Login
- Table of Contents
-
- 14-Security Command Reference
- 00-Preface
- 01-Keychain commands
- 02-Public key management commands
- 03-PKI commands
- 04-SSH commands
- 05-SSL commands
- 06-Packet filter commands
- 07-DHCP snooping commands
- 08-DHCPv6 snooping commands
- 09-ARP attack protection commands
- 10-ND attack defense commands
- 11-Attack detection and prevention commands
- 12-uRPF commands
- 13-IP source guard commands
- 14-Crypto engine commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 08-DHCPv6 snooping commands | 124.55 KB |
Contents
display ipv6 dhcp snooping binding
display ipv6 dhcp snooping binding database
display ipv6 dhcp snooping packet statistics
display ipv6 dhcp snooping pd binding
display ipv6 dhcp snooping trust
ipv6 dhcp snooping binding database filename
ipv6 dhcp snooping binding database update interval
ipv6 dhcp snooping binding database update now
ipv6 dhcp snooping binding record
ipv6 dhcp snooping check request-message
ipv6 dhcp snooping max-learning-num
ipv6 dhcp snooping option interface-id enable
ipv6 dhcp snooping option interface-id string
ipv6 dhcp snooping option remote-id enable
ipv6 dhcp snooping option remote-id string
ipv6 dhcp snooping pd binding record
reset ipv6 dhcp snooping binding
reset ipv6 dhcp snooping packet statistics
reset ipv6 dhcp snooping pd binding
DHCPv6 snooping commands
DHCPv6 snooping works between the DHCPv6 client and the DHCPv6 server or between the DHCPv6 client and DHCPv6 the relay agent. DHCPv6 snooping does not work between the DHCPv6 server and the DHCPv6 relay agent.
display ipv6 dhcp snooping binding
Use display ipv6 dhcp snooping binding to display DHCPv6 snooping address entries.
Syntax
display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
address ipv6-address: Displays the DHCPv6 snooping entry for the specified IPv6 address.
vlan vlan-id: Specifies the ID of the VLAN where the IPv6 address resides.
Usage guidelines
If you do not specify any parameters, this command displays all DHCPv6 snooping address entries.
Examples
# Display all DHCPv6 snooping address entries.
<Sysname> display ipv6 dhcp snooping binding
1 DHCPv6 snooping entries found.
IPv6 address MAC address Lease VLAN SVLAN Interface
================ ============== =========== ==== ===== ========================
2::1 00e0-fc00-0006 54 2 N/A HundredGigE1/0/1
Table 1 Command output
|
Field |
Description |
|
IPv6 Address |
IPv6 address assigned to the DHCPv6 client. |
|
MAC Address |
MAC address of the DHCPv6 client. |
|
Lease |
Remaining lease duration in seconds. |
|
VLAN |
When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCPv6 client resides. |
|
SVLAN |
When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
|
Interface |
Port connecting to the DHCPv6 client. |
Related commands
ipv6 dhcp snooping binding record
reset ipv6 dhcp snooping binding
display ipv6 dhcp snooping binding database
Use display ipv6 dhcp snooping binding database to display information about DHCPv6 snooping entry auto backup.
Syntax
display ipv6 dhcp snooping binding database
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about DHCPv6 snooping entry auto backup.
<Sysname> display ipv6 dhcp snooping binding database
File name : database.dhcp
Username :
Password :
Update interval : 600 seconds
Latest write time : Feb 27 18:48:04 2012
Status : Last write succeeded.
Table 2 Command output
|
Field |
Description |
|
File name |
Name of the DHCPv6 snooping entry backup file. |
|
Username |
Username for accessing the URL of the remote backup file. |
|
Password |
Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured. |
|
Update interval |
Waiting time in seconds after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file. |
|
Latest write time |
Time of the latest update. |
|
Status |
Status of the update: · Writing—The backup file is being updated. · Last write succeeded—The backup file was successfully updated. · Last write failed—The backup file failed to be updated. |
display ipv6 dhcp snooping packet statistics
Use display ipv6 dhcp snooping packet statistics to display DHCPv6 packet statistics for DHCPv6 snooping.
Syntax
display ipv6 dhcp snooping packet statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays DHCPv6 packet statistics for the active MPU.
Examples
# Display DHCPv6 packet statistics for DHCPv6 snooping.
<Sysname> display ipv6 dhcp snooping packet statistics
DHCPv6 packets received : 100
DHCPv6 packets sent : 200
Invalid DHCPv6 packets dropped : 0
Related commands
reset ipv6 dhcp snooping packet statistics
display ipv6 dhcp snooping pd binding
Use display ipv6 dhcp snooping pd binding to display DHCPv6 snooping prefix entries.
