IPV6 DHCPv6 Guard



Key points

-Define Northbound and Southbound traffic.

-Drop DHCP traffic from Southbound


configure terminal
ipv6 access-list acl1
 permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128	
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
 match reply prefix-list abc
 preference min 0
 preference max 255
interface GigabitEthernet 0/2/0
 ipv6 dhcp guard attach-policy pol1 vlan add 1
 vlan 1
  ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1

IPV6 security RAguard config Key points

IPV6 RAguard – router advertisement guard



Key points

-Need the link local address that RA is coming from

-Need the payload prefix that it will be advertising

Configure interface role  – monitor | router | switch

Configuring the IPv6 RA Guard Policy on the Device


  1.    enable
  2.    configure terminal
  3.    ipv6 nd raguard policy policy-name
  4.    device-role {host | router}
  5.    hop-limit {maximum | minimum limit}
  6.   managed-config-flag {on | off}
  7.    match ipv6 access-list ipv6-access-list-name
  8.    match ra prefix-list ipv6-prefix-list-name
  9.   other-config-flag {on | off}
  10.    router-preference maximum {high | low | medium}
  11.   trusted-port

12.   exit

Example: IPv6 RA Guard Configuration

Device(config)# interface fastethernet 3/13
Device(config-if)# ipv6 nd raguard attach-policy
Device# show running-config interface fastethernet 3/13
Building configuration... 
Current configuration : 129 bytes 
interface FastEthernet3/13 
 switchport access vlan 222 
 switchport mode access 
 access-group mode prefer port 
 ipv6 nd raguard 


Device# show ipv6 snooping capture-policy interface ethernet 0/0

Hardware policy registered on Ethernet 0/0 
Protocol     Protocol value   Message   Value     Action    Feature 
ICMP         58               RS        85        punt      RA Guard 
                                                  punt      ND Inspection 
ICMP         58               RA        86        drop      RA guard 
                                                  punt      ND Inspection 
ICMP         58               NS        87        punt      ND Inspection 
ICM          58               NA        88        punt      ND Inspection 
ICMP         58               REDIR     89        drop      RA Guard 
                                                  punt      ND Inspection