Configuring IPv6 DHCP Guard Policies
The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device role assigned to the receiving switch port, trunk, or VLAN. This functionality helps to prevent traffic redirection or denial of service (DoS).
This section contains payload examples and CLIs to demonstrate how to use the NX-API REST API to configure IPv6 DHCP guard policies on Cisco Nexus 3000 and 9000 Series switches and to show how the REST APIs correspond to the CLI commands. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x.
Configuring the Maximum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfInstDhcpGuard": {
"attributes": {
"PolicyName": "Pol1",
"PreferenceMax": "123"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<dhcpguard-items>
<InstDhcpGuard-list>
<PolicyName>Pol1</PolicyName>
<PreferenceMax>123</PreferenceMax>
</InstDhcpGuard-list>
</dhcpguard-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
The CLI commands are equivalent to the payload examples above. The JSON block is the DME payload and the XML block is the YANG payload.
ipv6 dhcp guard policy Pol1
preference max 123
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Deleting the Configuration of the Maximum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfInstDhcpGuard": {
"attributes": {
"PolicyName": "Pol1",
"PreferenceMax": "255"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<dhcpguard-items>
<InstDhcpGuard-list>
<PolicyName>Pol1</PolicyName>
<PreferenceMax>255</PreferenceMax>
</InstDhcpGuard-list>
</dhcpguard-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
ipv6 dhcp guard policy Pol1
no preference max 123
Configuring the Minimum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfInstDhcpGuard": {
"attributes": {
"PolicyName": "POL1",
"PreferenceMin": "123"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<dhcpguard-items>
<InstDhcpGuard-list>
<PolicyName>POL1</PolicyName>
<PreferenceMin>123</PreferenceMin>
</InstDhcpGuard-list>
</dhcpguard-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
ipv6 dhcp guard policy POL1
preference min 123
Deleting the Configuration of the Minimum Number for the Allowed Advertised Server Preference of an IPv6 DHCP Guard Policy
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfInstDhcpGuard": {
"attributes": {
"PolicyName": "POL1",
"PreferenceMin": "0"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<dhcpguard-items>
<InstDhcpGuard-list>
<PolicyName>POL1</PolicyName>
<PreferenceMin>0</PreferenceMin>
</InstDhcpGuard-list>
</dhcpguard-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
ipv6 dhcp guard policy POL1
no preference min 123
Configuring Trusted Port (No Policing) for an IPv6 DHCP Guard Policy
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfInstDhcpGuard": {
"attributes": {
"PolicyName": "Pol1",
"TrustedPortEnabled": "yes"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<dhcpguard-items>
<InstDhcpGuard-list>
<PolicyName>Pol1</PolicyName>
<TrustedPortEnabled>true</TrustedPortEnabled>
</InstDhcpGuard-list>
</dhcpguard-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
ipv6 dhcp guard policy Pol1
trusted-port
Deleting the Trusted Port (No Policing) Configuration for an IPv6 DHCP Guard Policy
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfInstDhcpGuard": {
"attributes": {
"PolicyName": "Pol1",
"TrustedPortEnabled": "no"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<dhcpguard-items>
<InstDhcpGuard-list>
<PolicyName>Pol1</PolicyName>
<TrustedPortEnabled>false</TrustedPortEnabled>
</InstDhcpGuard-list>
</dhcpguard-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
ipv6 dhcp guard policy Pol1
no trusted-port
Attaching an IPv6 DHCP Guard Policy to an Ethernet Interface
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfFhsIf": {
"attributes": {
"dhcpGuardPolicyName": "POL1",
"id": "eth1/16"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<fhsif-items>
<FhsIf-list>
<id>eth1/16</id>
<dhcpGuardPolicyName>POL1</dhcpGuardPolicyName>
</FhsIf-list>
</fhsif-items>
</sisf-items>
</System>
Note: This example was added in Release 7.0(3)I7(1).
CLI Commands
interface eth 1/16
ipv6 dhcp guard attach-policy POL1
Removing an IPv6 DHCP Guard Policy from an Ethernet Interface
POST http://<mgmt0_IP>/api/mo/sys/sisf.json
{
"sisfEntity": {
"children": [
{
"sisfFhsIf": {
"attributes": {
"dhcpGuardPolicyName": "",
"id": "eth1/16"
}}}]}}
{
"imdata": []
}
<System>
<sisf-items>
<fhsif-items>
<FhsIf-list>
<id>eth1/16</id>
<dhcpGuardPolicyName></dhcpGuardPolicyName>
</FhsIf-list>
</fhsif-items>
</sisf-items>
</System>
Note: This example was added in Release 7.0(3)I7(3).
CLI Commands
interface eth 1/16
no ipv6 dhcp guard attach-policy POL1
Attaching an IPv6 DHCP Guard Policy to a Switchport Interface
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3",
"layer": "Layer2",
"userCfgdFlags": "admin_layer"
}
}
}
]
}
},
{
"sisfEntity": {
"children": [
{
"sisfFhsIf": {
"attributes": {
"dhcpGuardPolicyName": "POL1",
"id": "eth1/3"
}}}]}}]}}
{
"imdata": []
}
<System>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
<layer>Layer2</layer>
<userCfgdFlags>admin_layer</userCfgdFlags>
</PhysIf-list>
</phys-items>
</intf-items>
<sisf-items>
<FhsIf-items>
<FhsIf-list>
<id>eth1/3</id>
<dhcpGuardPolicyName>POL1</dhcpGuardPolicyName>
</FhsIf-list>
</FhsIf-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
interface ethernet 1/3
switchport
ipv6 dhcp guard attach-policy POL1
Removing an IPv6 DHCP Guard Policy from a Switchport Interface
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"interfaceEntity": {
"children": [
{
"l1PhysIf": {
"attributes": {
"id": "eth1/3",
"layer": "Layer2",
"userCfgdFlags": "admin_layer"
}
}
}
]
}
},
{
"sisfEntity": {
"children": [
{
"sisfFhsIf": {
"attributes": {
"dhcpGuardPolicyName": "",
"id": "eth1/3"
}}}]}}]}}
{
"imdata": []
}
<System>
<intf-items>
<phys-items>
<PhysIf-list>
<id>eth1/3</id>
<layer>Layer2</layer>
<userCfgdFlags>admin_layer</userCfgdFlags>
</PhysIf-list>
</phys-items>
</intf-items>
<sisf-items>
<FhsIf-items>
<FhsIf-list>
<id>eth1/3</id>
<dhcpGuardPolicyName></dhcpGuardPolicyName>
</FhsIf-list>
</FhsIf-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
interface ethernet 1/3
switchport
no ipv6 dhcp guard attach-policy POL1
Attaching an IPv6 DHCP Guard Policy to a VLAN Configuration
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"bdEntity": {
"children": [
{
"l2VlanConfig": {
"attributes": {
"accEncap": "vlan-127"
}
}
}
]
}
},
{
"sisfEntity": {
"children": [
{
"sisfFhsVlan": {
"attributes": {
"dhcpGuardPolicyName": "POL1",
"vlanID": "127"
}
}
}
]
}
}
]
}
}
{
"imdata": []
}
<System>
<bd-items>
<vlanconfig-items>
<VlanConfig-list>
<accEncap>vlan-127</accEncap>
</VlanConfig-list>
</vlanconfig-items>
</bd-items>
<sisf-items>
<fhsvlan-items>
<FhsVlan-list>
<vlanID>127</vlanID>
<dhcpGuardPolicyName>POL1</dhcpGuardPolicyName>
</FhsVlan-list>
</fhsvlan-items>
</sisf-items>
</System>
Note: This example was added in Release 7.0(3)I7(1).
CLI Commands
vlan config 127
ipv6 dhcp guard attach-policy POL1
Removing an IPv6 DHCP Guard Policy from a VLAN Configuration
POST http://<mgmt0_IP>/api/mo/sys.json
{
"topSystem": {
"children": [
{
"bdEntity": {
"children": [
{
"l2VlanConfig": {
"attributes": {
"accEncap": "vlan-127"
}
}
}
]
}
},
{
"sisfEntity": {
"children": [
{
"sisfFhsVlan": {
"attributes": {
"dhcpGuardPolicyName": "",
"vlanID": "127"
}
}
}
]
}
}
]
}
}
{
"imdata": []
}
<System>
<bd-items>
<vlanconfig-items>
<VlanConfig-list>
<accEncap>vlan-127</accEncap>
</VlanConfig-list>
</vlanconfig-items>
</bd-items>
<sisf-items>
<fhsvlan-items>
<FhsVlan-list>
<vlanID>127</vlanID>
<dhcpGuardPolicyName></dhcpGuardPolicyName>
</FhsVlan-list>
</fhsvlan-items>
</sisf-items>
</System>
Note: This example was added in Cisco NX-OS Release 7.0(3)I7(3).
CLI Commands
vlan configuration 127
no ipv6 dhcp guard attach-policy POL1
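Setting dhcpGuardPolicyName to an empty string, as the removal payloads do, leaves the target with no guard policy, and a trusted-port policy turns off policing wherever it is attached. The following added example (not Cisco code) audits an intended-state payload of the shape used on this page for both conditions, plus empty preference windows and undefined policy names. The sample payload, the UPLINK policy name and the function name are constructed, and case-sensitive policy-name matching is an assumption.

```python
def audit_dhcp_guard(payload):
    """Return a list of findings for a sisfEntity payload (intended state)."""
    children = payload["sisfEntity"]["children"]
    policies = {}   # PolicyName -> True when TrustedPortEnabled is "yes"
    findings = []

    # Pass 1: collect policy definitions and check the preference window.
    for child in children:
        attrs = child.get("sisfInstDhcpGuard", {}).get("attributes")
        if attrs is None:
            continue
        name = attrs["PolicyName"]
        # 0 and 255 are the values the page writes when a limit is deleted.
        low = int(attrs.get("PreferenceMin", "0"))
        high = int(attrs.get("PreferenceMax", "255"))
        if not 0 <= low <= high <= 255:
            findings.append(
                f"policy {name}: preference window {low}..{high} is empty or outside 0..255")
        policies[name] = attrs.get("TrustedPortEnabled", "no") == "yes"

    # Pass 2: check every interface and VLAN attachment against those policies.
    for child in children:
        for cls, key, label in (("sisfFhsIf", "id", ""),
                                ("sisfFhsVlan", "vlanID", "vlan ")):
            attrs = child.get(cls, {}).get("attributes")
            if attrs is None:
                continue
            target = label + attrs[key]
            policy = attrs.get("dhcpGuardPolicyName", "")
            if policy == "":
                findings.append(f"{target}: no DHCP guard policy attached")
            elif policy not in policies:   # assumption: names are case-sensitive
                findings.append(f"{target}: references undefined policy {policy}")
            elif policies[policy]:
                findings.append(
                    f"{target}: attached to trusted-port policy {policy} (no policing)")
    return findings


# Constructed sample: class and attribute names come from the page, values do not.
SAMPLE = {"sisfEntity": {"children": [
    {"sisfInstDhcpGuard": {"attributes": {
        "PolicyName": "POL1", "PreferenceMin": "123", "PreferenceMax": "100"}}},
    {"sisfInstDhcpGuard": {"attributes": {
        "PolicyName": "UPLINK", "TrustedPortEnabled": "yes"}}},
    {"sisfFhsIf": {"attributes": {"dhcpGuardPolicyName": "POL1", "id": "eth1/16"}}},
    {"sisfFhsIf": {"attributes": {"dhcpGuardPolicyName": "", "id": "eth1/3"}}},
    {"sisfFhsIf": {"attributes": {"dhcpGuardPolicyName": "UPLINK", "id": "eth1/1"}}},
    {"sisfFhsVlan": {"attributes": {"dhcpGuardPolicyName": "Pol1", "vlanID": "127"}}},
]}}

if __name__ == "__main__":
    for finding in audit_dhcp_guard(SAMPLE):
        print(finding)
```

Run it against the payload you intend to POST, before sending it, so that a detached port or a mistyped policy name is caught in review rather than on the switch.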