If there is an unauthorized DHCPv6 server on a network, DHCPv6 clients may obtain invalid IPv6 addresses and network configuration parameters from it, and may then be unable to communicate with other network devices. With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IPv6 addresses only from authorized DHCPv6 servers.
- Trusted: A trusted port forwards DHCPv6 messages normally.
- Untrusted: An untrusted port discards the reply messages from any DHCPv6 server.
A DHCPv6 snooping device's port that is connected to an authorized DHCPv6 server, a DHCPv6 relay agent, or another DHCPv6 snooping device should be configured as a trusted port, so that reply messages from the authorized DHCPv6 server are forwarded. All other ports are configured as untrusted, so that DHCPv6 clients can obtain an IPv6 address from the authorized DHCPv6 server only.
Recording IP-to-MAC mappings of DHCPv6 clients
DHCPv6 snooping reads DHCPv6 messages to create and update DHCPv6 snooping entries, including the MAC addresses of clients, the IPv6 addresses obtained by the clients, the ports that connect to the DHCPv6 clients, and the VLANs to which those ports belong. You can use the display ipv6 dhcp snooping user-binding command to view the IPv6 address obtained by each client, so that you can manage and monitor the clients' IPv6 addresses.
Network diagram for DHCPv6 snooping configuration
Configuration procedure
# Enable DHCPv6 snooping globally.
<SwitchB> system-view
[SwitchB] ipv6 dhcp snooping enable
# Add GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 to VLAN 2.
[SwitchB] vlan 2
[SwitchB-vlan2] port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3
# Enable DHCPv6 snooping for VLAN 2.
[SwitchB-vlan2] ipv6 dhcp snooping vlan enable
[SwitchB-vlan2] quit
# Configure GigabitEthernet1/0/1 as a DHCPv6 snooping trusted port.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust
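The following is an added example, not Comware code or command output, that models the two behaviours described above against the topology just configured: server-originated DHCPv6 messages are discarded on untrusted ports, and REPLY messages seen on the trusted port populate the IP-to-MAC binding table that display ipv6 dhcp snooping user-binding would show. The message records, the port names (GE1/0/1 to GE1/0/3), the client MAC and the addresses are constructed for illustration; a real implementation parses the DHCPv6 options rather than reading fields from a record.

```python
"""Simplified model of DHCPv6 snooping port filtering and binding-table
construction. Added example, not Comware code or output. Message
records are constructed for illustration; real snooping parses the
DHCPv6 options (Client ID, IA_NA/IAADDR) from the packet."""
from dataclasses import dataclass
from typing import Optional

# DHCPv6 message types from RFC 8415, section 7.3
SOLICIT, ADVERTISE, REQUEST = 1, 2, 3
RENEW, REBIND, REPLY, RELEASE, DECLINE = 5, 6, 7, 8, 9
RECONFIGURE, RELAY_REPL = 10, 13

# Message types that only a server (or a relay forwarding a server's reply)
# legitimately originates; these are what an untrusted port must drop.
SERVER_ORIGINATED = {ADVERTISE, REPLY, RECONFIGURE, RELAY_REPL}


@dataclass(frozen=True)
class Dhcp6Msg:
    port: str            # ingress port on the snooping switch
    vlan: int
    client_mac: str      # client's MAC (source for client messages, target
                         # for server messages; a simplification of Client ID)
    msg_type: int
    assigned_addr: Optional[str] = None   # IA address carried in a REPLY


@dataclass(frozen=True)
class Binding:
    mac: str
    ipv6: str
    port: str    # port facing the client, learned from the client's own request
    vlan: int


class Dhcp6Snooper:
    def __init__(self, snooping_vlans, trusted_ports):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted_ports = set(trusted_ports)
        self.client_ports = {}   # mac -> (port, vlan) of the client's last request
        self.bindings = {}       # mac -> Binding (the DHCPv6 snooping entries)
        self.dropped = []        # server messages discarded on untrusted ports

    def process(self, msg: Dhcp6Msg) -> bool:
        """Return True if the message is forwarded, False if discarded."""
        if msg.vlan not in self.snooping_vlans:
            return True                    # snooping not enabled on this VLAN
        if msg.msg_type in SERVER_ORIGINATED:
            if msg.port not in self.trusted_ports:
                self.dropped.append(msg)   # unauthorized server: discard
                return False
            if msg.msg_type == REPLY and msg.assigned_addr:
                self._record_binding(msg)
            return True
        # Client-originated message: remember where the client is attached.
        self.client_ports[msg.client_mac] = (msg.port, msg.vlan)
        if msg.msg_type in (RELEASE, DECLINE):
            self.bindings.pop(msg.client_mac, None)   # client gave the address up
        return True

    def _record_binding(self, reply: Dhcp6Msg) -> None:
        attach = self.client_ports.get(reply.client_mac)
        if attach is None:
            return                         # no request seen from this client
        port, vlan = attach
        self.bindings[reply.client_mac] = Binding(
            reply.client_mac, reply.assigned_addr, port, vlan)

    def user_binding_table(self):
        """Rows in the spirit of 'display ipv6 dhcp snooping user-binding'."""
        return sorted((b.ipv6, b.mac, b.vlan, b.port) for b in self.bindings.values())


def run_demo():
    # Topology from the configuration above: GE1/0/1 is the trusted port
    # towards the authorized server; GE1/0/2 and GE1/0/3 face clients; VLAN 2.
    snooper = Dhcp6Snooper(snooping_vlans={2}, trusted_ports={"GE1/0/1"})
    client = "0001-0002-0003"              # constructed client MAC
    traffic = [
        Dhcp6Msg("GE1/0/2", 2, client, SOLICIT),
        Dhcp6Msg("GE1/0/3", 2, client, ADVERTISE, "2001:db8::bad"),  # rogue server
        Dhcp6Msg("GE1/0/1", 2, client, ADVERTISE, "2001:db8::10"),   # authorized
        Dhcp6Msg("GE1/0/2", 2, client, REQUEST),
        Dhcp6Msg("GE1/0/3", 2, client, REPLY, "2001:db8::bad"),      # rogue, dropped
        Dhcp6Msg("GE1/0/1", 2, client, REPLY, "2001:db8::10"),       # authorized
    ]
    forwarded = [snooper.process(m) for m in traffic]
    return forwarded, snooper.user_binding_table(), len(snooper.dropped)


if __name__ == "__main__":
    fwd, table, dropped = run_demo()
    print("forwarded:", fwd)
    print("dropped:", dropped)
    for ipv6, mac, vlan, port in table:
        print(f"{ipv6:<20} {mac:<16} VLAN {vlan} {port}")
```

Only the REPLY arriving on the trusted port produces a binding, and the binding records the port on which the client's own request was seen (GE1/0/2), not the port the reply entered, which is what makes the table usable for per-client monitoring. The model also forwards server messages untouched on VLANs where snooping is not enabled, mirroring the per-VLAN enable step in the procedure.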