317
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
Use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client
spoofing attacks. The feature enables the DHCPv6 snooping device to check every received
DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping
entries.
• If any criterion in an entry is matched, the device compares the entry with the message
information.
{ If they are consistent, the device considers the message valid and forwards it to the
DHCPv6 server.
{ If they are different, the device considers the message forged and discards it.
• If no matching entry is found, the device forwards the message to the DHCPv6 server.
Examples
# Enable DHCPv6-REQUEST check.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping check request-message
ipv6 dhcp snooping deny
Use ipv6 dhcp snooping deny to configure a port as DHCPv6 packet blocking port.
Use undo ipv6 dhcp snooping deny to restore the default.
Syntax
ipv6 dhcp snooping deny
undo ipv6 dhcp snooping deny
Default
A port does not block DHCPv6 requests.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
A DHCPv6 packet blocking port drops all incoming DHCPv6 requests.
Examples
# Configure HundredGigE 1/0/1 as a DHCPv6 packet blocking port.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping deny
To Next Page
Loading...
Need help?
General