Configuring DHCPv6 Packet Rate Limit; Enabling DHCPv6-REQUEST Check - HPE FlexNetwork 10500 Series Configuration Manual

Layer 3 - IP Services

Step 3. Set the maximum number of DHCPv6 snooping entries for the interface to learn.
    Command: ipv6 dhcp snooping max-learning-num max-number
    Remarks: By default, the number of DHCPv6 snooping entries for an interface to learn is not limited.

Configuring DHCPv6 packet rate limit

The DHCPv6 packet rate limit feature discards DHCPv6 packets that arrive faster than the configured rate, protecting the device against attacks that flood it with large numbers of DHCPv6 packets.
To configure DHCPv6 packet rate limit:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Set the maximum rate at which an interface can receive DHCPv6 packets.
    Command: ipv6 dhcp snooping rate-limit rate
    Remarks: By default, incoming DHCPv6 packets on an interface are not rate limited.
    The rate configured on a Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate configured in its Ethernet interface view.

Enabling DHCPv6-REQUEST check

Perform this task to use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses, which prevents the victim DHCPv6 server from releasing those addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.
The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against its DHCPv6 snooping entries:
- If the message matches any criterion in an entry, the device compares the message information with that entry.
  - If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
  - If they differ, the device considers the message forged and discards it.
- If no matching entry is found, the device forwards the message to the DHCPv6 server. The check therefore protects only leases that the snooping device has learned; a message for an address with no snooping entry is not blocked.
To enable DHCPv6-REQUEST check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
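The DHCPv6-REQUEST check decision described above, modelled as an added Python example (this is illustration code, not HPE's implementation). The snooping-entry fields used as match criteria (IPv6 address, client MAC address, DUID and ingress interface) are assumed for the example, since the manual only says a message is checked against snooping entries; the entries and messages are constructed sample data. It shows the three outcomes: a consistent message is forwarded, a message that matches an entry on one criterion but differs elsewhere is dropped as forged, and a message for an address with no snooping entry is forwarded unchecked.

```python
"""Model of the DHCPv6-REQUEST check decision described in the manual.

Added example, not HPE code. The fields of a snooping entry used as match
criteria (IPv6 address, client MAC, DUID, ingress interface) are assumed
here; the manual only says a message is checked against snooping entries.
"""
from dataclasses import dataclass, astuple

# Only these message types are subject to the check; everything else passes.
CHECKED_TYPES = frozenset({"RENEW", "DECLINE", "RELEASE"})


@dataclass(frozen=True)
class SnoopingEntry:
    """One DHCPv6 snooping entry learned from a completed lease (assumed fields)."""
    ipv6: str
    mac: str
    duid: str
    interface: str


@dataclass(frozen=True)
class Message:
    """The information the snooping device extracts from a received message."""
    msg_type: str
    ipv6: str       # address the client is renewing, declining or releasing
    mac: str        # source MAC of the frame carrying the message
    duid: str       # client DUID carried in the message
    interface: str  # interface the message arrived on


def check_request(msg: Message, entries: list[SnoopingEntry]) -> str:
    """Return "forward" or "drop" following the manual's decision rules."""
    if msg.msg_type not in CHECKED_TYPES:
        return "forward"
    # Rule 1: any single criterion matching an entry triggers the comparison.
    candidates = [e for e in entries
                  if msg.ipv6 == e.ipv6 or msg.mac == e.mac or msg.duid == e.duid]
    # Rule 3: no matching entry, so the message is forwarded unchecked.
    if not candidates:
        return "forward"
    # Rule 2: the message is valid only if it is consistent with a matched entry.
    info = (msg.ipv6, msg.mac, msg.duid, msg.interface)
    if any(astuple(e) == info for e in candidates):
        return "forward"
    return "drop"   # matched an entry but the details differ: treated as forged


# Constructed sample data: one legitimate client with a learned lease.
ENTRIES = [
    SnoopingEntry("2001:db8:1::10", "00:11:22:33:44:55",
                  "00:03:00:01:00:11:22:33:44:55", "GigabitEthernet1/0/1"),
]


def run_scenarios() -> dict[str, str]:
    """Evaluate representative messages and return the device's decision for each."""
    legit = ENTRIES[0]
    cases = {
        # The real client releases its own address from its own port.
        "legit_release": Message("RELEASE", legit.ipv6, legit.mac,
                                 legit.duid, legit.interface),
        # Attacker on another port releases the victim's address: the IPv6
        # address matches an entry, so it is compared, and MAC/DUID/port differ.
        "forged_release": Message("RELEASE", legit.ipv6, "aa:bb:cc:dd:ee:ff",
                                  "00:03:00:01:aa:bb:cc:dd:ee:ff",
                                  "GigabitEthernet1/0/2"),
        # Attacker spoofs the victim's MAC and DUID but sends from the wrong port.
        "forged_renew_wrong_port": Message("RENEW", legit.ipv6, legit.mac,
                                           legit.duid, "GigabitEthernet1/0/2"),
        # Forged RENEW for an address the snooping device never learned:
        # no entry matches, so the message is forwarded (the documented caveat).
        "unknown_address_renew": Message("RENEW", "2001:db8:1::99",
                                         "aa:bb:cc:dd:ee:ff",
                                         "00:03:00:01:aa:bb:cc:dd:ee:ff",
                                         "GigabitEthernet1/0/2"),
        # Message types outside RENEW/DECLINE/RELEASE are not checked.
        "solicit": Message("SOLICIT", "::", "aa:bb:cc:dd:ee:ff",
                           "00:03:00:01:aa:bb:cc:dd:ee:ff", "GigabitEthernet1/0/2"),
    }
    return {name: check_request(m, ENTRIES) for name, m in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The `unknown_address_renew` case is the one to keep in mind when relying on this feature: the check can only reject forgeries for leases the snooping device has actually observed, so it belongs on the access ports where clients obtain their leases, with the snooping entries populated before the protection is counted on.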
