Port-based filtering using device-role is an interface-level configuration. Only a DHCPv6 server or relay agent can send a DHCPv6 advertisement or reply. By configuring the device-role attached to the port (whether it is a client or server), the rogue server generating DHCPv6 advertisement or reply packets can be blocked if these packets are received on a port configured as a client. Device-role can be applied only on port, and not on MLT, SMLT, or VLAN. If you configure device-role on an MLT, SMLT, or VLAN, you must configure same device-role on all the MLT, SMLT, or VLAN member ports.
In DHCPv6 Guard Topology 1, only DHCPv6 server packets (that is, advertisement, reply) received on a port configured as a Server port accept the packets and process them for security validation and forwarding. The Client port drops the packets if it receives packets generated from a DHCPv6 rogue server.