Configuring Dhcpv6 Snooping; Overview; Ensuring That Dhcpv6 Clients Obtain Ipv6 Addresses From Authorized Dhcpv6 Servers - HP 3600 v2 Series Configuration Manual


Configuring DHCPv6 snooping

A DHCPv6 snooping device does not work if it is between a DHCPv6 relay agent and a DHCPv6 server.
The DHCPv6 snooping device works when it is between a DHCPv6 client and a DHCPv6 relay agent or
between a DHCPv6 client and a DHCPv6 server.
You can configure only Layer 2 Ethernet ports or Layer 2 aggregate interfaces as DHCPv6 snooping
trusted ports. For more information about aggregate interfaces, see Layer 2—LAN Switching
Configuration Guide.

Overview

DHCPv6 snooping is a security feature with the following functions:
Ensure that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers.
Record IP-to-MAC mappings of DHCPv6 clients.

Ensuring that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers

If DHCPv6 clients obtain invalid IPv6 addresses and network configuration parameters from an
unauthorized DHCPv6 server, they will be unable to communicate normally with other network devices.
With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted to make sure that
the clients obtain IPv6 addresses only from authorized DHCPv6 servers.
Trusted—A trusted port forwards DHCPv6 messages normally.
Untrusted—An untrusted port discards reply messages from any DHCPv6 server.
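
The trusted/untrusted decision described above, modeled as a small Python filter (an added example, not code from the HP manual or the switch firmware). The port names, the sample payloads, and the choice of which RFC 8415 message types count as server reply messages are assumptions.

```python
from dataclasses import dataclass

# DHCPv6 message types (RFC 8415). Treating these four as the server-originated
# "reply messages" is an assumption; the manual does not list them.
MSG_NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY",
             10: "RECONFIGURE", 11: "INFORMATION-REQUEST", 13: "RELAY-REPL"}
SERVER_TYPES = {2, 7, 10, 13}


@dataclass
class Verdict:
    forward: bool
    reason: str


class SnoopingFilter:
    """Per-port trust model: trusted ports forward DHCPv6 messages normally,
    untrusted ports drop messages that only a server or relay should send."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.alerts = []  # (port, message name) for each dropped server message

    def check(self, port, payload):
        # In this model a truncated header is dropped on any port.
        if len(payload) < 4:  # msg-type (1 byte) + transaction-id (3 bytes)
            return Verdict(False, "malformed: shorter than DHCPv6 header")
        msg_type = payload[0]
        name = MSG_NAMES.get(msg_type, f"type-{msg_type}")
        if port in self.trusted:
            return Verdict(True, f"{name} on trusted port")
        if msg_type in SERVER_TYPES:
            self.alerts.append((port, name))  # sign of an unauthorized server
            return Verdict(False, f"{name} from server on untrusted port")
        return Verdict(True, f"{name} from client on untrusted port")


def run_sample():
    # Constructed sample: port names and payloads are made up for illustration.
    f = SnoopingFilter(trusted_ports={"Ethernet1/0/1"})
    xid = b"\x00\x00\x2a"
    frames = [("Ethernet1/0/2", bytes([1]) + xid),   # client SOLICIT
              ("Ethernet1/0/1", bytes([2]) + xid),   # authorized ADVERTISE
              ("Ethernet1/0/3", bytes([2]) + xid),   # unauthorized ADVERTISE
              ("Ethernet1/0/3", bytes([7]) + xid),   # unauthorized REPLY
              ("Ethernet1/0/2", b"\x03")]            # truncated payload
    return [f.check(p, d).forward for p, d in frames], f.alerts
```

The alerts list is what an operator would review: any entry means a server-type message arrived on a port that was not configured as trusted.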

Figure 71 Trusted and untrusted ports
(Diagram labels: DHCPv6 client, DHCPv6 snooping, DHCPv6 server, unauthorized DHCPv6 server, trusted port, untrusted ports, DHCPv6 reply messages.)

A DHCPv6 snooping device's port that is connected to an authorized DHCPv6 server, DHCPv6 relay
agent, or another DHCPv6 snooping device should be configured as a trusted port. The trusted port
forwards reply messages from the authorized DHCPv6 server. Other ports are configured as untrusted so
