Configuring DHCPv6 Snooping
DHCPv6 Snooping Overview
- DHCPv6 Option 18 and DHCPv6 Option 37
- Limit the Number of DHCPv6 Clients
How to Configure DHCPv6 Snooping
Monitoring DHCPv6 Snooping
Configuration Example for DHCPv6 Snooping

Configuring DHCPv6 Snooping

DHCPv6 Snooping Overview

The DHCP Version 6 (DHCPv6) Snooping feature enhances security by recording IPv6 address obtained by monitoring DHCP messages. This feature allows a network administrator to compare the IPv6 address obtained when the user browses the internet, to the IPv6 addresses in the DHCPv6 server and confirm a user's identity by looking at the MAC address associated to the IPv6 address.

DHCPv6 snooping requires configuring a port as trusted or untrusted. Trusted ports connect to either DHCP servers or ports of other devices in the network. Untrusted ports connect to either DHCP clients or other networks. A DHCPv6 snooping-enabled device monitors and validates the DHCPv6 messages that it receives. Untrusted ports drop the DHCPv6-reply and DHCPv6-advertise messages that are received from DHCP servers. Trusted ports forward the received DHCP messages to the correct IPv6 address.

DHCPv6 Option 18 and DHCPv6 Option 37

A DHCPv6 relay agent is used to relay messages between the client and the server.

The DHCPv6 allows configuring a relay agent with the following two options:

The interface-ID option or also known as Option 18 allows a relay agent to send the interface ID to identify the port which has received the information from client side. If a relay agent receives a RELAY-RELAY packet that contains also the interface ID, the relay agent relays this information to client side through the interface enabled with the interface-ID option.
The remote-ID option or also known as Option 37 allows a relay device to include either the hostname or the IPv4 or IPv6 address of the relay device during transmission.

Limit the Number of DHCPv6 Clients

A DHCPv6 server addresses can be exhausted if a network attacker requests multiple IPv6 addresses disguised as multiple users. To avoid this, you can limit the number of DHCPv6 clients with any of the following methods:

Limit the number of DHCPv6 clients access to a device's physical port: In this case, an attack will be restricted to a physical port and not the whole network.
Limit the number of DHCPv6 clients access to a specific VLAN: In this case, an attack will be restricted to the attacker and the users connected in the same VLAN rather than the entire network.

How to Configure DHCPv6 Snooping

The following sections provide configuration information about DHCPv6 snooping.

Configure DHCPv6 Snooping

To configure DHCPv6 snooping, perform this procedure:

Procedure

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device#configure terminal`	Enters global configuration mode.
Step 3	dhcpv6-snooping Example: `Device(config)#dhcpv6-snooping`	Enables DHCPv6 snooping on the device.
Step 4	interface ethernet `port/slot` Example: `Device(config)#interface ethernet 1/1`	Enters interface configuration mode.
Step 5	dhcpv6-snooping trust Example: `Device(config-if)#dhcp-snooping trust`	Specifies the port that is connected to the DHCPv6 server as a trusted port.

Configuring Link-Down Operation

When a link in the network goes down, you can configure the device to remove the corresponding entry in the binding database.

To configure link-down operation, perform this procedure:

Procedure

Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal

Enters global configuration mode.

Step 3

dhcpv6-snooping port-down-action fast-remove

Example:

Device(config)#dhcpv6-snooping port-down-action fast-remove

(Optional) Configures the link-down operation on the port.

Limit DHCPv6-Client Number Accessed to the Port

To limit the number of DHCPv6 client access to a port, perform this procedure:

Procedure

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step 2	configure terminal Example: `Device#configure terminal`	Enters global configuration mode.
Step 3	interface ethernet `port/slot` Example: `Device(config)#interface ethernet 1/1`	Enters interface configuration mode.
Step 4	dhcpv6-snooping max-clients `client_number` Example: `Device(config-if-ethernet-1/1)#dhcpv6-snooping max-clients`	(Optional) Configures the numbers of DHCPv6 clients accessed to physical port according to network status. `client_number` : The range must be from 0 to 2048.
Step 5	exit Example: `Device(config-if-ethernet-1/1)#exit`	Exits interface configuration mode. `client_number` : The range must be from 0 to 2048.
Step 6	vlan `vlan list` Example: `Device(config-if-vlan)#vlan 11`	Creates a VLAN for a single port or a list of ports..
Step 7	dhcpv6-snooping max-clients `client_number` Example: `Device(config-if-vlan)#dhcpv6-snooping max-clients`	Configures the numbers of DHCPv6 clients accessed to physical port according to network status. `client_number` : The range must be from 0 to 2048.

Configure DHCPv6 Option

To configure DHCPv6 option, perform this procedure:

Procedure

Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal

Enters global configuration mode.

Step 3

dhcpv6-snooping information option {18 | 37}

Example:

Device(config)#dhcpv6-snooping information option 18

Enables DHCPv6 snooping on the device.

18 : Enables DHCPv6 option 18.
37 : Enables DHCPv6 option 37.

Monitoring DHCPv6 Snooping

Use the following commands to monitor DHCPv6 snooping

Table 1. Commands to Monitor DHCPv6 Snooping
Command	Purpose
show dhcpv6-snooping clients	Displays the correspondence between IPV6 addresses and MAC addresses recorded by DHCPv6 Snooping.
show dhcpv6-snooping {interface \| vlan}	On an interface: Displays the DHCPv6 snooping state, the trusted port information, the number of DHCPv6 clients allowed on the physical port, and the number of currently connected DHCPv6 clients. On a VLAN: Display the DHCPv6 snooping state and the number of DHCPv6 clients that belong to the specified VLAN.

Configuration Example for DHCPv6 Snooping

This example shows how to configure DHCPv6 Snooping on a device whose ethernet 1/1 interface is connected to the DHCPv6 Server and ethernet 1/2 interface is connected to the DHCPv6 client. It sets ethernet 1/1 port as a trusted port.

Device# configure terminal
Device(config)# dhcpv6-snooping

Device(config)# interface ethernet 1/1
Device(config-if-ethernet-1/1)# dhcpv6-snooping trust

This example shows how to configure DHCPv6 option 18 on a device.

Device# configure terminal
Device(config)# dhcpv6-snooping
Device(config)# dhcpv6-snooping information option 18

OLT Network Configuration, Cisco Catalyst PON Series Switches

Bias-Free Language

Results

Chapter: Configuring DHCPv6 Snooping

Configuring DHCPv6 Snooping

DHCPv6 Snooping Overview

DHCPv6 Option 18 and DHCPv6 Option 37

Limit the Number of DHCPv6 Clients

How to Configure DHCPv6 Snooping

Configure DHCPv6 Snooping

Procedure

Example:

Example:

Example:

Example:

Example:

Configuring Link-Down Operation

Procedure

Example:

Example:

Example:

Limit DHCPv6-Client Number Accessed to the Port

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configure DHCPv6 Option

Procedure

Example:

Example:

Example:

Monitoring DHCPv6 Snooping

Configuration Example for DHCPv6 Snooping

Was this Document Helpful?

Contact Cisco