279
Setting the maximum number of DHCPv6
snooping entries
Perform this task to prevent the system resources from being overused.
To set the maximum number of DHCPv6 snooping entries:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Set the maximum number
of DHCPv6 snooping
entries for the interface to
learn.
ipv6
dhcp
snooping
max-learning-num
number
By default, the number of DHCPv6
snooping entries for an interface to
learn is not limited.
Enabling DHCPv6-REQUEST check
Perform this task to use the DHCPv6-REQUEST check function to protect the DHCPv6 server
against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew
leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages
disable the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge
DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6
clients that still need the IP addresses.
The DHCPv6-REQUEST check function enables the DHCPv6 snooping device to check every
received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6
snooping entries.
• If any criterion in an entry is matched, the device compares the entry with the message
information.
{ If they are consistent, the device considers the message valid and forwards it to the
DHCPv6 server.
{ If they are different, the device considers the message forged and discards it.
• If no matching entry is found, the device forwards the message to the DHCPv6 server.
To enable DHCPv6-REQUEST check:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Enable
DHCPv6-REQUEST
check.
ipv6 dhcp snooping check
request-message
By default, DHCPv6-REQUEST check is
disabled.
You can enable the function only on Layer
2 Ethernet interfaces and Layer 2
aggregate interfaces.
To Next Page
Loading...
Need help?
General