Syntax
display ipv6 dhcp snooping pd binding [ prefix prefix/prefix-length [ vlan vlan-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
prefix prefix/prefix-length: Specifies an IPv6 prefix with its length. The value range for the prefix-length argument is 1 to 128.
vlan vlan-id: Specifies the ID of the VLAN where the IPv6 prefix resides. The value range for the vlan-id argument is 1 to 4094.
Usage guidelines
This command takes effect only after you execute the ipv6 dhcp snooping pd binding record command on the port directly connecting to the clients.
If you do not specify any parameters, this command displays all DHCPv6 snooping prefix entries.
Examples
# Display all DHCPv6 snooping prefix entries.
<Sysname> display ipv6 dhcp snooping pd binding
1 DHCPv6 snooping PD entries found.
IPv6 prefix Lease VLAN SVLAN Interface
================ =========== ==== ===== ========================
1:2::/64 54 2 N/A HundredGigE1/0/1
Table 3 Command output
|
Field |
Description |
|
n DHCPv6 snooping PD entries found. |
Total number of DHCPv6 snooping prefix entries. |
|
IPv6 prefix |
IPv6 prefix assigned to the DHCPv6 client. |
|
Lease |
Remaining lease duration in seconds. |
|
VLAN |
When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCPv6 client resides. |
|
SVLAN |
When both DHCPv6 snooping and QinQ are enabled or the DHCPv6 packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
|
Interface |
Port connecting to the DHCPv6 client. |
Related commands
ipv6 dhcp snooping pd binding record
reset ipv6 dhcp snooping pd binding
display ipv6 dhcp snooping trust
Use display ipv6 dhcp snooping trust to display information about trusted ports.
Syntax
display ipv6 dhcp snooping trust
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about trusted ports.
<Sysname> display ipv6 dhcp snooping trust
DHCPv6 snooping is enabled.
Interface Trusted
========================= ============
HundredGigE1/0/1 Trusted
VSI(Trust tunnel) Trusted
========================= ============
Interface SrvID Trusted
=================================== ============
HGE1/0/1 1 Trusted
Table 4 Command output
|
Field |
Description |
|
Interface |
Interface name. |
|
VSI(Trust tunnel) |
VSI name. This field is not supported in the current software version. |
|
SrvID |
This field is not supported in the current software version. ID of the Ethernet service instance on which the mapped AC is configured as a DHCP snooping trusted interface. |
|
Trusted |
DHCP snooping trusted interface. This field displays Trusted if the interface is configured as trusted after the DHCPv6 snooping is enabled. |
Related commands
ipv6 dhcp snooping trust
ipv6 dhcp snooping binding database filename
Use ipv6 dhcp snooping binding database filename to configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.
Use undo ipv6 dhcp snooping binding database filename to disable the auto backup and remove the backup file.
Syntax
ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }
undo ipv6 dhcp snooping binding database filename
Default
The DHCPv6 snooping device does not back up DHCPv6 snooping entries.
Views
System view
Predefined user roles
network-admin
Parameters
filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.
url url: Specifies the URL of a remote backup file. The URL is a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. The supported path format type varies by server.
username username: Specifies the username for accessing the URL of the remote backup file. The username is a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.
Usage guidelines
This command automatically creates the file if you specify a nonexistent file.
With this command executed, the DHCPv6 snooping device backs up its snooping entries immediately and runs auto backup. The snooping device, by default, waits 300 seconds after a DHCPv6 snooping entry change to update the backup file. You can use the ipv6 dhcp snooping binding database update interval command to change the waiting time. If no DHCPv6 snooping entry changes, the backup file is not updated.
As a best practice, back up the DHCPv6 snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCPv6 snooping device malfunction.
When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:
· If the file is on an FTP server, enter URL in the format of ftp://server address:port/file path, where the port number is optional.
· If the file is on a TFTP server, enter URL in the format of tftp://server address:port/file path, where the port number is optional.
· The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.
· If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.
· You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.
Examples
# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping binding database filename database.dhcp
# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the FTP server at 1::1.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping binding database filename url ftp://[1::1]/database.dhcp username 1 password simple 1
# Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to the file database.dhcp in the working directory of the TFTP server at 2::1.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping binding database filename url tftp://[2::1]/database.dhcp
Related commands
ipv6 dhcp snooping binding database update interval
ipv6 dhcp snooping binding database update interval
Use ipv6 dhcp snooping binding database update interval to set the waiting time for the DHCPv6 snooping device to update the backup file after a DHCPv6 snooping entry change.
