IPv6 First Hop Security
OL-32830-01 Command Line Interface Reference Guide
• RELAY-REPL
Note 1. Assigned addresses are not verified if the value of the Status Code option (if present) differs from the following:
• Success
• UseMulticast
Note 2. In RELAY-REPL messages, DHCPv6 Guard validates the message encapsulated in the DHCP-relay-message option.
Use the disable keyword to disable verification of the assigned IPv6 addresses in
replies.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the switch in DHCPv6 Guard policy configuration mode, and matches the assigned addresses to the prefix list named list1: all assigned IPv6 addresses must belong to 2001:0DB8:100:200::/64 or to 2001:0DB8:100::/48. The "ge 128" parameter must be configured for each prefix of the prefix-list with prefix length less than 128.
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# match reply prefix-list list1
switchxxxxxx(config-dhcp-guard)# exit
switchxxxxxx(config)# ipv6 prefix-list list1 deny 2001:0DB8:100:200::/64 ge 128
switchxxxxxx(config)# ipv6 prefix-list list1 permit 2001:0DB8:100::/48 ge 128
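The following Python sketch is an added example, not part of the Cisco guide: it models how the list1 entries above would be evaluated against an assigned address and why "ge 128" is required. It assumes standard prefix-list semantics that this page does not spell out (entries checked in order, first match wins, implicit deny at the end, exact-length match when ge is omitted) and that an assigned address is compared as a /128; the function names are hypothetical.

```python
import ipaddress

# Constructed model of the example's prefix list: (action, prefix, ge).
# Assumed semantics (not stated on this page): first match wins, no match
# means deny, and an entry without "ge" matches only its own exact length.
LIST1 = [
    ("deny", "2001:db8:100:200::/64", 128),
    ("permit", "2001:db8:100::/48", 128),
]

# The same permit entry with "ge 128" left out, to show the failure mode.
LIST1_NO_GE = [("permit", "2001:db8:100::/48", None)]


def entry_matches(prefix, ge, candidate):
    """Return True if the candidate network matches one prefix-list entry."""
    net = ipaddress.ip_network(prefix)
    if not candidate.subnet_of(net):
        return False
    if ge is None:
        # No ge/le: the candidate length must equal the entry's length.
        return candidate.prefixlen == net.prefixlen
    # With ge: any length from ge up to 128 is accepted.
    return candidate.prefixlen >= ge


def evaluate(prefix_list, assigned_address):
    """Evaluate an assigned address, treated as a /128 (assumption)."""
    candidate = ipaddress.ip_network(assigned_address + "/128")
    for action, prefix, ge in prefix_list:
        if entry_matches(prefix, ge, candidate):
            return action
    return "deny"  # implicit deny when no entry matches


if __name__ == "__main__":
    # Constructed sample addresses, all from the documentation prefix.
    for addr in ("2001:db8:100:200::10", "2001:db8:100:1::10", "2001:db8:200::10"):
        print(addr, "->", evaluate(LIST1, addr))
    print("without ge 128:", evaluate(LIST1_NO_GE, "2001:db8:100:1::10"))
```

With the entries in the order shown, an address inside 2001:0DB8:100:200::/64 hits the deny entry first, so under these assumptions only the rest of the /48 is accepted.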
25.58 match server address
To enable verification of the source IPv6 address in messages sent by DHCPv6
servers or DHCPv6 Relays to a configured prefix list within a DHCPv6 Guard
policy, use the match server address command in DHCPv6 Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
match server address {prefix-list ipv6-prefix-list-name} | disable