IPv6 DHCPv6 Guard

Hello Nitay

In IPv4, DHCP always builds the binding table, without the use of DHCP snooping. When you enable DHCP snooping, it will build the DHCP snooping binding table. These are two different tables. The first is used by DHCP to simply list the IP address leases that have been given out to particular hosts. You can view this table using the show ip dhcp binding command like so:

Router#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.16.173.0         24d9.2141.0ddd          Jan 12 2013 03:42 AM    Automatic
10.16.173.18        24d9.214a.6dd3          Jan 12 2013 04:59 AM    Automatic
10.16.173.21        24d9.214a.eee9          Jan 12 2013 03:49 AM    Automatic
10.16.173.24        24d9.214a.13d6          Jan 12 2013 03:12 AM    Automatic

This table includes the IP lease, the corresponding MAC address of the host, the lease expiration, and the type.

Now the DHCP snooping binding table is different. This table keeps track of DHCP addresses and includes information such as VLAN number and interface information. The important thing here is the interface info maintained by the table. Information on this table can be seen using several commands such as:

SW1#show ip dhcp snooping 

<--output omitted -->

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              no          10        
FastEthernet0/2              yes         unlimited

and…

SW1#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:28:5C:6C   192.168.1.1      85655       dhcp-snooping   1     FastEthernet0/1

I know I went into a lot of detail, but I just want to be clear. Now when it comes to IPv6, DHCPv6 creates a binding table that corresponds IPv6 addresses to MAC addresses just like DHCP does. This is a fundamental part of how DHCPv6 works. But, DHCPv6 Guard, unlike DHCP snooping, does not build a DHCP snooping binding table.

I hope this has been helpful!

Laz

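Added example, not part of the post above and not Cisco code: a short Python script that parses the two IPv4 tables discussed (show ip dhcp binding and show ip dhcp snooping binding) and joins them, so each server lease is shown with the VLAN and interface that only the snooping table records. The sample output is constructed in the formats shown above, the function names are hypothetical, and it assumes the dotted hardware-address form of Client-ID seen in the post.

```python
import re

# Constructed sample output in the two formats shown above (not from a real device).
SERVER_BINDINGS = """\
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.10        000c.2928.5c6c          Jan 12 2013 03:42 AM    Automatic
192.168.1.11        24d9.214a.6dd3          Jan 12 2013 04:59 AM    Automatic
"""
SNOOPING_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:28:5C:6C   192.168.1.10     85655       dhcp-snooping   1     FastEthernet0/1
"""

def norm_mac(mac):
    """Reduce dotted (24d9.2141.0ddd) or colon (00:0C:...) MACs to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_server(text):
    """Return {ip: mac} from 'show ip dhcp binding' output (hardware-address rows only)."""
    pat = r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s"
    return {ip: norm_mac(mac) for ip, mac in re.findall(pat, text, re.M)}

def parse_snooping(text):
    """Return {ip: (mac, vlan, interface)} from 'show ip dhcp snooping binding' output."""
    pat = (r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+\.\d+\.\d+\.\d+)"
           r"\s+\d+\s+\S+\s+(\d+)\s+(\S+)")
    return {ip: (norm_mac(mac), int(vlan), port)
            for mac, ip, vlan, port in re.findall(pat, text, re.M)}

def correlate(server_text, snooping_text):
    """For every server lease, attach the VLAN/port snooping recorded, or None if absent."""
    snoop = parse_snooping(snooping_text)
    result = {}
    for ip, mac in parse_server(server_text).items():
        entry = snoop.get(ip)
        # Accept the match only when both tables agree on the client MAC.
        if entry and entry[0] == mac:
            result[ip] = {"mac": mac, "vlan": entry[1], "interface": entry[2]}
        else:
            result[ip] = {"mac": mac, "vlan": None, "interface": None}
    return result

if __name__ == "__main__":
    for ip, info in correlate(SERVER_BINDINGS, SNOOPING_BINDINGS).items():
        print(ip, info)
```

A lease that comes back with interface None is one the DHCP server knows about but for which the switch's snooping table holds no matching port entry.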