Chapter 9
| General Security Measures
DHCPv6 Snooping
– 350 –
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages
from within the network. An untrusted interface is an interface that is
configured to receive messages from outside the network or fire wall.
◆ Set all ports connected to DHCv6 servers within the local network or fire wall to
trusted, and all other ports outside the local network or fire wall to untrusted.
◆ When DHCPv6 snooping is enabled globally using the ipv6 dhcp snooping
command, and enabled on a VLAN with ipv6 dhcp snooping vlan command,
DHCPv6 packet filtering will be performed on any untrusted ports within the
VLAN according to the default status, or as specifically configured for an
interface with the no ipv6 dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6
snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s)
through which it submits a client request to the DHCPv6 server must be
configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ipv6 dhcp snooping trust
Console(config-if)#
Related Commands
ipv6 dhcp snooping (344)
ipv6 dhcp snooping vlan (348)
clear ipv6 dhcp
snooping binding
This command clears DHCPv6 snooping binding table entries from RAM. Use this
command without any optional keywords to clear all entries from the binding
table.
Syntax
clear ipv6 dhcp snooping binding [mac-address ipv6-address]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
ipv6-address - Corresponding IPv6 address. This address must be entered
according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-
separated 16-bit hexadecimal values. One double colon may be used in the
address to indicate the appropriate number of zeros required to fill the
undefined fields.
To Next Page
Loading...
Need help?
General