Filter
Top Products
DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-53
*1 Gi0/1 0000.0000.0001 110
2 Gi0/2 0000.0000.2222 61
Total:2 host(s)
DES-7200# show nfpp dhcp-guard hosts vlan 1 interface g 0/1 0000.0000.0001
If column 1 shows '*', it means "hardware failed to isolate host".
VLAN interface MAC address remain-time(s)
---- -------- ----------- -------------
*1 Gi0/1 0000.0000.0001 110
Total:1 host(s)
12.7 DHCPv6-guard
12.7.1 DHCPv6-guard
Overview
The DHCPv6 protocol is widely used to dynamically allocate the IPv6 address in the LAN, and
plays an important role in the network security. Being similar to the DHCP attack, the DHCPv6
attack occurs in the way of broadcasting the DHCPv6 request packets through faking the MAC
address. If there are too many DHCPv6 request packets, the attacker may use up the
addresses provided in the DHCPv6 server. To this end, a legal host fails to request for an IPv6
address and access to the network. The workaround for the DHCPv6 attack: one one hand,
you may configure the DHCPv6 packet rate-limit; on the other hand, you may detect and
isolate the attack source.
The DHCPv6 attack detection could be host-based or port-based. Host-based ARP attack
detection adopts the combination of source IP address/VID/port-based. For each attack
detection, you can configure the rate-limit threshold and warning threshold. The DHCPv6
packet will be dropped when the packet rate exceeds the rate-limit threshold. When the
DHCPv6 packet rate exceeds the warning threshold, it will prompt the warning messages and
send the TRAP message. The host-based attack detection can isolate the attack source.
DHCPv6-guard configuration commands include:
Enabling dhcpv6-guard
Configuring the isolated time
Configuring the monitored time
Configuring the monitored host limit