Use undo ipv6 dhcp snooping binding database update interval to restore the default.
Syntax
ipv6 dhcp snooping binding database update interval interval
undo ipv6 dhcp snooping binding database update interval
Default
The DHCPv6 snooping device waits 300 seconds to update the backup file after a DHCPv6 snooping entry change. If no DHCPv6 snooping entry changes, the backup file is not updated.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Sets the waiting time in seconds, in the range of 60 to 864000.
Usage guidelines
When a DHCPv6 snooping entry is learned, updated, or removed, the waiting period starts. The DHCPv6 snooping device updates the backup file when the waiting period is reached. All snooping entries changed during the period will be saved to the backup file.
The waiting time takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.
Examples
# Set the waiting time to 600 seconds for the DHCPv6 snooping device to update the backup file.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping binding database update interval 600
Related commands
ipv6 dhcp snooping binding database filename
ipv6 dhcp snooping binding database update now
Use ipv6 dhcp snooping binding database update now to manually save DHCPv6 snooping entries to the backup file.
Syntax
ipv6 dhcp snooping binding database update now
Views
System view
Predefined user roles
network-admin
Usage guidelines
Each time this command is executed, the DHCPv6 snooping entries are saved to the backup file.
This command takes effect only after you configure the DHCPv6 snooping entry auto backup by using the ipv6 dhcp snooping binding database filename command.
Examples
# Manually save DHCPv6 snooping entries to the backup file.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping binding database update now
Related commands
ipv6 dhcp snooping binding database filename
ipv6 dhcp snooping binding record
Use ipv6 dhcp snooping binding record to enable recording DHCPv6 snooping address entries.
Use undo ipv6 dhcp snooping binding record to disable recording DHCPv6 snooping address entries.
Syntax
ipv6 dhcp snooping binding record
undo ipv6 dhcp snooping binding record
Default
Recording of DHCPv6 snooping address entries is disabled.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
You can configure this command on the ports that are directly connected to the DHCPv6 clients.
This command enables DHCPv6 snooping to record IP-to-MAC information of the DHCPv6 clients (called DHCPv6 snooping address entries).
Examples
# Enable recording DHCPv6 snooping address entries on HundredGigE 1/0/1.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping binding record
ipv6 dhcp snooping check request-message
Use ipv6 dhcp snooping check request-message to enable the DHCPv6-REQUEST check feature.
Use undo ipv6 dhcp snooping check request-message to disable the DHCPv6-REQUEST check feature.
Syntax
ipv6 dhcp snooping check request-message
undo ipv6 dhcp snooping check request-message
Default
The DHCPv6-REQUEST check feature is disabled.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
Use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. The feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.
· If any criterion in an entry is matched, the device compares the entry with the message information.
¡ If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
¡ If they are different, the device considers the message forged and discards it.
· If no matching entry is found, the device forwards the message to the DHCPv6 server.
Examples
# Enable DHCPv6-REQUEST check.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping check request-message
ipv6 dhcp snooping deny
Use ipv6 dhcp snooping deny to configure a port as DHCPv6 packet blocking port.
Use undo ipv6 dhcp snooping deny to restore the default.
Syntax
ipv6 dhcp snooping deny
undo ipv6 dhcp snooping deny
Default
A port does not block DHCPv6 requests.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
|
|
CAUTION: To avoid IPv6 address and prefix acquisition failure, configure a port to block DHCPv6 packets only if no DHCPv6 clients are connected to it. |
To enable a port on the snooping device to drop all incoming DHCPv6 requests, configure that port as a DHCPv6 packet blocking port.
Examples
# Configure HundredGigE 1/0/1 as a DHCPv6 packet blocking port.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping deny
ipv6 dhcp snooping enable
Use ipv6 dhcp snooping enable to enable DHCPv6 snooping.
Use undo ipv6 dhcp snooping enable to disable DHCPv6 snooping.
Syntax
ipv6 dhcp snooping enable
undo ipv6 dhcp snooping enable
Default
DHCPv6 snooping is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use the DHCPv6 snooping feature together with trusted port configuration. Trusted ports forward responses from DHCPv6 servers and untrusted ports discard responses from DHCPv6 servers. This mechanism ensures that DHCPv6 clients obtain IPv6 addresses or prefixes from authorized DHCPv6 servers.
When DHCPv6 snooping is disabled, all ports on the device forward responses from DHCPv6 servers.
Examples
# Enable DHCPv6 snooping.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping enable
ipv6 dhcp snooping log enable
Use ipv6 dhcp snooping log enable to enable DHCPv6 snooping logging.
