Dhcpv6 Snooping Configuration; Dhcpv6 Snooping Overview - HP A5120 EI Series Configuration Manual

DHCPv6 snooping configuration

NOTE:

A DHCPv6 snooping switch does not work if it is between a DHCPv6 relay agent and a DHCPv6 server. The
DHCPv6 snooping switch works when it is between a DHCPv6 client and a DHCPv6 relay agent or between a
DHCPv6 client and a DHCPv6 server.

You can configure only Layer 2 Ethernet interfaces or Layer 2 aggregate interfaces as DHCPv6 snooping trusted
ports. For more information about aggregate interfaces, see the

DHCPv6 snooping overview

DHCPv6 snooping is a security feature with the following uses:
Ensure that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers.

Recording IP-to-MAC mappings of DHCPv6 clients.

Ensuring that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers
If DHCPv6 clients obtain invalid IPv6 addresses and network configuration parameters from an
unauthorized DHCPv6 server, they will be unable to communicate normally with other network devices.
With DHCPv6 snooping, the ports of a switch can be configured as trusted or untrusted, to ensure that
the clients obtain IPv6 addresses only from authorized DHCPv6 servers.
 Trusted: A trusted port forwards DHCPv6 messages normally.
 Untrusted: An untrusted port discards reply messages from any DHCPv6 server.
Figure 70 Trusted and untrusted ports
DHCPv6 server
Trusted
Untrusted
DHCPv6 client
DHCPv6 reply messages
A DHCPv6 snooping switch's port that is connected to an authorized DHCPv6 server, DHCPv6 relay
agent, or another DHCPv6 snooping switch, should be configured as a trusted port. The trusted port
forwards reply messages from the authorized DHCPv6 server. Other ports are configured as untrusted so
DHCPv6 snooping
Untrusted
Unauthorized
DHCPv6 server
Layer 2—LAN Switching Configuration Guide
162
.