dhcpv6 snooping nomatch-packet ipv6 action forward (System view)

Function

The dhcpv6 snooping nomatch-packet ipv6 action forward command configures a forward policy as the matching rule of the DHCPv6 snooping binding table for IPv6 packets.

The undo dhcpv6 snooping nomatch-packet ipv6 action forward command restores the discard policy for checking IPv6 packets against the DHCPv6 snooping binding table.

By default, a discard policy is used to check whether global IPv6 packets match the DHCPv6 snooping binding table.

Format

dhcpv6 snooping nomatch-packet ipv6 action forward

undo dhcpv6 snooping nomatch-packet ipv6 action forward

Parameters

None

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
dhcp write

Usage Guidelines

Usage Scenario

In DHCPv6 applications, if IPv6/MAC spoofing attacks occur, you can configure the device to check IPv6 packets by determining whether the source IPv6 address and source MAC address in IPv6 packets match entries in the DHCPv6 snooping binding table. The rules for checking whether IPv6 packets match entries in the DHCPv6 snooping binding table are classified into discard and forward policies.

  • Discard policy: If matching entries in the DHCPv6 snooping binding table cannot be found based on the source IPv6 address, prefix, VLAN ID, and VPN information in IPv6 packets, the packets are directly discarded. If matching entries in the DHCPv6 snooping binding table are found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packets but the source MAC address and interface information do not match, the device discards the packets.
  • Forward policy: If matching entries in the DHCPv6 snooping binding table cannot be found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packets, the packets are forwarded normally. If matching entries in the DHCPv6 snooping binding table are found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packets but the source MAC address and interface information do not match, the device discards the packets.

By default, the discard policy is used to check whether IPv6 packets on an interface match entries in the DHCPv6 snooping binding table. To switch the policy to the forward policy, run the dhcpv6 snooping nomatch-packet ipv6 action forward command.
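The two policies above can be compared with a small Python model, added here as an illustration; it is not Huawei code or the device's implementation. The binding entries, addresses, VPN name, and interface names are constructed, and the model assumes that a packet matching an entry on every field is forwarded.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

@dataclass(frozen=True)
class Binding:
    prefix: IPv6Network  # address (/128) or delegated prefix in the binding table
    vlan: int
    vpn: str
    mac: str
    interface: str

@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    vlan: int
    vpn: str
    mac: str
    interface: str

def check(pkt, table, policy):
    """Return 'forward' or 'discard' for one packet under the given policy."""
    if policy not in ("discard", "forward"):
        raise ValueError(f"unknown policy: {policy}")
    # Step 1: find entries by source IPv6 address/prefix, VLAN ID and VPN.
    hits = [b for b in table
            if pkt.src in b.prefix and pkt.vlan == b.vlan and pkt.vpn == b.vpn]
    if not hits:
        return policy  # no entry: the only case where the two policies differ
    # Step 2: an entry exists, so source MAC and interface must also match.
    if any(b.mac == pkt.mac and b.interface == pkt.interface for b in hits):
        return "forward"  # assumption: a fully consistent packet is forwarded
    return "discard"      # a mismatch is dropped under both policies

# Constructed sample data (documentation addresses, made-up MACs and ports).
TABLE = [
    Binding(IPv6Network("2001:db8:1::10/128"), 10, "vpn-a", "00e0-fc12-3456", "GE0/1/1"),
    Binding(IPv6Network("2001:db8:100::/56"), 10, "vpn-a", "00e0-fc12-9999", "GE0/1/2"),
]
PACKETS = {
    "bound host": Packet(IPv6Address("2001:db8:1::10"), 10, "vpn-a", "00e0-fc12-3456", "GE0/1/1"),
    "bound address, wrong MAC": Packet(IPv6Address("2001:db8:1::10"), 10, "vpn-a", "00e0-fc00-0001", "GE0/1/1"),
    "bound prefix, wrong port": Packet(IPv6Address("2001:db8:100:1::5"), 10, "vpn-a", "00e0-fc12-9999", "GE0/1/1"),
    "unbound source": Packet(IPv6Address("2001:db8:1::99"), 10, "vpn-a", "00e0-fc00-0002", "GE0/1/1"),
}

def compare_policies():
    """Map each sample packet to its (discard-policy, forward-policy) verdict."""
    return {name: (check(p, TABLE, "discard"), check(p, TABLE, "forward"))
            for name, p in PACKETS.items()}
```

In this model only the unbound source changes verdict between the policies: a packet that reuses a bound address or prefix with the wrong MAC or interface is still discarded under the forward policy, while a source with no binding entry is no longer checked at all.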

Prerequisites

DHCPv6 snooping has been enabled globally using the dhcpv6 snooping enable command.

Example

# Configure a global forward policy for checking IPv6 packets against the DHCPv6 snooping binding table.
<HUAWEI> system-view
[~HUAWEI] dhcpv6 snooping enable
[~HUAWEI] dhcpv6 snooping nomatch-packet ipv6 action forward
Copyright © Huawei Technologies Co., Ltd.