- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Using Lightweight DHCPv6 Relay Agent (LDRA)
In Layer 2 networks that have many nodes on a single link, a DHCP server would normally be unaware of how a DHCP client is attached to the network. In a DHCPv6 deployment, you can use a Lightweight DHCPv6 Relay Agent (LDRA) to add relay agent information to a DHCPv6 message to identify the client-facing interface of the access node that received the message. The server can use this information to assign IP addresses, prefixes, and other configuration parameters for the client.
DHCPv6 relay agents are typically used to forward DHCPv6 messages between clients and servers or other relay agents when they are not on the same IPv6 link node. The relay agent can add information to the messages before relaying them. When the client and server reside on the same IPv6 link, LDRA enables a switching device to perform the function of intercepting DHCPv6 messages and inserting relay agent information that can be used for client identification. The LDRA acts as a relay agent, but without performing the routing function necessary to forward messages to a server or relay agent that resides on a different IPv6 link.
When the LDRA receives a DHCPv6 Solicit message from a client, it encapsulates that message within a DHCPv6 Relay-Forward message, which it then forwards to the server or another relay agent. Before it forwards the Relay-Forward message, the LDRA can also insert relay information by using one or more of the following options:
option-16(Vendor ID)—Option 16 provides the server with information about the vendor that manufactured the hardware on which the DHCPv6 client is running. Option 16 is the DHCPv6 equivalent of thevendor-idsuboption of DHCP option 82.option-18(Interface ID)—A unique identifier for the interface on which the client DHCPv6 packet is received. Suboptions can be configured to include a prefix with the interface ID or to change the type of information used to identify the interface. Option 18 is the DHCPv6 equivalent of thecircuit-idsuboption of DHCP option 82.option-37(Remote ID)—A unique identifier for the remote host. Suboptions can be configured to include a prefix with the remote ID or to change the interface portion of the ID. Option 37 is the DHCPv6 equivalent of theremote-idsuboption of DHCP option 82.
You must configure LDRA if you configure DHCPv6 options at the
[edit vlan vlan-name forwarding-options
dhcp-security dhcpv6-options] hierarchy level. Option 16,
option 37, and option 79 are included in the Relay-Forward
message only if they are explicitly configured. Option 18 is
mandatory in Relay-Forward messages and is included even if it is
not explicitly configured. However, suboptions of option 18 are
included only if they are configured using the option-18 statement at the [edit vlan vlan-name forwarding-options dhcp-security dhcpv6-options] hierarchy
level.
To configure LDRA to enable DHCPv6 options:
