ipv6 dhcp snooping check request-message
Use ipv6 dhcp snooping check request-message to enable the DHCPv6-REQUEST check feature for the received DHCPv6-RENEW, DHCPv6-DECLINE, and DHCPv6-RELEASE messages.
Use undo ipv6 dhcp snooping check request-message to disable the DHCPv6-REQUEST check feature.
Syntax
ipv6 dhcp snooping check request-message
undo ipv6 dhcp snooping check request-message
Default
DHCPv6-REQUEST check is disabled.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
S-channel interface/S-channel aggregate interface view
VSI interface/VSI aggregate interface view
Predefined user roles
network-admin
Usage guidelines
Use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. The feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.
If any of the criteria in an entry is matched, the device compares the entry with the message information.
If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
If they are different, the device considers the message forged and discards it.
If no matching entry is found, the device forwards the message to the DHCPv6 server.
Examples
# Enable DHCPv6-REQUEST check.
<Sysname> system-view [Sysname] interface Ten-GigabitEthernet1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] ipv6 dhcp snooping check request-message