IPv6 Network Defense

DSNOOPv6 and DIPLDv6

DSNOOPv6 enables network defenses for IPv6 on HP switches. It provides protection against network disruption by blocking unintended/rogue DHCPv6 Servers.

DSNOOPv6, when used with Dynamic IP Lockdown (DIPLD), provides network defense against source address spoofing. For example, a wireless access point with a DHCP server enabled by default may hand out IP addresses from a different subnet to wired clients. DHCPv6 Snooping (DSNOOP) helps protect a network from unintended or rogue DHCP servers handing out IP address leases to hosts on the network.

In an IPv6 network, addresses are predominantly assigned via Router Advertisements (RA). However, RA is limited in its ability to deliver the full network configuration to hosts. By managing their networks with DHCP (v4/v6) servers, administrators can increase their network range and security. Since customer networks have both IPv4 and IPv6 configurations, enabling the DHCPv6 snooping feature provides an additional level of network defense.

DSNOOPv6 operates similarly to DSNOOPv4. DHCPv6 packets are intercepted, examined, and validated on their DHCPv6 protocol fields to decide which switch ports they are accepted from and forwarded to. The switch maintains the client IP address binding information in a binding table.

NOTE: DIPLDv6 limits differ between switch platforms because of hardware limitations.

IMPORTANT: DIPLDv6 support is not available for the following HP Switch-series: 2615 (J9565A) and 2915 (J9562A).


Configuring DHCPv6 snooping

Enabling DHCPv6 snooping

To globally enable DHCPv6 snooping, enter:


HP Switch(config)# dhcpv6-snooping

Use the no form of the command to disable DHCPv6 snooping.

Enabling DHCPv6 snooping on VLANs

After you globally enable DHCPv6 snooping, use this command to enable DHCPv6 snooping on a VLAN or range of VLANs.

Syntax

[no] dhcpv6-snooping <vlan-id-range>

Use the no form of the command to disable DHCPv6 snooping on a VLAN.

vlan-id-range

Specifies the VLAN or range of VLANs on which to enable DHCPv6 snooping.

Configuring an authorized DHCPv6 server for snooping

Use this command to configure an authorized DHCPv6 server.

Syntax

dhcpv6-snooping authorized-server <IPv6-address>

IPv6-address

Specifies the IPv6 address of a trusted DHCPv6 server.

If no authorized servers are configured, all DHCPv6 server addresses are considered valid. Maximum: 20 authorized servers.

Configuring a lease entry file for DHCPv6 snooping

Use this command to configure lease database transfer options for DHCPv6 snooping.

Syntax

[no] dhcpv6-snooping database [file <ASCII string>] [delay <15-86400>] [timeout <0-86400>]

file <ASCII string>

Specifies the database URL in the form "tftp://<IP-ADDR>/<FILENAME>", with a maximum length of 255 characters. IP-ADDR can be an IPv4 or an IPv6 address; IPv6 addresses must be enclosed in square brackets.

delay <15-86400>

Specifies the number of seconds to delay before writing to the lease database file. Valid values are 15 to 86400. Default is 300 seconds.

timeout <0-86400>

Specifies the number of seconds to wait for the lease file transfer to finish before a failure message is displayed. Valid values are 0 to 86400. Default is 300 seconds. If 0 is specified, the file transfer is retried indefinitely.

Configuring DHCPv6 snooping max binding

Use this command to configure the maximum number of binding addresses allowed per port. If you configure the max-bindings value before enabling DHCPv6 snooping, the limit you enter is applied immediately and bindings are not allowed to exceed it. If you set the max-bindings value after enabling DHCPv6 snooping, the following occurs:

  • If the current number of bindings is greater than the max-bindings value, the limit takes effect as clients release their IPv6 addresses.

  • If the current number of bindings is less than the max-bindings value, the limit is applied immediately.

Syntax

[no] dhcpv6-snooping max-bindings <port-list> <1-8192>

port-list

Specifies the ports on which to apply max-bindings.

1-8192

Specifies the maximum number of binding addresses.

Configuring traps for DHCPv6 snooping

Use this command to configure traps for DHCPv6 snooping.

Syntax

[no] snmp-server enable traps dhcpv6-snooping [[out-of-resources] | [errant-reply]]

out-of-resources

Sends a trap message when the number of bindings exceeds the maximum limit of 8192 bindings.

errant-reply

Sends a trap message when a DHCPv6 reply packet is received on an untrusted port or from an unauthorized server.

Clearing DHCPv6 snooping statistics

Use this command in switch config mode to clear DHCPv6 snooping statistics.

Syntax

clear dhcpv6-snooping statistics

Enabling debug logging for DHCPv6 snooping

To enable debug logging for DHCPv6 snooping, use this command.

Syntax

[no] debug security dhcpv6-snooping [config|event|packet]

config

Displays DHCPv6 snooping configuration messages.

event

Displays DHCPv6 snooping event messages.

packet

Displays DHCPv6 snooping packet messages.

DHCPv6 show commands

Use this command to show DHCPv6 snooping information.

Syntax

show dhcpv6-snooping [stats] [bindings]

stats

Shows DHCPv6 snooping statistics.

bindings

Shows DHCPv6 binding state entries in a tabular format.

Examples

The following example shows all available DHCPv6 snooping information.

HP Switch(config)# show dhcpv6 snooping
DHCP Snooping Information
DHCP Snooping        : Yes
Enabled VLANs        : 1 13 16
Remote-ID            : MAC
Store Lease Database : Yes
URL                  : tftp://120.93.49.9/avi 
Read at boot         : no 
Write Delay          : 300 
Write Timeout        : 300 
File Status          : up-to-date 
Write Attempts       : 0 
Write Failures       : 0 
Last Successful File Update 

                Max       Current  Bindings
Port   Trust    Bindings  Static   Dynamic
_____  ______   ________  _______  _________
 1     Yes         -         -       -
 2     No         20        20       3
 4     No         3*        3        6
 4     No         543       231      10
 13    No         -         3        6
 48    Yes        -         -        -

Ports 3,5-12,14-47 are untrusted.
Note that show commands list only those ports that have bindings on them.
Ports 3, 5, 6, and 8 are untrusted and have no associated bindings, so they
are not listed in the table.

The following example shows DHCPv6 snooping statistics.

HP Switch(config)# show dhcpv6 snooping stats

Packet Type   Action    Reason                          Count
___________   ______    ______                          _____
server        forward   from trusted port               0
client        forward   to trusted port                 0
server        drop      received on validating port     0
server        drop      unauthorized server             0
client        drop      destination on validating port  0
client        drop      relay reply on validating port  0
client        drop      bad DHCPv6 release request      0
client        drop      failed verify MAC check         0
client        drop      failed on max-binding limit     0
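The statistics table above is the switch's record of which DHCPv6 packets it dropped and why, so growth in the "unauthorized server" and "received on validating port" drop counters is the signal a defender wants to watch. The following Python script is an added example, not part of the HP manual or the switch firmware: it parses two successive captures of the `show dhcpv6-snooping stats` output (the sample counts below are constructed, the layout follows the manual) and reports which alert-worthy drop counters increased between polls. Collecting the output (for example over SSH) is assumed to happen outside the script.

```python
"""Parse `show dhcpv6-snooping stats` output and flag counter growth that
points at a rogue DHCPv6 server or at per-port binding exhaustion."""
import re
from typing import Dict, List, Tuple

# Drop reasons worth alerting on, keyed by the reason text the switch prints.
ALERT_REASONS = {
    "unauthorized server": "reply from a server not in the authorized-server list",
    "received on validating port": "server packet arrived on an untrusted port",
    "failed on max-binding limit": "max-bindings reached on a port (lease exhaustion?)",
}

# One statistics row: packet type, action, free-text reason, integer count.
ROW_RE = re.compile(r"^(server|client)\s+(forward|drop)\s+(.+?)\s+(\d+)\s*$")

Counters = Dict[Tuple[str, str, str], int]


def parse_stats(text: str) -> Counters:
    """Return {(packet_type, action, reason): count} for every table row."""
    counters: Counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())  # header and underline rows do not match
        if m:
            ptype, action, reason, count = m.groups()
            counters[(ptype, action, reason)] = int(count)
    return counters


def detect_increments(previous: Counters, current: Counters) -> List[str]:
    """Compare two polls; return one alert per alert-worthy drop counter that grew."""
    alerts = []
    for (ptype, action, reason), now in current.items():
        before = previous.get((ptype, action, reason), 0)
        if action == "drop" and reason in ALERT_REASONS and now > before:
            alerts.append(f"{reason}: +{now - before} ({ALERT_REASONS[reason]})")
    return alerts


# Constructed sample captures: same layout as the manual, made-up counts.
POLL_1 = """\
Packet Type   Action    Reason                          Count
___________   ______    ______                          _____
server        forward   from trusted port               120
client        forward   to trusted port                 118
server        drop      received on validating port     0
server        drop      unauthorized server             0
client        drop      failed on max-binding limit     0
"""
# Second poll: seven replies from an unlisted server were dropped in between.
POLL_2 = POLL_1.replace("unauthorized server             0",
                        "unauthorized server             7")

if __name__ == "__main__":
    for alert in detect_increments(parse_stats(POLL_1), parse_stats(POLL_2)):
        print("ALERT", alert)
```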