Configuring IPv6 DHCP Guard Policies

The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. This functionality helps to prevent traffic redirection or denial of service (DoS).

This section contains payload examples and CLIs to demonstrate how to use the NX-API REST API to configure IPv6 RA guard policies on Cisco Nexus 3000 and 9000 Series switches and to show how the REST APIs correspond to the CLI commands. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html/

Configuring the Maximum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

ipv6 dhcp guard policy Pol1
 preference max 123

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfInstDhcpGuard	sys/sisf/dhcpguard-{policyName}

sisfInstDhcpGuard Properties

The following table contains information about the sisfInstDhcpGuard properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
PolicyName	string:Basic	Name of dhcp guard policy	A sequence of characters
PreferenceMax	sisf:preferenceMax (scalar:Uint16)	Configure maximum allowed advertised server preference	RANGE: [0 , 255] DEFAULT: 255

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Configuration of the Maximum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

ipv6 dhcp guard policy Pol1
 no preference max 123

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfInstDhcpGuard	sys/sisf/dhcpguard-{policyName}

sisfInstDhcpGuard Properties

The following table contains information about the sisfInstDhcpGuard properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
PolicyName	string:Basic	Name of dhcp guard policy	A sequence of characters
PreferenceMax	sisf:preferenceMax (scalar:Uint16)	Configure maximum allowed advertised server preference	RANGE: [0 , 255] DEFAULT: 255

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Minimum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

ipv6 dhcp guard policy Pol1
 preference min 123

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfInstDhcpGuard	sys/sisf/dhcpguard-{policyName}

sisfInstDhcpGuard Properties

The following table contains information about the sisfInstDhcpGuard properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
PolicyName	string:Basic	Name of dhcp guard policy	A sequence of characters
PreferenceMin	sisf:preferenceMin (scalar:Uint16)	Configure minimum allowed advertised server preference	RANGE: [0 , 255] DEFAULT: 0

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Configuration of the Minimum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

ipv6 dhcp guard policy Pol1
 no preference min 123

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfInstDhcpGuard	sys/sisf/dhcpguard-{policyName}

sisfInstDhcpGuard Properties

The following table contains information about the sisfInstDhcpGuard properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
PolicyName	string:Basic	Name of dhcp guard policy	A sequence of characters
PreferenceMin	sisf:preferenceMin (scalar:Uint16)	Configure minimum allowed advertised server preference	RANGE: [0 , 255] DEFAULT: 0

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Trusted Port (No Policing) for an IPv6 DHCP Guard Policy

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

ipv6 dhcp guard policy Pol1
 trusted-port

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfInstDhcpGuard	sys/sisf/dhcpguard-{policyName}

sisfInstDhcpGuard Properties

The following table contains information about the sisfInstDhcpGuard properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
PolicyName	string:Basic	Name of dhcp guard policy	A sequence of characters
TrustedPortEnabled	scalar:Bool	Setup trusted port	SELECTION: true or false

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Trusted Port (No Policing) Configuration for an IPv6 DHCP Guard Policy

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

ipv6 dhcp guard policy Pol1
 no trusted-port

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfInstDhcpGuard	sys/sisf/dhcpguard-{policyName}

sisfInstDhcpGuard Properties

The following table contains information about the sisfInstDhcpGuard properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
PolicyName	string:Basic	Name of dhcp guard policy	A sequence of characters
TrustedPortEnabled	scalar:Bool	Setup trusted port	SELECTION: true or false

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Attaching an IPv6 DHCP Guard Policy to an Ethernet Interface

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface eth 1/16
 ipv6 dhcp guard attach-policy POL1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfFhsIf	sys/sisf/fhsif-{[id]}

sisfFhsIf Properties

The following table contains information about the sisfFhsIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dhcpGuardPolicyName	string:Basic	Attach a dhcp guard policy of FHS feature	A sequence of characters
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Removing an IPv6 DHCP Guard Policy from an Ethernet Interface

