Commands for DHCPv6 Snooping

7.6 Commands for DHCPv6 Snooping

7.6.1 clear ipv6 dhcp snooping binding

Command: clear ipv6 dhcp snooping binding {<MAC> | <ipv6 address> | interface {ethernet <IFNAME> | port-channel <IFNAME> | <IFNAME>} | all}
Function: Clear DHCPv6 snooping binds.
Parameters:

  • <MAC>: delete the bind for a specific MAC address.
  • <ipv6 address>: delete the bind for a specific IPv6 address.
  • <IFNAME>: port name.
  • all: delete all DHCPv6 Snooping binds.

Command mode: Admin Mode
Default: None.
Usage guide: Delete the dynamic DHCPv6 Snooping bind information of one port or of all ports.
Example: Clear all DHCPv6 snooping dynamic binds.

active500EM#clear ipv6 dhcp snooping binding all

 

7.6.2 debug ipv6 dhcp snooping binding

Command: debug ipv6 dhcp snooping binding
Function: Debug DHCPv6 snooping bind information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Display the DHCPv6 snooping bind processing information including: create/delete the bind.
Example: Enable debug DHCPv6 Snooping bind information.

active500EM#debug ipv6 dhcp snooping binding
%Jan 16 02:25:14 2006 DHCP6SNP BINDING: Do binding info from client 00-19-e0-3f-d1-83,
interface Ethernet1/0/11, type 1, transaction-ID 3873
%Jan 16 02:25:14 2006 DHCP6SNP BINDING: Create new binding.
%Jan 16 02:25:14 2006 DHCP6SNP BINDING: Do binding info from client 00-00-00-11-22-33,
interface Ethernet1/0/2, type 2, transaction-ID 3873
%Jan 16 02:25:14 2006 DHCP6SNP BINDING: release binding :: MAC 00-19-e0-3f-d1-83 on default Ethernet1/0/11
%Jan 16 02:25:16 2006 DHCP6SNP BINDING: Do binding info from client 00-19-e0-3f-d1-83,
interface Ethernet1/0/11, type 3, transaction-ID 30305
%Jan 16 02:25:16 2006 DHCP6SNP BINDING: Create new binding.
%Jan 16 02:25:16 2006 DHCP6SNP BINDING: Do binding info from client 00-00-00-11-22-33,
interface Ethernet1/0/2, type 7, transaction-ID 30305

 

7.6.3 debug ipv6 dhcp snooping event

Command: debug ipv6 dhcp snooping event
Function: Debug DHCPv6 Snooping event information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Enable this command to show the processing information of the events for DHCPv6 Snooping. The events shown include sending/deleting the security policy events (black hole MAC, port shutdown/no shutdown) and the error prompt.
Example: Enable debug DHCPv6 Snooping event information.

active500EM#debug ipv6 dhcp snooping event
%Jan 16 02:25:14 2006 DHCP6SNP EVENT: add blackhole 00-19-e0-3f-d1-83 on interface Ethernet1/0/13
%Jan 16 02:35:15 2006 DHCP6SNP EVENT: delete blackhole 00-19-e0-3f-d1-83 on interface Ethernet1/0/13

 

7.6.4 debug ipv6 dhcp snooping packet

Command: debug ipv6 dhcp snooping packet
Function: Debug DHCPv6 Snooping packet information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: The DHCPv6 Snooping packet processing information includes the type of the received packets, the source and destination MAC of the packets, client DUID, IA address, preferred lifetime, valid lifetime, and packets dropped.
Example: Enable debug DHCPv6 snooping packet information.

active500EM#debug ipv6 dhcp snooping packet
%Jan 16 02:18:01 2006 DHCP6SNP EVENT: Parse packet SOLICIT from fe80::219:e0ff:fe3f:d183
src MAC 00-19-e0-3f-d1-83 interface Ethernet1/0/11 vlan 1
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: Receive DHCPv6 packet SOLICIT from fe80::219:e0ff:fe3f:d183
src MAC 00-19-e0-3f-d1-83, dst MAC 33-33-00-01-00-02,
interface Ethernet1/0/11 vlan 1,
transaction-ID 2469, smac host flag 0, dmac host flag 0
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: Forward packet SOLICIT (protocol 0x819)
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: to vlan 1 except port Ethernet1/0/11 (designPort flag 0)
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: and return packet to network stack
%Jan 16 02:18:01 2006 DHCP6SNP EVENT: Parse packet ADVERTISE from fe80::200:ff:fe11:2233
src MAC 00-00-00-11-22-33 interface Ethernet1/0/2 vlan 1
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: Receive DHCPv6 packet ADVERTISE from fe80::200:ff:fe11:2233
src MAC 00-00-00-11-22-33, dst MAC 00-19-e0-3f-d1-83,
interface Ethernet1/0/2 vlan 1,
transaction-ID 2469, smac host flag 1, dmac host flag 0
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: Forward packet ADVERTISE (protocol 0x819)
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: to exact port Ethernet1/0/11 (designPort flag 1)
%Jan 16 02:18:03 2006 DHCP6SNP EVENT: Parse packet REQUEST from fe80::219:e0ff:fe3f:d183
src MAC 00-19-e0-3f-d1-83 interface Ethernet1/0/11 vlan 1
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: Receive DHCPv6 packet REQUEST from fe80::219:e0ff:fe3f:d183
src MAC 00-19-e0-3f-d1-83, dst MAC 33-33-00-01-00-02,
interface Ethernet1/0/11 vlan 1,
transaction-ID 16424, smac host flag 0, dmac host flag 0
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: Forward packet REQUEST (protocol 0x819)
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: to vlan 1 except port Ethernet1/0/11 (designPort flag 0)
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: and return packet to network stack
%Jan 16 02:18:03 2006 DHCP6SNP EVENT: Parse packet REPLY from fe80::200:ff:fe11:2233
src MAC 00-00-00-11-22-33 interface Ethernet1/0/2 vlan 1
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: Receive DHCPv6 packet REPLY from fe80::200:ff:fe11:2233
src MAC 00-00-00-11-22-33, dst MAC 00-19-e0-3f-d1-83,
interface Ethernet1/0/2 vlan 1,
transaction-ID 16424, smac host flag 1, dmac host flag 0
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: Forward packet REPLY (protocol 0x819)
%Jan 16 02:18:03 2006 DHCP6SNP PACKET: to exact port Ethernet1/0/11 (designPort flag 1)
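
The following is an added example, not part of the original manual or the vendor's tooling: a Python parser for captured `debug ipv6 dhcp snooping packet` output that re-joins the wrapped records and reports server messages (ADVERTISE, REPLY) received on ports outside an operator-supplied trusted set. The function names, the trusted-port set, and the third sample record (MAC 00-00-5e-00-53-01 on Ethernet1/0/13) are assumptions constructed for illustration.

```python
import re

# Server-to-client message types visible in the page's debug output (assumed set).
SERVER_TYPES = {"ADVERTISE", "REPLY"}

RECEIVE_RE = re.compile(
    r"PACKET: Receive DHCPv6 packet (?P<type>\S+) from (?P<src_ip>\S+)\s+"
    r"src MAC (?P<smac>[0-9a-fA-F-]{17}), dst MAC (?P<dmac>[0-9a-fA-F-]{17}),\s+"
    r"interface (?P<ifname>\S+) vlan (?P<vlan>\d+),\s+transaction-ID (?P<xid>\d+)"
)

def join_records(text):
    """Re-join wrapped output: a record starts with '%', other lines continue it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("%") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def server_packets_on_untrusted(text, trusted_ports):
    """Return parsed Receive records for server messages seen on non-trusted ports."""
    hits = []
    for record in join_records(text):
        m = RECEIVE_RE.search(record)
        if m and m["type"] in SERVER_TYPES and m["ifname"] not in trusted_ports:
            hits.append(m.groupdict())
    return hits

# First two records are from the page; the third is constructed for illustration.
SAMPLE = """\
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: Receive DHCPv6 packet SOLICIT from fe80::219:e0ff:fe3f:d183
src MAC 00-19-e0-3f-d1-83, dst MAC 33-33-00-01-00-02,
interface Ethernet1/0/11 vlan 1,
transaction-ID 2469, smac host flag 0, dmac host flag 0
%Jan 16 02:18:01 2006 DHCP6SNP PACKET: Receive DHCPv6 packet ADVERTISE from fe80::200:ff:fe11:2233
src MAC 00-00-00-11-22-33, dst MAC 00-19-e0-3f-d1-83,
interface Ethernet1/0/2 vlan 1,
transaction-ID 2469, smac host flag 1, dmac host flag 0
%Jan 16 02:18:02 2006 DHCP6SNP PACKET: Receive DHCPv6 packet ADVERTISE from fe80::200:5eff:fe00:5301
src MAC 00-00-5e-00-53-01, dst MAC 00-19-e0-3f-d1-83,
interface Ethernet1/0/13 vlan 1,
transaction-ID 2469, smac host flag 0, dmac host flag 0
"""
```

Calling `server_packets_on_untrusted(SAMPLE, {"Ethernet1/0/2"})` returns only the constructed record on Ethernet1/0/13; the trusted set would normally be taken from the `trust attribute` field of `show ipv6 dhcp snooping interface`.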

 

7.6.5 ipv6 dhcp snooping action

Command: ipv6 dhcp snooping action {shutdown | blackhole} [recovery <second>]
no ipv6 dhcp snooping action
Function: After an error is detected by DHCPv6 snooping, this command configures the action and the duration on the port. The no command cancels the configuration.
Parameters:

  • shutdown | blackhole: after DHCPv6 Snooping receives the DHCPv6 response packet from a non-trusted port, this action is taken.
  • <second>: duration between the action execution and recovery. The valid range is from 1 to 3600.

Command mode: Port Mode
Default: There is no user-defined action. The default action is not recovered and there is no recovery time.
Usage guide: Set the user-defined action for non-trusted port. If the security policy changes, clear the security policy sent to the hardware.
Example: Set the user-defined action for a non-trusted port.

active500EM(config-if-ethernet1/0/1)#ipv6 dhcp snooping action shutdown recovery 100

 

7.6.6 ipv6 dhcp snooping action MaxNum

Command: ipv6 dhcp snooping action {<max-num> | default}
Function: After an error is detected by DHCPv6 snooping, set the maximum number of blackhole MACs on each non-trusted port.
Parameters:

  • <max-num>: The maximum number of blackhole MACs that can be sent after DHCPv6 snooping receives the DHCPv6 response packet from a non-trusted port. The valid range is from 1 to 200.

Command mode: Global Mode
Default: Limit blackhole MAC to 10.
Usage guide: Sets the maximum number of the blackhole MAC to avoid switch resource exhaustion caused by attacks. If the number of alarms is larger than the set value, then the earliest blackhole MAC will be recovered while the new blackhole MAC takes effect.
Example: After the error is detected by DHCPv6 Snooping, set the maximum number of blackhole MACs as 100 on each non-trusted port.

active500EM(config)#ipv6 dhcp snooping action 100

 

7.6.7 ipv6 dhcp snooping binding enable

Command: ipv6 dhcp snooping binding enable
no ipv6 dhcp snooping binding enable
Function: Enable the DHCPv6 Snooping binding function globally. The no command disables the function.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: Enabling the DHCPv6 snooping binding function to monitor the DHCPv6 packets allows the establishment of DHCPv6 snooping binding. This command limits the dynamic and static binding. After disabling global DHCPv6 snooping, the device stops establishing the bind according to DHCPv6 packets.
Example: Establish DHCPv6 snooping binding according to DHCPv6 reply packets.

active500EM(config)#ipv6 dhcp snooping binding enable

 

7.6.8 ipv6 dhcp snooping binding nd

Command: ipv6 dhcp snooping binding nd
no ipv6 dhcp snooping binding nd
Function: Globally enable the function that DHCPv6 snooping binds ND. The no command disables the function.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: After this function is globally enabled, send static ND while setting up DHCPv6 snooping binding and convert already existing DHCPv6 snooping binding into static ND entry. After disabling global DHCPv6 snooping, the static ND entries will not be set according to DHCPv6 snooping binding. All the corresponding static ND entries set by DHCP snooping binding will be deleted.
Example: Send the static ND entries according to the DHCPv6 snooping bind.

active500EM(config)#ipv6 dhcp snooping binding nd

 

7.6.9 ipv6 dhcp snooping binding user

Command: ipv6 dhcp snooping binding user <MAC> address <ipv6-address> vlan <vid> interface [ethernet | port-channel] <ifname>
no ipv6 dhcp snooping binding user <MAC-address>
Function: Users set the static binding entries. The no command deletes the list entry.
Parameters:

  • <MAC>: MAC address
  • <ipv6-address>: IPv6 address.
  • <vid>: VLAN ID. The valid range is from 1 to 4094.
  • <ifname>: access interface of the statically bound user.

Command mode: Global Mode
Default: No static list entry.
Usage guide: Add the static list entry to the bind table. For DHCPv6 snooping binding data, the MAC address and IPv6 address cannot be in conflict. Static bind data can cover dynamic bind data, but cannot be covered by it. The port name is the name of a Port-Channel or Ethernet port; a Port-Channel may be specified, and the validity of the Port-Channel name is checked. The command cannot configure an Ethernet port that does not exist. In addition, the MAC and IPv6 address must be valid: the MAC must be a unicast MAC, and the IPv6 address cannot be a link-local, loopback, or multicast address. If the port exists, it must belong to the VLAN specified by vid. The static bind command can be set only after DHCPv6 Snooping and DHCPv6 snooping binding are enabled.
Example: Set up DHCPv6 snooping static binding.

active500EM(config)#ipv6 dhcp snooping binding user mac 00-03-0F-01-02-03 address 2010::10 vlan 10 interface ethernet 1/0/13
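
The following is an added example, not part of the original manual: a Python pre-check that applies the validity rules from the usage guide above (unicast MAC; no link-local, loopback, or multicast IPv6 address; VLAN ID 1 to 4094) to a batch of static bindings before they are typed into the switch. Treating "cannot be in conflict" as "no MAC or IPv6 address appears twice in the batch" is an assumption, as are the function names and all sample entries except the first.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

def check_binding(mac, addr, vid):
    """Return (errors, parsed_ip) for one entry; parsed_ip is None if unparsable."""
    errors, ip = [], None
    if not MAC_RE.match(mac):
        errors.append("MAC not in xx-xx-xx-xx-xx-xx form")
    elif int(mac[:2], 16) & 1:          # group bit set: multicast/broadcast
        errors.append("MAC is not unicast")
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        errors.append("invalid IPv6 address")
    else:
        for kind in ("link_local", "loopback", "multicast"):
            if getattr(ip, "is_" + kind):
                errors.append("IPv6 address is " + kind.replace("_", " "))
    if not 1 <= vid <= 4094:
        errors.append("VLAN ID outside 1-4094")
    return errors, ip

def check_batch(entries):
    """Map entry index -> errors, also flagging a MAC or address reused in the batch."""
    report, seen_mac, seen_ip = {}, set(), set()
    for i, (mac, addr, vid) in enumerate(entries):
        errors, ip = check_binding(mac, addr, vid)
        if mac.lower() in seen_mac:
            errors.append("MAC already bound in this batch")
        if ip is not None and ip in seen_ip:
            errors.append("IPv6 address already bound in this batch")
        seen_mac.add(mac.lower())
        seen_ip.add(ip)
        if errors:
            report[i] = errors
    return report

# Constructed entries; the first is the page's own example binding.
ENTRIES = [
    ("00-03-0F-01-02-03", "2010::10", 10),
    ("01-00-5E-00-00-01", "2010::11", 10),      # multicast MAC
    ("00-03-0F-01-02-04", "fe80::1", 10),       # link-local address
    ("00-03-0F-01-02-05", "2010:0::10", 4095),  # same address as entry 0, bad VLAN
]
```

`check_batch(ENTRIES)` passes entry 0 and reports entries 1 to 3; addresses are compared after parsing, so `2010:0::10` is recognised as the same address as `2010::10`.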

 

7.6.10 ipv6 dhcp snooping binding user-control

Command: ipv6 dhcp snooping binding user-control
no ipv6 dhcp snooping binding user-control
Function: Enable the DHCPv6 snooping binding user-access-control function. The no command disables the function.
Parameters: None.
Command mode: Port Mode
Default: Disabled.
Usage guide: The global DHCPv6 snooping function must be enabled first in order to enable the user-access-control function. This command cannot be configured under Port-Channel mode. The no command clears all DHCPv6 Snooping user-access-control rules on the port. However, binds are not deleted.
Example: Enable the user-access-control function which is bound by DHCPv6 Snooping.

active500EM(config-if-ethernet1/0/1)#ipv6 dhcp snooping binding user-control

 

7.6.11 ipv6 dhcp snooping binding-limit

Command: ipv6 dhcp snooping binding-limit <max-num>
no ipv6 dhcp snooping binding-limit
Function: Set the maximum dynamic bind number which is allowed to be set on the port for DHCPv6 snooping. The no command will not limit the number of dynamic binds on the port.
Parameters:

  • <max-num>: maximum number of dynamic binds the port allows to be set. The valid range is from 1 to 100.

Command mode: Port Mode
Default: No limitation.
Usage guide: When the limitation number is modified to a smaller value, the redundant dynamic binds will be deleted. The aged and interim binds will be deleted first. The static binds, which are created through the user configuration, are not limited in number.
Example: Set the allowed maximum dynamic bind number to 10.

active500EM(config-if-ethernet1/0/1)#ipv6 dhcp snooping binding-limit 10

 

7.6.12 ipv6 dhcp snooping enable

Command: ipv6 dhcp snooping enable
no ipv6 dhcp snooping enable
Function: Enable DHCPv6 snooping globally. The no command disables the function.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: After enabling the DHCPv6 Snooping function globally, DHCPv6 snooping can be configured in a port. The DHCPv6 packets of all ports cannot be forwarded directly and are copied to the CPU to be processed and forwarded by DHCPv6 snooping. After disabling the global DHCPv6 snooping function and all port functions of DHCPv6 snooping, the DHCPv6 packets are forwarded directly and do not need to be copied to the CPU. DHCPv6 snooping will no longer process DHCPv6 packets.
Example: Enable the monitoring function of DHCPv6 snooping globally.

active500EM(config)#ipv6 dhcp snooping enable

 

7.6.13 ipv6 dhcp snooping trust

Command: ipv6 dhcp snooping trust
no ipv6 dhcp snooping trust
Function: Set the port to a trusted port. The no command sets the port to a non-trusted port.
Parameters: None.
Command mode: Port Mode
Default: Non-trusted port.
Usage guide: When a port turns into a trusted port from a non-trusted port, the original security policy of the port will be deleted. This clears all blackhole MAC or other security configurations. This command allows DHCPv6 responding packets of this port to be forwarded. When a port turns into a non-trusted port from a trusted port, the DHCPv6 responding packets will not be forwarded and will be dropped.
Example: Set the port as a trusted port.

active500EM(config-if-ethernet1/0/1)#ipv6 dhcp snooping trust

 

7.6.14 show ipv6 dhcp snooping binding

Command: show ipv6 dhcp snooping binding {<MAC> | <ipv6-address> | interface [ethernet | port-channel] <ifname> | all}
Function: Show the DHCPv6 Snooping bind information.
Parameters:

  • <MAC>: specific MAC address.
  • <ipv6-address>: specific IPv6 address.
  • <ifname>: port ID.
  • all: all DHCPv6 snooping binding.

Command mode: Any Mode
Default: None.
Usage guide: Displays the specified (one port or all ports) DHCPv6 snooping bind information.
Example: Display DHCPv6 snooping bind information.

active500EM(config)#show ipv6 dhcp snooping binding all
DHCPv6 Snooping is enabled
DHCPv6 Snooping binding count 1, static binding 0
MAC                  IPv6 address   Interface       Vlan ID    State
-----------------------------------------------------------------------------------
00-19-e0-3f-d1-83    2001::100      Ethernet1/0/13     1       DHCPv6-BOUND

 

7.6.15 show ipv6 dhcp snooping interface

Command: show ipv6 dhcp snooping interface [ethernet | port-channel] <ifname>
Function: Display the DHCPv6 Snooping current port configuration.
Parameters: <ifname>: port name.
Command mode: Any Mode.
Default: None.
Usage guide: This command displays the port information. The information displayed includes related configuration and detailed bind data and warning data.
Example: Display the current DHCPv6 snooping port configuration.

active500EM(config)#show ipv6 dhcp snooping interface ethernet 1/0/13
interface Ethernet1/0/13 user config:
trust attribute: untrust
action: none
binding user control: disabled
recovery interval: infinite
Alarm info: 0
Dynamic binding info: 1
---------------------------------------------------------
DHCPv6 Snooping Binding built at MON JAN 16 02:40:29 2006
      Time Stamp: 5634
      Vlan: 1, Port: Ethernet1/0/13
      Client MAC: 00-19-e0-3f-d1-83
      Client IPv6 addr: 2001::200
      Lease: 259200(s)
      Flag: Dynamic
Static Binding info: 0

 

