DHCP--DHCPv6 Guard
This module describes the Dynamic Host Configuration Protocol version 6 (DHCPv6) Guard feature. This feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. In addition, to provide a finer level of filter granularity, messages can be filtered based on the address of the sending server or relay agent, or by the prefixes and addresses ranges listed in the reply message. This functionality helps to prevent traffic redirection or denial of service (DoS).
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for DHCPv6 Guard
Information About DHCPv6 Guard
DHCPv6 Guard Overview
The DHCPv6 Guard feature blocks reply and advertisement messages that come from unauthorized DHCP servers and relay agents.
Packets are classified into one of the three DHCP type messages. All client messages are always switched regardless of device role. DHCP server messages are only processed further if the device role is set to server. Further processing of server messages includes DHCP server advertisements (for source validation and server preference) and DHCP server replies (for permitted prefixes).
If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device role configuration.
How to Configure DHCPv6 Guard
Configuring DHCP--DHCPv6 Guard
DETAILED STEPS
Configuration Examples for DHCPv6 Guard
Example: Configuring DHCP--DHCPv6 Guard
The following example displays a sample configuration for DHCPv6 Guard:
enable configure terminal ipv6 access-list acl1 permit host FE80::A8BB:CCFF:FE01:F700 any ipv6 prefix-list abc permit 2001:0DB8::/64 le 128 ipv6 dhcp guard policy pol1 device-role server match server access-list acl1 match reply prefix-list abc preference min 0 preference max 255 trusted-port interface GigabitEthernet 0/2/0 switchport ipv6 dhcp guard attach-policy pol1 vlan add 1 vlan 1 ipv6 dhcp guard attach-policy pol1 show ipv6 dhcp guard policy pol1
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
DHCP commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Cisco IOS IP Addressing Services Command Reference |
DHCP conceptual and configuration information |
Cisco IOS IP Addressing Services Configuration Guide |
Standards/RFCs
Standard |
Title |
---|---|
No new or modified standards/RFCs are supported by this feature. |
-- |
MIBs
MIB |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for DHCP--DHCPv6 Guard
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for DHCP--DHCPv6 Guard |
Feature Name | Releases | Feature Information |
---|---|---|
DHCP--DHCPv6 Guard |
15.2(4)S 15.0(2)SE 15.1(2)SG Cisco IOS XE Release 3.8S Cisco IOS XE Release 3.2SE |
The DHCP--DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The following commands were introduced or modified: device-role , ipv6 dhcp guard attach-policy (DHCPv6 Guard), ipv6 dhcp guard policy, match reply prefix-list, match server access-list, preference (DHCPv6 Guard), show ipv6 dhcp guard policy, trusted-port (DHCPv6 Guard). |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.