IPv6 First Hop Security
685 Cisco Sx350 Ph. 2.2.5 Devices - Command Line Interface Reference Guide
29
• RELAY-REPL
Note 1. Assigned addresses are not verified if a value of the Status Code option (if
it presents) differs from the following ones:
• Success
• UseMulticast
Note 2. In RELAY-REPL messages DHCPv6 Guard validates the message
encapsulated in the DHCP-relay-message option.
Use the disable keyword to disable verification of the assigned IPv6 addresses in
replies.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard policy configuration mode, matches the assigned
addresses to the prefix list named list1: all assigned IPv6 addresses must belong
to
2001:0DB8:100:200/64 or to 2001:0DB8:100::/48. The "ge 128" parameter must
be configured for each prefix of the prefix-list with prefix length less than
128.
switchxxxxxx(config)#
ipv6 dhcp guard policy
policy1
switchxxxxxx(config-dhcp-guard)#
match reply prefix-list
list1
switchxxxxxx(config-dhcp-guard)#
exit
switchxxxxxx(config)#
ipv6 prefix-list list1 deny
2001:0DB8:100:200/64 ge
128
switchxxxxxx(config)#
ipv6 prefix-list list1 permit
2001:0DB8:100::/48 ge
128
29.58 match server address
To enable verification of the source IPv6 address in messages sent by DHCPv6
servers or DHCPv6 Relays to a configured prefix list within a DHCPv6 Guard
policy, use the match server address command in DHCPv6 Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
match server address {prefix-list
ipv6-prefix-list-name
} | disable
To Next Page
Loading...
