Introduction to ipv6 filtering – H3C Technologies H3C S3100 Series Switches User Manual


Ensuring that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers

If there is an unauthorized DHCPv6 server on a network, DHCPv6 clients may obtain invalid IPv6 addresses. With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IPv6 addresses from authorized DHCPv6 servers.

- Trusted: A trusted port forwards DHCPv6 messages normally to guarantee that DHCPv6 clients can obtain valid IPv6 addresses from a DHCPv6 server.

- Untrusted: An untrusted port discards the DHCPv6 reply message packets from any DHCPv6 server to prevent DHCPv6 clients from receiving invalid IPv6 addresses.

Figure 1-6 Configure trusted and untrusted ports

[Figure not reproduced. Labels: Trusted, Untrusted, DHCPv6 snooping, DHCPv6 server, Unauthorized DHCPv6 server, DHCPv6 client, DHCPv6 reply messages]

As shown in Figure 1-6, the port of a DHCPv6 snooping device that is connected to an authorized DHCPv6 server should be configured as a trusted port to forward reply messages from the DHCPv6 server, so that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server.
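
The trusted/untrusted decision described above can be modelled in a few lines. This is an added example, not H3C code or configuration: the class, function and port names and the sample messages are constructed, and treating ADVERTISE, RECONFIGURE and RELAY-REPL as server-originated alongside REPLY is an assumption based on RFC 8415 that goes beyond the reply messages the manual mentions.

```python
from dataclasses import dataclass, field

# DHCPv6 message types (RFC 8415) that a server or relay sends toward clients.
# The manual names only reply messages; the other three are an assumption.
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}


@dataclass
class SnoopingSwitch:
    """Hypothetical model of a DHCPv6 snooping device."""
    trusted_ports: frozenset                      # ports facing authorized servers
    dropped: list = field(default_factory=list)   # audit trail: (port, reason)

    def handle(self, ingress_port, payload):
        """Return 'forward' or 'drop' for one DHCPv6 UDP payload."""
        # A client/server message is msg-type (1 octet) + transaction-id (3 octets).
        if len(payload) < 4:
            self.dropped.append((ingress_port, "MALFORMED"))
            return "drop"
        name = SERVER_MSG_TYPES.get(payload[0])
        # Server-originated messages are accepted on trusted ports only.
        if name is not None and ingress_port not in self.trusted_ports:
            self.dropped.append((ingress_port, name))
            return "drop"
        # Client messages pass on any port; everything passes on a trusted port.
        return "forward"


def rogue_server_ports(switch):
    """Untrusted ports on which server messages were seen and discarded."""
    return sorted({port for port, name in switch.dropped if name != "MALFORMED"})


def demo():
    # Constructed topology: one trusted uplink, two untrusted access ports.
    sw = SnoopingSwitch(trusted_ports=frozenset({"Ethernet1/0/1"}))
    xid = b"\x00\x00\x2a"                 # constructed transaction-id
    solicit = bytes([1]) + xid            # client -> server
    reply = bytes([7]) + xid              # server -> client
    verdicts = [
        sw.handle("Ethernet1/0/2", solicit),   # client on untrusted port
        sw.handle("Ethernet1/0/1", reply),     # authorized server, trusted port
        sw.handle("Ethernet1/0/3", reply),     # unauthorized server, untrusted port
    ]
    return verdicts, rogue_server_ports(sw)


if __name__ == "__main__":
    print(demo())
```

The list returned by `rogue_server_ports` is the part worth alerting on: a server message discarded on an untrusted port means an unauthorized DHCPv6 server is attached there.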

Introduction to IPv6 Filtering

Among the S3100 series Ethernet switches, only the S3100-EI series supports IPv6 filtering.

With the IPv6 filtering function enabled on the user access port of the device, the device can block unauthorized use of network resources and improve network security. For example, the IPv6 filtering function can prevent an unauthorized host from impersonating a legitimate user to access the network.
