Cisco Catalyst 2960-X Security Configuration Manual page 484

Cisco IOS Release 15.0(2)EX

How to Configure an IPv6 DHCP Guard Policy
Purpose (continued):
• server—Specifies that the attached device is a DHCPv6 server. Server messages are allowed on this port.

Step 4
Command or Action:
[no] match server access-list ipv6-access-list-name
Example:
;; Assume a preconfigured IPv6 access list as follows:
Switch(config)# ipv6 access-list my_acls
Switch(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
;; Configure DHCPv6 Guard to match the approved access list.
Switch(config-dhcp-guard)# match server access-list my_acls
Purpose:
(Optional) Enables verification that the advertised DHCPv6 server or relay address is from an authorized server access list (the destination address in the access list is 'any'). If not configured, this check will be bypassed. An empty access list is treated as a permit all.

Step 5
Command or Action:
[no] match reply prefix-list ipv6-prefix-list-name
Example:
;; Assume a preconfigured IPv6 prefix list as follows:
Switch(config)# ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128
;; Configure DHCPv6 Guard to match the prefix list.
Switch(config-dhcp-guard)# match reply prefix-list my_prefix
Purpose:
(Optional) Enables verification of the advertised prefixes in DHCPv6 reply messages from the configured authorized prefix list. If not configured, this check will be bypassed. An empty prefix list is treated as a permit.

Step 6
Command or Action:
[no] preference {max limit | min limit}
Example:
Switch(config-dhcp-guard)# preference max 250
Switch(config-dhcp-guard)# preference min 150
Purpose:
Configure max and min when device-role is server to filter DHCPv6 server advertisements by the server preference value. The defaults permit all advertisements.
• max limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is less than the specified limit. Default is 255. If not specified, this check will be bypassed.
• min limit—(0 to 255) (Optional) Enables verification that the advertised preference (in preference option) is greater than the specified limit. Default is 0. If not specified, this check will be bypassed.

Step 7
Command or Action:
[no] trusted-port
Example:
Switch(config-dhcp-guard)# trusted-port
Purpose:
(Optional) trusted-port—Sets the port to a trusted mode. No further policing takes place on the port.
Note: If you configure a trusted port then the device-role option is not available.

Step 8
Command or Action:
default {device-role | trusted-port}
Example:
Switch(config-dhcp-guard)# default device-role
Purpose:
(Optional) default—Sets a command to its defaults.

Configuring IPv6 First Hop Security
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01
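An added example (not from the Cisco guide): a small Python audit that reads a saved configuration and reports, per DHCPv6 Guard policy, which of the checks from Steps 4, 5 and 7 are bypassed or permissive. The saved-config layout, the policy names UPLINK, LAB and LEGACY, the list name missing_acl, and the rule that a referenced but undefined list counts as empty are assumptions of this example.

```python
import re

# Constructed sample config; UPLINK, LAB, LEGACY and missing_acl are made-up names.
SAMPLE = """\
ipv6 access-list my_acls
 permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list my_prefix permit 2001:0DB8::/64 le 128
ipv6 dhcp guard policy UPLINK
 device-role server
 match server access-list my_acls
 match reply prefix-list my_prefix
ipv6 dhcp guard policy LAB
 device-role server
 match server access-list missing_acl
ipv6 dhcp guard policy LEGACY
 trusted-port
"""

def parse(config):  # -> (ACL entries by name, non-empty prefix-list names, policy bodies by name)
    acls, plists, policies, cur = {}, set(), {}, []
    for line in config.splitlines():
        if line.startswith(" "):              # sub-command: belongs to the open block
            cur.append(line.strip())
            continue
        cur = []                              # unrelated top-level commands collect into a discard list
        if m := re.match(r"ipv6 access-list (\S+)", line):
            cur = acls.setdefault(m[1], [])
        elif m := re.match(r"ipv6 prefix-list (\S+) (?:seq \d+ )?(?:permit|deny) ", line):
            plists.add(m[1])
        elif m := re.match(r"ipv6 dhcp guard policy (\S+)", line):
            cur = policies.setdefault(m[1], [])
    return acls, plists, policies

def audit(config):
    """Map each DHCPv6 Guard policy name to the checks that are bypassed or permissive."""
    acls, plists, policies = parse(config)
    checks = (("match server", r"match server access-list (\S+)", lambda n: bool(acls.get(n))),
              ("match reply", r"match reply prefix-list (\S+)", lambda n: n in plists))
    report = {}
    for name, body in policies.items():
        found = report[name] = ["trusted-port: no policing on this port"] if "trusted-port" in body else []
        if "device-role server" in body:      # only server-role ports accept server messages
            for kind, pat, usable in checks:
                refs = [m[1] for l in body if (m := re.match(pat, l))]
                if not refs:
                    found.append(f"{kind}: not configured, check bypassed")
                elif not usable(refs[0]):     # assumption: an undefined list is treated like an empty one
                    found.append(f"{kind}: list {refs[0]} empty or undefined, permits all")
    return report
```

Calling `audit(SAMPLE)` returns an empty finding list for UPLINK, two findings for LAB and the trusted-port finding for LEGACY.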
