IPv6 DHCP Snooping Interface Configuration

Use the IPv6 DHCP Snooping Interface Configuration page to view and configure the IPv6 DHCP (Dynamic Host Configuration Protocol) snooping settings for each interface. The IPv6 DHCP snooping feature processes incoming DHCPv6 messages.

For RELEASE and DECLINE messages, the feature compares the receive interface and VLAN with the client's interface and VLAN in the binding database. If the interfaces do not match, the application logs the event (when logging of invalid packets is enabled) and drops the message. If MAC address validation is globally enabled, messages that pass the initial validation are checked to verify that the source MAC address and the DHCPv6 client hardware address match. Where there is a mismatch, IPv6 DHCP snooping logs the event (when logging of invalid packets is enabled) and drops the packet. To change the IPv6 DHCP Snooping settings for one or more interfaces, select each entry to modify and click Edit. The same settings are applied to all selected interfaces.

To access this page, click Switching > IPv6 DCHP Snooping > Base > Interface Configuration in the navigation menu.

Click to expand in new window

IPv6 DHCP Snooping Interface Configuration Fields

Field Description
Interface The interface associated with the rest of the data in the row. When configuring the settings for one or more interfaces, this field identifies each interface that is being configured.
Trust State The trust state configured on the interface. The trust state is one of the following:
  • Disabled: The interface is considered to be untrusted and could potentially be used to launch a network attack. DHCPv6 server messages are checked against the bindings database. On untrusted ports, IPv6 DHCP snooping enforces the following security rules:
    • DHCPv6 packets from a DHCPv6 server (ADVERTISE, REPLY, and RECONFIGURE) are dropped.
    • RELEASE and DECLINE messages are dropped if the MAC address is in the snooping database but the binding's interface is other than the interface where the message was received.
    • DHCPv6 packets are dropped when the source MAC address does not match the client hardware address if MAC Address Validation is globally enabled.
  • Enabled: The interface is considered to be trusted and forwards DHCPv6 server messages without validation.
Log Invalid Packets The administrative mode of invalid packet logging on the interface. When enabled, the IPv6 DHCP snooping feature generates a log message when an invalid packet is received and dropped by the interface.
Rate Limit (pps) The rate limit value for DHCPv6 packets received on the interface. To prevent DHCPv6 packets from being used as a DoS attack when IPv6 DHCP snooping is enabled, the snooping application enforces a rate limit for DHCPv6 packets received on untrusted interfaces. If the incoming rate of DHCPv6 packets exceeds the value of this object during the amount of time specified for the burst interval, the port will be shut down. You must administratively enable the port to allow it to resume traffic forwarding.
Burst Interval (Seconds) The burst interval value for rate limiting on this interface. If the rate limit is unspecified, then burst interval has no meaning.

If you change any of the parameters, click Submit to apply the changes to the system. If you want the switch to retain the new values across a power cycle, you must save the configuration.

Click Refresh to refresh the page with the most current data from the switch.