The addresses assigned to DHCPv6 clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCPv6 Snooping (or using the static bindings configured with IPv6 Source Guard). DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port.
Use the IP Service > DHCPv6 > Snooping (Configure Global) page to enable DHCPv6 Snooping globally on the switch, or to configure MAC Address Verification.
Enables DHCPv6 snooping globally. (Default: Disabled)
Enables the insertion of remote-id option 37 information into DHCPv6 client messages. Remote-id option information such as the port attached to the client, DUID, and VLAN ID is used by the DHCPv6 server to assign preassigned configuration data specific to the DHCPv6 client. (Default: Disabled)
DHCPv6 provides a relay mechanism for sending information about the switch and its DHCPv6 clients to the DHCPv6 server. Known as DHCPv6 Option 37, it allows compatible DHCPv6 servers to use the information when assigning IP addresses, or to set other services or policies for clients.
When DHCPv6 Snooping Information Option 37 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCPv6 request packets forwarded by the switch and in reply packets sent back from the DHCPv6 server.
When the DHCPv6 Snooping Option 37 is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCPv6 client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
DHCPv6 snooping must be enabled for the DHCPv6 Option 37 information to be inserted into packets. When enabled, the switch will either drop, keep or remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
If an incoming packet is a DHCPv6 request packet with option 37 information, the switch will handle the existing option 37 information according to the remote-id option policy configured below (drop, keep or replace).
If an incoming packet is a DHCPv6 request packet without option 37 information, enabling the DHCPv6 snooping information option will add option 37 information to the packet.
If an incoming packet is a DHCPv6 reply packet with option 37 information, enabling the DHCPv6 snooping information option will remove option 37 information from the packet.
Sets the remote-id option policy for DHCPv6 client packets that include Option 37 information.
When the switch receives DHCPv6 packets from clients that already include DHCPv6 Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch's relay agent information.
Drops the client's request packet instead of relaying it. (This is the default policy.)
Retains the Option 37 information in the client request, and forwards the packets to trusted ports.
Replaces the Option 37 remote-ID in the client's request with the relay agent's remote-ID (when DHCPv6 snooping is enabled), and forwards the packets to trusted ports.
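The packet-handling rules above (add option 37 to client requests that lack it, strip it from server replies, and apply the drop/keep/replace policy to client requests that already carry it) can be modelled as a small decision function. The following is an added illustration, not the switch's firmware: the packet and configuration classes, the policy names and the remote-id string format are assumptions made for the example; the real switch's encoding of the remote-id is not described on this page.

```python
"""Model of the DHCPv6 snooping Option 37 handling described on this page.
Added example (not vendor code); packet/config structures are assumptions."""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple

OPTION_REMOTE_ID = 37  # DHCPv6 Remote-ID option code (RFC 4649)

# Message types listed under the Statistics page, grouped by direction.
CLIENT_MSGS = {"Solicit", "Request", "Confirm", "Renew", "Rebind",
               "Decline", "Release", "Information-request"}
SERVER_MSGS = {"Advertise", "Reply", "Reconfigure"}


@dataclass
class Dhcp6Packet:
    msg_type: str
    options: Dict[int, str] = field(default_factory=dict)  # option code -> value


@dataclass
class SnoopConfig:
    snooping_enabled: bool = True     # global DHCPv6 snooping status
    option37_enabled: bool = True     # Information Option 37 insertion
    remote_id_policy: str = "drop"    # drop | keep | replace (drop is the default)


def relay_remote_id(port: str, vlan: int, duid: str) -> str:
    """Constructed remote-id carrying the port, VLAN and DUID (format is an assumption)."""
    return f"port={port};vlan={vlan};duid={duid}"


def process(pkt: Dhcp6Packet, cfg: SnoopConfig, port: str, vlan: int,
            duid: str) -> Tuple[str, Optional[Dhcp6Packet]]:
    """Return ("forward", packet) or ("drop", None) for one incoming DHCPv6 packet.

    The input packet is not mutated; a modified copy is returned when needed.
    """
    # Option 37 is only touched when snooping and the option are both enabled.
    if not cfg.snooping_enabled or not cfg.option37_enabled:
        return "forward", pkt

    out = replace(pkt, options=dict(pkt.options))

    if pkt.msg_type in CLIENT_MSGS:
        if OPTION_REMOTE_ID in out.options:
            # Client request already carries option 37: apply the remote-id policy.
            if cfg.remote_id_policy == "drop":
                return "drop", None
            if cfg.remote_id_policy == "keep":
                return "forward", out
            if cfg.remote_id_policy == "replace":
                out.options[OPTION_REMOTE_ID] = relay_remote_id(port, vlan, duid)
                return "forward", out
            raise ValueError(f"unknown remote-id policy: {cfg.remote_id_policy}")
        # Client request without option 37: insert the switch's remote-id.
        out.options[OPTION_REMOTE_ID] = relay_remote_id(port, vlan, duid)
        return "forward", out

    if pkt.msg_type in SERVER_MSGS:
        # Server reply: remove option 37 before forwarding toward the client.
        out.options.pop(OPTION_REMOTE_ID, None)
        return "forward", out

    # Relay-forward / Relay-reply and anything else pass through unchanged.
    return "forward", out


if __name__ == "__main__":
    cfg = SnoopConfig(remote_id_policy="replace")
    req = Dhcp6Packet("Solicit", {OPTION_REMOTE_ID: "spoofed-remote-id"})
    print(process(req, cfg, "Eth1/5", 10, "00:01:00:01:aa:bb"))
```

With the default "drop" policy, a client that injects its own Remote-ID has its request discarded, which is what prevents a host on an untrusted port from impersonating another port toward the server.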
Use the IP Service > DHCPv6 > Snooping (Configure VLAN) page to enable or disable DHCPv6 snooping on specific VLANs.
Command Usage
When DHCPv6 snooping is enabled globally and enabled on a VLAN, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN.
When DHCPv6 snooping is globally disabled, DHCPv6 snooping can still be configured for specific VLANs, but the changes will not take effect until DHCPv6 snooping is globally re-enabled.
When DHCPv6 snooping is enabled globally, and then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Parameters
ID of a configured VLAN.
Use the IP Service > DHCPv6 > Snooping (Configure Interface) page to configure switch interfaces as trusted or untrusted, and set the maximum number of entries which can be stored in the binding database for an interface.
Command Usage
A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
Set all interfaces connected to DHCPv6 servers within the local network or firewall to trusted, and all other interfaces outside the local network or firewall to untrusted.
When DHCPv6 snooping is enabled globally and enabled on a VLAN, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface.
When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
Additional considerations when the switch itself is a DHCPv6 client: the port(s) through which it submits a client request to the DHCPv6 server must be configured as trusted.
Parameters
Port or trunk identifier.
Enables or disables a port as trusted. (Default: Disabled)
Sets the maximum number of entries which can be stored in the binding database for an interface. (Range: 1-5; Default: 5)
Shows the maximum number of entries which can be stored in the binding database for an interface.
Use the IP Service > DHCPv6 > Snooping (Show Information - Binding) page to display entries in the binding table.
IPv6 link-layer address associated with the entry
IPv6 address corresponding to the client.
The time (number of seconds) for which this IPv6 address is leased to the client.
VLAN to which this entry is bound.
Port or trunk to which this entry is bound.
Entry types include:
NA - Non-temporary address.
TA - Temporary address.
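The binding table behaviour described across the VLAN and interface pages (a per-interface max-binding limit of 1 to 5, removal of a VLAN's dynamic bindings when snooping is disabled on that VLAN, removal of a port's bindings when it becomes trusted, and the ability to trace an IPv6 address back to a port) can be captured in a small model. This is an added example, not the switch's implementation; the class and method names, the field layout and the sample bindings are constructed for illustration.

```python
"""Model of the DHCPv6 snooping binding table described on this page.
Added example (not vendor code); names, fields and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Binding:
    link_layer: str   # client's link-layer (MAC) address
    ipv6: str         # IPv6 address leased to the client
    lifetime: int     # remaining lease time in seconds
    vlan: int         # VLAN to which the entry is bound
    port: str         # port or trunk to which the entry is bound
    entry_type: str   # "NA" (non-temporary) or "TA" (temporary)


class SnoopingBindingTable:
    MAX_BINDING_RANGE = range(1, 6)   # per-interface limit: 1-5, default 5

    def __init__(self) -> None:
        self.global_enabled = False            # global DHCPv6 snooping status
        self.snooping_vlans: Set[int] = set()  # VLANs with snooping enabled
        self.trusted_ports: Set[str] = set()   # all other ports are untrusted
        self.max_binding: Dict[str, int] = {}  # per-port limit, default 5
        self.entries: List[Binding] = []

    def set_max_binding(self, port: str, limit: int) -> None:
        if limit not in self.MAX_BINDING_RANGE:
            raise ValueError("max-binding must be in the range 1-5")
        self.max_binding[port] = limit

    def set_vlan_snooping(self, vlan: int, enabled: bool) -> None:
        if enabled:
            self.snooping_vlans.add(vlan)
            return
        self.snooping_vlans.discard(vlan)
        # Disabling snooping on a VLAN (while globally enabled) drops its bindings.
        if self.global_enabled:
            self.entries = [e for e in self.entries if e.vlan != vlan]

    def set_trusted(self, port: str, trusted: bool) -> None:
        if trusted:
            if port not in self.trusted_ports:
                # Untrusted -> trusted: dynamic bindings on that port are removed.
                self.entries = [e for e in self.entries if e.port != port]
            self.trusted_ports.add(port)
        else:
            self.trusted_ports.discard(port)

    def learn(self, b: Binding) -> bool:
        """Register a binding learned for a client on an untrusted port.

        Returns False when snooping is not active for the VLAN, the client port
        is trusted, or the port's max-binding limit is already reached.
        """
        if not self.global_enabled or b.vlan not in self.snooping_vlans:
            return False
        if b.port in self.trusted_ports:
            return False
        limit = self.max_binding.get(b.port, 5)
        if sum(1 for e in self.entries if e.port == b.port) >= limit:
            return False
        self.entries.append(b)
        return True

    def lookup_port(self, ipv6: str) -> Optional[str]:
        """Trace an IPv6 address back to the physical port it was learned on."""
        for e in self.entries:
            if e.ipv6 == ipv6:
                return e.port
        return None


if __name__ == "__main__":
    t = SnoopingBindingTable()
    t.global_enabled = True
    t.set_vlan_snooping(10, True)
    t.set_trusted("Eth1/24", True)   # uplink to the DHCPv6 server
    # constructed sample binding
    t.learn(Binding("00-11-22-33-44-55", "2001:db8:10::100", 3600, 10, "Eth1/1", "NA"))
    print(t.lookup_port("2001:db8:10::100"))
```

The limit check is what the page's max-binding parameter protects: a single untrusted port cannot fill the table with leases for many addresses, and the lookup is the address-to-port trace mentioned in the introduction.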
Removes all dynamically learned snooping entries from flash memory.
Use the IP Service > DHCPv6 > Snooping (Show Information - Statistics) page to display information on client, server, and relay packets.
Packet states include received, sent and dropped.
Includes Solicit, Request, Confirm, Renew, Rebind, Decline, Release and Information-request.
Includes Advertise, Reply, and Reconfigure.
Includes Relay-forward and Relay-reply.