Use undo ipv6 dhcp snooping log enable to disable DHCPv6 snooping logging.
Syntax
ipv6 dhcp snooping log enable
undo ipv6 dhcp snooping log enable
Default
DHCPv6 snooping logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command enables the DHCPv6 snooping device to generate DHCPv6 snooping logs and send them to the information center. The log information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see System Management Configuration Guide.
As a best practice, disable this feature if the log generation affects the device performance.
Examples
# Enable DHCPv6 snooping logging.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping log enable
ipv6 dhcp snooping max-learning-num
Use ipv6 dhcp snooping max-learning-num to set the maximum number of DHCPv6 snooping entries for an interface to learn.
Use undo ipv6 dhcp snooping max-learning-num to restore the default.
Syntax
ipv6 dhcp snooping max-learning-num max-number
undo ipv6 dhcp snooping max-learning-num
Default
The number of DHCPv6 snooping entries for an interface to learn is not limited.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
max-number: Sets the maximum number of DHCPv6 snooping entries for an interface to learn. The value range for this argument is 1 to 4294967695.
Usage guidelines
When an interface learns the maximum number of DHCPv6 snooping entries, the interface stops learning DHCPv6 snooping entries. This does not affect the operation of the DHCPv6 snooping feature.
Examples
# Configure the Layer 2 Ethernet interface HundredGigE 1/0/1 to learn a maximum of 10 DHCPv6 snooping entries.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping max-learning-num 10
ipv6 dhcp snooping option interface-id enable
Use ipv6 dhcp snooping option interface-id enable to enable support for the interface-ID option (also called Option 18).
Use undo ipv6 dhcp snooping option interface-id enable to disable support for the interface-ID option.
Syntax
ipv6 dhcp snooping option interface-id enable
undo ipv6 dhcp snooping option interface-id enable
Default
Option 18 is not supported.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
This command takes effect only when DHCPv6 snooping is globally enabled.
Examples
# Enable support for Option 18.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping enable
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping option interface-id enable
Related commands
ipv6 dhcp snooping enable
ipv6 dhcp snooping option interface-id string
ipv6 dhcp snooping option interface-id string
Use ipv6 dhcp snooping option interface-id string to specify the content as the interface ID for Option 18.
Use undo ipv6 dhcp snooping option interface-id string to restore the default.
Syntax
ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id
undo ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string
Default
The DHCPv6 snooping device uses its DUID as the content for Option 18.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
vlan vlan-id: Pads the interface ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the interface ID for packets received from the default VLAN.
interface-id: Specifies a string of 1 to 128 characters as the interface ID.
Examples
# Specify company001 as the interface ID.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping enable
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping option interface-id enable
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping option interface-id string company001
Related commands
ipv6 dhcp snooping enable
ipv6 dhcp snooping option interface-id enable
ipv6 dhcp snooping option remote-id enable
Use ipv6 dhcp snooping option remote-id enable to enable support for the remote-ID option (also called Option 37).
Use undo ipv6 dhcp snooping option remote-id enable to disable support for the remote-ID option.
Syntax
ipv6 dhcp snooping option remote-id enable
undo ipv6 dhcp snooping option remote-id enable
Default
Option 37 is not supported.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
This command takes effect only when DHCPv6 snooping is globally enabled.
Examples
# Enable support for Option 37.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping enable
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping option remote-id enable
Related commands
ipv6 dhcp snooping enable
ipv6 dhcp snooping option remote-id string
ipv6 dhcp snooping option remote-id string
Use ipv6 dhcp snooping option remote-id string to specify the content as the remote ID for Option 37.
Use undo ipv6 dhcp snooping option remote-id string to restore the default.
Syntax
ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id
undo ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string
Default
The DHCPv6 snooping device uses its DUID as the content for Option 37.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
vlan vlan-id: Pads the remote ID for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the remote ID for packets received from the default VLAN.
remote-id: Specifies a string of 1 to 128 characters as the remote ID.
Examples
# Specify device001 as the remote ID.
<Sysname> system-view
[Sysname] ipv6 dhcp snooping enable
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping option remote-id enable
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping option remote-id string device001
Related commands
ipv6 dhcp snooping enable
ipv6 dhcp snooping option remote-id enable
ipv6 dhcp snooping pd binding record
Use ipv6 dhcp snooping pd binding record to enable recording DHCPv6 snooping prefix entries.
Use undo ipv6 dhcp snooping pd binding record to disable recording DHCPv6 snooping prefix entries.
