DHCP—DHCPv6 Guard
This module describes the Dynamic Host Configuration Protocol version 6 (DHCPv6) Guard feature. This feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. In addition, to provide a finer level of filter granularity, messages can be filtered based on the address of the sending server or relay agent, or by the prefixes and addresses ranges listed in the reply message. This functionality helps to prevent traffic redirection or denial of service (DoS).
- Finding Feature Information
- Restrictions for DHCPv6 Guard
- Information About DHCPv6 Guard
- How to Configure DHCPv6 Guard
- Configuration Examples for DHCPv6 Guard
- Additional References
- Feature Information for DHCP—DHCPv6 Guard
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for DHCPv6 Guard
Information About DHCPv6 Guard
DHCPv6 Guard Overview
The DHCPv6 Guard feature blocks reply and advertisement messages that come from unauthorized DHCP servers and relay agents.
Packets are classified into one of the three DHCP type messages. All client messages are always switched regardless of device role. DHCP server messages are only processed further if the device role is set to server. Further processing of server messages includes DHCP server advertisements (for source validation and server preference) and DHCP server replies (for permitted prefixes).
If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device role configuration.
How to Configure DHCPv6 Guard
Configuring DHCP—DHCPv6 Guard
1.
enable
2.
configure
terminal
3.
ipv6
access-list
access-list-name
4.
permit
host
address
any
5.
exit
6.
ipv6
prefix-list
list-name
permit
ipv6-prefix
128
7.
ipv6
dhcp
guard
policy
policy-name
8.
device-role {client |
server}
9.
match
server
access-list
ipv6-access-list-name
10.
match
reply
prefix-list
ipv6-prefix-list-name
11.
preference
min
limit
12.
preference
max
limit
13.
trusted-port
14.
exit
15.
interface
type
number
16.
switchport
17.
ipv6
dhcp
guard [attach-policy
policy-name] [vlan {add |
all |
all |
except |
none |
remove}
vlan-id][ ...
vlan-id]]
18.
exit
19.
vlan
vlan-id
20.
ipv6
dhcp
guard [attach-policy
policy-name]
21.
exit
22.
exit
23.
show
ipv6
dhcp
guard
policy [policy-name]
DETAILED STEPS
Configuration Examples for DHCPv6 Guard
Example: Configuring DHCP—DHCPv6 Guard
The following example displays a sample configuration for DHCPv6 Guard:
enable configure terminal ipv6 access-list acl1 permit host FE80::A8BB:CCFF:FE01:F700 any ipv6 prefix-list abc permit 2001:0DB8::/64 le 128 ipv6 dhcp guard policy pol1 device-role server match server access-list acl1 match reply prefix-list abc preference min 0 preference max 255 trusted-port interface GigabitEthernet 0/2/0 switchport ipv6 dhcp guard attach-policy pol1 vlan add 1 vlan 1 ipv6 dhcp guard attach-policy pol1 show ipv6 dhcp guard policy pol1
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
DHCP commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Cisco IOS IP Addressing Services Command Reference |
DHCP conceptual and configuration information |
Cisco IOS IP Addressing Services Configuration Guide |
Standards/RFCs
Standard |
Title |
---|---|
No new or modified standards/RFCs are supported by this feature. |
— |
MIBs
MIB |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for DHCP—DHCPv6 Guard
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
DHCP—DHCPv6 Guard |
15.2(1)E |
The DHCP—DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The following commands were introduced or modified: device-role , ipv6 dhcp guard attach-policy (DHCPv6 Guard), ipv6 dhcp guard policy, match reply prefix-list, match server access-list, preference (DHCPv6 Guard), show ipv6 dhcp guard policy, trusted-port (DHCPv6 Guard). |