12-Security Command Reference
Contents
Source MAC-based ND attack detection commands
display ipv6 nd source-mac configuration
display ipv6 nd source-mac statistics
ipv6 nd source-mac check-interval
ipv6 nd source-mac exclude-mac
reset ipv6 nd source-mac statistics
Interface-based ND attack suppression commands
display ipv6 nd attack-suppression configuration
display ipv6 nd attack-suppression per-interface
display ipv6 nd attack-suppression per-interface interface
ipv6 nd attack-suppression check-interval
ipv6 nd attack-suppression enable per-interface
ipv6 nd attack-suppression suppression-time
ipv6 nd attack-suppression threshold
reset ipv6 nd attack-suppression per-interface
reset ipv6 nd attack-suppression per-interface statistics
Source MAC consistency check commands
ND attack defense commands
Source MAC-based ND attack detection commands
display ipv6 nd source-mac
Use display ipv6 nd source-mac to display source MAC-based ND attack detection entries.
Syntax
In standalone mode:
display ipv6 nd source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]
display ipv6 nd source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ]
display ipv6 nd source-mac slot slot-number [ count | verbose ]
In IRF mode:
display ipv6 nd source-mac interface interface-type interface-number [ chassis chassis-number slot slot-number ] [ verbose ]
display ipv6 nd source-mac { mac mac-address | vlan vlan-id } chassis chassis-number slot slot-number [ verbose ]
display ipv6 nd source-mac chassis chassis-number slot slot-number [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
mac mac-address: Displays the ND attack detection entry for the specified MAC address. The MAC address format is H-H-H.
vlan vlan-id: Displays the source MAC-based ND attack detection entries for the specified VLAN. The VLAN ID is in the range of 1 to 4094.
slot slot-number: Displays the ND attack entries detected by the physical interfaces that reside on the specified card and belong to the specified virtual interface. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the active MPUs and belong to the specified virtual interface. (In standalone mode.)
chassis chassis-number slot slot-number: Displays the ND attack entries detected by the physical interfaces that reside on the specified slot and belong to the virtual interface. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the global active MPU and belong to the virtual interface. (In IRF mode.)
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays source MAC-based ND attack detection entries on the active MPUs. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays source MAC-based ND attack detection entries on the global active MPU. (In IRF mode.)
verbose: Displays detailed information about source MAC-based ND attack detection entries. If you do not specify this keyword, this command displays brief information about the source MAC-based ND attack detection entries.
count: Displays the number of source MAC-based ND attack detection entries. If you do not specify this keyword, the command displays source MAC-based ND attack detection entries.
Usage guidelines
(In standalone mode.) The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.
(In IRF mode.) The chassis chassis-number slot slot-number options are supported only when the interface interface-type interface-number option specifies a virtual interface.
This command supports the following virtual interfaces: Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, and VXLAN VSI interfaces.
If you do not specify any parameters, this command displays all source MAC-based ND attack detection entries.
Examples
# Display source MAC-based ND attack detection entries on GigabitEthernet 3/1/1.
<Sysname> display ipv6 nd source-mac interface gigabitethernet 3/1/1
Source MAC VLAN ID Interface Aging time (sec) Packets dropped
23f3-1122-3344 4094 GE3/1/1 10 18446744073709551615
# Display the number of source MAC-based ND attack detection entries.
<Sysname> display ipv6 nd source-mac count
Total source MAC-based ND attack detection entries: 1
# Display detailed information about source MAC-based ND attack detection entries on GigabitEthernet 3/1/1.
<Sysname> display ipv6 nd source-mac interface gigabitethernet 3/1/1 verbose
Source MAC: 0001-0001-0001
VLAN ID: 4094
Hardware status: Succeeded
Aging time: 10 seconds
Interface: GigabitEthernet3/1/1
Attack time: 2018/06/04 15:53:34
Packets dropped: 18446744073709551615
Table 1 Command output
Field | Description |
---|---|
Source MAC | Source MAC address from which ND attacks are launched. |
VLAN ID | ID of the VLAN where the source MAC-based ND attack is detected. |
Interface | Interface where the source MAC-based ND attack is detected. |
Aging time | Remaining aging time of the source MAC-based ND attack detection entry, in seconds. |
Packets dropped | Total number of dropped packets. This field is not supported on Layer 2 Ethernet interfaces. |
Total source MAC-based ND attack detection entries | Total number of source MAC-based ND attack detection entries. |
Hardware status | Status of delivering the source MAC-based ND attack entry to hardware: Succeeded, Failed, Not supported, or Not enough resources. |
Attack time | Time when the source MAC-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS. |
Related commands
reset ipv6 nd source-mac
reset ipv6 nd source-mac statistics
display ipv6 nd source-mac configuration
Use display ipv6 nd source-mac configuration to display the configuration of source MAC-based ND attack detection.
Syntax
display ipv6 nd source-mac configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of source MAC-based ND attack detection.
<Sysname> display ipv6 nd source-mac configuration
IPv6 ND source-mac is enabled.
Mode: Filter Check interval: 5 seconds
Threshold: 20 Aging time: 300 seconds
Table 2 Command output
Field | Description |
---|---|
IPv6 ND source-mac is enabled. | Source MAC-based ND attack detection is enabled. |
IPv6 ND source-mac is disabled. | Source MAC-based ND attack detection is disabled. |
Mode | Source MAC-based ND attack detection mode: Filter or Monitor. |
Check interval | Check interval of the source MAC-based ND attack detection, in seconds. |
Threshold | Threshold for source MAC-based ND attack detection. |
Aging time | Aging time of the source MAC-based ND attack detection entry, in seconds. |
Related commands
ipv6 nd source-mac
ipv6 nd source-mac aging-time
ipv6 nd source-mac check-interval
ipv6 nd source-mac exclude-mac
ipv6 nd source-mac threshold
display ipv6 nd source-mac statistics
Use display ipv6 nd source-mac statistics to display statistics for ND messages dropped by source MAC-based ND attack detection.
Syntax
In standalone mode:
display ipv6 nd source-mac statistics slot slot-number
In IRF mode:
display ipv6 nd source-mac statistics chassis chassis-number slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Examples
# Display statistics for ND messages dropped by source MAC-based ND attack detection.
<Sysname> display ipv6 nd source-mac statistics slot 3
Dropped ND messages: 100
Table 3 Command output
Field | Description |
---|---|
Dropped ND messages | Number of ND messages dropped by source MAC-based ND attack detection. |
Related commands
reset ipv6 nd source-mac statistics
ipv6 nd source-mac
Use ipv6 nd source-mac to enable source MAC-based ND attack detection and set the detection mode.
Use undo ipv6 nd source-mac to disable source MAC-based ND attack detection.
Syntax
ipv6 nd source-mac { filter | monitor }
undo ipv6 nd source-mac
Default
Source MAC-based ND attack detection is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
filter: Specifies the filter mode.
monitor: Specifies the monitor mode.
Usage guidelines
As a best practice, configure this command on gateway devices.
Source MAC-based ND attack detection checks the number of ND messages delivered to the CPU. If the number of messages from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. The processing of the ND messages sent from the MAC address in this entry depends on the detection mode. With ND logging enabled (by using the ipv6 nd check log enable command), source MAC-based ND attack detection processes the messages as follows:
· Filter mode—Filters out subsequent ND messages sent from the MAC address, and generates log messages.
· Monitor mode—Only generates log messages.
During the ND attack defense period, the device monitors the number of dropped packets in an entry within the aging time:
· If the number of dropped packets is higher than or equal to a calculated value, the device resets the aging time for the entry when the entry ages out.
The calculated value = (aging time/check interval) × source MAC-based ND attack detection threshold
· If the number of dropped packets is lower than the calculated value, the system deletes the entry when the entry ages out and marks the MAC address in the entry as a common MAC address.
When you change the detection mode from monitor to filter, the filter mode takes effect immediately. When you change the detection mode from filter to monitor, the device continues filtering ND messages that match existing attack entries.
Examples
# Enable source MAC-based ND attack detection and set the detection mode to monitor.
<Sysname> system-view
[Sysname] ipv6 nd source-mac monitor
ipv6 nd source-mac aging-time
Use ipv6 nd source-mac aging-time to set the aging time for source MAC-based ND attack detection entries.
Use undo ipv6 nd source-mac aging-time to restore the default.
Syntax
ipv6 nd source-mac aging-time time
undo ipv6 nd source-mac aging-time
Default
The aging time for source MAC-based ND attack detection entries is 300 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time: Specifies the aging time for source MAC-based ND attack detection entries, in the range of 60 to 6000 seconds.
Examples
# Set the aging time to 100 seconds for source MAC-based ND attack detection entries.
<Sysname> system-view
[Sysname] ipv6 nd source-mac aging-time 100
ipv6 nd source-mac check-interval
Use ipv6 nd source-mac check-interval to set the check interval for source MAC-based ND attack detection.
Use undo ipv6 nd source-mac check-interval to restore the default.
Syntax
ipv6 nd source-mac check-interval interval
undo ipv6 nd source-mac check-interval
Default
The check interval is 5 seconds for source MAC-based ND attack detection.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval in seconds. The value range is 5 to 60.
Usage guidelines
The source MAC-based ND attack detection feature checks the number of ND packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. To set the threshold, use the ipv6 nd source-mac threshold command.
If attacks occur frequently in your network, set a short check interval so that source MAC-based ND attacks can be detected promptly. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval to 30 seconds for source MAC-based ND attack detection.
<Sysname> system-view
[Sysname] ipv6 nd source-mac check-interval 30
Related commands
ipv6 nd source-mac threshold
ipv6 nd source-mac exclude-mac
Use ipv6 nd source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ND attack detection.
Use undo ipv6 nd source-mac exclude-mac to remove the excluded MAC addresses.
Syntax
ipv6 nd source-mac exclude-mac mac-address&<1-10>
undo ipv6 nd source-mac exclude-mac [ mac-address&<1-10> ]
Default
No MAC addresses are excluded from source MAC-based ND attack detection.
Views
System view
Predefined user roles
network-admin
Parameters
mac-address&<1-10>: Specifies a space-separated list of up to 10 MAC addresses. The mac-address argument indicates an excluded MAC address in the format of H-H-H.
Usage guidelines
Source MAC-based ND attack detection does not drop ND messages sent from the excluded MAC addresses even if it detects attacks launched from these MAC addresses.
If you do not specify a MAC address, the undo ipv6 nd source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude the MAC address 001e-1200-0213 from source MAC-based ND attack detection.
<Sysname> system-view
[Sysname] ipv6 nd source-mac exclude-mac 001e-1200-0213
ipv6 nd source-mac threshold
Use ipv6 nd source-mac threshold to set the threshold for source MAC-based ND attack detection.
Use undo ipv6 nd source-mac threshold to restore the default.
Syntax
ipv6 nd source-mac threshold threshold-value
undo ipv6 nd source-mac threshold
Default
The threshold for source MAC-based ND attack detection is 30.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold for source MAC-based ND attack detection. The value range is 1 to 5000.
Usage guidelines
If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. To set the check interval, use the ipv6 nd source-mac check-interval command.
Examples
# Set the threshold to 100 for source MAC-based ND attack detection.
<Sysname> system-view
[Sysname] ipv6 nd source-mac threshold 100
Related commands
ipv6 nd source-mac check-interval
reset ipv6 nd source-mac
Use reset ipv6 nd source-mac to delete source MAC-based ND attack detection entries.
Syntax
In standalone mode:
reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]
In IRF mode:
reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Deletes the source MAC-based ND attack entries detected on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
mac mac-address: Deletes the source MAC-based ND attack entry for the specified MAC address. The MAC address format is H-H-H.
vlan vlan-id: Deletes the source MAC-based ND attack entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameters, this command deletes all source MAC-based ND attack detection entries.
Examples
# Delete all source MAC-based ND attack detection entries.
<Sysname> reset ipv6 nd source-mac
Related commands
display ipv6 nd source-mac
reset ipv6 nd source-mac statistics
Use reset ipv6 nd source-mac statistics to clear statistics for ND messages dropped by source MAC-based ND attack detection.
Syntax
In standalone mode:
reset ipv6 nd source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]
In IRF mode:
reset ipv6 nd source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Clears statistics for ND messages dropped by source MAC-based ND attack detection on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
mac mac-address: Clears statistics for ND messages dropped by source MAC-based ND attack detection for the specified MAC address. The MAC address format is H-H-H.
vlan vlan-id: Clears statistics for ND messages dropped by source MAC-based ND attack detection for the specified VLAN. The value range for the VLAN ID is 1 to 4094.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameters, this command clears all statistics for ND messages dropped by source MAC-based ND attack detection.
Examples
# Clear all statistics for ND messages dropped by source MAC-based ND attack detection.
<Sysname> reset ipv6 nd source-mac statistics slot 1
Related commands
display ipv6 nd source-mac
display ipv6 nd source-mac statistics
Interface-based ND attack suppression commands
The interface-based ND attack suppression feature is available only on Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces of the CSPEX cards (except CSPEX-1104-E) and CEPC cards.
display ipv6 nd attack-suppression configuration
Use display ipv6 nd attack-suppression configuration to display the configuration of interface-based ND attack suppression.
Syntax
display ipv6 nd attack-suppression configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of interface-based ND attack suppression.
<Sysname> display ipv6 nd attack-suppression configuration
IPv6 ND attack-suppression per-interface is enabled.
Check interval: 5 seconds Suppression time: 300 seconds
Threshold: 3000
Table 4 Command output
Field | Description |
---|---|
IPv6 ND attack-suppression per-interface is enabled. | The interface-based ND attack suppression is enabled. |
IPv6 ND attack-suppression per-interface is disabled. | The interface-based ND attack suppression is disabled. |
Check interval | Check interval of the interface-based ND attack suppression, in seconds. |
Suppression time | Interface-based ND attack suppression time, in seconds. |
Threshold | Threshold for triggering interface-based ND attack suppression. |
Related commands
ipv6 nd attack-suppression check-interval
ipv6 nd attack-suppression enable per-interface
ipv6 nd attack-suppression suppression-time
display ipv6 nd attack-suppression per-interface
Use display ipv6 nd attack-suppression per-interface to display interface-based ND attack suppression entries.
Syntax
In standalone mode:
display ipv6 nd attack-suppression per-interface slot slot-number [ count | verbose ]
In IRF mode:
display ipv6 nd attack-suppression per-interface chassis chassis-number slot slot-number [ count | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
count: Displays the number of interface-based ND attack suppression entries. If you do not specify this keyword, this command displays interface-based ND attack suppression entries.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all interface-based ND attack suppression entries.
Examples
# Display interface-based ND attack suppression entries on the specified slot.
<Sysname> display ipv6 nd attack-suppression per-interface slot 1
Interface Suppression time (second) Packets dropped
GE3/1/1 200 18446744073709551615
GE3/1/2 140 13829384728123487362
# Display the total number of interface-based ND attack suppression entries on the specified slot.
<Sysname> display ipv6 nd attack-suppression per-interface slot 1 count
Total ND attack suppression entries: 2
# Display detailed information about the interface-based ND attack suppression entries on the specified slot.
<Sysname> display ipv6 nd attack-suppression per-interface slot 1 verbose
Interface: GigabitEthernet3/1/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 18446744073709551615
Interface: GigabitEthernet3/1/2
Suppression time: 140 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 14:53:34
Packets dropped: 13829384728123487362
Table 5 Command output
Field | Description |
---|---|
Interface | Interface in the ND attack suppression entry. |
Suppression time (second) | Suppression time, in seconds. |
Packets dropped | Total number of dropped packets. |
Total ND attack suppression entries | Total number of ND attack suppression entries. |
Hardware status | Status of delivering the interface-based ND attack entry to hardware: Succeeded, Failed, Not supported, or Not enough resources. |
Suppression time | Remaining suppression time, in seconds. |
Attack time | Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS. |
Related commands
reset ipv6 nd attack-suppression per-interface
reset ipv6 nd attack-suppression per-interface statistics
display ipv6 nd attack-suppression per-interface interface
Use display ipv6 nd attack-suppression per-interface interface to display interface-based ND attack suppression entries on an interface.
Syntax
display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number.
verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.
Examples
# Display interface-based ND attack suppression entries on GigabitEthernet 3/1/1.
<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 3/1/1
Interface Suppression time (second) Packets dropped
GE3/1/1 200 18446744073709551615
# Display detailed information about the interface-based ND attack suppression entries on GigabitEthernet 3/1/1.
<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 3/1/1 verbose
Interface: GigabitEthernet3/1/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 18446744073709551615
Table 6 Command output
Field | Description |
---|---|
Interface | Interface in the ND attack suppression entry. |
Suppression time (second) | Suppression time, in seconds. |
Packets dropped | Total number of dropped packets. |
Hardware status | Status of delivering the interface-based ND attack entry to hardware: Succeeded, Failed, Not supported, or Not enough resources. |
Suppression time | Remaining suppression time, in seconds. |
Attack time | Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS. |
Related commands
reset ipv6 nd attack-suppression per-interface
reset ipv6 nd attack-suppression per-interface statistics
ipv6 nd attack-suppression check-interval
Use ipv6 nd attack-suppression check-interval to set the check interval for interface-based ND attack suppression.
Use undo ipv6 nd attack-suppression check-interval to restore the default.
Syntax
ipv6 nd attack-suppression check-interval interval
undo ipv6 nd attack-suppression check-interval
Default
The check interval is 5 seconds for interface-based ND attack suppression.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies a check interval in seconds. The value range is 5 to 60.
Usage guidelines
The interface-based ND attack suppression feature monitors the number of ND requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ND attack suppression threshold, the device creates an ND attack suppression entry for the interface.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval to 30 seconds for interface-based ND attack suppression.
<Sysname> system-view
[Sysname] ipv6 nd attack-suppression check-interval 30
Related commands
display ipv6 nd attack-suppression configuration
ipv6 nd attack-suppression enable per-interface
ipv6 nd attack-suppression enable per-interface
Use ipv6 nd attack-suppression enable per-interface to enable interface-based ND attack suppression.
Use undo ipv6 nd attack-suppression enable per-interface to disable interface-based ND attack suppression.
Syntax
ipv6 nd attack-suppression enable per-interface
undo ipv6 nd attack-suppression enable per-interface
Default
Interface-based ND attack suppression is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this feature to rate limit ND requests on each Layer 3 interface to prevent ND spoofing attacks. This feature monitors the number of ND requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the threshold, the device creates an ND attack suppression entry for the interface. To set the check interval, use the ipv6 nd attack-suppression check-interval command.
During the suppression period, the maximum receiving rate for ND requests is 12800 bytes per second on the interface.
When the suppression time expires, the system examines the number of received ND messages on the interface within the suppression time:
· If the number of the received ND messages is higher than or equal to a calculated value, the device resets the suppression time for the entry and continues the ND suppression on the interface.
The calculated value = (suppression time/check interval) × suppression threshold
· If the number of the received ND messages is lower than the calculated value, the device deletes the suppression entry.
As a best practice, enable this feature on the gateway.
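The interval/threshold/renewal mechanics are the same shape for the source MAC-based detection described under ipv6 nd source-mac and for the interface-based suppression described here, so the following added Python model (not the device's code) serves both: it counts ND messages per subject per check interval, creates an entry when the threshold is exceeded, and at the end of the aging or suppression time renews the entry only when the period counter reaches (hold time / check interval) × threshold. The class and function names, the traffic scenarios, the "hold time" term and the restart of the per-period counter after a renewal are assumptions; the 12800 byte/s limiter applied during suppression is not modelled.

```python
"""Model of the two rate-based ND defenses on this page (added example, not device code):
source MAC-based ND attack detection (ipv6 nd source-mac) and interface-based ND attack
suppression (ipv6 nd attack-suppression). An entry is created when a subject (source MAC
or interface) sends more than `threshold` ND messages in one check interval; at the end
of the hold period it is renewed when the period counter >= (hold_time / check_interval)
* threshold, otherwise deleted."""
from collections import Counter


class NdRateDetector:
    def __init__(self, check_interval, threshold, hold_time, drop_matched, renew_on,
                 exclude=frozenset()):
        self.check_interval = check_interval   # seconds
        self.threshold = threshold             # messages per subject per check interval
        self.hold_time = hold_time             # aging time or suppression time, seconds
        self.drop_matched = drop_matched       # True = source-mac filter mode
        self.renew_on = renew_on               # "dropped" (source-mac) or "received" (per-interface)
        self.exclude = exclude                 # ipv6 nd source-mac exclude-mac: never dropped
        self.window = Counter()                # messages per subject in the current check interval
        self.entries = {}                      # subject -> {"left", "dropped", "received", "renewals"}
        self.dropped = Counter()               # cumulative "Packets dropped" per subject
        self.log = []

    def calculated_value(self):
        return (self.hold_time // self.check_interval) * self.threshold

    def receive(self, subject):
        """One ND message from `subject` reaches the CPU. Returns True if it is processed,
        False if an existing entry filters it."""
        e = self.entries.get(subject)
        if e is None:
            self.window[subject] += 1
            return True
        e["received"] += 1
        if self.drop_matched and subject not in self.exclude:
            e["dropped"] += 1
            self.dropped[subject] += 1
            return False
        return True   # monitor mode, excluded MAC, or interface suppression (limiter not modelled)

    def tick(self):
        """Advance one check interval: age and judge existing entries, then create new ones."""
        for s in list(self.entries):
            e = self.entries[s]
            e["left"] -= self.check_interval
            if e["left"] > 0:
                continue
            if e[self.renew_on] >= self.calculated_value():
                # Assumption: the per-period counter restarts with the renewed period.
                e.update(left=self.hold_time, dropped=0, received=0, renewals=e["renewals"] + 1)
                self.log.append(f"{s}: entry renewed, {self.renew_on} >= {self.calculated_value()}")
            else:
                del self.entries[s]
                self.log.append(f"{s}: entry deleted at age-out, treated as normal again")
        for s, n in self.window.items():
            if n > self.threshold and s not in self.entries:
                self.entries[s] = {"left": self.hold_time, "dropped": 0, "received": 0, "renewals": 0}
                self.log.append(f"{s}: {n} ND messages in {self.check_interval}s exceeds "
                                f"threshold {self.threshold}, entry created")
        self.window.clear()


def source_mac_scenario(mode="filter"):
    """Constructed traffic under ipv6 nd source-mac <mode>, check-interval 5, threshold 20,
    aging-time 60: one host bursts once and then calms down, another keeps flooding."""
    d = NdRateDetector(5, 20, 60, drop_matched=(mode == "filter"), renew_on="dropped")
    burst, flood, quiet = "000c-29aa-bb01", "000c-29aa-bb02", "000c-29aa-bb03"
    for mac, n in ((burst, 25), (flood, 100), (quiet, 3)):
        for _ in range(n):
            d.receive(mac)
    d.tick()   # burst and flood exceed 20 -> entries; quiet stays a common MAC
    for _ in range(12):   # 60 s aging = 12 intervals; calculated value = 12 * 20 = 240
        for mac, n in ((burst, 2), (flood, 100)):
            for _ in range(n):
                d.receive(mac)
        d.tick()
    return {"calculated_value": d.calculated_value(), "entries": sorted(d.entries),
            "dropped": dict(d.dropped),
            "renewals": sum(e["renewals"] for e in d.entries.values()), "log": d.log}


def per_interface_scenario():
    """Constructed traffic under ipv6 nd attack-suppression, check-interval 5, threshold 50,
    suppression-time 30: renewal is judged on received requests, so nothing is dropped."""
    d = NdRateDetector(5, 50, 30, drop_matched=False, renew_on="received")
    for _ in range(60):
        d.receive("GE3/1/1")
        d.receive("GE3/1/2")
    d.tick()   # both interfaces exceed 50 -> suppression entries
    for _ in range(6):    # 30 s = 6 intervals; calculated value = 6 * 50 = 300
        for _ in range(60):
            d.receive("GE3/1/1")          # 360 per period >= 300 -> renewed
        for _ in range(40):
            d.receive("GE3/1/2")          # 240 per period < 300 -> deleted
        d.tick()
    return {"calculated_value": d.calculated_value(), "entries": sorted(d.entries), "log": d.log}
```

Running source_mac_scenario("monitor") shows the asymmetry the guide describes: with nothing dropped, every monitor-mode entry is deleted at age-out in this model, while in filter mode the persistent flooder's entry is renewed.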
Examples
# Enable interface-based ND attack suppression.
<Sysname> system-view
[Sysname] ipv6 nd attack-suppression enable per-interface
Related commands
display ipv6 nd attack-suppression per-interface
ipv6 nd attack-suppression check-interval
ipv6 nd attack-suppression threshold
ipv6 nd attack-suppression suppression-time
Use ipv6 nd attack-suppression suppression-time to set the interface-based ND attack suppression time.
Use undo ipv6 nd attack-suppression suppression-time to restore the default.
Syntax
ipv6 nd attack-suppression suppression-time time
undo ipv6 nd attack-suppression suppression-time
Default
The interface-based ND attack suppression time is 300 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time: Specifies the suppression time in seconds. The value range is 60 to 6000.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the suppression time to 60 seconds for interface-based ND attack suppression.
<Sysname> system-view
[Sysname] ipv6 nd attack-suppression suppression-time 60
Related commands
display ipv6 nd attack-suppression configuration
ipv6 nd attack-suppression enable per-interface
ipv6 nd attack-suppression threshold
Use ipv6 nd attack-suppression threshold to set the threshold for triggering interface-based ND attack suppression.
Use undo ipv6 nd attack-suppression threshold to restore the default.
Syntax
ipv6 nd attack-suppression threshold threshold-value
undo ipv6 nd attack-suppression threshold
Default
The threshold for triggering interface-based ND attack suppression is 1000.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold for triggering interface-based ND attack suppression, in the range of 1 to 5000. The threshold defines the maximum number of ND requests that an interface can receive in each check interval.
Usage guidelines
When the number of ND requests that an interface received within the check interval exceeds the threshold, the device determines that the interface is being attacked. To set the check interval, use the ipv6 nd attack-suppression check-interval command.
Examples
# Set the threshold to 500 for triggering interface-based ND attack suppression.
<Sysname> system-view
[Sysname] ipv6 nd attack-suppression threshold 500
Related commands
display ipv6 nd attack-suppression per-interface
ipv6 nd attack-suppression check-interval
ipv6 nd attack-suppression enable per-interface
reset ipv6 nd attack-suppression per-interface
Use reset ipv6 nd attack-suppression per-interface to delete interface-based ND attack suppression entries.
Syntax
In standalone mode:
reset ipv6 nd attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
reset ipv6 nd attack-suppression per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Deletes interface-based ND attack suppression entries for the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameters, this command deletes all interface-based ND attack suppression entries.
Examples
# Delete all interface-based ND attack suppression entries.
<Sysname> reset ipv6 nd attack-suppression per-interface
Related commands
display ipv6 nd attack-suppression per-interface
reset ipv6 nd attack-suppression per-interface statistics
Use reset ipv6 nd attack-suppression per-interface statistics to clear statistics for ND messages dropped by interface-based ND attack suppression.
Syntax
In standalone mode:
reset ipv6 nd attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
reset ipv6 nd attack-suppression per-interface statistics [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Clears statistics for ND messages dropped by interface-based ND attack suppression on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Usage guidelines
After you execute this command, the value for the Packets dropped field from the output of the display ipv6 nd attack-suppression per-interface command will be cleared.
If you do not specify any parameters, this command clears all statistics for ND messages dropped by interface-based ND attack suppression.
Examples
# Clear statistics for ND messages dropped by interface-based ND attack suppression.
<Sysname> reset ipv6 nd attack-suppression per-interface statistics
Related commands
display ipv6 nd attack-suppression per-interface
Source MAC consistency check commands
ipv6 nd check log enable
Use ipv6 nd check log enable to enable the ND logging feature.
Use undo ipv6 nd check log enable to restore the default.
Syntax
ipv6 nd check log enable
undo ipv6 nd check log enable
Default
The ND logging feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Examples
# Enable the ND logging feature.
<Sysname> system-view
[Sysname] ipv6 nd check log enable
Related commands
ipv6 nd mac-check enable
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check for ND messages is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
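The check compares two fields of the same frame: the Ethernet source MAC and the source link-layer address option inside the ICMPv6 ND message. The following added Python example (not the device's code) builds a Neighbor Solicitation in memory, parses it, and applies that comparison; the function names, the constructed addresses, the zero checksum and the handling of messages without an SLLA option (treated as passing) are assumptions.

```python
"""Source MAC consistency check for ND messages, modelled offline after the gateway check
described for ipv6 nd mac-check enable (added example, not device code). Frames are
constructed in memory; the ICMPv6 checksum is left zero because the check does not use it."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
# Fixed-length part of each ND message type (ICMPv6 header included); options follow it.
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LLA = 1


def mac_to_bytes(mac):
    """H-H-H (the page's MAC format) or colon notation -> 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(raw):
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_ns_frame(eth_src, slla_mac, src_ip6, target_ip6):
    """Construct an Ethernet/IPv6/ICMPv6 Neighbor Solicitation carrying a type-1 source
    link-layer address option. eth_src and slla_mac are independent parameters so that
    inconsistent test frames can be produced."""
    target = ipaddress.IPv6Address(target_ip6)
    # Solicited-node multicast destination: ff02::1:ff00:0/104 plus the low 24 bits of the target.
    dst_ip = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13] + target.packed[13:]
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + target.packed      # type, code, checksum, reserved
    icmp += bytes([OPT_SOURCE_LLA, 1]) + mac_to_bytes(slla_mac)     # option length is in 8-byte units
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip6).packed + dst_ip
    eth_dst = b"\x33\x33" + dst_ip[12:]                              # IPv6 multicast MAC mapping
    eth = eth_dst + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


def parse_nd_frame(frame):
    """Return (Ethernet source MAC, ND type, SLLA option MAC or None).
    Raises ValueError for anything that is not a well-formed ND message.
    Assumption: no IPv6 extension headers sit between the IPv6 header and ICMPv6."""
    if len(frame) < 14 + 40 + 4:
        raise ValueError("frame too short")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError("not IPv6")
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    if next_header != IPPROTO_ICMPV6:
        raise ValueError("not ICMPv6")
    icmp = frame[54:54 + payload_len]
    if len(icmp) != payload_len or icmp[0] not in ND_FIXED_LEN:
        raise ValueError("truncated or not an ND message")
    nd_type = icmp[0]
    opts = icmp[ND_FIXED_LEN[nd_type]:]
    slla = None
    pos = 0
    while pos + 2 <= len(opts):
        otype, olen = opts[pos], opts[pos + 1]
        if olen == 0 or pos + olen * 8 > len(opts):
            raise ValueError("malformed ND option")   # RFC 4861: zero-length options are invalid
        if otype == OPT_SOURCE_LLA and olen == 1:    # Ethernet SLLA occupies one 8-byte unit
            slla = bytes_to_mac(opts[pos + 2:pos + 8])
        pos += olen * 8
    return bytes_to_mac(src), nd_type, slla


def source_mac_consistent(frame):
    """The gateway's test: the Ethernet source MAC must equal the source link-layer address
    option. Returns True (process) or False (drop). Assumption: a message without an SLLA
    option has nothing to compare and passes."""
    eth_src, _nd_type, slla = parse_nd_frame(frame)
    return slla is None or eth_src == slla
```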
Examples
# Enable source MAC consistency check for ND messages.
<Sysname> system-view