03-Security Command Reference

ND attack defense commands

Source MAC-based ND attack detection commands

display ipv6 nd source-mac

Use display ipv6 nd source-mac to display source MAC-based ND attack detection entries.

Syntax

display ipv6 nd source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]

display ipv6 nd source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ]

display ipv6 nd source-mac slot slot-number [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Displays the ND attack detection entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Displays the source MAC-based ND attack detection entries for the specified VLAN. The VLAN ID is in the range of 1 to 4094.

slot slot-number: Specifies an IRF member device by its member ID. When you combine this option with the interface option, the command displays the ND attack entries detected by the physical interfaces that reside on the specified member device and belong to the specified virtual interface. If you do not specify a member device, the command displays the entries detected by the physical interfaces that reside on the master device and belong to the specified virtual interface.

verbose: Displays detailed information about source MAC-based ND attack detection entries. If you do not specify this keyword, this command displays brief information about the source MAC-based ND attack detection entries.

count: Displays the number of source MAC-based ND attack detection entries. If you do not specify this keyword, the command displays source MAC-based ND attack detection entries.

Usage guidelines

The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.

This command supports the following virtual interfaces: Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, VXLAN VSI interfaces, EVB VSI interfaces, and EVB VSI aggregate interfaces.

If you do not specify any parameters, this command displays all source MAC-based ND attack detection entries.

Examples

# Display source MAC-based ND attack detection entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd source-mac interface gigabitethernet 1/0/1

Source MAC     VLAN ID Interface                Aging time (sec) Packets dropped

23f3-1122-3344 4094    GE1/0/1                  10                  84467

# Display the number of source MAC-based ND attack detection entries.

<Sysname> display ipv6 nd source-mac count

Total source MAC-based ND attack detection entries: 1

# Display detailed information about source MAC-based ND attack detection entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd source-mac interface gigabitethernet 1/0/1 verbose

Source MAC: 0001-0001-0001

VLAN ID: 4094

Hardware status: Succeeded

Aging time: 10 seconds

Interface: GigabitEthernet1/0/1

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 1 Command output

Field

Description

Source MAC

MAC address from which an ND attack is launched.

VLAN ID

ID of the VLAN where the source MAC-based ND attack is detected.

Interface

Interface where the source MAC-based ND attack is detected.

Aging time

Remaining aging time of the source MAC-based ND attack detection entry, in seconds.

Packets dropped

Total number of dropped packets. This field is not supported on Layer 2 Ethernet interfaces.

Total source MAC-based ND attack detection entries

Total number of source MAC-based ND attack detection entries.

Hardware status

Result of writing the source MAC-based ND attack entry to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Attack time

Time when the source MAC-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.


Related commands

reset ipv6 nd source-mac

ipv6 nd source-mac

Use ipv6 nd source-mac to enable source MAC-based ND attack detection and set the detection mode.

Use undo ipv6 nd source-mac to disable source MAC-based ND attack detection.

Syntax

ipv6 nd source-mac { filter | monitor }

undo ipv6 nd source-mac

Default

Source MAC-based ND attack detection is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

filter: Specifies the filter mode.

monitor: Specifies the monitor mode.

Usage guidelines

As a best practice, configure this command on gateway devices.

Source MAC-based ND attack detection checks the number of ND messages delivered to the CPU. If the number of messages from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. The processing of the ND messages sent from the MAC address in this entry depends on the detection mode. With ND logging enabled (by using the ipv6 nd check log enable command), source MAC-based ND attack detection processes the messages as follows:

·     Filter mode—Filters out subsequent ND messages sent from the MAC address, and generates log messages.

·     Monitor mode—Only generates log messages.

During the ND attack defense period, the device monitors the number of dropped packets in an entry within the aging time:

·     If the number of dropped packets is higher than or equal to a calculated value, the device resets the aging time for the entry when the entry ages out.

The calculated value = (aging time/check interval) × source MAC-based ND attack detection threshold

·     If the number of dropped packets is lower than the calculated value, the system deletes the entry when the entry ages out and marks the MAC address in the entry as a common MAC address.

When you change the detection mode from monitor to filter, the filter mode takes effect immediately. When you change the detection mode from filter to monitor, the device continues filtering ND messages that match existing attack entries.

Examples

# Enable source MAC-based ND attack detection and set the detection mode to monitor.

<Sysname> system-view

[Sysname] ipv6 nd source-mac monitor

ipv6 nd source-mac threshold

Use ipv6 nd source-mac threshold to set the threshold for source MAC-based ND attack detection.

Use undo ipv6 nd source-mac threshold to restore the default.

Syntax

ipv6 nd source-mac threshold threshold-value

undo ipv6 nd source-mac threshold

Default

The threshold for source MAC-based ND attack detection is 30.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ND attack detection. The value range is 1 to 5000.

Usage guidelines

If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address.

Examples

# Set the threshold to 100 for source MAC-based ND attack detection.

<Sysname> system-view

[Sysname] ipv6 nd source-mac threshold 100

reset ipv6 nd source-mac

Use reset ipv6 nd source-mac to delete source MAC-based ND attack detection entries.

Syntax

reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

interface interface-type interface-number: Deletes the source MAC-based ND attack entries detected on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

mac mac-address: Deletes the source MAC-based ND attack entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Deletes the source MAC-based ND attack entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command deletes source MAC-based ND attack detection entries on the master device.

Usage guidelines

If you do not specify any parameters, this command deletes all source MAC-based ND attack detection entries.

Examples

# Delete all source MAC-based ND attack detection entries.

<Sysname> reset ipv6 nd source-mac

Related commands

display ipv6 nd source-mac

Interface-based ND attack suppression commands

display ipv6 nd attack-suppression per-interface interface

Use display ipv6 nd attack-suppression per-interface interface to display interface-based ND attack suppression entries on an interface.

Syntax

display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays interface-based ND attack suppression entries on the member device where the interface resides.

verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.

Examples

# Display interface-based ND attack suppression entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 1/0/1

Interface                Suppression time (second) Packets dropped

GE1/0/1                  200                            84467

# Display detailed information about the interface-based ND attack suppression entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 1/0/1 verbose

Interface: GigabitEthernet1/0/1

Suppression time: 200 seconds

Hardware status: Succeeded

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 2 Command output

Field

Description

Interface

Interface in the ND attack suppression entry.

Suppression time (second)

Suppression time, in seconds.

Packets dropped

Total number of dropped packets.

Hardware status

Result of writing the interface-based ND attack entry to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Suppression time

Remaining suppression time, in seconds.

Attack time

Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.


Related commands

reset ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression enable per-interface

Use ipv6 nd attack-suppression enable per-interface to enable interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression enable per-interface to disable interface-based ND attack suppression.

Syntax

ipv6 nd attack-suppression enable per-interface

undo ipv6 nd attack-suppression enable per-interface

Default

Interface-based ND attack suppression is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use this feature to rate limit ND requests on each Layer 3 interface to prevent ND spoofing attacks. This feature monitors the number of ND requests that each Layer 3 interface receives within the check interval. If the number on an interface exceeds the threshold, the device creates an ND attack suppression entry for the interface.

During the suppression period, the maximum receiving rate for ND requests is 12800 bytes per second on the interface.

When the suppression time expires, the system examines the number of received ND messages on the interface within the suppression time:

·     If the number of the received ND messages is higher than or equal to a calculated value, the device resets the suppression time for the entry and continues the ND suppression on the interface.

The calculated value = (suppression time/check interval) × suppression threshold

·     If the number of the received ND messages is lower than the calculated value, the device deletes the suppression entry.

As a best practice, enable this feature on the gateway.
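The threshold and aging behavior described for source MAC-based ND attack detection (under ipv6 nd source-mac) and for interface-based ND attack suppression above follow one pattern: count ND messages per key within a check interval, create an entry when the count exceeds the threshold, and at age-out renew the entry only if traffic stayed at attack rate, using (aging time / check interval) × threshold as the bar. The following Python simulation is added here as an illustration and is not H3C code. It runs that pattern over constructed traffic twice, keyed once by source MAC in filter mode and once by receiving interface. The 5-second check interval, the 10-second aging and suppression time, the traffic mix, and the decision that the message which crosses the threshold is itself still forwarded are assumptions; the 12800 byte/s suppression rate limit is not modeled and the interface-keyed run simply drops matching messages.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AttackEntry:
    expires: float      # time at which the entry ages out
    matched: int = 0    # messages that hit the entry since it was created or renewed
    renewals: int = 0


class NdRateDetector:
    """Threshold/aging state machine shared by both ND defense features.

    key_fn picks what is counted: the source MAC for source MAC-based
    detection, the receiving interface for interface-based suppression.
    mode is 'filter' or 'monitor'. The interface-keyed run uses 'filter'
    as a stand-in for the device's per-interface rate limit (assumption).
    """

    def __init__(self, key_fn, threshold=30, check_interval=5.0,
                 hold_time=10.0, mode="filter"):
        self.key_fn = key_fn
        self.threshold = threshold            # page default for source MAC detection
        self.check_interval = check_interval  # assumed; the page gives no value
        self.hold_time = hold_time            # aging time / suppression time (assumed)
        self.mode = mode
        self.window = None
        self.counts = defaultdict(int)
        self.entries = {}
        self.log = []

    def renewal_value(self):
        # calculated value = (aging time / check interval) x threshold
        return self.hold_time / self.check_interval * self.threshold

    def _age(self, now):
        for key, e in list(self.entries.items()):
            while key in self.entries and e.expires <= now:
                if e.matched >= self.renewal_value():
                    self.log.append(f"{e.expires:6.1f} renewed {key}")
                    e.expires += self.hold_time   # still at attack rate: reset aging time
                    e.matched, e.renewals = 0, e.renewals + 1
                else:
                    self.log.append(f"{e.expires:6.1f} deleted {key}")
                    del self.entries[key]         # back to a common MAC / interface

    def process(self, now, msg):
        """Return 'drop' or 'forward' for one ND message arriving at time now."""
        self._age(now)
        key = self.key_fn(msg)
        entry = self.entries.get(key)
        if entry is not None:
            entry.matched += 1
            return "drop" if self.mode == "filter" else "forward"
        window = int(now // self.check_interval)
        if window != self.window:             # a new check interval starts: count afresh
            self.window, self.counts = window, defaultdict(int)
        self.counts[key] += 1
        if self.counts[key] > self.threshold:  # "exceeds the threshold"
            self.entries[key] = AttackEntry(expires=now + self.hold_time)
            self.log.append(f"{now:6.1f} created {key}")
        return "forward"   # the message that crossed the threshold is not filtered (assumption)


def constructed_traffic():
    """100 NS from one MAC in the first second plus five NS from a quiet host, all on GE1/0/1."""
    flood = [(i * 0.01, {"smac": "23f3-1122-3344", "iface": "GE1/0/1"}) for i in range(100)]
    host = [(t, {"smac": "0001-0001-0001", "iface": "GE1/0/1"}) for t in (0.5, 3.0, 7.0, 12.0, 25.0)]
    return sorted(flood + host, key=lambda ev: ev[0])


def run(detector, events):
    """Feed events in time order; return per-source-MAC drop counts, live entries and the log."""
    drops = defaultdict(int)
    for now, msg in events:
        if detector.process(now, msg) == "drop":
            drops[msg["smac"]] += 1
    return dict(drops), list(detector.entries), detector.log


def demo():
    events = constructed_traffic()
    by_mac = NdRateDetector(key_fn=lambda m: m["smac"])
    by_iface = NdRateDetector(key_fn=lambda m: m["iface"])
    mac_drops, mac_left, mac_log = run(by_mac, events)
    if_drops, if_left, if_log = run(by_iface, events)
    return {
        "renewal_value": by_mac.renewal_value(),
        "mac_drops": mac_drops, "mac_entries_left": mac_left, "mac_log": mac_log,
        "iface_drops": if_drops, "iface_entries_left": if_left, "iface_log": if_log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the source MAC-keyed run, the flooding MAC gets an entry at its 31st message, its remaining 69 messages are dropped, and the entry is renewed once at age-out (69 dropped ≥ 60 calculated) and deleted at the following age-out after the flood stops; the quiet host is never touched. In the interface-keyed run the same flood suppresses the whole interface, so four of the quiet host's five messages are dropped as well, which is the trade-off of suppressing per interface rather than per source MAC.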

Examples

# Enable interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression enable per-interface

Related commands

display ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression threshold

Source MAC consistency check commands

ipv6 nd check log enable

Use ipv6 nd check log enable to enable the ND logging feature.

Use undo ipv6 nd check log enable to restore the default.

Syntax

ipv6 nd check log enable

undo ipv6 nd check log enable

Default

The ND logging feature is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Examples

# Enable the ND logging feature.

<Sysname> system-view

[Sysname] ipv6 nd check log enable

Related commands

ipv6 nd mac-check enable

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.

Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.

Syntax

ipv6 nd mac-check enable

undo ipv6 nd mac-check enable

Default

Source MAC consistency check for ND messages is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use this command to enable source MAC consistency check on a gateway. For each ND message it receives, the gateway compares the source MAC address in the Ethernet frame header with the link-layer address carried in the source link-layer address option of the ND message. If the two addresses do not match, the gateway drops the ND message. Enable the ND logging feature (ipv6 nd check log enable) if you want the inconsistency events to be logged.
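The consistency check compares two copies of the sender's MAC address: the source address in the Ethernet header and the address carried in the ND message's Source Link-Layer Address option (option type 1 in RFC 4861). The Python below is an added example, not device code: it builds constructed Neighbor Solicitation frames and applies that comparison, and also drops ND options with a zero length field, which RFC 4861 requires receivers to discard. The frame layout follows the standards; the helper names, the zero checksum in the constructed frames, and the decision to forward ND messages that carry no Source Link-Layer Address option are assumptions.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # RS, RA, NS, NA, Redirect
OPT_SOURCE_LLA = 1                                            # RFC 4861 option type


def mac_bytes(h3c_mac):
    """'23f3-1122-3344' (the H-H-H format used by the commands above) -> 6 bytes."""
    return bytes.fromhex(h3c_mac.replace("-", ""))


def mac_str(b):
    return "-".join(b.hex()[i:i + 4] for i in (0, 4, 8))


def build_ns(eth_src, slla, target="fe80::1", ip_src="fe80::2"):
    """Constructed Ethernet/IPv6/ICMPv6 Neighbor Solicitation; ICMPv6 checksum left zero."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if slla is not None:   # Source Link-Layer Address option: type 1, length 1 (8 bytes on Ethernet)
        icmp += struct.pack("!BB", OPT_SOURCE_LLA, 1) + mac_bytes(slla)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(ip_src).packed
    ip6 += ipaddress.IPv6Address("ff02::1:ff00:1").packed    # solicited-node multicast of target
    eth = mac_bytes("3333-ff00-0001") + mac_bytes(eth_src) + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp


def check_source_mac(frame):
    """Source MAC consistency check: returns ('forward' | 'drop', reason) for one frame.

    Only ND messages are examined. IPv6 extension headers between the IPv6
    header and ICMPv6 are not walked (assumption) and the checksum is not verified.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return "forward", "not IPv6"
    eth_src = frame[6:12]
    if len(frame) < 54 or frame[20] != IPPROTO_ICMPV6:    # next header at IPv6 offset 6
        return "forward", "not ICMPv6"
    icmp = frame[54:]
    if len(icmp) < 4 or icmp[0] not in ND_FIXED_LEN:
        return "forward", "not an ND message"
    pos = ND_FIXED_LEN[icmp[0]]
    if len(icmp) < pos:
        return "drop", "truncated ND message"
    while pos < len(icmp):             # walk TLV options; length is in units of 8 bytes
        if pos + 2 > len(icmp):
            return "drop", "truncated option"
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0 or pos + olen * 8 > len(icmp):
            return "drop", f"malformed option (type {otype}, length {olen})"  # RFC 4861 6.1
        if otype == OPT_SOURCE_LLA:
            slla = icmp[pos + 2:pos + 8]
            if slla != eth_src:
                return "drop", f"source LLA {mac_str(slla)} != frame source MAC {mac_str(eth_src)}"
            return "forward", "source MAC consistent"
        pos += olen * 8
    return "forward", "no source link-layer address option"


def demo():
    """Four constructed frames; returns {name: decision}."""
    frames = {
        "consistent": build_ns("0001-0001-0001", "0001-0001-0001"),
        "spoofed": build_ns("23f3-1122-3344", "0001-0001-0001"),  # option claims another host's MAC
        "no_option": build_ns("0001-0001-0001", None),
    }
    zero_len = bytearray(frames["consistent"])
    zero_len[54 + 24 + 1] = 0           # length field of the SLLA option after the 24-byte NS body
    frames["zero_length_option"] = bytes(zero_len)
    return {name: check_source_mac(f)[0] for name, f in frames.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

The "spoofed" frame is the case the check exists for: the Ethernet source is one station, but the ND option asks neighbors to bind the target address to a different MAC, so the gateway drops it rather than poisoning its neighbor cache.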

Examples

# Enable source MAC consistency check for ND messages.

<Sysname> system-view

[Sysname] ipv6 nd mac-check enable

