03-Layer 3—IP Services Command Reference

10-DHCPv6 commands

Contents

DHCPv6 commands
  DHCPv6 client commands
    display ipv6 dhcp client
    display ipv6 dhcp client statistics
    ipv6 address dhcp-alloc
    ipv6 dhcp client dscp
    ipv6 dhcp client duid
    ipv6 dhcp client pd
    ipv6 dhcp client stateful
    ipv6 dhcp client stateless enable
    reset ipv6 dhcp client statistics
  DHCPv6 snooping commands
    display ipv6 dhcp snooping binding
    display ipv6 dhcp snooping binding database
    display ipv6 dhcp snooping packet statistics
    display ipv6 dhcp snooping pd binding
    display ipv6 dhcp snooping trust
    ipv6 dhcp snooping binding database filename
    ipv6 dhcp snooping binding database update interval
    ipv6 dhcp snooping binding database update now
    ipv6 dhcp snooping binding record
    ipv6 dhcp snooping check request-message
    ipv6 dhcp snooping deny
    ipv6 dhcp snooping disable
    ipv6 dhcp snooping enable
    ipv6 dhcp snooping enable vlan
    ipv6 dhcp snooping log enable
    ipv6 dhcp snooping option interface-id enable
    ipv6 dhcp snooping option interface-id string
    ipv6 dhcp snooping option remote-id enable
    ipv6 dhcp snooping option remote-id string
    ipv6 dhcp snooping pd binding record
    ipv6 dhcp snooping rate-limit
    ipv6 dhcp snooping trust
    ipv6 dhcp snooping trust interface
    reset ipv6 dhcp snooping binding
    reset ipv6 dhcp snooping packet statistics
    reset ipv6 dhcp snooping pd binding
  DHCPv6 guard commands
    device-role
    display ipv6 dhcp guard policy
    if-match reply acl
    if-match server acl
    ipv6 dhcp guard apply policy
    ipv6 dhcp guard policy
    preference
    trust port


DHCPv6 commands

DHCPv6 client commands

display ipv6 dhcp client

Use display ipv6 dhcp client to display DHCPv6 client information.

Syntax

display ipv6 dhcp client [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about all DHCPv6 clients.

Examples

# Display the DHCPv6 client information on VLAN-interface 2.

<Sysname> display ipv6 dhcp client interface vlan-interface 2
Vlan-interface2:
  Type: Stateful client requesting address and prefix
    State: OPEN
    Client DUID: 0003000100e002000000
    Preferred server:
      Reachable via address: FE80::2E0:1FF:FE00:18
      Server DUID: 0003000100e001000000
    IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec
      Address: 1:1::2/128
        Preferred lifetime 100 sec, valid lifetime 200 sec
        Will expire on Feb 4 2014 at 15:37:20(288 seconds left)
    IA_PD: IAID 0x00000642, T1 50 sec, T2 80 sec
      Prefix: 12:34::/48
        Preferred lifetime 100 sec, valid lifetime 200 sec
        Will expire on Mar 27 2014 at 08:13:24 (199 seconds left)
    DNS server addresses:
      2:2::3
    Domain name:
      aaa.com
    SIP server addresses:
      2:2::4
    SIP server domain names:
      bbb.com
    Options:
      Code: 88
        Length: 3 bytes
        Hex: AABBCC

Table 1 Command output

| Field | Description |
|---|---|
| Type | Types of DHCPv6 client: Stateful client requesting address—A DHCPv6 client that requests an IPv6 address. Stateful client requesting prefix—A DHCPv6 client that requests an IPv6 prefix. Stateful client requesting address and prefix—A DHCPv6 client that requests an IPv6 address and prefix. Stateless client—A DHCPv6 client that requests configuration parameters other than an IPv6 address and prefix through stateless DHCPv6. |
| State | Current state of the DHCPv6 client: IDLE—The client is in idle state. SOLICIT—The client is locating a DHCPv6 server. REQUEST—The client is requesting an IPv6 address or prefix. OPEN—The client has obtained an IPv6 address or prefix. RENEW—The client is extending the lease (after T1 and before T2). REBIND—The client is extending the lease (after T2 and before the lease expires). RELEASE—The client is releasing an IPv6 address or prefix. DECLINE—The client is declining an IPv6 address or prefix because of an address or prefix conflict. INFO-REQUESTING—The client is requesting configuration parameters through stateless DHCPv6. |
| Client DUID | DUID of the DHCPv6 client. |
| Preferred server | Information about the DHCPv6 server selected by the DHCPv6 client. |
| Reachable via address | Reachable address for the DHCPv6 client. It is the link local address of the DHCPv6 server or DHCPv6 relay agent. |
| Server DUID | DUID of the DHCPv6 server. |
| IA_NA | IA_NA information. |
| IA_PD | IA_PD information. |
| IAID | IA identifier. |
| T1 | T1 value in seconds. |
| T2 | T2 value in seconds. |
| Address | IPv6 address obtained. This field is displayed only when the DHCPv6 client type is Stateful client requesting address. |
| Prefix | IPv6 prefix obtained. This field is displayed only when the DHCPv6 client type is Stateful client requesting prefix. |
| Preferred lifetime | Preferred lifetime in seconds. |
| valid lifetime | Valid lifetime in seconds. |
| Will expire on Feb 4 2014 at 15:37:20 (288 seconds left) | Time when the lease expires and the remaining time of the lease. If the lease expires after the year 2100, this field displays Will expire after 2100. |
| DNS server addresses | IPv6 address of the DNS server. |
| Domain name | Domain name suffix. |
| SIP server addresses | IPv6 address of the SIP server. |
| SIP server domain names | Domain name of the SIP server. |
| Options | Self-defined options. |
| Code | Code of the self-defined option. |
| Length | Self-defined option length in bytes. |
| Hex | Self-defined option content represented by a hexadecimal number. |

Related commands

ipv6 address dhcp-alloc

ipv6 dhcp client duid

ipv6 dhcp client pd

display ipv6 dhcp client statistics

Use display ipv6 dhcp client statistics to display DHCPv6 client statistics.

Syntax

display ipv6 dhcp client statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for all DHCPv6 clients.

Examples

# Display DHCPv6 client statistics on VLAN-interface 2.

<Sysname> display ipv6 dhcp client statistics interface vlan-interface 2
Interface                    :  Vlan-interface2
Packets received             :  1
         Reply               :  1
         Advertise           :  0
         Reconfigure         :  0
         Invalid             :  0
Packets sent                 :  5
         Solicit             :  0
         Request             :  0
         Renew               :  0
         Rebind              :  0
         Information-request :  5
         Release             :  0
         Decline             :  0

Table 2 Command output

| Field | Description |
|---|---|
| Interface | Interface that acts as the DHCPv6 client. |
| Packets Received | Number of received packets. |
| Reply | Number of received reply packets. |
| Advertise | Number of received advertise packets. |
| Reconfigure | Number of received reconfigure packets. |
| Invalid | Number of invalid packets. |
| Packets sent | Number of sent packets. |
| Solicit | Number of sent solicit packets. |
| Request | Number of sent request packets. |
| Renew | Number of sent renew packets. |
| Rebind | Number of sent rebind packets. |
| Information-request | Number of sent information request packets. |
| Release | Number of sent release packets. |
| Decline | Number of sent decline packets. |

Related commands

reset ipv6 dhcp client statistics

ipv6 address dhcp-alloc

Use ipv6 address dhcp-alloc to configure an interface to use DHCPv6 for IPv6 address acquisition.

Use undo ipv6 address dhcp-alloc to stop an interface from using DHCPv6 and to clear the obtained IPv6 address and other configuration parameters.

Syntax

ipv6 address dhcp-alloc [ option-group option-group-number | rapid-commit ] *

undo ipv6 address dhcp-alloc

Default

An interface does not use DHCPv6 to obtain IPv6 addresses and other network settings.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

rapid-commit: Supports rapid address or prefix assignment.

Examples

# Configure VLAN-interface 10 to use DHCPv6 for IPv6 address acquisition. Configure the DHCPv6 client to support rapid address assignment and create dynamic DHCPv6 option group 1 for the configuration parameters obtained.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 address dhcp-alloc rapid-commit option-group 1

Related commands

display ipv6 dhcp client

ipv6 dhcp client dscp

Use ipv6 dhcp client dscp to set the DSCP value for DHCPv6 packets sent by the DHCPv6 client.

Use undo ipv6 dhcp client dscp to restore the default.

Syntax

ipv6 dhcp client dscp dscp-value

undo ipv6 dhcp client dscp

Default

The DSCP value in DHCPv6 packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets the DSCP value for DHCPv6 packets, in the range of 0 to 63.

Usage guidelines

The DSCP value is carried in the Traffic class field of a DHCPv6 packet. It specifies the priority level of the packet and affects the transmission priority of the packet. A larger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for DHCPv6 packets sent by the DHCPv6 client.

<Sysname> system-view

[Sysname] ipv6 dhcp client dscp 30

ipv6 dhcp client duid

Use ipv6 dhcp client duid to configure the DHCPv6 client DUID for an interface.

Use undo ipv6 dhcp client duid to restore the default.

Syntax

ipv6 dhcp client duid { ascii ascii-string | hex hex-string | mac interface-type interface-number }

undo ipv6 dhcp client duid

Default

The interface uses the device bridge MAC address to generate its DHCPv6 client DUID.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

ascii ascii-string: Specifies a case-sensitive ASCII string of 1 to 130 characters as the DHCPv6 client DUID.

hex hex-string: Specifies a hexadecimal number of 2 to 260 characters as the DHCPv6 client DUID.

mac interface-type interface-number: Specifies the MAC address of the specified interface as the DHCPv6 client DUID. The interface-type interface-number arguments specify an interface by its type and number.

Usage guidelines

A DHCPv6 client places its DUID in Option 1 of the DHCPv6 packets that it sends to the DHCPv6 server. The DHCPv6 server can assign specific IPv6 addresses or prefixes to DHCPv6 clients with specific DUIDs.

The DUID of a DHCPv6 client is the globally unique identifier of the client, so make sure the DUID that you configure is unique.
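
To audit DUID uniqueness across devices, the following added example (not from the H3C documentation) decodes DUIDs such as the ones shown by display ipv6 dhcp client and reports any DUID used by more than one device. It assumes the hex string is the complete DUID including the two-byte type code (type codes per RFC 8415 and RFC 6355); the device names and the inventory are constructed sample data.

```python
from collections import defaultdict

# DUID type codes defined in RFC 8415 (1-3) and RFC 6355 (4).
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
MAX_DUID_BYTES = 130  # matches the 260-character limit of "duid hex" on this page


def format_mac(raw):
    """Render a link-layer address in the xxxx-xxxx-xxxx style used on this page."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_duid(hex_string):
    """Decode a DUID given as hex; unknown type codes are reported, not rejected."""
    raw = bytes.fromhex(hex_string)  # raises ValueError on odd length or non-hex
    if not 2 <= len(raw) <= MAX_DUID_BYTES:
        raise ValueError("DUID must be 2 to 130 bytes, got %d" % len(raw))
    code = int.from_bytes(raw[:2], "big")
    info = {"type_code": code, "type": DUID_TYPES.get(code, "unknown")}
    body = raw[2:]
    if code == 3 and len(body) > 2:      # hardware type + link-layer address
        info["hw_type"] = int.from_bytes(body[:2], "big")
        info["lladdr"] = format_mac(body[2:])
    elif code == 1 and len(body) > 6:    # hardware type + time + link-layer address
        info["hw_type"] = int.from_bytes(body[:2], "big")
        info["time"] = int.from_bytes(body[2:6], "big")
        info["lladdr"] = format_mac(body[6:])
    return info


def duids_shared_across_devices(inventory):
    """Return {duid: [devices]} for DUIDs configured on more than one device.

    Interfaces of one device sharing a DUID are not reported, because the
    default DUID is derived from the device bridge MAC address.
    """
    owners = defaultdict(set)
    for (device, _interface), duid in inventory.items():
        owners[duid.lower()].add(device)
    return {d: sorted(devs) for d, devs in owners.items() if len(devs) > 1}


# Constructed inventory: (device, interface) -> DUID hex string.
# The first value is the Client DUID from the display example on this page;
# ffffffff is the value used in the "duid hex" example.
INVENTORY = {
    ("sw1", "Vlan-interface2"): "0003000100e002000000",
    ("sw1", "Vlan-interface10"): "0003000100e002000000",
    ("sw2", "Vlan-interface10"): "ffffffff",
    ("sw3", "Vlan-interface10"): "FFFFFFFF",
}

if __name__ == "__main__":
    for owner, duid in INVENTORY.items():
        print(owner, parse_duid(duid))
    print("shared:", duids_shared_across_devices(INVENTORY))
```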

Examples

# Specify the hexadecimal number FFFFFFFF as the DHCPv6 client DUID for VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client duid hex ffffffff

Related commands

display ipv6 dhcp client

ipv6 dhcp client pd

Use ipv6 dhcp client pd to configure an interface to use DHCPv6 for IPv6 prefix acquisition.

Use undo ipv6 dhcp client pd to stop an interface from using DHCPv6 and to clear the obtained IPv6 prefix and other configuration parameters.

Syntax

ipv6 dhcp client pd prefix-number [ option-group option-group-number | rapid-commit ]*

undo ipv6 dhcp client pd

Default

An interface does not use DHCPv6 for IPv6 prefix acquisition.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

prefix-number: Specifies an IPv6 prefix ID in the range of 1 to 1024. After obtaining an IPv6 prefix, the client assigns the ID to the IPv6 prefix.

rapid-commit: Supports rapid address or prefix assignment.

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

Examples

# Configure VLAN-interface10 to use DHCPv6 for IPv6 prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid prefix assignment.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client pd 1 rapid-commit option-group 1

Related commands

display ipv6 dhcp client

ipv6 dhcp client stateful

Use ipv6 dhcp client stateful to configure an interface to use DHCPv6 for IPv6 address and prefix acquisition.

Use undo ipv6 dhcp client stateful to stop an interface from using DHCPv6 and to clear the obtained IPv6 address, prefix, and other configuration parameters.

Syntax

ipv6 dhcp client stateful prefix prefix-number [ option-group option-group-number | rapid-commit ] *

undo ipv6 dhcp client stateful

Default

An interface does not use DHCPv6 for IPv6 address and prefix acquisition.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

prefix prefix-number: Specifies an IPv6 prefix ID in the range of 1 to 1024. After obtaining an IPv6 prefix, the client assigns the ID to the IPv6 prefix.

rapid-commit: Supports rapid address and prefix assignment.

option-group option-group-number: Enables the DHCPv6 client to create a dynamic DHCPv6 option group for saving the configuration parameters, and assigns an ID to the option group. The value range for the ID is 1 to 100. If you do not specify this option, the DHCPv6 client does not create any dynamic DHCPv6 option groups.

Usage guidelines

If the ipv6 dhcp client stateful command is configured on an interface together with the ipv6 address dhcp-alloc and ipv6 dhcp client pd commands, the ipv6 dhcp client stateful command takes effect. To have the ipv6 address dhcp-alloc and ipv6 dhcp client pd commands take effect, you must execute the undo ipv6 dhcp client stateful command.

Examples

# Configure VLAN-interface 10 to use DHCPv6 for IPv6 address and prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid address and prefix assignment.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 dhcp client stateful prefix 1 rapid-commit option-group 1

Related commands

ipv6 address dhcp-alloc

ipv6 dhcp client pd

ipv6 dhcp client stateless enable

Use ipv6 dhcp client stateless enable to enable stateless DHCPv6.

Use undo ipv6 dhcp client stateless enable to disable stateless DHCPv6.

Syntax

ipv6 dhcp client stateless enable

undo ipv6 dhcp client stateless enable

Default

Stateless DHCPv6 is disabled.

Views

VLAN interface view

Predefined user roles

network-admin

Usage guidelines

Stateless DHCPv6 enables the interface to send an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents for configuration parameters.

Examples

# Enable stateless DHCPv6 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ipv6 dhcp client stateless enable

reset ipv6 dhcp client statistics

Use reset ipv6 dhcp client statistics to clear DHCPv6 client statistics.

Syntax

reset ipv6 dhcp client statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears all DHCPv6 client statistics.

Examples

# Clear all DHCPv6 client statistics.

<Sysname> reset ipv6 dhcp client statistics

Related commands

display ipv6 dhcp client statistics

DHCPv6 snooping commands

DHCPv6 snooping works between the DHCPv6 client and the DHCPv6 server or between the DHCPv6 client and the DHCPv6 relay agent. DHCPv6 snooping does not work between the DHCPv6 server and the DHCPv6 relay agent.

display ipv6 dhcp snooping binding

Use display ipv6 dhcp snooping binding to display DHCPv6 snooping address entries.

Syntax

display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

address ipv6-address: Displays the DHCPv6 snooping entry for the specified IPv6 address.

vlan vlan-id: Specifies the ID of the VLAN where the IPv6 address resides.

Usage guidelines

If you do not specify any parameters, this command displays all DHCPv6 snooping address entries.

Examples

# Display all DHCPv6 snooping address entries.

<Sysname> display ipv6 dhcp snooping binding
1 DHCPv6 snooping entries found.
 IPv6 address     MAC address    Lease       VLAN SVLAN Interface
 ================ ============== =========== ==== ===== ========================
 2::1             00e0-fc00-0006 54          2    N/A   GigabitEthernet1/0/1

Table 3 Command output

| Field | Description |
|---|---|
| IPv6 Address | IPv6 address assigned to the DHCPv6 client. |
| MAC Address | MAC address of the DHCPv6 client. |
| Lease | Remaining lease duration in seconds. |
| VLAN | When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCPv6 client resides. |
| SVLAN | When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
| Interface | Port connecting to the DHCPv6 client. |

Related commands

ipv6 dhcp snooping binding record

reset ipv6 dhcp snooping binding

display ipv6 dhcp snooping binding database

Use display ipv6 dhcp snooping binding database to display information about DHCPv6 snooping entry auto backup.

Syntax

display ipv6 dhcp snooping binding database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCPv6 snooping entry auto backup.

<Sysname> display ipv6 dhcp snooping binding database
File name              :   database.dhcp
Username               :
Password               :
Update interval        :   600 seconds
Latest write time      :   Feb 27 18:48:04 2012
Status                 :   Last write succeeded.

Table 4 Command output

| Field | Description |
|---|---|
| File name | Name of the DHCPv6 snooping entry backup file. |
| Username | Username for accessing the URL of the remote backup file. |
| Password | Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured. |
| Update interval | Waiting time in seconds after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file. |
| Latest write time | Time of the latest update. |
| Status | Status of the update: Writing—The backup file is being updated. Last write succeeded—The backup file was successfully updated. Last write failed—The backup file failed to be updated. |

display ipv6 dhcp snooping packet statistics

Use display ipv6 dhcp snooping packet statistics to display DHCPv6 packet statistics for DHCPv6 snooping.

Syntax

display ipv6 dhcp snooping packet statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays DHCPv6 packet statistics for the master device.

Examples

# Display DHCPv6 packet statistics for DHCPv6 snooping.

<Sysname> display ipv6 dhcp snooping packet statistics
 DHCPv6 packets received                 : 100
 DHCPv6 packets sent                     : 200
 Invalid DHCPv6 packets dropped          : 0

Related commands

reset ipv6 dhcp snooping packet statistics

display ipv6 dhcp snooping pd binding

Use display ipv6 dhcp snooping pd binding to display DHCPv6 snooping prefix entries.

Syntax

display ipv6 dhcp snooping pd binding [ prefix prefix/prefix-length [ vlan vlan-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

prefix prefix/prefix-length: Specifies an IPv6 prefix with its length. The value range for the prefix-length argument is 1 to 128.

vlan vlan-id: Specifies the ID of the VLAN where the IPv6 prefix resides. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

This command takes effect only after you execute the ipv6 dhcp snooping pd binding record command on the port directly connecting to the clients.

If you do not specify any parameters, this command displays all DHCPv6 snooping prefix entries.

Examples

# Display all DHCPv6 snooping prefix entries.

<Sysname> display ipv6 dhcp snooping pd binding
1 DHCPv6 snooping PD entries found.
IPv6 prefix      Lease       VLAN SVLAN Interface
================ =========== ==== ===== ========================
1:2::/64         54          2    N/A   GigabitEthernet1/0/1

Table 5 Command output

| Field | Description |
|---|---|
| n DHCPv6 snooping PD entries found. | Total number of DHCPv6 snooping prefix entries. |
| IPv6 prefix | IPv6 prefix assigned to the DHCPv6 client. |
| Lease | Remaining lease duration in seconds. |
| VLAN | When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCPv6 client resides. |
| SVLAN | When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
| Interface | Port connecting to the DHCPv6 client. |

Related commands

ipv6 dhcp snooping pd binding record

reset ipv6 dhcp snooping pd binding

display ipv6 dhcp snooping trust

Use display ipv6 dhcp snooping trust to display information about trusted ports.

Syntax

display ipv6 dhcp snooping trust

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about trusted ports.

<Sysname> display ipv6 dhcp snooping trust
DHCPv6 snooping is enabled.
Interface                              Trusted             VLAN
============================           ============        =======
GE1/0/1                                -                   100
GE1/0/2                                Trusted             -

VSI name                               Tunnel trusted
============================           ============
a                                      Trusted

AC                                     Trusted
============================           ============

Table 6 Command output

| Field | Description |
|---|---|
| Interface | Interface name. |
| Trusted | Trusted port specified in global DHCPv6 snooping configuration. If the trusted port is specified in VLAN-based DHCPv6 snooping configuration, this field displays a hyphen (-). |
| VLAN | VLAN to which the trusted port belongs. If the trusted port is specified in global DHCPv6 snooping configuration, this field displays a hyphen (-). |
| VSI name | This field is not supported in the current software version. VSI name of the VXLAN tunnel interface. This field is available when you configure the tunnel interface assigned to the VSI as a DHCP snooping trusted interface by using the ipv6 dhcp snooping trust tunnel command. |
| Tunnel trusted | This field is not supported in the current software version. Trusted tunnel interface specified in VXLAN-based DHCPv6 snooping configuration. |
| AC | This field is not supported in the current software version. AC name, which is indicated by the interface name and Ethernet service instance name. This field is available when you configure the AC as the DHCPv6 snooping trusted interface by using the ipv6 dhcp snooping trust command in Ethernet service instance view. |
| Trusted | This field is not supported in the current software version. Trusted AC specified in VXLAN-based DHCPv6 snooping configuration. |

Related commands

ipv6 dhcp snooping trust

ipv6 dhcp snooping binding database filename

Use ipv6 dhcp snooping binding database filename to configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.

Use undo ipv6 dhcp snooping binding database filename to disable the auto backup and remove the backup file.

Syntax

ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo ipv6 dhcp snooping binding database filename

Default

The DHCPv6 snooping device does not back up DHCPv6 snooping entries.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file. The URL is a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. The supported path format type varies by server.

username username: Specifies the username for accessing the URL of the remote backup file. The username is a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

This command automatically creates the file if you specify a nonexistent file.

After you execute this command, the DHCPv6 snooping device backs up its snooping entries immediately and then runs auto backup. By default, the snooping device waits 300 seconds after a DHCPv6 snooping entry change to update the backup file. You can use the ipv6 dhcp snooping binding database update interval command to change the waiting time. If no DHCPv6 snooping entry changes, the backup file is not updated.

As a best practice, back up the DHCPv6 snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and cause the DHCPv6 snooping device to malfunction.

When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·     If the file is on an FTP server, enter the URL in the format ftp://server address:port/file path, where the port number is optional.

·     If the file is on a TFTP server, enter the URL in the format tftp://server address:port/file path, where the port number is optional.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·     If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·     You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename database.dhcp

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the FTP server at 1::1.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename url ftp://[1::1]/database.dhcp username 1 password simple 1

# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the TFTP server at 2::1.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database filename url tftp://[2::1]/database.dhcp

Related commands

ipv6 dhcp snooping binding database update interval

ipv6 dhcp snooping binding database update interval

Use ipv6 dhcp snooping binding database update interval to set the waiting time for the DHCPv6 snooping device to update the backup file after a DHCPv6 snooping entry change.

Use undo ipv6 dhcp snooping binding database update interval to restore the default.

Syntax

ipv6 dhcp snooping binding database update interval interval

undo ipv6 dhcp snooping binding database update interval

Default

The DHCPv6 snooping device waits 300 seconds to update the backup file after a DHCPv6 snooping entry change. If no DHCPv6 snooping entry changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Sets the waiting time in seconds, in the range of 60 to 864000.

Usage guidelines

When a DHCPv6 snooping entry is learned, updated, or removed, the waiting period starts. The DHCPv6 snooping device updates the backup file when the waiting period expires. All snooping entries changed during the period are saved to the backup file.

The waiting time takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.

Examples

# Set the waiting time to 600 seconds for the DHCPv6 snooping device to update the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database update interval 600

Related commands

ipv6 dhcp snooping binding database filename

ipv6 dhcp snooping binding database update now

Use ipv6 dhcp snooping binding database update now to manually save DHCPv6 snooping entries to the backup file.

Syntax

ipv6 dhcp snooping binding database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCPv6 snooping entries are saved to the backup file.

This command takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.

Examples

# Manually save DHCPv6 snooping entries to the backup file.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping binding database update now

Related commands

ipv6 dhcp snooping binding database filename

ipv6 dhcp snooping binding record

Use ipv6 dhcp snooping binding record to enable recording DHCPv6 snooping address entries.

Use undo ipv6 dhcp snooping binding record to disable recording DHCPv6 snooping address entries.

Syntax

ipv6 dhcp snooping binding record

undo ipv6 dhcp snooping binding record

Default

Recording of DHCPv6 snooping address entries is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

VLAN view

Predefined user roles

network-admin

Usage guidelines

You can configure this command on the ports that are directly connected to the DHCPv6 clients.

This command enables DHCPv6 snooping to record IP-to-MAC information of the DHCPv6 clients (called DHCPv6 snooping address entries).

Examples

# Enable recording DHCPv6 snooping address entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping binding record

ipv6 dhcp snooping check request-message

Use ipv6 dhcp snooping check request-message to enable the DHCPv6-REQUEST check feature.

Use undo ipv6 dhcp snooping check request-message to disable the DHCPv6-REQUEST check feature.

Syntax

ipv6 dhcp snooping check request-message

undo ipv6 dhcp snooping check request-message

Default

The DHCPv6-REQUEST check feature is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. The feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.

·     If any criterion in an entry is matched, the device compares the entry with the message information.

¡     If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.

¡     If they are different, the device considers the message forged and discards it.

·     If no matching entry is found, the device forwards the message to the DHCPv6 server.

Examples

# Enable DHCPv6-REQUEST check.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping check request-message

ipv6 dhcp snooping deny

Use ipv6 dhcp snooping deny to configure a port as a DHCPv6 packet blocking port.

Use undo ipv6 dhcp snooping deny to restore the default.

Syntax

ipv6 dhcp snooping deny

undo ipv6 dhcp snooping deny

Default

A port does not block DHCPv6 requests.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

To avoid IPv6 address and prefix acquisition failure, configure a port to block DHCPv6 packets only if no DHCPv6 clients are connected to it.

To enable a port on the snooping device to drop all incoming DHCPv6 requests, configure that port as a DHCPv6 packet blocking port.

Examples

# Configure GigabitEthernet 1/0/1 as a DHCPv6 packet blocking port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping deny

ipv6 dhcp snooping disable

Use ipv6 dhcp snooping disable to disable DHCPv6 snooping on an interface.

Use undo ipv6 dhcp snooping disable to restore the default.

Syntax

ipv6 dhcp snooping disable

undo ipv6 dhcp snooping disable

Default

If you enable DHCPv6 snooping globally or for a VLAN, DHCPv6 snooping is enabled on all interfaces on the device or on all interfaces in the VLAN.

If you do not enable DHCPv6 snooping globally or for a VLAN, DHCPv6 snooping is disabled on all interfaces on the device or on all interfaces in the VLAN.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command allows you to narrow down the interface range where DHCPv6 snooping takes effect. For example, to enable DHCPv6 snooping globally except for a specific interface, you can enable DHCPv6 snooping globally and execute this command on the target interface.

Examples

# Disable DHCPv6 snooping on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping disable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping enable vlan

ipv6 dhcp snooping enable

Use ipv6 dhcp snooping enable to enable DHCPv6 snooping.

Use undo ipv6 dhcp snooping enable to disable DHCPv6 snooping.

Syntax

ipv6 dhcp snooping enable

undo ipv6 dhcp snooping enable

Default

DHCPv6 snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use the DHCPv6 snooping feature together with trusted port configuration. Trusted ports forward responses from DHCPv6 servers and untrusted ports discard responses from DHCPv6 servers. This mechanism ensures that DHCPv6 clients obtain IPv6 addresses or prefixes from authorized DHCPv6 servers.

When DHCPv6 snooping is disabled, all ports on the device forward responses from DHCPv6 servers.

Examples

# Enable DHCPv6 snooping.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

Related commands

ipv6 dhcp snooping disable

ipv6 dhcp snooping enable vlan

Use ipv6 dhcp snooping enable vlan to enable DHCPv6 snooping for VLANs.

Use undo ipv6 dhcp snooping enable vlan to disable DHCPv6 snooping for VLANs.

Syntax

ipv6 dhcp snooping enable vlan vlan-id-list

undo ipv6 dhcp snooping enable vlan vlan-id-list

Default

DHCPv6 snooping is disabled for all VLANs.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.

Usage guidelines

After you enable DHCPv6 snooping for a VLAN, DHCPv6 snooping untrusted ports in the VLAN discard incoming DHCPv6 responses. This mechanism ensures that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers.

After you disable DHCPv6 snooping for a VLAN, all interfaces in the VLAN can forward DHCPv6 responses.

After you enable DHCPv6 snooping globally, all VLANs on the device are also enabled with DHCPv6 snooping. To disable DHCPv6 snooping in a VLAN, disable DHCPv6 snooping globally and in the VLAN.

Examples

# Enable DHCPv6 snooping for VLAN 5, VLANs 10 through 20, and VLAN 32.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable vlan 5 10 to 20 32

Related commands

ipv6 dhcp snooping disable

ipv6 dhcp snooping trust interface

ipv6 dhcp snooping log enable

Use ipv6 dhcp snooping log enable to enable DHCPv6 snooping logging.

Use undo ipv6 dhcp snooping log enable to disable DHCPv6 snooping logging.

Syntax

ipv6 dhcp snooping log enable

undo ipv6 dhcp snooping log enable

Default

DHCPv6 snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCPv6 snooping device to generate DHCPv6 snooping logs and send them to the information center. The log information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

Examples

# Enable DHCPv6 snooping logging.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping log enable

ipv6 dhcp snooping option interface-id enable

Use ipv6 dhcp snooping option interface-id enable to enable support for the interface-ID option (also called Option 18).

Use undo ipv6 dhcp snooping option interface-id enable to disable support for the interface-ID option.

Syntax

ipv6 dhcp snooping option interface-id enable

undo ipv6 dhcp snooping option interface-id enable

Default

Option 18 is not supported.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when DHCPv6 snooping is globally enabled.

Examples

# Enable support for Option 18.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id enable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option interface-id string

ipv6 dhcp snooping option interface-id string

Use ipv6 dhcp snooping option interface-id string to specify the content as the interface ID for Option 18.

Use undo ipv6 dhcp snooping option interface-id string to restore the default.

Syntax

ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id

undo ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string

Default

The DHCPv6 snooping device uses its DUID as the content for Option 18.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the interface ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the interface ID for packets received from the default VLAN.

interface-id: Specifies a string of 1 to 128 characters as the interface ID.

Examples

# Specify company001 as the interface ID.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id enable

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option interface-id string company001

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option interface-id enable

ipv6 dhcp snooping option remote-id enable

Use ipv6 dhcp snooping option remote-id enable to enable support for the remote-ID option (also called Option 37).

Use undo ipv6 dhcp snooping option remote-id enable to disable support for the remote-ID option.

Syntax

ipv6 dhcp snooping option remote-id enable

undo ipv6 dhcp snooping option remote-id enable

Default

Option 37 is not supported.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when DHCPv6 snooping is globally enabled.

Examples

# Enable support for Option 37.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id enable

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option remote-id string

ipv6 dhcp snooping option remote-id string

Use ipv6 dhcp snooping option remote-id string to specify the content as the remote ID for Option 37.

Use undo ipv6 dhcp snooping option remote-id string to restore the default.

Syntax

ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id

undo ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string

Default

The DHCPv6 snooping device uses its DUID as the content for Option 37.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the remote ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the remote ID for packets received from the default VLAN.

remote-id: Specifies a string of 1 to 128 characters as the remote ID.

Examples

# Specify device001 as the remote ID.

<Sysname> system-view

[Sysname] ipv6 dhcp snooping enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id enable

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping option remote-id string device001

Related commands

ipv6 dhcp snooping enable

ipv6 dhcp snooping option remote-id enable

ipv6 dhcp snooping pd binding record

Use ipv6 dhcp snooping pd binding record to enable recording DHCPv6 snooping prefix entries.

Use undo ipv6 dhcp snooping pd binding record to disable recording DHCPv6 snooping prefix entries.

Syntax

ipv6 dhcp snooping pd binding record

undo ipv6 dhcp snooping pd binding record

Default

Recording of DHCPv6 snooping prefix entries is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

VLAN view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCPv6 snooping to record IPv6 prefix-to-port information of the DHCPv6 clients (called DHCPv6 snooping prefix entries). When IP source guard (IPSG) is configured on the DHCPv6 snooping device, IPSG can generate dynamic bindings based on the DHCPv6 snooping prefix entries to filter out illegitimate packets.

Examples

# Enable recording DHCPv6 snooping prefix entries on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping pd binding record

Related commands

display ipv6 dhcp snooping pd binding

ipv6 dhcp snooping rate-limit

Use ipv6 dhcp snooping rate-limit to enable DHCPv6 snooping packet rate limit on an interface and set the limit value.

Use undo ipv6 dhcp snooping rate-limit to disable DHCPv6 snooping packet rate limit.

Syntax

ipv6 dhcp snooping rate-limit rate

undo ipv6 dhcp snooping rate-limit

Default

The DHCPv6 snooping packet rate limit is disabled on an interface.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum rate in Kbps. The value range is 64 to 512.

Usage guidelines

This command takes effect only when DHCPv6 snooping is enabled.

The DHCPv6 packet rate limit feature enables the interface to discard DHCPv6 packets that exceed the maximum rate.

The rate configured on a Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate configured in its Ethernet interface view.

The chip-supported maximum rate is an integer multiple of eight. If you set the maximum rate to 67, the value 64 or 72 takes effect.

Examples

# Configure GigabitEthernet 1/0/1 to receive DHCPv6 packets at a maximum rate of 64 Kbps.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping rate-limit 64

ipv6 dhcp snooping trust

Use ipv6 dhcp snooping trust to configure a port as a trusted port.

Use undo ipv6 dhcp snooping trust to restore the default state of a port.

Syntax

ipv6 dhcp snooping trust

undo ipv6 dhcp snooping trust

Default

After you enable DHCPv6 snooping, all ports are untrusted.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Specify the port facing the DHCPv6 server as trusted and specify the other ports as untrusted so that DHCPv6 clients can obtain valid IPv6 addresses.

Examples

# Specify GigabitEthernet 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp snooping trust

Related commands

display ipv6 dhcp snooping trust

ipv6 dhcp snooping trust interface

Use ipv6 dhcp snooping trust interface to configure a port in a VLAN as a DHCPv6 snooping trusted port.

Use undo ipv6 dhcp snooping trust interface to restore the default state of a port in a VLAN.

Syntax

ipv6 dhcp snooping trust interface interface-type interface-number

undo ipv6 dhcp snooping trust interface interface-type interface-number

Default

After you enable DHCPv6 snooping for a VLAN, all ports in the VLAN are DHCPv6 snooping untrusted ports.

Views

VLAN view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

In a VLAN, specify the port facing the DHCPv6 server as trusted and specify the other ports as untrusted so that DHCPv6 clients can obtain valid IPv6 addresses.

You can execute this command multiple times in a VLAN to configure multiple trusted ports in the VLAN.

Make sure the specified port is in the VLAN for which the ipv6 dhcp snooping enable vlan command is configured.

Examples

# In VLAN 1, configure GigabitEthernet 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-vlan1] ipv6 dhcp snooping trust interface gigabitethernet 1/0/1

Related commands

ipv6 dhcp snooping enable vlan

reset ipv6 dhcp snooping binding

Use reset ipv6 dhcp snooping binding to clear DHCPv6 snooping address entries.

Syntax

reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

address ipv6-address: Clears the DHCPv6 snooping entry for the specified IPv6 address.

vlan vlan-id: Clears DHCPv6 snooping address entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCPv6 snooping address entries for the default VLAN.

all: Clears all DHCPv6 snooping address entries.

Examples

# Clear all DHCPv6 snooping address entries.

<Sysname> reset ipv6 dhcp snooping binding all

Related commands

display ipv6 dhcp snooping binding

reset ipv6 dhcp snooping packet statistics

Use reset ipv6 dhcp snooping packet statistics to clear DHCPv6 packet statistics for DHCPv6 snooping.

Syntax

reset ipv6 dhcp snooping packet statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears DHCPv6 packet statistics for the master device.

Examples

# Clear DHCPv6 packet statistics for DHCPv6 snooping.

<Sysname> reset ipv6 dhcp snooping packet statistics

Related commands

display ipv6 dhcp snooping packet statistics

reset ipv6 dhcp snooping pd binding

Use reset ipv6 dhcp snooping pd binding to clear DHCPv6 snooping prefix entries.

Syntax

reset ipv6 dhcp snooping pd binding { all | prefix prefix/prefix-length [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all DHCPv6 snooping prefix entries.

prefix prefix/prefix-length: Clears DHCPv6 snooping entries for the specified IPv6 prefix. The value range for the prefix-length argument is 1 to 128.

vlan vlan-id: Clears DHCPv6 snooping prefix entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command clears all DHCPv6 snooping prefix entries.

Examples

# Clear DHCPv6 snooping prefix entries for 1:2::/64.

<Sysname> reset ipv6 dhcp snooping pd binding prefix 1:2::/64

Related commands

display ipv6 dhcp snooping pd binding
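Several of the snooping commands above depend on each other (trusted ports, global enable, binding records, rate granularity), and those dependencies can be checked against a saved configuration. The following Python linter is an added example, not H3C code: the sample configuration is constructed, the finding names are hypothetical, and the configuration layout (sections separated by `#`, section headers in column 0, commands indented) is an assumption.

```python
import re

PFX = "ipv6 dhcp snooping "

# Constructed sample in the assumed saved-configuration layout.
SAMPLE = """\
#
 ipv6 dhcp snooping enable vlan 10
#
interface GigabitEthernet1/0/1
 ipv6 dhcp snooping option interface-id enable
 ipv6 dhcp snooping check request-message
 ipv6 dhcp snooping rate-limit 67
#
interface GigabitEthernet1/0/2
 ipv6 dhcp snooping deny
#
"""

# Each finding is tied to a statement in the command descriptions above.
WHY = {
    "no-trusted-port": "snooping is enabled but no port is trusted; untrusted "
                       "ports discard responses from DHCPv6 servers",
    "interface-id-needs-global-enable": "Option 18 support takes effect only "
                                        "when snooping is globally enabled",
    "remote-id-needs-global-enable": "Option 37 support takes effect only "
                                     "when snooping is globally enabled",
    "deny-on-client-port": "port records client entries but also blocks all "
                           "incoming DHCPv6 requests",
    "request-check-without-entries": "no binding record is configured, so there "
                                     "are no entries to check and messages are forwarded",
    "rate-not-multiple-of-8": "the chip applies a multiple of eight, so the "
                              "effective rate differs from the configured one",
}


def parse_sections(config: str) -> dict:
    """Group commands by section; global commands land in 'system'."""
    sections = {"system": []}
    current = "system"
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.strip() == "#":
            current = "system"
        elif raw[0] in " \t":
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def lint(config: str) -> list:
    """Return (section, finding) pairs in configuration order."""
    sec = parse_sections(config)
    system = sec["system"]
    global_on = PFX + "enable" in system
    vlan_on = any(c.startswith(PFX + "enable vlan ") for c in system)
    ifaces = {n: c for n, c in sec.items() if n.startswith("interface ")}
    vlans = {n: c for n, c in sec.items() if n.startswith("vlan ")}
    trusted = [n for n, c in ifaces.items() if PFX + "trust" in c]
    trusted += [n for n, c in vlans.items()
                if any(x.startswith(PFX + "trust interface ") for x in c)]
    recording = any(PFX + "binding record" in c
                    for c in list(ifaces.values()) + list(vlans.values()))

    findings = []
    if (global_on or vlan_on) and not trusted:
        findings.append(("system", "no-trusted-port"))
    for name, cmds in ifaces.items():
        for opt in ("interface-id", "remote-id"):
            if f"{PFX}option {opt} enable" in cmds and not global_on:
                findings.append((name, f"{opt}-needs-global-enable"))
        if PFX + "deny" in cmds and PFX + "binding record" in cmds:
            findings.append((name, "deny-on-client-port"))
        if PFX + "check request-message" in cmds and not recording:
            findings.append((name, "request-check-without-entries"))
        for cmd in cmds:
            m = re.fullmatch(re.escape(PFX) + r"rate-limit (\d+)", cmd)
            if m and int(m.group(1)) % 8:
                findings.append((name, "rate-not-multiple-of-8"))
    return findings


if __name__ == "__main__":
    for section, code in lint(SAMPLE):
        print(f"{section}: {code}: {WHY[code]}")
```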

DHCPv6 guard commands

The DHCPv6 guard feature operates correctly only when the device is located between the DHCPv6 client and the DHCPv6 server or between the DHCPv6 client and the DHCPv6 relay agent. If the device is located between the DHCPv6 server and the DHCPv6 relay agent, the DHCPv6 guard feature cannot operate correctly.

When the DHCPv6 guard feature is configured on a DHCPv6 snooping device, both features can take effect. The device forwards DHCPv6 reply packets received on a DHCPv6 snooping trusted port only if they pass the DHCPv6 guard check. These packets are dropped if they fail the DHCPv6 guard check.

device-role

Use device-role to set the role of the device attached to the target interface or VLAN.

Use undo device-role to restore the default.

Syntax

device-role { client | server }

undo device-role

Default

The role is DHCPv6 client for the device attached to the target interface or VLAN.

Views

DHCPv6 guard policy view

Predefined user roles

network-admin

Parameters

client: Sets the device role to DHCPv6 client.

server: Sets the device role to DHCPv6 server.

Usage guidelines

The target interface or VLAN refers to the interface or VLAN to which a DHCPv6 guard policy is applied. The device makes forwarding decisions based on the device role as follows:

·     Drops DHCPv6 replies received from the device with the device role of DHCPv6 client.

·     Forwards DHCPv6 replies received from the device with the device role of DHCPv6 server only if the packets pass the DHCPv6 guard check.

If the target interface or VLAN is attached to an authorized DHCPv6 server, set the device role to DHCPv6 server for the authorized DHCPv6 server. If no authorized DHCPv6 servers are attached to the target interface or VLAN, set the device role to DHCPv6 client for devices attached to the target interface or VLAN.

The trust port command has a higher priority than the device-role command. If you configure both commands for a DHCPv6 guard policy, the trust port command takes effect.

Examples

# Set the role to DHCPv6 server for the device attached to the target interface or VLAN.

<Sysname> system-view

[Sysname] ipv6 dhcp guard policy p1

[Sysname-dhcp6-guard-policy-p1] device-role server

display ipv6 dhcp guard policy

Use display ipv6 dhcp guard policy to display information about DHCPv6 guard policies.

Syntax

display ipv6 dhcp guard policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Displays detailed information about a DHCPv6 guard policy. This argument specifies the name of a DHCPv6 guard policy, a case-insensitive string of 1 to 63 characters. If you do not specify this argument, the command displays brief information about all DHCPv6 guard policies.

Examples

# Display detailed information about DHCPv6 guard policy p1.

<Sysname> display ipv6 dhcp guard policy p1

Guard policy: p1

  Device-role: Server

  Trusted port: No

  Server preference min value: 23

  Server preference max value: 45

  Server rule: ACL sed

  Reply rule: ACL 3434

  Applied to interfaces: GE1/0/1, GE1/0/2

  Applied to VLANs: 100

# Display brief information about all DHCPv6 guard policies.

<Sysname> display ipv6 dhcp guard policy

Guard policy: p1

  Device-role: server

  Trusted port: No

  Server preference min value: 23

  Server preference max value: 45

  Server rule: ACL sed

  Reply rule: ACL 3434

 

Guard policy: p2

  Device-role: Server

  Trusted port: Yes

  Server preference min value: 12

  Server preference max value: 34

Table 7 Command output

| Field | Description |
|---|---|
| Guard policy | DHCPv6 guard policy name. |
| Device-role | Device role: Client (DHCPv6 client role) or Server (DHCPv6 server role). |
| Trusted port | Whether the trusted port is configured for the guard policy. |
| Server preference min value | Minimum preference value of the DHCPv6 server. This field is displayed only when the preference min command is configured. |
| Server preference max value | Maximum preference value of the DHCPv6 server. This field is displayed only when the preference max command is configured. |
| Server rule | DHCPv6 server address match criterion. This field is displayed only when the if-match server acl command is configured. |
| Reply rule | Match criterion for the assigned IPv6 addresses/prefixes. This field is displayed only when the if-match reply acl command is configured. |
| Applied to interfaces | Interfaces to which the DHCPv6 guard policy is applied. Interfaces are separated by commas (,). This field is not displayed when the command displays brief information about DHCPv6 guard policies. |
| Applied to VLANs | VLANs to which the DHCPv6 guard policy is applied. VLANs are separated by commas (,). This field is not displayed when the command displays brief information about DHCPv6 guard policies. |

Related commands

ipv6 dhcp guard policy

if-match reply acl

Use if-match reply acl to configure a match criterion for IPv6 addresses/prefixes assigned by a DHCPv6 server.

Use undo if-match reply acl to restore the default.

Syntax

if-match reply acl { acl-number | name acl-name }

undo if-match reply acl

Default

No match criterion is configured for the assigned IPv6 addresses/prefixes, and all assigned IPv6 addresses/prefixes can pass the address/prefix check.

Views

DHCPv6 guard policy view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL number. The value range for this argument is as follows:

·     2000 to 2999 for a basic ACL.

·     3000 to 3999 for an advanced ACL.

name acl-name: Specifies a basic or advanced ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

Usage guidelines

The device uses the source IPv6 address attributes in the specified ACL to match the assigned IPv6 address/prefix in the received DHCPv6 Reply message.

·     If the assigned IPv6 address/prefix matches a permit statement in the ACL, the device forwards the Reply message. If the assigned IPv6 address/prefix does not match the ACL, the device drops the Reply message.

·     If the ACL does not have any source IPv6 address attributes, all DHCPv6 Reply messages fail the address/prefix check and are dropped.

·     If the ACL does not exist or does not have any rules, all DHCPv6 Reply messages can pass the check.

If you execute this command multiple times for a DHCPv6 guard policy, the most recent configuration takes effect.

Examples

# Specify ACL 2233 to match IPv6 addresses/prefixes assigned by a DHCPv6 server.

<Sysname> system-view

[Sysname] ipv6 dhcp guard policy p1

[Sysname-dhcp6-guard-policy-p1] if-match reply acl 2233

Related commands

acl (ACL and QoS Command Reference)

rule (IPv6 advanced ACL view) (ACL and QoS Command Reference)

rule (IPv6 basic ACL view) (ACL and QoS Command Reference)

if-match server acl

Use if-match server acl to configure a DHCPv6 server match criterion.

Use undo if-match server acl to restore the default.

Syntax

if-match server acl { acl-number | name acl-name }

undo if-match server acl

Default

No DHCPv6 server match criterion is configured, and all DHCPv6 servers are authorized.

Views

DHCPv6 guard policy view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL number. The value range for this argument is as follows:

·     2000 to 2999 for a basic ACL.

·     3000 to 3999 for an advanced ACL.

name acl-name: Specifies a basic or advanced ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter and, to avoid confusion, cannot be all.

Usage guidelines

The device uses the source IPv6 address attributes in the specified ACL to match the source IPv6 address in the received DHCPv6 Advertise message.

·     If the source IPv6 address matches a permit statement in the ACL, the device continues to use the other criteria to verify the message. If the source IPv6 address does not match the ACL, the device drops the Advertise message.

·     If the ACL does not have any source IPv6 address attributes, all DHCPv6 Advertise messages fail the address check and are dropped.

·     If the ACL does not exist or does not have any rules, all DHCPv6 Advertise messages can pass the check.

If you execute this command multiple times for a DHCPv6 guard policy, the most recent configuration takes effect.

Examples

# Specify ACL 2323 to match DHCPv6 servers.

<Sysname> system-view

[Sysname] ipv6 dhcp guard policy p1

[Sysname-dhcp6-guard-policy-p1] if-match server acl 2323

Related commands

acl (ACL and QoS Command Reference)

rule (IPv6 advanced ACL view) (ACL and QoS Command Reference)

rule (IPv6 basic ACL view) (ACL and QoS Command Reference)

ipv6 dhcp guard apply policy

Use ipv6 dhcp guard apply policy to apply a DHCPv6 guard policy to an interface or a VLAN.

Use undo ipv6 dhcp guard apply policy to restore the default.

Syntax

ipv6 dhcp guard apply policy policy-name

undo ipv6 dhcp guard apply policy

Default

No DHCPv6 guard policy is applied to an interface or VLAN.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DHCPv6 guard policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The DHCPv6 guard policy applied to an interface checks all incoming DHCPv6 replies if the interface is not configured as a trusted port for the DHCPv6 guard policy.

If you apply a nonexistent DHCPv6 guard policy to an interface, the device forwards received DHCPv6 replies without checking them.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply DHCPv6 guard policy p1 to GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 dhcp guard apply policy p1

Related commands

ipv6 dhcp guard policy

ipv6 dhcp guard policy

Use ipv6 dhcp guard policy to create a DHCPv6 guard policy and enter its view, or enter the view of an existing DHCPv6 guard policy.

Use undo ipv6 dhcp guard policy to delete a DHCPv6 guard policy.

Syntax

ipv6 dhcp guard policy policy-name

undo ipv6 dhcp guard policy policy-name

Default

No DHCPv6 guard policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DHCPv6 guard policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

To provide a finer level of filtering granularity, you can specify the following parameters for a DHCPv6 guard policy:

·     Device role of the device that is attached to the target interface or VLAN.

·     DHCPv6 server match criterion.

·     Match criterion for IPv6 addresses/prefixes assigned by DHCPv6 servers.

·     Allowed DHCPv6 server preference range.

The DHCPv6 guard feature runs correctly after you create a DHCPv6 guard policy and apply it to a VLAN or an interface. The DHCPv6 guard feature determines whether to forward DHCPv6 replies based on the match criteria. Only packets that match all criteria are forwarded.

Examples

# Create DHCPv6 guard policy p1 and enter its view.

<Sysname> system-view

[Sysname] ipv6 dhcp guard policy p1

[Sysname-dhcp6-guard-policy-p1]

Related commands

display ipv6 dhcp guard policy

ipv6 dhcp guard apply policy

preference

Use preference to specify an allowed DHCPv6 server preference range.

Use undo preference to restore the maximum or minimum preference to the default value.

Syntax

preference { max max-value | min min-value } *

undo preference [ max | min ]

Default

No DHCPv6 server preference range is configured, and DHCPv6 servers with preferences 1 to 255 can pass the preference check.

Views

DHCPv6 guard policy view

Predefined user roles

network-admin

Parameters

max max-value: Specifies the maximum value of the DHCPv6 server preference, in the range of 1 to 255. The default is 255.

min min-value: Specifies the minimum value of the DHCPv6 server preference, in the range of 1 to 255. The default is 1. The minimum value cannot be higher than the maximum value.

Usage guidelines

The device uses the specified range to match the DHCPv6 server preference in the received DHCPv6 Advertise message.

·     If the DHCPv6 server preference is in the allowed range, the device continues to use the other criteria to further match the message.

·     If the DHCPv6 server preference in the Advertise message is beyond the allowed range or the message does not carry the preference, the device drops the message.

If you execute this command multiple times for a DHCPv6 guard policy, the most recent configuration takes effect.

Examples

# Set the allowed range to 1 to 100 for the DHCPv6 server preference.

<Sysname> system-view

[Sysname] ipv6 dhcp guard policy p1

[Sysname-dhcp6-guard-policy-p1] preference max 100 min 1

trust port

Use trust port to configure the port to which the DHCPv6 guard policy applies as a trusted port for the policy.

Use undo trust port to restore the default.

Syntax

trust port

undo trust port

Default

No trusted port is configured for a DHCPv6 guard policy.

Views

DHCPv6 guard policy view

Predefined user roles

network-admin

Usage guidelines

After you configure this command for a DHCPv6 guard policy, the interface and all interfaces in the VLAN to which the DHCPv6 guard policy is applied are trusted ports. The device forwards DHCPv6 replies received on the trusted ports without checking them.

The trust port command has a higher priority than the device-role command. If you configure both commands for a DHCPv6 guard policy, the trust port command takes effect.

Examples

# Configure the port as a trusted port for the DHCPv6 guard policy.

<Sysname> system-view

[Sysname] ipv6 dhcp guard policy p1

[Sysname-dhcp6-guard-policy-p1] trust port
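The forwarding rules stated in the device-role, if-match server acl, if-match reply acl, preference, and trust port descriptions combine as in the following Python model. It is an added example, not H3C code: the class and function names are hypothetical and the ACL contents are constructed. It assumes that the first matching ACL rule decides, that the preference check runs only when a range is configured, and that each Reply carries one assigned address or prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    source: Optional[str] = None       # source IPv6 prefix; None = no source attribute


Acl = Optional[List[Rule]]             # None = ACL not configured or does not exist


@dataclass
class GuardPolicy:
    device_role: str = "client"        # default role stated on this page
    trust_port: bool = False
    server_acl: Acl = None             # if-match server acl
    reply_acl: Acl = None              # if-match reply acl
    pref_min: Optional[int] = None     # preference min
    pref_max: Optional[int] = None     # preference max


@dataclass
class ServerMsg:
    kind: str                          # "advertise" or "reply"
    source: str                        # source IPv6 address of the packet
    preference: Optional[int] = None   # Advertise only; None = option absent
    assigned: Optional[str] = None     # Reply only: assigned address or prefix


def acl_check(acl: Acl, value: str) -> bool:
    """Apply the three ACL outcomes listed for both if-match commands."""
    if not acl:                        # ACL missing or without rules: pass
        return True
    sourced = [r for r in acl if r.source is not None]
    if not sourced:                    # rules exist, none has a source attribute
        return False
    target = ip_network(value, strict=False)
    for rule in sourced:               # assumption: first matching rule decides
        if target.subnet_of(ip_network(rule.source, strict=False)):
            return rule.action == "permit"
    return False                       # nothing matched: drop


def guard_decision(policy: Optional[GuardPolicy], msg: ServerMsg) -> Tuple[str, str]:
    """Return (action, reason) for a server-to-client DHCPv6 message."""
    if policy is None:                 # nonexistent policy applied to the interface
        return "forward", "applied policy does not exist"
    if policy.trust_port:              # trust port outranks device-role
        return "forward", "trusted port"
    if policy.device_role == "client":
        return "drop", "device-role client"
    if msg.kind == "advertise":
        if not acl_check(policy.server_acl, msg.source):
            return "drop", "server ACL"
        if policy.pref_min is not None or policy.pref_max is not None:
            low = policy.pref_min if policy.pref_min is not None else 1
            high = policy.pref_max if policy.pref_max is not None else 255
            if msg.preference is None or not low <= msg.preference <= high:
                return "drop", "preference"
    elif msg.kind == "reply":
        if not acl_check(policy.reply_acl, msg.assigned):
            return "drop", "reply ACL"
    return "forward", "passed all configured criteria"


# Constructed policy: role and preference range mirror the display sample for
# p1 on this page; the ACL contents are made up for the example.
P1 = GuardPolicy(device_role="server", pref_min=23, pref_max=45,
                 server_acl=[Rule("permit", "fe80::1/128")],
                 reply_acl=[Rule("permit", "2001:db8:10::/64")])

if __name__ == "__main__":
    for m in (ServerMsg("advertise", "fe80::1", preference=30),
              ServerMsg("advertise", "fe80::1"),
              ServerMsg("reply", "fe80::1", assigned="2001:db8:99::5")):
        print(m.kind, m.source, guard_decision(P1, m))
```

The model makes two pass-through cases easy to see: a policy that references a missing or empty ACL imposes no restriction, and trust port bypasses every other criterion in the policy.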
