220
Restrictions and guidelines
The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If
a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum rate at which an interface can receive DHCPv6 packets.
ipv6 dhcp snooping rate-limit rate
By default, incoming DHCPv6 packets on an interface are not rate limited.
Enabling DHCPv6-REQUEST check
About DHCPv6-REQUEST check
Perform this task to use the DHCPv6-REQUEST check feature to protect the DHCPv6 server
against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew
leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages
disable the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge
DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6
clients that still need the IP addresses.
The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every
received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6
snooping entries.
• If any criterion in an entry is matched, the device compares the entry with the message
information.
{ If they are consistent, the device considers the message valid and forwards it to the
DHCPv6 server.
{ If they are different, the device considers the message forged and discards it.
• If no matching entry is found, the device forwards the message to the DHCPv6 server.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCPv6-REQUEST check.
ipv6 dhcp snooping check request-message
By default, DHCPv6-REQUEST check is disabled.
Configuring a DHCPv6 packet blocking port
About DHCPv6 packet blocking port
Perform this task to configure a port as a DHCPv6 packet blocking port. The DHCPv6 packet
blocking port drops all incoming DHCP requests.
To Next Page
Loading...
Need help?
General