interface (SLAAC Snooping)

Syntax

Hierarchy Level

Description

Configure interface-level parameters for IPv6 stateless address auto-configuration (SLAAC) snooping. SLAAC enables an IPv6 client to generate its own local and global addresses using a combination of locally-available information and information advertised by routers through Neighbor Discovery Protocol (NDP). NDP messages are unsecured, which makes SLAAC susceptible to attacks that involve the spoofing (or forging) of link-layer addresses. IPv6 clients using SLAAC for dynamic address assignment are validated against the SLAAC snooping binding table before being allowed access to the network.

The remaining statements are explained separately. See CLI Explorer.

Options

(interface-name | all)

Configure SLAAC snooping parameters on the specified interface or on all interfaces.

mark-interface trusted

Configure the interface as trusted. The binding entry for the trusted interface is added to the SLAAC snooping table using the same process as for untrusted interfaces. When a DAD request is received on a trusted port with an IP/MAC entry that already exists on an untrusted port, SLAAC snooping sends a unicast DAD towards the untrusted port to see whether the host is live. If the host responds with an NA message on the untrusted port, the lease time is renewed for the existing binding entry. If there is no response (NA) on the untrusted port, the corresponding binding entry is deleted.

If the entry for the untrusted port is deleted, the binding for the trusted port is not created immediately. When the trusted port starts to send data traffic, it will send an NS message. At that time, SLAAC snooping adds the new binding on the trusted port.

Note:

Maximum number of DAD contentions is not applicable to trusted interfaces.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 19.2R1.

ON THIS PAGE