Security Command Reference
13-ND Attack Defense Commands
ND attack defense configuration commands
Source MAC consistency check commands
ipv6 nd mac-check enable
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the ipv6 nd mac-check enable command to enable source MAC consistency check for ND packets.
Use the undo ipv6 nd mac-check enable command to disable source MAC consistency check for ND packets.
By default, source MAC consistency check for ND packets is disabled.
In a typical forged ND packet, the source MAC address in the Ethernet frame header and that carried in the source link layer address option are different. To filter out these illegal ND packets, you can use the source MAC consistency check function to check ND packets for MAC address inconsistency.
NOTE: Disable source MAC consistency check for ND packets if VRRP is used. This is to prevent incorrect packet dropping, because with VRRP, the source MAC address of an NA message is always different from that in the source link layer address option.
Examples
# Enable source MAC consistency check for ND packets.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
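The description above states what the source MAC consistency check compares: the source MAC address in the Ethernet frame header against the MAC carried in the ND packet's link-layer address option. The following Python program is an added example that is not part of this command reference and not the switch's implementation; it applies the same comparison to raw frames so the logic can be tested offline. It builds its own constructed ND frames (ICMPv6 checksum left at zero, no IPv6 extension headers assumed) and, following RFC 4861, reads the source link-layer address option (type 1) in RS, RA and NS messages and the target link-layer address option (type 2) in NA messages. The `main` section also constructs the VRRP case from the NOTE, an NA whose Ethernet source is the physical MAC while the option carries the virtual MAC, to show why the check has to be disabled there.

```python
import ipaddress
import struct

# Constants from Ethernet, IPv6 and ICMPv6 Neighbor Discovery (RFC 4861).
ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
# Fixed message body sizes after the 4-byte ICMPv6 header: RS, RA, NS, NA.
ND_BODY_LEN = {133: 4, 134: 12, 135: 20, 136: 20}
ND_NAMES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}
OPT_SOURCE_LL_ADDR = 1   # carried by RS, RA and NS
OPT_TARGET_LL_ADDR = 2   # carried by NA


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_nd_frame(eth_src: bytes, option_mac: bytes, icmp_type: int) -> bytes:
    """Constructed test frame: Ethernet + IPv6 + one ICMPv6 ND message with a
    single link-layer address option. The ICMPv6 checksum is left as zero
    because the consistency check never looks at it."""
    eth_dst = bytes.fromhex("333300000001")            # all-nodes multicast MAC
    eth_hdr = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_IPV6)
    opt_type = OPT_TARGET_LL_ADDR if icmp_type == 136 else OPT_SOURCE_LL_ADDR
    option = struct.pack("!BB", opt_type, 1) + option_mac   # length 1 = 8 bytes
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(ND_BODY_LEN[icmp_type]) + option
    src = ipaddress.IPv6Address("fe80::1").packed     # constructed link-local source
    dst = ipaddress.IPv6Address("ff02::1").packed     # all-nodes multicast
    ip_hdr = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255) + src + dst
    return eth_hdr + ip_hdr + icmp


def check_nd_mac_consistency(frame: bytes):
    """Apply the source MAC consistency check to one Ethernet frame.

    Returns (verdict, detail) with verdict "pass", "drop" or "not-nd".
    Assumes ICMPv6 directly follows the IPv6 header (no extension headers)."""
    if len(frame) < 14 + 40 + 4:
        return "not-nd", "frame too short for Ethernet + IPv6 + ICMPv6"
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "not-nd", "not an IPv6 frame"
    ip_hdr = frame[14:54]
    payload_len, next_hdr = struct.unpack("!HB", ip_hdr[4:7])
    if next_hdr != NEXT_HEADER_ICMPV6:
        return "not-nd", "not ICMPv6"
    icmp = frame[54:54 + payload_len]
    icmp_type = icmp[0]
    if icmp_type not in ND_BODY_LEN:
        return "not-nd", f"ICMPv6 type {icmp_type} is not an ND message"
    name = ND_NAMES[icmp_type]
    options = icmp[4 + ND_BODY_LEN[icmp_type]:]
    while options:
        # RFC 4861 requires discarding packets with a zero-length or truncated option.
        if len(options) < 2 or options[1] == 0 or len(options) < options[1] * 8:
            return "drop", f"{name}: malformed option"
        opt_type, opt_len = options[0], options[1] * 8
        if opt_type in (OPT_SOURCE_LL_ADDR, OPT_TARGET_LL_ADDR):
            opt_mac = options[2:8]
            if opt_mac != eth_src:
                return "drop", (f"{name}: Ethernet source {mac_str(eth_src)} != "
                                f"link-layer address option {mac_str(opt_mac)}")
        options = options[opt_len:]   # skip other options (prefix, MTU, ...)
    return "pass", f"{name}: link-layer address option matches Ethernet source"


if __name__ == "__main__":
    host = bytes.fromhex("0011223344aa")        # constructed physical MAC
    forged = bytes.fromhex("deadbeef0001")      # constructed mismatching MAC
    vrrp_virtual = bytes.fromhex("00005e000101")  # VRRP virtual MAC format (VRID 1)
    print("legitimate NS :", check_nd_mac_consistency(build_nd_frame(host, host, 135)))
    print("forged NS     :", check_nd_mac_consistency(build_nd_frame(host, forged, 135)))
    # The case the NOTE warns about: a VRRP master answers with its physical MAC in
    # the Ethernet header and the virtual MAC in the option, so the check drops it.
    print("VRRP NA       :", check_nd_mac_consistency(build_nd_frame(host, vrrp_virtual, 136)))
```

Running it prints a "pass" verdict for the consistent NS, a "drop" with both MAC addresses for the forged NS, and a "drop" for the VRRP NA, which is exactly the legitimate traffic the NOTE says would be discarded if the check stays enabled alongside VRRP.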
ND detection configuration commands
NOTE: The switch supports ND detection only when you configure the acl ipv6 enable command. For more information about this command, see ACL and QoS Command Reference.
display ipv6 nd detection
Syntax
display ipv6 nd detection [ | { begin | exclude | include } regular-expression ]
View
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipv6 nd detection command to display ND detection configuration.
Related commands: ipv6 nd detection enable and ipv6 nd detection trust.
Examples
# Display ND detection configuration.
<Sysname> display ipv6 nd detection
ND detection is enabled on the following VLANs:
1, 2, 4-5
ND detection trust is configured on the following interfaces:
GigabitEthernet3/0/1
GigabitEthernet3/0/2
Table 1 Output description
Field | Description
---|---
ND detection is enabled on the following VLANs | List of VLANs enabled with ND detection.
ND detection trust is configured on the following interfaces | List of ND-trusted ports. On an ND-trusted port, ND packets are not checked. By default, all ports are ND-untrusted ports on which ND packets in an ND detection-enabled VLAN will be checked.
display ipv6 nd detection statistics
Syntax
display ipv6 nd detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface interface-type interface-number: Displays ND detection statistics for the interface identified by interface-type interface-number. The interface-type interface-number arguments represent the interface type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipv6 nd detection statistics command to display ND detection statistics. At present, the statistics cover only discarded ND packets.
If an interface is specified, only the statistics for that interface are displayed. If no interface is specified, the statistics for all interfaces are displayed.
Examples
# Display the statistics for discarded ND packets on all interfaces.
<Sysname> display ipv6 nd detection statistics
ND packets dropped by ND detection:
Interface Packets Dropped
GE3/0/1 78
GE3/0/2 0
GE3/0/3 0
GE3/0/4 0
ipv6 nd detection enable
Syntax
ipv6 nd detection enable
undo ipv6 nd detection enable
View
VLAN view
Default level
2: System level
Parameters
None
Description
Use the ipv6 nd detection enable command to enable ND detection in a VLAN to check ND packets for source spoofing.
Use the undo ipv6 nd detection enable command to disable ND detection.
By default, ND detection is disabled.
Examples
# Enable ND detection in VLAN 3.
<Sysname> system-view
[Sysname] vlan 3
[Sysname-vlan3] ipv6 nd detection enable
ipv6 nd detection trust
Syntax
ipv6 nd detection trust
undo ipv6 nd detection trust
View
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Default level
2: System level
Parameters
None
Description
Use the ipv6 nd detection trust command to configure a port as an ND-trusted port.
Use the undo ipv6 nd detection trust command to configure a port as an ND-untrusted port.
By default, a port is ND-untrusted. In an ND detection-enabled VLAN, ports are assigned two roles: ND-trusted and ND-untrusted.
· On an ND-trusted port, the ND detection function does not check ND packets for address spoofing.
· On an ND-untrusted port, RA and RR messages are considered illegal and discarded directly; all other ND packets in the VLAN are checked for source spoofing.
Examples
# Configure Layer 2 interface GigabitEthernet 3/0/1 as an ND-trusted port.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] ipv6 nd detection trust
# Configure interface Bridge-Aggregation 1 as an ND-trusted port.
<Sysname> system-view
[Sysname] interface bridge-Aggregation 1
[Sysname-Bridge-Aggregation1] ipv6 nd detection trust
reset ipv6 nd detection statistics
Syntax
reset ipv6 nd detection statistics [ interface interface-type interface-number ]
View
Default level
1: Monitor level
Parameters
interface interface-type interface-number: Clears the statistics of the interface identified by interface-type interface-number. The interface-type interface-number arguments represent the interface type and number.
Description
Use the reset ipv6 nd detection statistics command to clear the ND detection statistics of an interface. If no interface is specified, the ND detection statistics of all interfaces are cleared.
Examples
# Clear the ND detection statistics of all interfaces.
<Sysname> reset ipv6 nd detection statistics
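The statistics shown by display ipv6 nd detection statistics count only discarded ND packets, and they keep growing until reset ipv6 nd detection statistics zeroes them, so an operator polling the switch needs to turn the raw output into per-poll deltas before alerting. The following Python program is an added example, not code from this command reference or from the switch vendor: it parses the example output printed on this page for the display command (embedded below as test input) and computes the new drops since the previous poll, treating a counter that went down as a reset. The interface names, the polling arrangement and the threshold are assumptions for the example.

```python
import re

# Output as printed on this page for "display ipv6 nd detection statistics",
# used here as sample input.
SAMPLE_OUTPUT = """\
ND packets dropped by ND detection:
Interface Packets Dropped
GE3/0/1 78
GE3/0/2 0
GE3/0/3 0
GE3/0/4 0
"""

_ROW = re.compile(r"^(\S+)\s+(\d+)$")   # "<interface> <dropped count>"


def parse_nd_detection_statistics(text: str) -> dict:
    """Map interface name -> number of ND packets dropped, from the command output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("ND packets dropped by ND detection"):
        raise ValueError("unexpected output: header line not found")
    counts = {}
    for ln in lines[1:]:
        if ln.startswith("Interface"):      # column heading row
            continue
        m = _ROW.match(ln)
        if not m:
            raise ValueError(f"unparsable row: {ln!r}")
        counts[m.group(1)] = int(m.group(2))
    return counts


def drop_deltas(previous: dict, current: dict) -> dict:
    """Drops added since the last poll.

    The counters only grow until 'reset ipv6 nd detection statistics' zeroes
    them, so a value lower than the previous poll is treated as a reset and the
    whole current value counts as new."""
    deltas = {}
    for intf, now in current.items():
        before = previous.get(intf, 0)
        deltas[intf] = now if now < before else now - before
    return deltas


def interfaces_to_alert(deltas: dict, threshold: int = 0) -> list:
    """Interfaces whose new drop count exceeds the threshold, sorted by name."""
    return sorted(intf for intf, n in deltas.items() if n > threshold)


if __name__ == "__main__":
    first = parse_nd_detection_statistics(SAMPLE_OUTPUT)
    print("first poll   :", first)
    # Constructed second poll: more drops on GE3/0/1 and new drops on GE3/0/3.
    second = {**first, "GE3/0/1": 80, "GE3/0/3": 5}
    print("new drops    :", drop_deltas(first, second))
    print("alert on     :", interfaces_to_alert(drop_deltas(first, second)))
    # Constructed third poll after someone ran the reset command: counters restart.
    third = {"GE3/0/1": 3, "GE3/0/2": 0, "GE3/0/3": 0, "GE3/0/4": 0}
    print("after reset  :", drop_deltas(second, third))
```

Because the switch exposes no timestamp with these counters, the poller is the only place where "new since last time" can be established; keeping the previous snapshot and using `drop_deltas` avoids alerting repeatedly on the same 78 historical drops shown on GE3/0/1 while still catching a fresh burst.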