Chapter 9 | General Security Measures
DHCPv6 Snooping
– 354 –
◆ If a DHCPv6 Reply packet is received from a server on a trusted port, it
will be processed in the following manner:
  A. Check if IPv6 address in IA option is found in binding table:
     ■ If yes, continue to C.
     ■ If not, continue to B.
  B. Check if IPv6 address in IA option is found in binding cache:
     ■ If yes, continue to C.
     ■ If not, check failed, and forward packet to trusted port.
  C. Check status code in IA option:
     ■ If successful, and entry is in binding table, update lease time
       and forward to original destination.
     ■ If successful, and entry is in binding cache, move entry from
       binding cache to binding table, update lease time and forward
       to original destination.
     ■ Otherwise, remove binding entry, and check failed.
◆ If a DHCPv6 Relay packet is received, check the relay message option in
Relay-Forward or Relay-Reply packet, and process client and server
packets as described above.
◆ If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s)
through which the switch submits a client request to the DHCPv6 server must
be configured as trusted (using the ipv6 dhcp snooping trust command). Note
that the switch will not add a dynamic entry for itself to the binding table when
it receives an ACK message from a DHCPv6 server. Also, when the switch sends
out DHCPv6 client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCPv6 server, any packets received from
untrusted ports are dropped.
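The Reply-processing steps A to C above, together with the rule that server messages on untrusted ports are dropped, written out as an added Python model (not the switch firmware's code). It assumes the binding table and binding cache are plain dictionaries keyed by IPv6 address, and that the IA status code 0 means Success as defined in RFC 8415.

```python
from dataclasses import dataclass, field

SUCCESS = 0  # DHCPv6 status code "Success" (RFC 8415); anything else is a failure


@dataclass
class SnoopingState:
    # Assumed model: table holds server-confirmed bindings, cache holds
    # addresses seen in client messages that no server Reply has confirmed yet.
    table: dict = field(default_factory=dict)  # ipv6 address -> lease time (s)
    cache: dict = field(default_factory=dict)  # ipv6 address -> lease time (s)


def process_reply(state, ipv6_addr, status_code, lease_time, trusted_port):
    """Apply the snooping checks to one DHCPv6 Reply and return the action taken.

    'drop'            server packet arrived on an untrusted port
    'forward-trusted' address unknown (check failed at B), forwarded to trusted port
    'forward'         binding confirmed/updated, forwarded to original destination
    'removed'         error status in IA option, binding entry removed (check failed)
    """
    if not trusted_port:
        return "drop"  # server messages are only accepted from trusted ports

    # Step A: is the IA address already in the binding table?
    if ipv6_addr in state.table:
        location = "table"
    # Step B: otherwise, is it in the binding cache?
    elif ipv6_addr in state.cache:
        location = "cache"
    else:
        return "forward-trusted"  # check failed: no binding to confirm

    # Step C: inspect the status code carried in the IA option
    if status_code == SUCCESS:
        if location == "cache":
            del state.cache[ipv6_addr]  # promote: binding cache -> binding table
        state.table[ipv6_addr] = lease_time  # update (or set) the lease time
        return "forward"

    # Non-success status: the address was not granted, drop the binding
    if location == "table":
        del state.table[ipv6_addr]
    else:
        del state.cache[ipv6_addr]
    return "removed"
```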
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
Related Commands
ipv6 dhcp snooping vlan (357)
ipv6 dhcp snooping trust (358)