Introduction To Ipv6 Filtering - H3C S3100 Series Operation Manual

Ensuring DHCPv6 clients to obtain IP addresses from authorized DHCPv6 servers
If there is an unauthorized DHCPv6 server on a network, the DHCPv6 clients may obtain invalid IPv6
addresses. With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted,
ensuring the clients to obtain IPv6 addresses from authorized DHCPv6 servers.
Trusted: A trusted port forwards DHCPv6 messages normally to guarantee that DHCPv6 clients
can obtain valid IPv6 addresses from a DHCPv6 server.
Untrusted: An untrusted port discards the DHCPv6 reply message packets from any DHCPv6
server to prevent DHCPv6 clients from receiving invalid IPv6 addresses.
Figure 1-6 Configure trusted and untrusted ports
DHCPv6 server
Trusted
Untrusted
DHCPv6 client
DHCPv6 reply messages
As shown in Figure
server should be configured as a trusted port to forward reply messages from the DHCPv6 server, so
that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server.

Introduction to IPv6 Filtering

Among the S3100 series Ethernet switches, only the S3100-EI series support IPv6 Filtering.
With the IPv6 filtering function enabled on the user access port of the device, the device can block
illegal usages of network resources and improve the network security. For example, IPv6 filtering
function can prevent an illegal host from pretending to be a legal user to access the network.
DHCPv6 snooping
Untrusted
Unauthorized
DHCPv6 server
1-6, a DHCPv6 snooping device's port that is connected to an authorized DHCPv6
1-11