C
HAPTER
25
| General Security Measures
DHCPv6 Snooping
– 911 –
ipv6 dhcp snooping This command enables DHCPv6 snooping globally. Use the no form to
restore the default setting.
SYNTAX
[no] ipv6 dhcp snooping
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
â—† Network traffic may be disrupted when malicious DHCPv6 messages are
received from an outside source. DHCPv6 snooping is used to filter
DHCPv6 messages received on an unsecure interface from outside the
network or fire wall. When DHCPv6 snooping is enabled globally by this
command, and enabled on a VLAN interface by the ipv6 dhcp snooping
vlan command, DHCP messages received on an untrusted interface (as
specified by the no ipv6 dhcp snooping trust command) from a device
not listed in the DHCPv6 snooping table will be dropped.
â—† When enabled, DHCPv6 messages entering an untrusted interface are
filtered based upon dynamic entries learned via DHCPv6 snooping.
â—† Table entries are only learned for trusted interfaces. Each entry
includes a MAC address, IPv6 address, lease time, binding type, VLAN
identifier, and port identifier.
â—† When DHCPv6 snooping is enabled, the rate limit for the number of
DHCPv6 messages that can be processed by the switch is 100 packets
per second. Any DHCPv6 packets in excess of this limit are dropped.
â—† Filtering rules are implemented as follows:
â–
If global DHCPv6 snooping is disabled, all DHCPv6 packets are
forwarded.
â–
If DHCPv6 snooping is enabled globally, and also enabled on the
VLAN where the DHCPv6 packet is received, DHCPv6 packets are
forwarded for a trusted port as described below.
â–
If DHCPv6 snooping is enabled globally, and also enabled on the
VLAN where the DHCP packet is received, but the port is not
trusted, DHCP packets are processed according to message type as
follows:
DHCP Client Packet
â–
Request: Update entry in binding cache, recording client’s
DHCPv6 Unique Identifier (DUID), server’s DUID, Identity
Association (IA) type, IA Identifier, and address (4 message
exchanges to get IPv6 address), and forward to trusted port.
To Next Page
Loading...
Need help?
General
