EasyManua.ls Logo

Digisol DG-GS4528SE - Page 898

Digisol DG-GS4528SE
1416 pages
Save Page as PDF
Print Icon
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
C
HAPTER
27
| General Security Measures
DHCPv6 Snooping
– 912 –
If a DHCPv6 packet from a client passes the filtering criteria above,
it will only be forwarded to trusted ports in the same VLAN.
DHCP Server Packet
n
If a DHCP server packet is received on an untrusted port, drop
this packet and add a log entry in the system.
n
If a DHCPv6 Reply packet is received from a server on a trusted
port, it will be processed in the following manner:
A. Check if IPv6 address in IA option is found in binding table:
n
If yes, continue to C.
n
If not, continue to B.
B. Check if IPv6 address in IA option is found in binding cache:
n
If yes, continue to C.
n
If not, check failed, and forward packet to trusted port.
C. Check status code in IA option:
n
If successful, and entry is in binding table, update lease
time and forward to original destination.
n
If successful, and entry is in binding cache, move entry
from binding cache to binding table, update lease time
and forward to original destination.
n
Otherwise, remove binding entry. and check failed.
n
If a DHCPv6 Relay packet is received, check the relay message
option in Relay-Forward or Relay-Reply packet, and process
client and server packets as described above.
u If DHCPv6 snooping is globally disabled, all dynamic bindings are
removed from the binding table.
u Additional considerations when the switch itself is a DHCPv6 client
The port(s) through which the switch submits a client request to the
DHCPv6 server must be configured as trusted (using the ipv6 dhcp
snooping trust command). Note that the switch will not add a dynamic
entry for itself to the binding table when it receives an ACK message
from a DHCPv6 server. Also, when the switch sends out DHCPv6 client
packets for itself, no filtering takes place. However, when the switch
receives any messages from a DHCPv6 server, any packets received
from untrusted ports are dropped.
EXAMPLE
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
RELATED COMMANDS
ipv6 dhcp snooping vlan (913)
ipv6 dhcp snooping trust (914)

Table of Contents

Related product manuals