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface eth 1/16
 no ipv6 dhcp guard attach-policy POL1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
sisfEntity	sys/sisf
sisfFhsIf	sys/sisf/fhsif-{[id]}

sisfFhsIf Properties

The following table contains information about the sisfFhsIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dhcpGuardPolicyName	string:Basic	Attach a dhcp guard policy of FHS feature	A sequence of characters
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Attaching an IPv6 DHCP Guard Policy to a Switchport Interface

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/3
 switchport
  ipv6 dhcp guard attach-policy POL1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-{[id]}
sisfEntity	sys/sisf
sisfFhsIf	sys/sisf/fhsif-{[id]}

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
layer	l1:Layer (scalar:Enum8)	Administrative port layer	SELECTION: 1 - Layer2 2 - Layer3 DEFAULT: Layer2
userCfgdFlags	l1:userCfgdFlags (scalar:Bitmask8)	Port User Config Flags	SELECTION: 0 - none 1 - admin_state 2 - admin_layer 4 - admin_router_mac 8 - admin_dce_mode 16 - admin_mtu DEFAULT: none

sisfFhsIf Properties

The following table contains information about the sisfFhsIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dhcpGuardPolicyName	string:Basic	Attach a dhcp guard policy of FHS feature	A sequence of characters
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Removing an IPv6 DHCP Guard Policy from a Switchport Interface

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

interface ethernet 1/3
 switchport
  no ipv6 dhcp guard attach-policy POL1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-{[id]}
sisfEntity	sys/sisf
sisfFhsIf	sys/sisf/fhsif-{[id]}

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
layer	l1:Layer (scalar:Enum8)	Administrative port layer	SELECTION: 1 - Layer2 2 - Layer3 DEFAULT: Layer2
userCfgdFlags	l1:userCfgdFlags (scalar:Bitmask8)	Port User Config Flags	SELECTION: 0 - none 1 - admin_state 2 - admin_layer 4 - admin_router_mac 8 - admin_dce_mode 16 - admin_mtu DEFAULT: none

sisfFhsIf Properties

The following table contains information about the sisfFhsIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dhcpGuardPolicyName	string:Basic	Attach a dhcp guard policy of FHS feature	A sequence of characters
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Attaching an IPv6 DHCP Guard Policy to a VLAN Configuration

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

vlan config 127
 ipv6 dhcp guard attach-policy POL1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
bdEntity	sys/bd
l2VlanConfig	sys/bd/vlanconfig-{[accEncap]}
sisfEntity	sys/sisf
sisfFhsVlan	sys/sisf/fhsvlan-{vlanID}

l2VlanConfig Properties

The following table contains information about the l2VlanConfig properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
accEncap	base:Encap	Access Encapsulation	SELECTION: unknown, vlan-%d or vxlan-%d

sisfFhsVlan Properties

The following table contains information about the sisfFhsVlan properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dhcpGuardPolicyName	string:Basic	Attach a dhcp guard policy of FHS feature	A sequence of characters
vlanID	sisf:VlanID (scalar:Uint16)	Vlan Number	RANGE: [1 , 4096]

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Removing an IPv6 DHCP Guard Policy from a VLAN Configuration

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

vlan configuration 127
 no ipv6 dhcp guard attach-policy POL1

Note: The property information for this example was added in Release 9.3(3).

Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
topSystem	sys
bdEntity	sys/bd
l2VlanConfig	sys/bd/vlanconfig-{[accEncap]}
sisfEntity	sys/sisf
sisfFhsVlan	sys/sisf/fhsvlan-{vlanID}

l2VlanConfig Properties

The following table contains information about the l2VlanConfig properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
accEncap	base:Encap	Access Encapsulation	SELECTION: unknown, vlan-%d or vxlan-%d

sisfFhsVlan Properties

The following table contains information about the sisfFhsVlan properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dhcpGuardPolicyName	string:Basic	Attach a dhcp guard policy of FHS feature	A sequence of characters
vlanID	sisf:VlanID (scalar:Uint16)	Vlan Number	RANGE: [1 , 4096]

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html