1-10The user legality check is based on the source IPv6 address and source MAC address in the ND packetto check whether the user is legal on the VLAN where the port receives the packet. The check includesthose based on the IPv6 static binding entry, the security entry of ND snooping and of DHCPv6snooping. If all the three entries above are available, the check processes are as follows:z First check the IPv6 static binding entry. If a static binding entry is found corresponding to thesource IPv6 address and source MAC address, then the ND packet is considered legal andforwarded. If a static binding entry is found but inconsistent to the source IPv6 address and sourceMAC address, then the ND packet is considered illegal and discarded. If no static binding entry isfound that corresponds to the source IPv6, then keep on checking the security entry of DHCPv6snooping and ND snooping.z After the check based on the IPv6 static binding entry is the check on the security entry of DHCPv6snooping and ND snooping. If either one is legal, then the ND packet is considered legal andforwarded.z If no checks find matched entries, then the packet is considered legal and discarded directly.z The IPv6 static binding entry is generated through the ipv6 source static binding command. Formore information, see Configuring IPv6 Filtering.z The security entry of DHCPv6 snooping is generated automatically through DHCPv6 snoopingitself. For more information, see Configuring DHCPv6 Snooping.z The security entry of ND snooping is generated automatically through ND snooping itself. For moreinformation, see Configuring ND snooping.Introduction to DHCPv6 SnoopingAmong the S3100 series Ethernet switches, only the S3100-EI series support DHCPv6 snooping.For the sake of security, the IPv6 addresses used by online DHCPv6 clients need to be tracked for theadministrator to verify the corresponding relationship between the IPv6 addresses the DHCPv6 clientsobtained from DHCPv6 servers and the MAC addresses of the DHCPv6 clients. As a DHCPv6 securityfeature, DHCPv6 snooping can implement the following:z Recording IP-to-MAC mappings of DHCPv6 clientsz Ensuring DHCPv6 clients to obtain IP addresses from authorized DHCPv6 serversRecording IPv6-to-MAC mappings of DHCPv6 clientsDHCPv6 snooping reads DHCPv6-REQUEST messages and DHCPv6-ACK messages from trustedports to record DHCPv6 snooping entries, including MAC addresses of clients, IPv6 addressesobtained by the clients, ports that connect to DHCPv6 clients, and VLANs to which the ports belong.With DHCPv6 snooping entries. The network administrator can check out which IPv6 addresses areassigned to the DHCPv6 clients with the display dhcp-snooping ipv6 command.