DHCP Server Packet
If a DHCP server packet is received on an untrusted port, drop this
■
packet and add a log entry in the system.
If a DHCPv6 Reply packet is received from a server on a trusted port, it
■
will be processed in the following manner:
a.
Check if IPv6 address in IA option is found in binding table:
If yes, continue to C.
■
■
If not, continue to B.
b.
Check if IPv6 address in IA option is found in binding cache:
If yes, continue to C.
■
If not, check failed, and forward packet to trusted port.
■
c.
Check status code in IA option:
If successful, and entry is in binding table, update lease time
■
and forward to original destination.
If successful, and entry is in binding cache, move entry from
■
binding cache to binding table, update lease time and forward
to original destination.
Otherwise, remove binding entry. and check failed.
■
If a DHCPv6 Relay packet is received, check the relay message
■
option in Relay-Forward or Relay-Reply packet, and process
client and server packets as described above.
◆
If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
◆
Additional considerations when the switch itself is a DHCPv6 client – The port(s)
through which the switch submits a client request to the DHCPv6 server must
be configured as trusted (using the
that the switch will not add a dynamic entry for itself to the binding table when
it receives an ACK message from a DHCPv6 server. Also, when the switch sends
out DHCPv6 client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCPv6 server, any packets received from
untrusted ports are dropped.
Chapter 9
ipv6 dhcp snooping trust
– 323 –
| General Security Measures
DHCPv6 Snooping
command). Note