PurposeCommand or Action
(Optional) Filters out DHCPv6 replies and DHCPv6 advertisements
on the port that are not from a device of the specified role. Default
is client.
[no]device-role {client | server}
Example:
Switch(config-dhcp-guard)# device-role server
Step 3
• client—Default value, specifies that the attached device is a
client. Server messages are dropped on this port.
• server—Specifies that the attached device is a DHCPv6 server.
Server messages are allowed on this port.
(Optional). Enables verification that the advertised DHCPv6 server
or relay address is from an authorized server access list (The
[no] match server access-list ipv6-access-list-name
Example:
;;Assume a preconfigured IPv6 Access List
Step 4
destination address in the access list is 'any'). If not configured, this
check will be bypassed. An empty access list is treated as a permit
all.
as follows:
Switch(config)# ipv6 access-list my_acls
Switch(config-ipv6-acl)# permit host
FE80::A8BB:CCFF:FE01:F700 any
;;configure DCHPv6 Guard to match approved
access list.
Switch(config-dhcp-guard)# match server
access-list my_acls
(Optional) Enables verification of the advertised prefixes in DHCPv6
reply messages from the configured authorized prefix list. If not
[no] match reply prefix-list ipv6-prefix-list-name
Example:
;;Assume a preconfigured IPv6 prefix list
Step 5
configured, this check will be bypassed. An empty prefix list is
treated as a permit.
as follows:
Switch(config)# ipv6 prefix-list my_prefix
permit 2001:0DB8::/64 le 128
;; Configure DCHPv6 Guard to match prefix
Switch(config-dhcp-guard)# match reply
prefix-list my_prefix
Configure max and min when device-role is serverto filter DCHPv6
server advertisements by the server preference value. The defaults
permit all advertisements.
[no]preference{ max limit | min limit }
Example:
Switch(config-dhcp-guard)# preference max
250
Switch(config-dhcp-guard)#preference min 150
Step 6
max limit—(0 to 255) (Optional) Enables verification that the
advertised preference (in preference option) is less than the specified
limit. Default is 255. If not specified, this check will be bypassed.
min limit—(0 to 255) (Optional) Enables verification that the
advertised preference (in preference option) is greater than the
specified limit. Default is 0. If not specified, this check will be
bypassed.
(Optional) trusted-port—Sets the port to a trusted mode. No further
policing takes place on the port.
[no] trusted-port
Example:
Switch(config-dhcp-guard)# trusted-port
Step 7
If you configure a trusted port then the device-role option
is not available.
Note
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
701
How to Configure an IPv6 DHCP Guard Policy
To Next Page
Loading...
Need help?
General
