dhcpv6 snooping nomatch-packet ipv6 action forward

Function

The dhcpv6 snooping nomatch-packet ipv6 action forward command configures a forward policy for checking whether IPv6 packets match entries in the DHCPv6 snooping binding table on an interface.

The undo dhcpv6 snooping nomatch-packet ipv6 action forward command restores the discard policy for checking whether IPv6 packets match entries in the DHCPv6 snooping binding table on an interface.

By default, the discard policy is used to check whether IPv6 packets on an interface match entries in the DHCPv6 snooping binding table.

Format

dhcpv6 snooping nomatch-packet ipv6 action forward

undo dhcpv6 snooping nomatch-packet ipv6 action forward

Parameters

None

Views

100GE interface view, 10GE interface view, 25GE interface view, 400GE interface view, 40GE interface view, 50GE interface view, Eth-Trunk interface view, FlexE sub-interface view, FlexE interface view, GE optical interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, VE sub-interface view, Sub-interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
dhcp         write

Usage Guidelines

Usage Scenario

In DHCPv6 applications, if IPv6/MAC spoofing attacks occur, you can configure the device to check IPv6 packets by determining whether the source IPv6 address and source MAC address in the packets match entries in the DHCPv6 snooping binding table. The rules for checking whether IPv6 packets match entries in the DHCPv6 snooping binding table are classified into discard and forward policies.

  • Discard policy: If matching entries in the DHCPv6 snooping binding table cannot be found based on the source IPv6 address, prefix, VLAN ID, and VPN information in IPv6 packets, the packets are directly discarded. If matching entries in the DHCPv6 snooping binding table are found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packets but the source MAC address and interface information do not match, the device discards the packets.
  • Forward policy: If the matching entries in the DHCPv6 snooping binding table cannot be found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packets, the packets are forwarded normally. If matching entries in the DHCPv6 snooping binding table are found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packets but the source MAC address and interface information do not match, the device discards the packets.

By default, the discard policy is used to check whether IPv6 packets on an interface match entries in the DHCPv6 snooping binding table. To switch the policy to the forward policy, run the dhcpv6 snooping nomatch-packet ipv6 action forward command.
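The two policies described above, modelled as a decision function. This is an added example, not Huawei code or the device's implementation; the Binding and Packet types, the check function, the treatment of a prefix binding as "source address falls inside the bound prefix", and all sample values are assumptions made for illustration.

```python
# Simplified model of the discard and forward policies; not the device's implementation.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

@dataclass(frozen=True)
class Binding:              # hypothetical shape of one binding table entry
    net: IPv6Network        # /128 for an address binding, shorter for a prefix (assumption)
    vlan: int
    vpn: str
    mac: str
    interface: str

@dataclass(frozen=True)
class Packet:               # fields of a received IPv6 packet that the check uses
    src: IPv6Address
    vlan: int
    vpn: str
    mac: str
    interface: str

def check(pkt, table, policy="discard"):
    """Return 'forward' or 'discard' for one IPv6 packet under the given policy."""
    if policy not in ("discard", "forward"):
        raise ValueError(policy)
    # Step 1: look up entries by source address/prefix, VLAN ID and VPN.
    hits = [b for b in table
            if pkt.src in b.net and pkt.vlan == b.vlan and pkt.vpn == b.vpn]
    if not hits:
        # No entry for this source: the only case where the two policies differ.
        return "forward" if policy == "forward" else "discard"
    # Step 2: an entry exists, so MAC and interface must match under both policies.
    ok = any(b.mac == pkt.mac and b.interface == pkt.interface for b in hits)
    return "forward" if ok else "discard"

# Constructed sample data (2001:db8::/32 is the documentation prefix).
TABLE = [Binding(IPv6Network("2001:db8:1::10/128"), 10, "vpn-a",
                 "00e0-fc12-3456", "GE0/1/0")]

def pkt(src, mac, ifname="GE0/1/0"):
    return Packet(IPv6Address(src), 10, "vpn-a", mac, ifname)

LEGIT = pkt("2001:db8:1::10", "00e0-fc12-3456")   # matches the binding
SPOOF = pkt("2001:db8:1::10", "00e0-fc99-9999")   # bound address, wrong MAC
STATIC = pkt("2001:db8:1::99", "00e0-fcaa-bbbb")  # no binding for this source

if __name__ == "__main__":
    for name, p in (("legit", LEGIT), ("spoof", SPOOF), ("static", STATIC)):
        print(name, check(p, TABLE, "discard"), check(p, TABLE, "forward"))
```

In this model only the source without a binding changes outcome between the two policies. A packet that reuses a bound address with a different MAC address or interface is discarded under both.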

Prerequisites

DHCPv6 snooping has been enabled globally using the dhcpv6 snooping enable command in the system view.

DHCPv6 snooping has been enabled on the interface using the dhcpv6 snooping enable command in the interface view.

Example

# Configure the forward policy for checking IPv6 packets against the DHCPv6 snooping binding table on GE 0/1/0.
<HUAWEI> system-view
[~HUAWEI] dhcpv6 snooping enable
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] dhcpv6 snooping enable
[*HUAWEI-GigabitEthernet0/1/0] dhcpv6 snooping nomatch-packet ipv6 action forward
Copyright © Huawei Technologies Co., Ltd.