lifetime 86400, valid lifetime 172800
            expires at Apr 29 2014 12:43 PM (172658 seconds)
r1#

 
 
sw1#sh ipv6 dhcp guard policy 
Dhcp guard policy: DHCP-POLICY
        Device Role: dhcp client
        Target: Gi1/0/3 

Dhcp guard policy: DHCP-POLICY-SERVER
        Device Role: dhcp server
        Target: Gi1/0/1 
        Max Preference: 255
        Min Preference: 0

sw1#

No comments:

Post a Comment