DHCPv6 snooping overview

As a DHCPv6 security feature, DHCPv6 snooping can implement the following functions.

• Ensuring DHCPv6 clients to obtain IPv6 addresses from authorized DHCPv6 servers

• Recording IP-to-MAC mappings of DHCPv6 clients

If there is an unauthorized DHCPv6 server on a network, DHCPv6 clients may obtain invalid IPv6 addresses and network configuration parameters, and cannot communicate with other network devices. With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted, ensuring the clients to obtain IPv6 addresses from authorized DHCPv6 servers.

• Trusted: A trusted port forwards DHCPv6 messages normally.

• Untrusted: An untrusted port discards the reply messages from any DHCPv6 server.

A DHCPv6 snooping device's port that is connected to an authorized DHCPv6 server, DHCPv6 relay agent, or another DHCPv6 snooping device should be configured as a trusted port to forward reply messages from the authorized DHCPv6 server, whereas other ports are configured as untrusted so that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server only. As shown in Figure 61, configure the port that connects to the DHCPv6 server as a trusted port, and other ports as untrusted.

DHCPv6 snooping reads DHCPv6 messages to create and update DHCPv6 snooping entries, including MAC addresses of clients, IPv6 addresses obtained by the clients, ports that connect to DHCPv6 clients, and VLANs to which the ports belong. You can use the display ipv6 dhcp snooping user-binding command to view the IPv6 address obtained by each client, so that you can manage and monitor the clients' IPv6 addresses.