14-ND attack defense commands
Contents
ND attack defense commands
ND packet rate limit commands
ipv6 nd rate-limit
ipv6 nd rate-limit log enable
ipv6 nd rate-limit log interval
Source MAC consistency check commands
ipv6 nd check log enable
ipv6 nd mac-check enable
IPv6 destination guard commands
display ipv6 destination-guard
ipv6 destination-guard
ipv6 destination-guard global enable
ND attack defense commands
ND packet rate limit commands
ipv6 nd rate-limit
Use ipv6 nd rate-limit to enable ND packet rate limit.
Use undo ipv6 nd rate-limit to disable ND packet rate limit.
Syntax
ipv6 nd rate-limit [ pps ]
undo ipv6 nd rate-limit
Default
ND packet rate limit is enabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Layer 3 Ethernet interface view
Layer 3 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
pps: Specifies the upper limit for the ND packet receiving rate, in packets per second (pps). The value range and the default value vary by device model. If you do not specify a limit, the default value applies.
Examples
# Enable ND packet rate limit on Layer 2 Ethernet interface FortyGigE 1/0/1, and set the rate limit to 50 pps.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] ipv6 nd rate-limit 50
ipv6 nd rate-limit log enable
Use ipv6 nd rate-limit log enable to enable logging for ND packet rate limit.
Use undo ipv6 nd rate-limit log enable to disable logging for ND packet rate limit.
Syntax
ipv6 nd rate-limit log enable
undo ipv6 nd rate-limit log enable
Default
Logging for ND packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
When logging for ND packet rate limit is enabled, the device sends a log message to the information center at each sending interval, reporting the highest ND packet rate that crossed the threshold during that interval. You can configure the information center module to set the log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for ND packet rate limit.
<Sysname> system-view
[Sysname] ipv6 nd rate-limit log enable
Related commands
ipv6 nd rate-limit log interval
ipv6 nd rate-limit log interval
Use ipv6 nd rate-limit log interval to set the log message sending interval for ND packet rate limit.
Use undo ipv6 nd rate-limit log interval to restore the default.
Syntax
ipv6 nd rate-limit log interval interval
undo ipv6 nd rate-limit log interval
Default
The device sends log messages every 60 seconds when the ND packet receiving rate on an interface exceeds the limit.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
The configured interval takes effect only when both ND packet rate limit (ipv6 nd rate-limit) and logging for ND packet rate limit (ipv6 nd rate-limit log enable) are enabled.
Examples
# Configure the device to send log messages every 120 seconds when the ND packet receiving rate on an interface exceeds the limit.
<Sysname> system-view
[Sysname] ipv6 nd rate-limit log interval 120
Related commands
ipv6 nd rate-limit log enable
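A Python model of the logging behaviour documented for the three rate-limit commands above, added here as an example (it is not the device's own software). It assumes per-second ND packet counts per interface as input and reports, once per log interval, the highest rate that crossed the limit in that interval; the sample counts and the log-line wording are constructed.

```python
# Added example, not from the command reference or the device software: a Python
# model of the documented logging behaviour of "ipv6 nd rate-limit" combined with
# "ipv6 nd rate-limit log enable" and "ipv6 nd rate-limit log interval".
# Per-second ND packet counts on each interface are compared with the pps limit;
# at the end of every log interval one message per interface reports the highest
# rate that crossed the limit in that interval (nothing is sent for quiet windows).
from collections import defaultdict

def flush(peak, limit_pps):
    """Turn the per-interface peaks of one window into log lines and reset them."""
    lines = [f"{ifname}: ND packet rate {rate} pps exceeded the limit of {limit_pps} pps"
             for ifname, rate in sorted(peak.items())]
    peak.clear()
    return lines

def rate_limit_logs(samples, limit_pps, log_interval=60):
    """samples: iterable of (second, interface, nd_packets_received_in_that_second).
    Returns the log lines the model hands to the information center, in order."""
    peak = defaultdict(int)          # interface -> highest threshold-crossed rate so far
    logs, window_end = [], None
    for sec, ifname, pps in sorted(samples):
        if window_end is None:
            window_end = sec + log_interval
        while sec >= window_end:     # the interval elapsed: emit the window and move on
            logs += flush(peak, limit_pps)
            window_end += log_interval
        if pps > limit_pps:          # only threshold-crossed rates are ever reported
            peak[ifname] = max(peak[ifname], pps)
    if window_end is not None:       # report whatever crossed the limit in the last window
        logs += flush(peak, limit_pps)
    return logs

# Constructed sample: 50 pps limit, 60 s interval, two interfaces over about two minutes.
SAMPLES = [(0, "FGE1/0/1", 40), (1, "FGE1/0/1", 70), (2, "FGE1/0/1", 90),
           (5, "FGE1/0/2", 55), (61, "FGE1/0/1", 120)]

if __name__ == "__main__":
    for line in rate_limit_logs(SAMPLES, 50, 60):
        print(line)
```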
Source MAC consistency check commands
ipv6 nd check log enable
Use ipv6 nd check log enable to enable the ND logging feature.
Use undo ipv6 nd check log enable to restore the default.
Syntax
ipv6 nd check log enable
undo ipv6 nd check log enable
Default
The ND logging feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Examples
# Enable the ND logging feature.
<Sysname> system-view
[Sysname] ipv6 nd check log enable
Related commands
ipv6 nd mac-check enable
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check for ND messages is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Use this command to enable source MAC consistency check on a gateway. For each ND message, the gateway compares the source MAC address in the Ethernet frame header with the source link-layer address carried in the ND message. If the two addresses are inconsistent, the gateway drops the ND message.
Examples
# Enable source MAC consistency check for ND messages.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
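A Python model of the source MAC consistency check described above, added here as an example (it is not the device's own software). It parses a constructed Ethernet/IPv6/ICMPv6 frame, compares the frame's source MAC with the Source Link-Layer Address option (RFC 4861 option type 1), and reports whether the gateway would forward or drop the message; it assumes that an ND message carrying no such option is forwarded, since there is nothing to compare.

```python
# Added example, not from the command reference or the device software: a Python
# model of the check that "ipv6 nd mac-check enable" performs on a gateway. The
# Ethernet source MAC of an ND message must equal the MAC carried in its Source
# Link-Layer Address option (ICMPv6 option type 1, RFC 4861); a mismatch is dropped.
import struct

ETH, IP6 = 14, 40   # Ethernet and IPv6 header lengths
ND_FIXED = {133: ("RS", 8), 134: ("RA", 16), 135: ("NS", 24), 136: ("NA", 24)}  # type: (name, fixed length incl. ICMPv6 header)

def parse_nd(frame):
    """Return (eth_src_mac, slla_option_mac_or_None, nd_type_name), or None if not ND."""
    if len(frame) < ETH + IP6 + 8 or frame[12:14] != b"\x86\xdd" or frame[ETH + 6] != 58:
        return None                  # not an IPv6 frame carrying ICMPv6
    icmp = frame[ETH + IP6:]
    if icmp[0] not in ND_FIXED:
        return None                  # ICMPv6, but not a Neighbor Discovery message
    name, fixed = ND_FIXED[icmp[0]]
    opts, slla = icmp[fixed:], None
    while len(opts) >= 8:            # walk the TLV options (length unit is 8 bytes)
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):
            break                    # malformed option list: stop parsing, keep what we have
        if otype == 1 and olen == 8:
            slla = opts[2:8]         # Source Link-Layer Address option
        opts = opts[olen:]
    return frame[6:12], slla, name

def mac_check(frame):
    """'forward', 'drop' (MAC mismatch) or 'skip' (not an ND message)."""
    parsed = parse_nd(frame)
    if parsed is None:
        return "skip"
    eth_src, slla, _ = parsed
    return "drop" if slla is not None and slla != eth_src else "forward"   # no option: assumed forwarded

def build_ns(eth_src, opt_mac):
    """Constructed Neighbor Solicitation for testing; opt_mac=None omits the option."""
    eth = bytes.fromhex("3333ff000001") + eth_src + b"\x86\xdd"
    src = bytes.fromhex("fe80000000000000") + eth_src[:3] + b"\xff\xfe" + eth_src[3:]
    dst = bytes.fromhex("ff0200000000000000000001ff000001")
    opt = b"" if opt_mac is None else b"\x01\x01" + opt_mac
    ip6 = struct.pack("!IHBB", 0x60000000, 24 + len(opt), 58, 255) + src + dst
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + bytes.fromhex("20010db8" + "00" * 11 + "01")
    return eth + ip6 + icmp + opt   # ICMPv6 checksum left as 0: the check does not use it

if __name__ == "__main__":
    good = bytes.fromhex("001122334455")
    print(mac_check(build_ns(good, good)), mac_check(build_ns(good, bytes.fromhex("deadbeef0001"))))
```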
IPv6 destination guard commands
display ipv6 destination-guard
Use display ipv6 destination-guard to display IPv6 destination guard status.
Syntax
display ipv6 destination-guard [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays global and interface-specific IPv6 destination guard status.
Examples
# Display global and interface-specific IPv6 destination guard status.
<Sysname> display ipv6 destination-guard
Global IPv6 destination-guard status: Enabled (Stressed)
Interface Status
FGE1/0/1 Enabled (Stressed)
FGE1/0/2 Disabled
Table 1 Command output
Field | Description
---|---
Global IPv6 destination-guard status | Enabling status of global IPv6 destination guard: Disabled or Enabled. If IPv6 destination guard is enabled in stressed mode, Stressed is also displayed.
Interface | Interface name.
Status | Interface-specific enabling status of IPv6 destination guard: Disabled or Enabled. If IPv6 destination guard is enabled in stressed mode on an interface, Stressed is also displayed.
Related commands
ipv6 destination-guard
ipv6 destination-guard global enable
ipv6 destination-guard
Use ipv6 destination-guard enable to enable IPv6 destination guard on an interface.
Use ipv6 destination-guard disable to disable IPv6 destination guard on an interface.
Use undo ipv6 destination-guard to remove the interface-specific setting, so that the IPv6 destination guard status on the interface follows the global IPv6 destination guard status again.
Syntax
ipv6 destination-guard { disable | enable [ stressed ] }
undo ipv6 destination-guard
Default
The interface-specific IPv6 destination guard status is consistent with the global IPv6 destination guard status.
Views
Layer 3 Ethernet interface view
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
stressed: Enables IPv6 destination guard on an interface when the device enters stressed mode. If you do not specify this keyword, the command enables IPv6 destination guard immediately on the interface.
Usage guidelines
For an interface, the interface-specific IPv6 destination guard status configuration has higher priority than the global IPv6 destination guard status.
If IPv6 destination guard is not enabled on an interface, the IPv6 destination guard status on the interface is determined by the global IPv6 destination guard status.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable IPv6 destination guard on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ipv6 destination-guard enable
Related commands
display ipv6 destination-guard
ipv6 destination-guard global enable
ipv6 destination-guard global enable
Use ipv6 destination-guard global enable to enable IPv6 destination guard globally.
Use undo ipv6 destination-guard global enable to disable IPv6 destination guard globally.
Syntax
ipv6 destination-guard global enable [ stressed ]
undo ipv6 destination-guard global enable
Default
IPv6 destination guard is disabled globally.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
stressed: Enables IPv6 destination guard globally when the device enters stressed mode. If you do not specify this keyword, the command immediately enables IPv6 destination guard globally.
Usage guidelines
For an interface, the interface-specific IPv6 destination guard status configuration has higher priority than the global IPv6 destination guard status.
If IPv6 destination guard is not enabled on an interface, the IPv6 destination guard status on the interface is determined by the global IPv6 destination guard status.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable IPv6 destination guard globally.
<Sysname> system-view
[Sysname] ipv6 destination-guard global enable
Related commands
display ipv6 destination-guard
ipv6 destination-guard