27 April, 2015

### Configure DHCPv6 Guard

! Defines the IPv6 access list and enters IPv6 access list configuration mode.
Device(config)# ipv6 access-list acl1

! Sets the conditions in the named IP access list.
Device(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
Device(config-ipv6-acl)# exit

! Creates an entry in an IPv6 prefix list.
Device(config)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128

! Defines the DHCPv6 guard policy name and enters DHCP guard configuration mode.
Device(config)# ipv6 dhcp guard policy pol1

! Specifies the device role of the device attached to the target (interface or VLAN).
Device(config-dhcp-guard)# device-role server

! (Optional) Enables verification of the advertised DHCP server and relay address in inspected messages from the configured authorized server access list. If not configured, this check will be bypassed. An empty access list is treated as a permit.
Device(config-dhcp-guard)# match server access-list acl1

! (Optional) Enables verification of the advertised prefixes in DHCP reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.
Device(config-dhcp-guard)# match reply prefix-list abc

! (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. If not specified, this check will be bypassed.
Device(config-dhcp-guard)# preference min 0

! (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. If not specified, this check will be bypassed.
Device(config-dhcp-guard)# preference max 255

! (Optional) Specifies that this policy is being applied to trusted ports. All DHCP guard policing will be disabled.
Device(config-dhcp-guard)# trusted-port
Device(config-dhcp-guard)# exit

! Specifies an interface and enters interface configuration mode.
Device(config)# interface GigabitEthernet 0/2/0
Device(config-if)# switchport

! Attaches a DHCPv6 guard policy to an interface. The attach-policy and vlan keywords are optional in the interface command. If no VLAN number is specified, traffic from all VLANs on the port will be checked.
Device(config-if)# ipv6 dhcp guard attach-policy pol1 vlan add 1
Device(config-if)# exit

! Specifies a VLAN and enters VLAN configuration mode.
Device(config)# vlan 1

! Attaches a DHCPv6 guard policy to a VLAN.
Device(config-vlan)# ipv6 dhcp guard attach-policy pol1
Device(config-vlan)# exit

! Displays the policy configuration as well as all the interfaces where the policy is applied.
Device# show ipv6 dhcp guard policy pol1
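
The checks described in the comments above, as an added Python model that is not Cisco's implementation and not part of the original page. It evaluates constructed server messages against a policy shaped like `pol1`. The names `GuardPolicy` and `evaluate` are hypothetical; treating the preference limits as inclusive and dropping server messages on a non-server role are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass
class GuardPolicy:                      # hypothetical model of one guard policy
    device_role: str = "client"
    trusted_port: bool = False
    server_acl: Optional[List[str]] = None                 # None = check not configured
    reply_prefixes: Optional[List[Tuple[str, int]]] = None  # (prefix, "le" length)
    pref_min: Optional[int] = None
    pref_max: Optional[int] = None

def prefix_permitted(entries, advertised):
    """Prefix-list match: inside the base prefix, length between base and 'le'."""
    net = ipaddress.ip_network(advertised)
    for base, le in entries:
        base_net = ipaddress.ip_network(base)
        if net.subnet_of(base_net) and base_net.prefixlen <= net.prefixlen <= le:
            return True
    return False

def evaluate(policy, msg):
    """Return (verdict, reason) for a server-originated message seen on a port."""
    if policy.trusted_port:
        return "forward", "trusted-port: all guard policing disabled"
    if policy.device_role != "server":  # assumption: only server role may send these
        return "drop", "server message on non-server role"
    if policy.server_acl:               # unconfigured or empty list is a permit
        allowed = {ipaddress.ip_address(a) for a in policy.server_acl}
        if ipaddress.ip_address(msg["server"]) not in allowed:
            return "drop", "server address not in access list"
    if policy.reply_prefixes and not all(
            prefix_permitted(policy.reply_prefixes, p) for p in msg["prefixes"]):
        return "drop", "advertised prefix not in prefix list"
    # Assumption: limits are inclusive, so min 0 / max 255 accepts every value.
    if policy.pref_min is not None and msg["preference"] < policy.pref_min:
        return "drop", "preference below minimum"
    if policy.pref_max is not None and msg["preference"] > policy.pref_max:
        return "drop", "preference above maximum"
    return "forward", "all configured checks passed"

# pol1 from the page, without trusted-port so the match statements take effect.
POL1 = GuardPolicy("server", False, ["FE80::A8BB:CCFF:FE01:F700"],
                   [("2001:0DB8::/64", 128)], 0, 255)
# Constructed sample messages (not captured traffic).
GOOD = {"server": "fe80::a8bb:ccff:fe01:f700", "prefixes": ["2001:db8::/64"], "preference": 10}
ROGUE = {"server": "fe80::1", "prefixes": ["2001:db8::/64"], "preference": 255}
BAD_PREFIX = dict(GOOD, prefixes=["2001:db8:1::/64"])
```

Evaluating `ROGUE` against `replace(POL1, trusted_port=True)` returns `forward`: with `trusted-port` set as in the listing above, the access list, prefix list and preference checks in the same policy are never applied.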