Introduction to DHCPv6 snooping Basic Functions
DHCPv6 snooping is a security feature of DHCPv6 (Dynamic Host Configuration Protocol for IPv6) and has the following two functions:
- Record the mapping between the MAC address and the IPv6 address of the DHCPv6 client:
For security reasons, the network administrator may need to record the IPv6 address a user uses when accessing the network, so as to confirm the mapping between the user host and the IPv6 address obtained from the DHCPv6 server.
DHCPv6 snooping listens to the DHCPv6 request packets and to the DHCPv6 response packets received on the trust port, and records the MAC address of the DHCPv6 client and the IPv6 address it obtained. The administrator can view the IPv6 address information obtained by the DHCPv6 client in the binding entries recorded by DHCPv6 snooping.
- Ensure that the client gets the IPv6 address from the valid server
If there is an unauthorized DHCPv6 server in the network, the DHCPv6 client may get a wrong IPv6 address, resulting in communication failures or security risks. To ensure that the DHCPv6 client gets its IPv6 address from the valid DHCPv6 server, the DHCPv6 snooping function allows each port to be configured as a trust port or an un-trust port:
- A trust port is a port directly or indirectly connected to the valid DHCPv6 server. The trust port forwards received DHCPv6 response packets normally, so that the DHCPv6 client can get the correct IP address.
- An un-trust port is a port that is not directly or indirectly connected to the valid DHCPv6 server. If an un-trust port receives a DHCPv6 response packet sent by a DHCPv6 server, the packet is dropped, so as to prevent the DHCPv6 client from getting a wrong IPv6 address.
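The two functions above (dropping server responses on un-trust ports and recording MAC-to-IPv6 bindings from responses seen on trust ports) can be modelled as follows. This is an added Python example, not code from the original page or from any switch vendor. The port names, MAC addresses and sample messages are constructed, the message-type and option numbers are the RFC 8415 values, and relay-encapsulated messages are forwarded without being unwrapped.

```python
import ipaddress, struct

SERVER_MSGS = {2, 7, 10, 13}   # ADVERTISE, REPLY, RECONFIGURE, RELAY-REPL (RFC 8415)
CLIENT_MSGS = {1, 3, 4, 5, 6, 8, 9, 11}
REPLY, OPT_IA_NA, OPT_IAADDR = 7, 3, 5

def options(buf):
    """Yield (code, value) for each option TLV: 2-byte code, 2-byte length."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + length

def leased_addresses(payload):
    """IPv6 addresses in the IA_NA/IAADDR options of a client/server message."""
    return [str(ipaddress.IPv6Address(sub_val[:16]))
            for code, val in options(payload[4:]) if code == OPT_IA_NA  # skip type + xid
            for sub, sub_val in options(val[12:])                       # skip IAID, T1, T2
            if sub == OPT_IAADDR and len(sub_val) >= 24]

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # transaction-id -> client MAC, learned from requests
        self.bindings = {}    # client MAC -> list of IPv6 addresses

    def handle(self, port, src_mac, payload):
        """Return 'forward' or 'drop' for a DHCPv6 payload received on port."""
        if len(payload) < 4:
            return "drop"                           # assumption: malformed is dropped
        msg_type, xid = payload[0], bytes(payload[1:4])
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"                       # server response on un-trust port
            mac = self.pending.pop(xid, None) if msg_type == REPLY else None
            if mac and (addrs := leased_addresses(payload)):
                self.bindings[mac] = addrs          # binding entry for the requester
        elif msg_type in CLIENT_MSGS:
            self.pending[xid] = src_mac             # remember who sent the request
        return "forward"

def make_msg(msg_type, xid, addr=None):
    """Build a constructed sample message, optionally with one IA_NA/IAADDR."""
    msg = bytes([msg_type]) + xid
    if addr:
        iaaddr = (struct.pack("!HH", OPT_IAADDR, 24)
                  + ipaddress.IPv6Address(addr).packed + struct.pack("!II", 3600, 7200))
        msg += struct.pack("!HHIII", OPT_IA_NA, 12 + len(iaaddr), 1, 0, 0) + iaaddr
    return msg
```

The binding is keyed by the MAC address learned from the client's request and matched to the response through the transaction ID, so a response dropped on an un-trust port never creates an entry.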