(Optional) Configuring the Alarm Function for IPv6/MAC Spoofing Attacks

This section describes how to configure the device to generate an alarm when the number of discarded IPv6/MAC spoofing attack packets reaches the specified threshold.

Context

After a DHCPv6 snooping binding table is configured, if the information in an IPv6 packet under an IPv6/MAC spoofing attack is inconsistent with that in the binding table, the IPv6 packet will be discarded. You can also configure an alarm threshold for discarding packets. An alarm is generated when the number of discarded packets exceeds the specified threshold.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dhcpv6 snooping check ipv6 enable

    The IPv6 packet check function is enabled on the interface.

  4. Run dhcpv6 snooping alarm ipv6 enable

    The alarm function is enabled for IPv6/MAC spoofing attacks on the interface.

  5. (Optional) Run dhcpv6 snooping alarm ipv6 threshold threshold-value

    An alarm threshold is set for discarding IPv6 packets on the interface.

    Alternatively, you can run the dhcpv6 snooping alarm threshold threshold-value command in the system view to set a global alarm threshold for IPv6 packet discarding.

    If the alarm function for discarding IPv6 packets has been enabled on an interface but no alarm threshold is configured on the interface, the alarm threshold configured in the system view is used. If an alarm threshold is configured both globally and on the interface, the alarm threshold configured on the interface is used.

  6. Run commit

    The configuration is committed.

Parent Topic: Configuring IPv6/MAC Spoofing Attack Defense
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >