Chapter 9
| General Security Measures
DHCPv6 Snooping
– 354 –
â–
If a DHCPv6 Reply packet is received from a server on a trusted port, it
will be processed in the following manner:
A. Check if IPv6 address in IA option is found in binding table:
â–
If yes, continue to C.
â–
If not, continue to B.
B. Check if IPv6 address in IA option is found in binding cache:
â–
If yes, continue to C.
â–
If not, check failed, and forward packet to trusted port.
C. Check status code in IA option:
â–
If successful, and entry is in binding table, update lease time
and forward to original destination.
â–
If successful, and entry is in binding cache, move entry from
binding cache to binding table, update lease time and forward
to original destination.
â–
Otherwise, remove binding entry. and check failed.
â–
If a DHCPv6 Relay packet is received, check the relay message option in
Relay-Forward or Relay-Reply packet, and process client and server
packets as described above.
â—† If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s)
through which the switch submits a client request to the DHCPv6 server must
be configured as trusted (using the ipv6 dhcp snooping trust command). Note
that the switch will not add a dynamic entry for itself to the binding table when
it receives an ACK message from a DHCPv6 server. Also, when the switch sends
out DHCPv6 client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCPv6 server, any packets received from
untrusted ports are dropped.
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
Related Commands
ipv6 dhcp snooping vlan (357)
ipv6 dhcp snooping trust (358)
To Next Page
Loading...
Need help?
General