DHCPv6 Snooping Configuration

Overview

Function Introduction

DHCPv6 snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCPv6 servers. The DHCPv6 snooping feature performs the following activities:

  • Validates DHCPv6 messages received from untrusted sources and filters out invalid messages.

  • Builds and maintains the DHCPv6 snooping binding database, which contains information about untrusted hosts with leased IPv6 addresses.

  • The DHCPv6 snooping feature is implemented in software. All DHCPv6 messages are intercepted in the chip and directed to the CPU for processing.

Principle Description

N/A

Configuration

Figure 1. DHCPv6 Snooping

This figure shows the network topology for testing DHCPv6 snooping functions. The test bed requires two PCs and one switch.

  • PC A is used as a DHCPv6 server.

  • PC B is used as a DHCPv6 client.

  • Switch A is used as a DHCPv6 Snooping device.

step 1 Enter the configure mode

Switch# configure terminal

step 2 Enter the vlan configure mode and create the vlan

Switch(config)# vlan database
Switch(config-vlan)# vlan 2
Switch(config-vlan)# exit

step 3 Enter the interface configure mode and set the attributes of the interface

Switch(config)# interface eth-0-11
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 2
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface eth-0-12
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 2
Switch(config-if)# dhcpv6 snooping trust
Switch(config-if)# no shutdown
Switch(config-if)# exit

step 4 Enable DHCPv6 snooping globally and set the attributes

Switch(config)# service dhcpv6 enable
Switch(config)# dhcpv6 snooping
Switch(config)# dhcpv6 snooping vlan 2

step 5 Exit the configure mode

Switch(config)# end

step 6 Validation

Check the interface configuration.

Switch# show running-config interface eth-0-12

!
interface eth-0-12
 switchport access vlan 2
 dhcpv6 snooping trust
!

Switch# show running-config interface eth-0-11

!
interface eth-0-11
 switchport access vlan 2
!

Check the dhcpv6 service status.

Switch# show services
Networking services configuration:
Service Name         Status
============================================================
dhcp                 disable
dhcpv6               enable

Show the DHCPv6 snooping configuration.

Switch# show dhcpv6 snooping config
dhcpv6 snooping service: enabled
dhcpv6 snooping switch: enabled
dhcpv6 snooping vlan 2

Show DHCPv6 snooping statistics.

Switch# show dhcpv6 snooping statistics
DHCPv6 snooping statistics:
============================================================
DHCPv6 packets                21
Packets forwarded             21
Packets invalid               0
Packets dropped               0

Show DHCPv6 snooping binding information.

Switch# show dhcpv6 snooping binding all
DHCPv6 snooping binding table:
VLAN MAC Address    Lease(s)   Interface  IPv6 Address
============================================================
2    0058.3fa1.7ed9 978        eth-0-11   2001:1000::2
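
One way to check the trust boundary this procedure sets up, as an added example (not the vendor's own code): the script parses running-config text and reports ports that are trusted without being a known server port, server ports left untrusted, and access VLANs with no snooping. It assumes eth-0-12 is the server-facing port and that the global commands from step 4 appear verbatim in the running configuration; the sample configuration, including eth-0-13, is constructed.

```python
import re

# Constructed sample, in the style of the page's `show running-config` output.
SAMPLE_CONFIG = """\
service dhcpv6 enable
dhcpv6 snooping
dhcpv6 snooping vlan 2
!
interface eth-0-11
 switchport access vlan 2
!
interface eth-0-12
 switchport access vlan 2
 dhcpv6 snooping trust
!
interface eth-0-13
 switchport access vlan 3
 dhcpv6 snooping trust
!
"""

def parse_config(text):
    """Split running-config text into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "!"):
            current = None                      # "!" closes a stanza
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        else:
            (global_lines if current is None else current).append(line)
    return global_lines, interfaces

def audit(text, expected_trusted):
    """Return findings about the DHCPv6 snooping trust boundary."""
    glob, ifaces = parse_config(text)
    findings = [f"global: '{cmd}' missing"
                for cmd in ("service dhcpv6 enable", "dhcpv6 snooping") if cmd not in glob]
    snoop_vlans = set(re.findall(r"^dhcpv6 snooping vlan (\d+)$", "\n".join(glob), re.M))
    for name, lines in sorted(ifaces.items()):
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
        trusted = "dhcpv6 snooping trust" in lines
        if trusted and name not in expected_trusted:
            findings.append(f"{name}: trusted, but not a known server port")
        if name in expected_trusted and not trusted:
            findings.append(f"{name}: server port is not trusted")
        if vlan and vlan not in snoop_vlans:
            findings.append(f"{name}: access VLAN {vlan} is not snooped")
    return findings
```

Calling `audit(SAMPLE_CONFIG, {"eth-0-12"})` returns two findings, both for the constructed eth-0-13 stanza; the configuration built in steps 1 to 5 returns none.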

Application cases

N/A