DHCPv6 Guard Policy Configuration

Configure the DHCPv6 Guard policy to block DHCPv6 reply and advertisement messages that originate from unauthorized DHCPv6 servers and relay agents that forward DHCPv6 packets from servers to clients. You can view, create or delete a DHCPv6 Guard policy.

Create DHCPv6 Guard Policy

About this task

Use this procedure to create the DHCPv6 Guard policy to block DHCPv6 reply and advertisement messages that originate from unauthorized DHCPv6 servers and relay agents.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Select FHS.
  3. Select the DHCPv6 Guard Policy tab.
  4. Select Insert.
  5. Configure the parameters for the DHCPv6 Guard policy.
  6. Select Insert.
  7. Optional: Select Refresh to update the results.

DHCPv6 Guard Policy Field Descriptions

Use the data in the following table to use the DHCPv6 Guard Policy tab.

Name

Description

PolicyName

Specifies the policy name to create or modify DHCPv6 Guard policy.

ServerAccessListName

Enables verification of the sender IPv6 address in the DHCPv6 reply or advertisement packets against attached IPv6 server access list.
Note:

If the access-list is not attached, the source IPv6 address is not validated. If the list is attached and it does not match with any entries in attached IPv6 access list, the switch drops the DHCPv6 packet. To change this behavior, add an entry in the IPv6 access list with prefix 0::0/0 with access type as allow, which changes the drop by default to allow by default.

ReplyPrefixListName

Enables verification of the advertised prefixes in DHCPv6 reply messages against the attached prefix list. If not configured, this check is bypassed.
Note:

If the access-list is not attached, the advertised address/prefix is not validated. If the list is attached and it does not match with any entries in attached IPv6 access list, the switch drops the DHCPv6 packet. To change this behavior, an entry in the IPv6 access list with prefix 0::0/0 with access type as allow, which changes the drop by default to allow by default.

PrefLimitMin

Enables verification if the advertised preference (in reference option) is greater than the specified limit. If not specified, this check does not occur.

The value range is from 0 to 255.

PrefixLimitMax

Enables verification if the advertised preference (in preference option) is less than the specified limit. If not specified, this check does not occur.

The value range is from 0 to 255.
Note:

If both the maximum and minimum limit is 0, this preference check is ignored.

View a DHCPv6 Guard Policy

About this task

Use this procedure to display configured DHCPv6 Guard policies.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Select FHS.
  3. Select the DHCPv6 Guard Policy tab.

DHCPv6 Guard Policy Field Descriptions

Use the data in the following table to use the DHCPv6 Guard Policy tab.

Name

Description

PolicyName

Specifies the policy name to create or modify DHCPv6 Guard policy.

ServerAccessListName

Enables verification of the sender IPv6 address in the DHCPv6 reply or advertisement packets against attached IPv6 server access list.
Note:

If the access-list is not attached, the source IPv6 address is not validated. If the list is attached and it does not match with any entries in attached IPv6 access list, the switch drops the DHCPv6 packet. To change this behavior, add an entry in the IPv6 access list with prefix 0::0/0 with access type as allow, which changes the drop by default to allow by default.

ReplyPrefixListName

Enables verification of the advertised prefixes in DHCPv6 reply messages against the attached prefix list. If not configured, this check is bypassed.
Note:

If the access-list is not attached, the advertised address/prefix is not validated. If the list is attached and it does not match with any entries in attached IPv6 access list, the switch drops the DHCPv6 packet. To change this behavior, an entry in the IPv6 access list with prefix 0::0/0 with access type as allow, which changes the drop by default to allow by default.

PrefLimitMin

Enables verification if the advertised preference (in reference option) is greater than the specified limit. If not specified, this check does not occur.

The value range is from 0 to 255.

PrefixLimitMax

Enables verification if the advertised preference (in preference option) is less than the specified limit. If not specified, this check does not occur.

The value range is from 0 to 255.
Note:

If both the maximum and minimum limit is 0, this preference check is ignored.

Delete a DHCPv6 Guard Policy

About this task

Use this procedure to delete the created DHCPv6 Guard policy.

Note

Note

If the policy is already attached to an interface, you cannot delete the policy.

Procedure

  1. In the navigation pane, expand Configuration > IPv6.
  2. Select FHS.
  3. Select the DHCPv6 Guard Policy tab.
  4. Select a row from DHCPv6 Guard policies to delete.
  5. Select Delete.