Configure DHCPv6 Guard in dhcp-guard Mode

About this task

Use the dhcp-guard configuration mode commands to define what a DHCPv6 Guard policy accepts: which IPv6 source addresses may send DHCPv6 server and relay messages, which prefixes those messages may advertise, and which range of values the advertised preference may take. Messages that fail a configured check are dropped. This task defines the policy only; attaching the policy to a port or VLAN is a separate step that is not covered here.

Procedure

  1. Enter DHCP-guard Configuration mode.

    enable

    configure terminal

    ipv6 fhs dhcp-guard policy WORD<1-64>

  2. Specify the IPv6 access list used to verify the IPv6 source address of DHCPv6 packets.

    match server access-list <ipv6-access-list-name>

  3. Remove DHCPv6 Guard filtering based on the sender's IPv6 address.

    no match server access-list

    OR

    default match server access-list

  4. Specify the IPv6 prefix list used to verify the prefixes advertised in DHCPv6 reply messages.

    match reply prefix-list <ipv6-prefix-list-name>

  5. Remove DHCPv6 Guard filtering for advertised prefixes.

    no match reply prefix-list

    OR

    default match reply prefix-list

  6. Specify the minimum value accepted for the advertised preference.

    preference min-limit <0-255>

  7. Reset the minimum preference limit to its default value (0).

    default preference min-limit

  8. Specify the maximum value accepted for the advertised preference.

    preference max-limit <0-255>

  9. Reset the maximum preference limit to its default value (0).

    default preference max-limit
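The following is an added example that walks through the whole procedure as one configuration session; it is not taken from the original page. It defines a policy named dhcpv6-servers that accepts DHCPv6 server and relay traffic only from two known source addresses, only for prefixes inside 2001:db8:10::/48, and only with a preference between 100 and 200. The policy name, list names, addresses, prefix and preference values are all constructed for illustration. The two list-building commands (ipv6 fhs ipv6-access-list and ipv6 fhs ipv6-prefix-list, with the mode allow option) are assumed syntax that does not appear on this page; check the command reference for your release before using them.

```text
! Added example, not from the original page. Names, addresses and prefixes
! are constructed; the two list-building commands are assumed syntax.
enable
configure terminal

! Assumed syntax: the only addresses allowed to act as DHCPv6 server or relay.
! Without these entries an attached list drops every DHCPv6 server message.
ipv6 fhs ipv6-access-list srv-acl 2001:db8:1::53/128 mode allow
ipv6 fhs ipv6-access-list srv-acl 2001:db8:1::54/128 mode allow

! Assumed syntax: the only prefix the servers may hand out to clients.
ipv6 fhs ipv6-prefix-list srv-prefixes 2001:db8:10::/48 mode allow

! Policy definition using the dhcp-guard mode commands from this page.
ipv6 fhs dhcp-guard policy dhcpv6-servers
match server access-list srv-acl
match reply prefix-list srv-prefixes
preference min-limit 100
preference max-limit 200
exit

! To stop checking advertised prefixes while keeping the source-address and
! preference checks, re-enter the policy and remove only that match:
ipv6 fhs dhcp-guard policy dhcpv6-servers
no match reply prefix-list
exit
```

Keep the lists restrictive: as soon as an access list or prefix list is attached, anything not explicitly allowed is dropped, which is the behaviour that blocks a rogue DHCPv6 server. Adding a 0::0/0 allow entry, as the Variable Definitions note describes, turns that default around and should be treated as a staging measure rather than a production setting. Preference limits are only useful when the legitimate servers are configured with a known preference value that falls inside the range; with both limits left at 0 the preference option is not checked at all.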

Variable Definitions

The following table defines parameters for the dhcp-guard configuration mode commands.

Variable

Description

match server access-list <ipv6-access-list-name>

Enables verification of the sender's IPv6 source address in inspected DHCPv6 messages against the specified access list of authorized server and relay addresses.

Note:

If no access list is attached, the IPv6 source address of DHCPv6 packets is not validated.

If a list is attached and the source address does not match any entry in it, the switch drops the DHCPv6 packet. To change this behavior, add an entry for the prefix 0::0/0 with the Allow option, which changes the default for unmatched addresses from drop to allow. Doing so removes the protection against unauthorized servers, so use it deliberately.

{ no | default } match server access-list

Removes DHCPv6 Guard filtering based on the sender's IPv6 address.

match reply prefix-list <ipv6-prefix-list-name>

Enables verification of the prefixes advertised in DHCPv6 reply messages against the specified list of authorized prefixes.

Note:

If no prefix list is attached, the advertised prefixes are not inspected.

If a list is attached and an advertised IPv6 address or prefix does not match any prefix in the list, the switch drops the DHCPv6 packet. To change this behavior, add a prefix list entry for 0::0/0 with the Allow option, which changes the default for unmatched prefixes from drop to allow.

{ no | default } match reply prefix-list

Removes DHCPv6 Guard filtering based on advertised prefixes.

preference min-limit <0-255>

Enables validation of the advertised preference (carried in the Preference option) by checking that it is greater than the specified limit. If no limit is configured, this field in the packet is not validated.

When changing the preference limits, ensure the maximum limit is greater than the minimum limit.

default preference min-limit

Resets the minimum limit to its default value.

By default, the value is 0.

preference max-limit <0-255>

Enables validation of the advertised preference (carried in the Preference option) by checking that it is less than the specified limit. If no limit is configured, this field in the packet is not validated.

Note:

The preference value in the packet is not validated if both the minimum and maximum limits are zero.

default preference max-limit

Resets the maximum limit to its default value.

By default, the value is 0.