Manualshelf

Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048T-ON
331332333334335336337338339340
Debugging the IPv6 DHCP
To debug the IPv6 DHCP, use the following command.
Display debug information for IPV6 DHCP.
EXEC Privilege mode
debug ipv6 dhcp
IPv6 DHCP Snooping MAC-Address Verication
Congure to enable verify source mac-address in the DHCP packet against the mac address stored in the snooping binding table.
Enable IPV6 DHCP snooping .
CONFIGURATION mode
ipv6 dhcp snooping verify mac-address
Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE.
Line cards maintain a list of snooped VLANs. When the binding table lls, DHCP packets are dropped only on snooped VLANs, while such
packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made.
However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls
below the maximum limit of 4000 entries, new IP address assignments are allowed.
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping
binding table created using the ACK packets from the trusted port.
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address MAC Address Expires(Sec) Type VLAN Interface
================================================================
10.1.1.251 00:00:4d:57:f2:50 172800 D Vl 10 Te 1/2
10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Te 1/1
10.1.1.253 00:00:4d:57:f8:e8 172740 D Vl 10 Te 1/3
10.1.1.254 00:00:4d:69:e8:f2 172740 D Vl 10 Te 1/5
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoong by forwarding only ARP frames that have been validated
against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device.
ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry already exists in
its ARP cache, it overwrites the existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoong. ARP spoong is a technique attackers use to inject false IP-to-MAC
mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-service (DoS) attacks,
among others.
340
Dynamic Host Conguration Protocol (DHCP)