Enabling DHCPv6-REQUEST check, Configuring DHCPv6 packet rate limit – H3C Technologies H3C S5560 Series Switches User Manual

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Set the maximum number of DHCPv6 snooping entries for the interface to learn. | ipv6 dhcp snooping max-learning-num number | By default, the number of DHCPv6 snooping entries for an interface to learn is not limited. |

Enabling DHCPv6-REQUEST check

Perform this task to use the DHCPv6-REQUEST check function to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages prevent the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.

The DHCPv6-REQUEST check function enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.

- If any of the criteria in an entry is matched, the device compares the entry with the message information.
  - If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
  - If they are different, the device considers the message forged and discards it.
- If no matching entry is found, the device forwards the message to the DHCPv6 server.
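
The decision rules above, written out as a simplified model (an added example, not H3C code). The entry fields (MAC, IPv6 address, VLAN, port), the choice of MAC and IPv6 address as lookup keys, and all sample values are assumptions, because the manual page does not list the match criteria.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    # Assumed entry fields; the page does not list the match criteria.
    mac: str
    ipv6: str
    vlan: int
    port: str

CHECKED = {"RENEW", "DECLINE", "RELEASE"}  # message types named on the page

def request_check(msg_type, msg, entries):
    """Return 'forward' or 'discard' for one client message (simplified model)."""
    if msg_type not in CHECKED:
        return "forward"  # outside the scope of this check
    # An entry is a candidate when any lookup key matches (assumed keys: MAC, IPv6).
    candidates = [e for e in entries if e.mac == msg.mac or e.ipv6 == msg.ipv6]
    if not candidates:
        return "forward"  # no matching entry: passed to the server unchecked
    # Consistent with a candidate entry -> valid; otherwise treated as forged.
    return "forward" if msg in candidates else "discard"

# Constructed sample data (documentation prefix 2001:db8::/32).
TABLE = [Binding("00e0-fc00-0001", "2001:db8::10", 10, "GE1/0/1")]

def demo():
    legit = Binding("00e0-fc00-0001", "2001:db8::10", 10, "GE1/0/1")
    forged = Binding("00e0-fc00-0bad", "2001:db8::10", 10, "GE1/0/7")
    unknown = Binding("00e0-fc00-0002", "2001:db8::20", 10, "GE1/0/2")
    return {
        "legit RENEW": request_check("RENEW", legit, TABLE),
        "forged RELEASE": request_check("RELEASE", forged, TABLE),
        "unknown DECLINE": request_check("DECLINE", unknown, TABLE),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The third case is the one to keep in mind when deploying the check: a message that matches no snooping entry is forwarded, so the check only protects leases for which the device holds an entry.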

To enable DHCPv6-REQUEST check:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Enable DHCPv6-REQUEST check. | ipv6 dhcp snooping check request-message | By default, DHCPv6-REQUEST check is disabled. You can enable the function only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. |

Configuring DHCPv6 packet rate limit

The DHCPv6 packet rate limit feature discards DHCPv6 packets that exceed the limit, to prevent attacks that send large numbers of DHCPv6 packets.

To configure DHCPv6 packet rate limit:
