DSNOOPv6 enables network defenses for IPv6 on switches. It provides protection against network disruption by blocking unintended/rogue servers.

DSNOOPv6, when used with Dynamic IP Lockdown (DIPLD), provides network defense against source address spoofing. DHCPv6 Snooping (DSNOOPv6) also helps protect a network from unintended/rogue DHCP servers handing out IP address leases to hosts on the network. For example, a wireless access point with a DHCP server running by default hands out IP addresses to wired clients that fall under a different subnet.

In an IPv6 network, addresses are predominantly assigned via Router Advertisements (RA). However, RA is limited in its ability to provide all of the network configuration to hosts. By managing their networks with DHCP (v4/v6) servers, administrators can increase their network range and security. Since customer networks have both IPv4 and IPv6 configurations, enabling the DHCPv6 Snooping feature provides an additional level of network defense.

DSNOOPv6 operates similarly to DSNOOPv4. To decide which switch ports DHCPv6 packets are accepted from and forwarded to, the switch intercepts and examines the packets and validates their DHCPv6 protocol fields. The switch maintains the client IP address binding information in a binding table.
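
The port-trust decision and binding table described above, sketched as a simplified Python model (an added example, not switch firmware or vendor code). Port names, VLAN ids, DUIDs and addresses are constructed; the message type numbers are from RFC 8415, and the per-port source check stands in for what this page calls Dynamic IP Lockdown.

```python
import ipaddress

# DHCPv6 message types (RFC 8415) that only a server or relay should send.
SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}
REPLY, RELEASE = 7, 8

class SnoopingSwitch:
    """Simplified model; port names, VLAN ids and DUIDs are constructed."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client DUID -> (port, vlan) where its request arrived
        self.bindings = {}  # (port, vlan) -> set of leased IPv6 addresses

    def dhcp_packet(self, port, vlan, msg_type, duid, addr=None):
        """Return 'forward' or 'drop' for an intercepted DHCPv6 packet."""
        ip = ipaddress.ip_address(addr) if addr else None
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"  # server message on an untrusted port
            if msg_type == REPLY and ip and duid in self.pending:
                # Bind the lease to the port the client asked from.
                self.bindings.setdefault(self.pending[duid], set()).add(ip)
            return "forward"
        self.pending[duid] = (port, vlan)
        if msg_type == RELEASE and ip:
            # Only the port that owns the binding can remove it.
            self.bindings.get((port, vlan), set()).discard(ip)
        return "forward"

    def data_packet(self, port, vlan, src):
        """Source lockdown: untrusted ports may only use their bound addresses."""
        if port in self.trusted:
            return "forward"
        bound = self.bindings.get((port, vlan), set())
        return "forward" if ipaddress.ip_address(src) in bound else "drop"

def demo():
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    lease = "2001:db8:10::50"
    return [
        sw.dhcp_packet("p3", 10, 1, "duid-a"),            # SOLICIT from client
        sw.dhcp_packet("p7", 10, 2, "duid-a"),            # ADVERTISE, untrusted port
        sw.dhcp_packet("uplink", 10, 7, "duid-a", lease), # REPLY, trusted port
        sw.data_packet("p3", 10, "2001:DB8:10:0::50"),    # bound address, other spelling
        sw.data_packet("p5", 10, lease),                  # same address, wrong port
        sw.dhcp_packet("p5", 10, 8, "duid-x", lease),     # RELEASE from non-owner
        sw.data_packet("p3", 10, lease),                  # binding still present
    ]
```

Calling `demo()` returns the forward/drop decision for each constructed packet in order. Addresses are normalised before comparison so that two spellings of the same IPv6 address match the same binding.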


DIPLDv6 limits differ between switch platforms because of hardware limitations.