The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module describes the Dynamic Host Configuration Protocol version 6 (DHCPv6) Guard feature. This feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. In addition, to provide a finer level of filter granularity, messages can be filtered based on the address of the sending server or relay agent, or by the prefixes and addresses ranges listed in the reply message. This functionality helps to prevent traffic redirection or denial of service (DoS).
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About DHCPv6 Guard
The DHCPv6 Guard feature blocks reply and advertisement messages that come from unauthorized DHCP servers and relay agents.
Packets are classified into one of the three DHCP type messages. All client messages are always switched regardless of device role. DHCP server messages are only processed further if the device role is set to server. Further processing of server messages includes DHCP server advertisements (for source validation and server preference) and DHCP server replies (for permitted prefixes).
If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device role configuration.
How to Configure DHCPv6 Guard
1.
enable
2.
configure
terminal
3.
ipv6
access-list
access-list-name
4.
permit
host
address
any
5.
exit
6.
ipv6
prefix-list
list-name
permit
ipv6-prefix
128
7.
ipv6
dhcp
guard
policy
policy-name
8.
device-role {client |
server}
9.
match
server
access-list
ipv6-access-list-name
10.
match
reply
prefix-list
ipv6-prefix-list-name
11.
preference
min
limit
12.
preference
max
limit
13.
trusted-port
14.
exit
15.
interface
type
number
16.
switchport
17.
exit
18.
exit
19.
show
ipv6
dhcp
guard
policy [policy-name]
Configuration Examples for DHCPv6 Guard
The following example displays a sample configuration for DHCPv6 Guard:
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
DHCP commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Cisco IOS IP Addressing Services Command Reference |
DHCP conceptual and configuration information |
Cisco IOS IP Addressing Services Configuration Guide |
Standard |
Title |
---|---|
No new or modified standards/RFCs are supported by this feature. |
— |
MIB |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
DHCP—DHCPv6 Guard |
Cisco IOS XE Release 3.8S |
The DHCP—DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The following commands were introduced or modified: device-role , ipv6 dhcp guard attach-policy (DHCPv6 Guard), ipv6 dhcp guard policy, match reply prefix-list, match server access-list, preference (DHCPv6 Guard), show ipv6 dhcp guard policy, trusted-port (DHCPv6 Guard). |