DHCP Server Packet
If a DHCP server packet is received on an untrusted port, drop this
■
packet and add a log entry in the system.
If a DHCPv6 Reply packet is received from a server on a trusted port, it
■
will be processed in the following manner:
A.
Check if IPv6 address in IA option is found in binding table:
If yes, continue to C.
■
■
If not, continue to B.
B.
Check if IPv6 address in IA option is found in binding cache:
If yes, continue to C.
■
If not, check failed, and forward packet to trusted port.
■
C.
Check status code in IA option:
If successful, and entry is in binding table, update lease time and
■
forward to original destination.
If successful, and entry is in binding cache, move entry from binding
■
cache to binding table, update lease time and forward to original
destination.
Otherwise, remove binding entry. and check failed.
■
If a DHCPv6 Relay packet is received, check the relay message option in
■
Relay-Forward or Relay-Reply packet, and process client and server
packets as described above.
◆
If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
◆
Additional considerations when the switch itself is a DHCPv6 client – The port(s)
through which the switch submits a client request to the DHCPv6 server must
be configured as trusted (using the
that the switch will not add a dynamic entry for itself to the binding table when
it receives an ACK message from a DHCPv6 server. Also, when the switch sends
out DHCPv6 client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCPv6 server, any packets received from
untrusted ports are dropped.
Chapter 8
ipv6 dhcp snooping trust
– 295 –
| General Security Measures
DHCPv6 Snooping
command). Note