Syntax
ipv6 dhcp snooping pd binding record
undo ipv6 dhcp snooping pd binding record
Default
Recording of DHCPv6 snooping prefix entries is disabled.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
This command enables DHCPv6 snooping to record IPv6 prefix-to-port information of the DHCPv6 clients (called DHCPv6 snooping prefix entries). When IP source guard (IPSG) is configured on the DHCP snooping device, IPSG can generate dynamic bindings based on the DHCP snooping prefix entries to filter out illegitimate packets.
Examples
# Enable DHCPv6 snooping prefix entries on HundredGigE 1/0/1.
<Sysname> system-view
[Sysname]interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping pd binding record
Related commands
display ipv6 dhcp snooping pd binding
ipv6 dhcp snooping rate-limit
Use ipv6 dhcp snooping rate-limit to enable DHCPv6 snooping packet rate limit on an interface and set the limit value.
Use undo ipv6 dhcp snooping rate-limit to disable DHCPv6 snooping packet rate limit.
Syntax
ipv6 dhcp snooping rate-limit rate
undo ipv6 dhcp snooping rate-limit
Default
The DHCPv6 snooping packet rate limit is disabled on an interface.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
rate: Specifies the maximum rate in Kbps. The value range for this argument is 64 to 512.
Usage guidelines
This command takes effect only when DHCPv6 snooping is enabled.
The DHCPv6 packet rate limit feature enables the interface to discard DHCPv6 packets that exceed the maximum rate.
The rate configured on a Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate configured in its Ethernet interface view.
The maximum rate that takes effect can only be an integer multiple of a certain value because of the chip capability. Here is an example. The chip-supported maximum rate is an integer multiple of eight. If you set the maximum rate to 67, the value 64 or 72 takes effect.
Examples
# Configure HundredGigE 1/0/1 to receive DHCPv6 packets at a maximum rate of 64 Kbps.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping rate-limit 64
ipv6 dhcp snooping trust
Use ipv6 dhcp snooping trust to configure a port as a trusted port.
Use undo ipv6 dhcp snooping trust to restore the default state of a port.
Syntax
ipv6 dhcp snooping trust
undo ipv6 dhcp snooping trust
Default
After you enable DHCPv6 snooping, all ports are untrusted.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
Specify the port facing the DHCP server as trusted and specify the other ports as untrusted so DHCP clients can obtain valid IP addresses.
Examples
# Specify HundredGigE 1/0/1 as a trusted port.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 dhcp snooping trust
Related commands
display ipv6 dhcp snooping trust
reset ipv6 dhcp snooping binding
Use reset ipv6 dhcp snooping binding to clear DHCPv6 snooping address entries.
Syntax
reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] }
Views
User view
Predefined user roles
network-admin
Parameters
address ipv6-address: Clears the DHCPv6 snooping entry for the specified IPv6 address.
vlan vlan-id: Clears DHCPv6 snooping address entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCPv6 snooping address entries for the default VLAN.
all: Clears all DHCPv6 snooping address entries.
Usage guidelines
This command applies to all slots on a distributed device.
Examples
# Clear all DHCPv6 snooping address entries.
<Sysname> reset ipv6 dhcp snooping binding all
Related commands
display ipv6 dhcp snooping binding
reset ipv6 dhcp snooping packet statistics
Use reset ipv6 dhcp snooping packet statistics to clear DHCPv6 packet statistics for DHCPv6 snooping.
Syntax
reset ipv6 dhcp snooping packet statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears DHCPv6 packet statistics for the active MPU.
Examples
# Clear DHCPv6 packet statistics for DHCPv6 snooping.
<Sysname> reset ipv6 dhcp snooping packet statistics
Related commands
display ipv6 dhcp snooping packet statistics
reset ipv6 dhcp snooping pd binding
Use reset ipv6 dhcp snooping pd binding to clear DHCPv6 snooping prefix entries.
Syntax
reset ipv6 dhcp snooping pd binding { all | prefix prefix/prefix-length [ vlan vlan-id ] }
Views
User view
Predefined user roles
network-admin
Parameters
all: Clears all DHCPv6 snooping prefix entries.
prefix prefix/prefix-length: Clears DHCPv6 snooping entries for the specified IPv6 prefix. The value range for the prefix-length argument is 1 to 128.
vlan vlan-id: Clears DHCPv6 snooping prefix entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.
Usage guidelines
This command applies to all slots on a distributed device.
If you do not specify any parameters, this command clears all DHCPv6 snooping prefix entries.
Examples
# Clear DHCPv6 snooping prefix entries for 1:2::/64.
<Sysname> reset ipv6 dhcp snooping pd binding prefix 1:2::/64
Related commands
display ipv6 dhcp snooping pd binding
