IPv6 DHCPv6 Guard policy not applied to switchports

Routing & Switching
1

I am trying to practice IPv6 DHCPv6 Guard on a virtual IOS L2 switch inside EVE-ng and while the commands I have implemented on the virtual switch are working the ipv6 dhcp guard policy is not being bound to the interfaces.

Switch Image Info: Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#ipv6 dhcp guard policy DHCP_SERVER
SW1(config-dhcp-guard)#device-role server
SW1(config-dhcp-guard)#exit
SW1(config)#
SW1(config)#
SW1(config)#ipv6 dhcp guard policy DHCP_CLIENT
SW1(config-dhcp-guard)#device-role client
SW1(config-dhcp-guard)#exit
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#ipv6 dhcp guard attach-policy DHCP_SERVER
SW1(config)#
SW1(config)#interface range GigabitEthernet 0/2 - 3
SW1(config-if-range)#ipv6 dhcp guard attach-policy DHCP_CLIENT
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#end
SW1#
*Apr  5 17:20:51.285: %SYS-5-CONFIG_I: Configured from console by console
SW1#
SW1#

SW1#show ipv6 dhcp guard policy
Dhcp guard policy: DHCP_CLIENT
Device Role: dhcp client
Target: Box

Dhcp guard policy: DHCP_SERVER
Device Role: dhcp server
Target: none
Max Preference: 255
Min Preference: 0

SW1#sh run int gi0/1
Building configuration...

Current configuration : 54 bytes
!
interface GigabitEthernet0/1
 negotiation auto
end

SW1#sh run int gi0/2
Building configuration...

Current configuration : 54 bytes
!
interface GigabitEthernet0/2
 negotiation auto
end

SW1#sh run int gi0/3
Building configuration...

Current configuration : 54 bytes
!
interface GigabitEthernet0/3
 negotiation auto
end

Why aren’t the DHCPv6 policies being bound to the interfaces?

Thanks in advance,

Adil

2

Hello Adil

Thanks for sharing your specific scenario with us! I don’t have an immediate answer for your query, however, I do have some additional information that will hopefully guide you to the right solution.

First of all, it may be that the vIOS_L2 image that’s being used in EVE-NG may have some limitations as far as some features go. IPv6 First Hop Security (FHS) features including DHCPv6 Guard, RA Guard, and IPv6 ND Inspection are all heavily dependent on specialized hardware ASICs found in physical Catalyst switches. Because vIOS_L2 does not emulate these ASICs, the feature may be only partially implemented.

The CLI parser accepts the commands since no syntax error is shown, but the backend process that actually programs the policy into the forwarding plane is either absent or unsupported. As a result, the command is silently dropped and does not appear in show run interface, which is consistent with your output.

Note that the Target: Box value indicates the policy was applied at a global/device level rather than to a specific interface, which is what you configured. This seems to be a symptom of the platform not properly associating the policy with the physical interface.

Now having said all of that, the issue may be elsewhere, so I mention one more thing here. You may be missing the IPv6 Snooping configuration on the VLAN. Even on physical Catalyst hardware, there is an additional prerequisite for this to function correctly. IPv6 FHS features like DHCPv6 Guard require IPv6 Snooping to be enabled on the VLAN before interface-level policy bindings will take effect. This is a known dependency in the IOS FHS framework.

Check to see if your configuration is missing the following, as this info is not included in your configs you shared:

vlan configuration 1
 ipv6 snooping

While this may not resolve the issue on EVE-NG (due to platform limitations), it would be required on physical hardware. Try it out to see if this is indeed the issue, and let us know! I look forward to hearing your results!

I hope this has been helpful!

Laz

3

Hi Laz,

I tried adding the additional command under “vlan configuration 1” and unfortunately it didn’t work.

SW1#show ipv6 dhcp guard policy
Dhcp guard policy: DHCP_CLIENT
Device Role: dhcp client
Target: none

Dhcp guard policy: DHCP_SERVER
Device Role: dhcp server
Target: vlan 1 Box
Max Preference: 255
Min Preference: 0

Here’s the full config:

SW1#sh run
Building configuration...

Current configuration : 3107 bytes
!
! Last configuration change at 15:22:18 UTC Mon Apr 6 2026
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip cef
ipv6 snooping
ipv6 dhcp guard policy DHCP_CLIENT
!
ipv6 dhcp guard policy DHCP_SERVER
device-role server
!
no ipv6 cef
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan configuration 1
ipv6 snooping
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
negotiation auto
!
interface GigabitEthernet0/1
negotiation auto
!
interface GigabitEthernet0/2
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet0/3
switchport mode access
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet1/0
negotiation auto
!
interface GigabitEthernet1/1
negotiation auto
!
interface GigabitEthernet1/2
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
!
!
control-plane
!
banner exec ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at [http://www.cisco.com/go/eula](http://www.cisco.com/go/eula). Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at [http://www.cisco.com/go/eula](http://www.cisco.com/go/eula). Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at [http://www.cisco.com/go/eula](http://www.cisco.com/go/eula). Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
line aux 0
line vty 0 4
!
!
end
4

Hello Adil

It seems then that you have confirmed that the issue is indeed due to platform limitations in the vIOS_L2 virtual switch image. While the CLI accepts the configuration commands without syntax errors, the backend forwarding plane does not actually implement the policy.

DHCPv6 Guard and other similar features are hardware-dependent and rely on specialized ASICs and TCAM memory found in physical Catalyst switches. Unfortunately, the features don’t run correctly on the emulator.

I hope this has been helpful!

Laz