Chapter 9
| General Security Measures
DHCPv6 Snooping
– 323 –
DHCP Server Packet
■
If a DHCP server packet is received on an untrusted port, drop this
packet and add a log entry in the system.
■
If a DHCPv6 Reply packet is received from a server on a trusted port, it
will be processed in the following manner:
a. Check if IPv6 address in IA option is found in binding table:
■
If yes, continue to C.
■
If not, continue to B.
b. Check if IPv6 address in IA option is found in binding cache:
■
If yes, continue to C.
■
If not, check failed, and forward packet to trusted port.
c. Check status code in IA option:
■
If successful, and entry is in binding table, update lease time
and forward to original destination.
■
If successful, and entry is in binding cache, move entry from
binding cache to binding table, update lease time and forward
to original destination.
■
Otherwise, remove binding entry. and check failed.
■
If a DHCPv6 Relay packet is received, check the relay message
option in Relay-Forward or Relay-Reply packet, and process
client and server packets as described above.
◆ If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s)
through which the switch submits a client request to the DHCPv6 server must
be configured as trusted (using the ipv6 dhcp snooping trust command). Note
that the switch will not add a dynamic entry for itself to the binding table when
it receives an ACK message from a DHCPv6 server. Also, when the switch sends
out DHCPv6 client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCPv6 server, any packets received from
untrusted ports are dropped.
To Next Page
Loading...
