slaac-snooping
Syntax
slaac-snooping {
    interface (interface-name | all) {
        auto-dad {
            retries retry-count;
            retrans-interval seconds;
        }
        mark-interface {
            trusted;
        }
        max-allowed-contentions {
            count integer;
            duration seconds;
        }
    }
    link-local {
        expiry interval seconds;
    }
    vlans (vlan-name | all);
}
Hierarchy Level
[edit forwarding-options access-security]
Description
Configure IPv6 stateless address auto-configuration (SLAAC) snooping. SLAAC enables an IPv6 client to generate its own addresses using a combination of locally available information and information advertised by routers through Neighbor Discovery Protocol (NDP). NDP messages are unsecured, which makes SLAAC susceptible to attacks that involve the spoofing (or forging) of link-layer addresses. IPv6 clients using SLAAC for dynamic address assignment are validated against the SLAAC snooping binding table before being allowed access to the network.
SLAAC snooping is similar to DHCP snooping, in that it snoops packets to build a table of IP-MAC address bindings. SLAAC snooping extracts address information from DAD packets exchanged during the SLAAC process to build the SLAAC snooping table. The address bindings in this table are used to inspect and validate NDP/IP packets sent by IPv6 clients using SLAAC.
You must configure SLAAC snooping to allow IPv6 clients using SLAAC access to the network.
The remaining statements are explained separately. See CLI Explorer.
Options
link-local expiry interval seconds
Configure the expiration period for a link-local address learned by SLAAC. When the lease for the address expires, the snooping device sends a DAD message with the client address as the target. If the client is still reachable, the lease is renewed.

vlans (vlan-name | all)
Configure SLAAC snooping on a specific VLAN or on all VLANs.
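The following is an added configuration example, not part of the original page, showing the statement placed at its hierarchy level with SLAAC snooping enabled on one VLAN, DAD probing and contention limits tuned on an access interface, and the router-facing uplink marked trusted. The interface names, VLAN name and all numeric values are constructed sample values, and the reading of trusted as exempting the uplink from binding-table validation is an assumption.

```junos
forwarding-options {
    access-security {
        slaac-snooping {
            /* Sample access interface on which SLAAC clients are learned */
            interface ge-0/0/1.0 {
                auto-dad {
                    /* Sample values; assumed to govern the DAD probe the device
                       sends for a client address: 3 attempts, 1 second apart */
                    retries 3;
                    retrans-interval 1;
                }
                max-allowed-contentions {
                    /* Sample values: tolerate at most 5 DAD address
                       contentions within a 60-second window */
                    count 5;
                    duration 60;
                }
            }
            /* Sample uplink toward the IPv6 router; trusted is assumed to
               exempt traffic on this interface from binding-table validation */
            interface ge-0/0/48.0 {
                mark-interface {
                    trusted;
                }
            }
            link-local {
                /* Sample value: a learned link-local binding expires after
                   1800 seconds and is re-probed with a DAD message */
                expiry interval 1800;
            }
            /* Sample VLAN name; snooping applies only to clients in this VLAN */
            vlans v100;
        }
    }
}
```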
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 19.2R1.