Introduction to DHCPv6 snooping, Recording IPv6-to-MAC mappings of DHCPv6 clients – H3C Technologies H3C S3100 Series Switches User Manual
The user legality check uses the source IPv6 address and source MAC address in an ND packet to determine whether the user is legal on the VLAN where the port received the packet. The check draws on three kinds of entries: IPv6 static binding entries, ND snooping security entries, and DHCPv6 snooping security entries. If all three kinds of entries are available, the check proceeds as follows:
• First, check the IPv6 static binding entries. If a static binding entry matches both the source IPv6 address and the source MAC address, the ND packet is considered legal and is forwarded. If a static binding entry is found but is inconsistent with the source IPv6 address and source MAC address, the ND packet is considered illegal and is discarded. If no static binding entry corresponds to the source IPv6 address, the check continues with the security entries of DHCPv6 snooping and ND snooping.
• Next, check the security entries of DHCPv6 snooping and ND snooping. If either check finds the packet legal, the ND packet is considered legal and is forwarded.
• If none of the checks finds a matching entry, the packet is considered illegal and is discarded directly.
• The IPv6 static binding entry is generated through the ipv6 source static binding command. For more information, see Configuring IPv6 Filtering.
• The security entry of DHCPv6 snooping is generated automatically through DHCPv6 snooping itself. For more information, see Configuring DHCPv6 Snooping.
• The security entry of ND snooping is generated automatically through ND snooping itself. For more information, see Configuring ND snooping.
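The check order described above, modelled in Python as an added example (it is not H3C code and does not come from the manual). The table layout keyed by (VLAN, IPv6 address), the function and reason names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

def _mac(mac):
    # Normalise 0011-2233-4455 / 00:11:22:33:44:55 style MACs to bare hex.
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def _key(vlan, ip):
    # IPv6Address collapses equivalent textual forms of the same address.
    return (vlan, ipaddress.IPv6Address(ip))

@dataclass
class Tables:
    # Assumption: each table maps (VLAN, IPv6 address) -> MAC address.
    static: dict = field(default_factory=dict)
    dhcpv6_snooping: dict = field(default_factory=dict)
    nd_snooping: dict = field(default_factory=dict)

def bind(table, vlan, ip, mac):
    table[_key(vlan, ip)] = _mac(mac)

def check_nd_packet(t, vlan, src_ip, src_mac):
    """Return (action, reason) for an ND packet received on `vlan`."""
    key, mac = _key(vlan, src_ip), _mac(src_mac)
    # 1. A static binding for this IPv6 address decides the outcome alone.
    bound = t.static.get(key)
    if bound is not None:
        return ("forward", "static") if bound == mac else ("discard", "static-mismatch")
    # 2. Otherwise either snooping table may vouch for the IPv6/MAC pair.
    for name, table in (("dhcpv6-snooping", t.dhcpv6_snooping), ("nd-snooping", t.nd_snooping)):
        if table.get(key) == mac:
            return ("forward", name)
    # 3. No matching entry in any table: drop the packet.
    return ("discard", "no-entry")

def sample_tables():
    # Constructed entries using the documentation prefix 2001:db8::/32.
    t = Tables()
    bind(t.static, 10, "2001:db8::1", "0011-2233-4455")
    bind(t.dhcpv6_snooping, 10, "2001:db8::1", "0011-2233-9999")
    bind(t.dhcpv6_snooping, 10, "2001:db8::20", "0011-2233-0020")
    bind(t.nd_snooping, 10, "2001:db8::30", "0011-2233-0030")
    return t

if __name__ == "__main__":
    t = sample_tables()
    for ip, mac in [("2001:db8::1", "0011-2233-4455"), ("2001:db8::1", "0011-2233-9999"),
                    ("2001:DB8:0:0::20", "00:11:22:33:00:20"), ("2001:db8::40", "0011-2233-0040")]:
        print(ip, mac, check_nd_packet(t, 10, ip, mac))
```

The second sample packet shows the precedence rule: the MAC matches a DHCPv6 snooping entry, but the static binding for the same IPv6 address disagrees, so the packet is discarded without consulting the snooping tables.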
Introduction to DHCPv6 Snooping
Among the S3100 series Ethernet switches, only the S3100-EI series supports DHCPv6 snooping.
For security, the IPv6 addresses used by online DHCPv6 clients need to be tracked so that the administrator can verify the correspondence between the IPv6 addresses the DHCPv6 clients obtained from DHCPv6 servers and the MAC addresses of those clients. As a DHCPv6 security feature, DHCPv6 snooping can implement the following:
• Recording IP-to-MAC mappings of DHCPv6 clients
• Ensuring that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers
Recording IPv6-to-MAC mappings of DHCPv6 clients
DHCPv6 snooping reads DHCPv6-REQUEST messages and DHCPv6-ACK messages from trusted ports to record DHCPv6 snooping entries, including the MAC addresses of clients, the IPv6 addresses obtained by the clients, the ports that connect to DHCPv6 clients, and the VLANs to which the ports belong. With DHCPv6 snooping entries, the network administrator can use the display dhcp-snooping ipv6 command to check which IPv6 addresses are assigned to the DHCPv6 clients.