DSNOOPv6 enables network defenses for IPv6 on HP switches. It protects against network disruption by blocking unintended or rogue DHCPv6 servers.
DHCPv6 Snooping (DSNOOP) protects a network from unintended or rogue DHCP servers handing out IP address leases to hosts on the network. For example, a wireless access point whose built-in DHCP server is enabled by default may hand out IP addresses from a different subnet to wired clients. When used together with Dynamic IP Lockdown (DIPLD), DSNOOPv6 also provides a network defense against source address spoofing.
In an IPv6 network, addresses are predominantly assigned via Router Advertisements (RA). However, RA is limited in its ability to deliver all of the network configuration a host needs. By managing their networks with DHCP (v4/v6) servers, administrators can increase their network range and security. Since customer networks have both IPv4 and IPv6 configurations, enabling the DHCPv6 Snooping feature provides an additional level of network defense.
DSNOOPv6 operates similarly to DSNOOPv4. DHCPv6 packets are intercepted, examined and validated on their DHCPv6 protocol fields in order to decide which switch ports DHCPv6 packets are accepted from and which ports they are forwarded to. The switch maintains the client IP address binding information in a binding table.
NOTE: The DIPLDv6 limits will be different on different switch platforms due to hardware limitations.

IMPORTANT: DIPLDv6 support is not available for the following HP Switch-series: 2615 (J9565A) and 2915 (J9562A).
After you globally enable DHCPv6, use this command to enable DHCPv6 snooping on a VLAN or range of VLANs.
Syntax
Use this command to configure lease database transfer options for DHCPv6 snooping
Syntax
Use this command to configure the maximum number of binding addresses allowed per port. If you configure the max-bindings value before enabling DHCPv6 snooping, the limit you enter is applied immediately, and the bindings on the port are not allowed to exceed the max-bindings value. If you set the max-bindings value after enabling DHCPv6 snooping, the following occurs:
Syntax
Use this command to show DHCPv6 snooping information.
Syntax
Examples
The following example shows all available DHCPv6 snooping information.
HP Switch(config)# show dhcpv6 snooping

 DHCP Snooping Information

  DHCP Snooping        : Yes
  Enabled VLANs        : 1 13 16
  Remote-ID            : MAC
  Store Lease Database : Yes
    URL                : tftp://120.93.49.9/avi
    Read at boot       : no
    Write Delay        : 300
    Write Timeout      : 300
    File Status        : up-to-date
    Write Attempts     : 0
    Write Failures     : 0
    Last Successful File Update :

                       Max        Current Bindings
  Port   Trust      Bindings   Static     Dynamic
  _____  ______     ________   _______    _________
  1      Yes        -          -          -
  2      No         20         20         3
  4      No         3*         3          6
  4      No         543        231        10
  13     No         -          3          6
  48     Yes        -          -          -

Ports 3, 5-12 and 14-47 are untrusted. Note that show commands list only those ports that have bindings on them. Ports 3, 5, 6 and 8 are untrusted; they are not listed in the table because they do not have associated bindings.

The following example shows DHCPv6 snooping statistics.
HP Switch(config)# show dhcpv6 snooping stats

 Packet Type   Action    Reason                              Count
 ___________   ______    ______                              _____
 server        forward   from trusted port                   0
 client        forward   to trusted port                     0
 server        drop      received on validating port         0
 server        drop      unauthorized server                 0
 client        drop      destination on validating port      0
 client        drop      relay reply on validating port      0
 client        drop      bad DHCPv6 release request          0
 client        drop      failed verify MAC check             0
 client        drop      failed on max-binding limit         0
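The following model ties together the forwarding rules described at the top of this page (server messages accepted only from trusted ports, a per-port binding table, a max-bindings limit) with the drop and forward reasons reported by the statistics output above. It is an added example written for this page, not HP switch code: the port numbers, MAC addresses and IPv6 addresses are constructed, the check that a client message's Ethernet source address matches the link-layer address carried in the payload is the assumed meaning of "failed verify MAC check", and bindings are assumed to be installed when a REPLY from a trusted port names a client that was last seen on an untrusted port. Switch ports configured as trusted are assumed to bypass the client-side checks, as with DHCPv4 snooping.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Message types only a DHCPv6 server or relay should originate (RFC 8415 names).
SERVER_MSGS = {"ADVERTISE", "REPLY", "RECONFIGURE", "RELAY-REPLY"}
CLIENT_MSGS = {"SOLICIT", "REQUEST", "CONFIRM", "RENEW", "REBIND",
               "RELEASE", "DECLINE", "INFORMATION-REQUEST"}


@dataclass
class Message:
    port: int          # switch port the frame arrived on
    src_mac: str       # Ethernet source address of the frame
    msg_type: str      # DHCPv6 message type
    client_mac: str    # client link-layer address carried in the DHCPv6 payload
    addr: str = ""     # IPv6 address assigned (REPLY) or released (RELEASE)


@dataclass
class Port:
    trusted: bool = False
    max_bindings: Optional[int] = None           # None: no per-port limit
    static: set = field(default_factory=set)     # addresses bound by the administrator
    dynamic: dict = field(default_factory=dict)  # client MAC -> leased IPv6 address

    def bindings(self) -> int:
        return len(self.static) + len(self.dynamic)


class Dhcpv6Snooper:
    def __init__(self, ports: dict):
        self.ports = ports
        self.stats = Counter()   # (packet type, action, reason) -> count, as in the show output
        self.client_port = {}    # client MAC -> port it was last seen on (assumed mechanism)

    def _tally(self, kind, action, reason):
        self.stats[(kind, action, reason)] += 1
        return action, reason

    def process(self, m: Message):
        p = self.ports[m.port]
        if m.msg_type in SERVER_MSGS:
            # A server message on an untrusted port is a rogue server: drop it.
            if not p.trusted:
                return self._tally("server", "drop", "unauthorized server")
            if m.msg_type == "REPLY" and m.addr:
                self._install_binding(m)
            return self._tally("server", "forward", "from trusted port")
        if m.msg_type not in CLIENT_MSGS:
            raise ValueError(f"unknown DHCPv6 message type {m.msg_type}")
        if not p.trusted:
            if m.src_mac.lower() != m.client_mac.lower():
                return self._tally("client", "drop", "failed verify MAC check")
            if m.msg_type == "RELEASE":
                # Only the port holding the binding may release that address.
                if p.dynamic.get(m.client_mac) != m.addr:
                    return self._tally("client", "drop", "bad DHCPv6 release request")
                del p.dynamic[m.client_mac]
            elif (m.client_mac not in p.dynamic and p.max_bindings is not None
                  and p.bindings() >= p.max_bindings):
                return self._tally("client", "drop", "failed on max-binding limit")
        self.client_port[m.client_mac] = m.port
        return self._tally("client", "forward", "to trusted port")

    def _install_binding(self, m: Message):
        port_no = self.client_port.get(m.client_mac)
        if port_no is None:
            return
        p = self.ports[port_no]
        if (m.client_mac not in p.dynamic and p.max_bindings is not None
                and p.bindings() >= p.max_bindings):
            return   # the limit still holds even if a reply races the check
        p.dynamic[m.client_mac] = m.addr

    def binding_table(self) -> dict:
        """Ports that hold bindings, as (trusted, static count, dynamic count)."""
        return {no: (p.trusted, len(p.static), len(p.dynamic))
                for no, p in sorted(self.ports.items()) if p.bindings()}


def demo() -> Dhcpv6Snooper:
    """Run a constructed packet sequence through the model and return it."""
    snoop = Dhcpv6Snooper({
        1: Port(trusted=True),   # uplink towards the legitimate DHCPv6 server
        2: Port(max_bindings=1), # access port limited to one client
        3: Port(),               # access port without a limit
    })
    for m in [
        Message(2, "aa:aa:aa:00:00:01", "SOLICIT", "aa:aa:aa:00:00:01"),
        Message(1, "cc:cc:cc:00:00:01", "REPLY", "aa:aa:aa:00:00:01", "2001:db8::10"),
        Message(2, "aa:aa:aa:00:00:02", "SOLICIT", "aa:aa:aa:00:00:02"),    # over the limit
        Message(3, "bb:bb:bb:00:00:01", "SOLICIT", "bb:bb:bb:00:00:02"),    # MAC mismatch
        Message(3, "bb:bb:bb:00:00:03", "ADVERTISE", "bb:bb:bb:00:00:03"),  # rogue server
        Message(2, "aa:aa:aa:00:00:01", "RELEASE", "aa:aa:aa:00:00:01", "2001:db8::99"),
        Message(2, "aa:aa:aa:00:00:01", "RELEASE", "aa:aa:aa:00:00:01", "2001:db8::10"),
    ]:
        snoop.process(m)
    return snoop


if __name__ == "__main__":
    for key, count in sorted(demo().stats.items()):
        print(f"{key[0]:<8}{key[1]:<9}{key[2]:<32}{count}")
```

Running the script prints a table in the same shape as the statistics output above: one forwarded server reply, two forwarded client messages, and one drop each for the max-binding limit, the MAC check, the rogue server and the bad release.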