
slaac-snooping

Syntax

Hierarchy Level

Description

Configure IPv6 stateless address auto-configuration (SLAAC) snooping. SLAAC enables an IPv6 client to generate its own addresses using a combination of locally available information and information advertised by routers through Neighbor Discovery Protocol (NDP). NDP messages are unsecured, which makes SLAAC susceptible to attacks that involve the spoofing (or forging) of link-layer addresses. IPv6 clients using SLAAC for dynamic address assignment are validated against the SLAAC snooping binding table before being allowed access to the network.

SLAAC snooping is similar to DHCP snooping, in that it snoops packets to build a table of IP-MAC address bindings. SLAAC snooping extracts address information from the duplicate address detection (DAD) packets exchanged during the SLAAC process to build the SLAAC snooping table. The address bindings in this table are used to inspect and validate NDP/IP packets sent by IPv6 clients using SLAAC.
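The following Python model is an added illustration of the binding-table logic described above, together with the lease expiry behavior of the link-local expiry option; it is not Junos OS code. The class and method names, the first-binding-wins rule for a conflicting DAD message, and the `still_reachable` callback that stands in for the device's DAD probe are assumptions made for the example.

```python
import ipaddress

DEFAULT_EXPIRY = 86400  # default link-local expiry stated on this page (seconds)

class SlaacSnoopTable:
    """Simplified model of a SLAAC snooping table (hypothetical, for illustration)."""

    def __init__(self, expiry=DEFAULT_EXPIRY):
        if not 60 <= expiry <= 86400:  # range stated on this page
            raise ValueError("expiry must be 60 to 86400 seconds")
        self.expiry = expiry
        self.bindings = {}  # (vlan, IPv6Address) -> [mac, expires_at]

    def learn_from_dad(self, vlan, src_ip, target_ip, mac, now):
        """Learn an IP-MAC binding from a DAD Neighbor Solicitation."""
        # A DAD solicitation is sent from the unspecified address (::).
        if not ipaddress.IPv6Address(src_ip).is_unspecified:
            return False
        key = (vlan, ipaddress.IPv6Address(target_ip))
        held = self.bindings.get(key)
        # Assumption: a live binding is not overwritten by a different MAC.
        if held and held[1] > now and held[0] != mac:
            return False
        self.bindings[key] = [mac, now + self.expiry]
        return True

    def validate(self, vlan, src_ip, mac, now):
        """Accept a packet only if its source IP and MAC match a live binding."""
        held = self.bindings.get((vlan, ipaddress.IPv6Address(src_ip)))
        return bool(held and held[1] > now and held[0] == mac)

    def expire(self, now, still_reachable):
        """At lease expiry, probe the client; renew if it answers, else drop."""
        for key, held in list(self.bindings.items()):
            if held[1] <= now:
                if still_reachable(key[1], held[0]):
                    held[1] = now + self.expiry
                else:
                    del self.bindings[key]

if __name__ == "__main__":
    # Constructed sample traffic: one legitimate client, one spoofed sender.
    table = SlaacSnoopTable(expiry=60)
    table.learn_from_dad("v10", "::", "fe80::1", "aa:bb:cc:00:00:01", now=0)
    print(table.validate("v10", "fe80::1", "aa:bb:cc:00:00:01", now=10))
    print(table.validate("v10", "fe80::1", "aa:bb:cc:00:00:02", now=10))
```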

Note:

You must configure SLAAC snooping to allow IPv6 clients using SLAAC access to the network.

The remaining statements are explained separately. See CLI Explorer.

Options

link-local expiry interval seconds

Configure the expiration period for a link-local address learned by SLAAC. When the lease for the address expires, the snooping device sends a DAD message with the client address as the target. If the client is still reachable, the lease is renewed.

  • Default: 86400 seconds

  • Range: 60 to 86400 seconds

vlans (vlan-name | all)

Configure SLAAC snooping on a specific VLAN or on all VLANs.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 19.2R1.