- Table of Contents
-
- 09-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-Password control commands
- 03-Keychain commands
- 04-Public key management commands
- 05-PKI commands
- 06-IPsec commands
- 07-SSH commands
- 08-SSL commands
- 09-Object group commands
- 10-Attack detection and prevention commands
- 11-TCP attack prevention commands
- 12-IP source guard commands
- 13-ARP attack protection commands
- 14-ND attack defense commands
- 15-uRPF commands
- 16-SAVI commands
- 17-SAVA commands
- 18-Crypto engine commands
- 19-FIPS commands
- Related Documents
-
Title | Size | Download |
---|---|---|
14-ND attack defense commands | 65.95 KB |
Contents
Source MAC consistency check commands
IPv6 destination guard commands
display ipv6 destination-guard
ipv6 destination-guard global enable
ND attack defense commands
Source MAC consistency check commands
ipv6 nd check log enable
Use ipv6 nd check log enable to enable the ND logging feature.
Use undo ipv6 nd check log enable to restore the default.
Syntax
ipv6 nd check log enable
undo ipv6 nd check log enable
Default
The ND logging feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Examples
# Enable the ND logging feature.
<Sysname> system-view
[Sysname] ipv6 nd check log enable
Related commands
ipv6 nd mac-check enable
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check for ND messages is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
Examples
# Enable source MAC consistency check for ND messages.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
IPv6 destination guard commands
display ipv6 destination-guard
Use display ipv6 destination-guard to display IPv6 destination guard status.
Syntax
display ipv6 destination-guard [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays global and interface-specific IPv6 destination guard status.
Examples
# Display global and interface-specific IPv6 destination guard status.
<Sysname> display ipv6 destination-guard
Global IPv6 destination-guard status: Enabled (Stressed)
Interface Status
XGE1/0/1 Enabled (Stressed)
XGE1/0/2 Disabled
Table 1 Command output
Field |
Description |
Global IPv6 destination-guard status |
Enabling status of global IPv6 destination guard: · Disabled. · Enabled. If IPv6 destination guard is enabled in stressed mode, Stressed is also displayed. |
Interface |
Interface name. |
Status |
Interface-specific enabling status of IPv6 destination guard. · Disabled. · Enabled. If IPv6 destination guard is enabled in stressed mode on an interface, Stressed is also displayed. |
Related commands
ipv6 destination-guard
ipv6 destination-guard global enable
ipv6 destination-guard
Use ipv6 destination-guard enable to enable IPv6 destination guard on an interface.
Use ipv6 destination-guard disable to disable IPv6 destination guard on an interface.
Use undo ipv6 destination-guard to restore the status of IPv6 destination guard on an interface to be consistent with the status of the global IPv6 destination guard.
Syntax
ipv6 destination-guard { disable | enable [ stressed ] }
undo ipv6 destination-guard
Default
The interface-specific IPv6 destination guard status is consistent with the global IPv6 destination guard status.
Views
Layer 3 Ethernet interface view
VLAN interface view
Predefined user roles
network-admin
Parameters
stressed: Enables IPv6 destination guard on an interface when the device enters stressed mode. If you do not specify this keyword, the command enables IPv6 destination guard immediately on the interface.
Usage guidelines
For an interface, the interface-specific IPv6 destination guard status configuration has higher priority than the global IPv6 destination guard status.
If IPv6 destination guard is not enabled on an interface, the IPv6 destination guard status on the interface is determined by the global IPv6 destination guard status.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable IPv6 destination guard on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ipv6 destination-guard enable
Related commands
display ipv6 destination-guard
ipv6 destination-guard global enable
ipv6 destination-guard global enable
Use ipv6 destination-guard global enable to enable IPv6 destination guard globally.
Use undo ipv6 destination-guard global enable to disable IPv6 destination guard globally.
Syntax
ipv6 destination-guard global enable [ stressed ]
undo ipv6 destination-guard global enable
Default
IPv6 destination guard is disabled globally.
Views
System view
Predefined user roles
network-admin
Parameters
stressed: Enables IPv6 destination guard globally when the device enters stressed mode. If you do not specify this keyword, the command immediately enables IPv6 destination guard globally.
Usage guidelines
For an interface, the interface-specific IPv6 destination guard status configuration has higher priority than the global IPv6 destination guard status.
If IPv6 destination guard is not enabled on an interface, the IPv6 destination guard status on the interface is determined by the global IPv6 destination guard status.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable IPv6 destination guard globally.
<Sysname> system-view
[Sysname] ipv6 destination-guard global enable
Related commands
display ipv6 destination-guard
ipv6 destination-guard
ND SNMP notification commands
snmp-agent trap enable nd
Use snmp-agent trap enable nd to enable SNMP notifications for ND.
Use undo snmp-agent trap enable nd to disable SNMP notifications for ND.
|
NOTE: This command is supported only in Release 2825 and later. |
Syntax
snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | rate-limit | user-ip-conflict ] *
undo snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | rate-limit | user-ip-conflict ] *
Default
SNMP notifications for ND are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
entry-limit: Specifies ND entry limit notifications.
local-conflict: Specifies endpoint and local device conflict notifications.
nd-miss: Specifies rate limit notifications for sending ND Miss messages or ND packets.
rate-limit: Specifies rate limit notifications for receiving ND packets.
user-ip-conflict: Specifies user IPv6 address conflict notifications.
Usage guidelines
Enable SNMP notifications for ND as required.
· If you enable ND entry limit notifications, the device sends the current ND entry information as a notification to the SNMP module when the number of ND entries exceeds the alarm threshold.
· If you enable endpoint and local device conflict notifications, the device sends a notification to the SNMP module when an endpoint and local device conflict occurs. The notification includes the source IPv6 address, source MAC address, destination IPv6 address, and destination MAC address in the conflicting ND packet.
· If you enable rate limit notifications for sending ND Miss messages or ND packets, the device sends the highest threshold-crossed rate as a notification to the SNMP module. When the device receives an IP packet in which the destination IP address is unresolvable, it sends a ND Miss message to the CPU.
· If you enable rate limit notifications for receiving ND packets, the device sends the highest threshold-crossed rate as a notification to the SNMP module.
· If you enable user IPv6 address conflict notifications, the device sends a notification to the SNMP module when a user IPv6 address conflict occurs. The notification includes the source IPv6 and MAC addresses in the conflicting ND packet, and MAC address in the corresponding local ND entry. For more information about enabling recording user IPv6 address conflicts, see IPv6 basics configuration in Layer 3—IP Services Configuration Guide.
If you do not specify any keywords, this command enables all SNMP notifications for ND.
For ND event notifications to be sent correctly, you must also configure SNMP on the device. For more information, see SNMP configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for endpoint and local device conflicts.
<Sysname> system-view
[Sysname] snmp-agent trap enable nd local-conflict