03-Security Command Reference

H3C SecPath M9000 Command Reference (V7) (R9153P39 R9001P39)-6W400
23-ND attack defense commands

ND attack defense commands

The following compatibility matrix shows the support of hardware platforms for ND attack defense:

Hardware platform        Module type                                   ND attack defense compatibility
M9006, M9010, M9014      Blade IV firewall module                      Yes
                         Blade V firewall module                       Yes
                         NAT module                                    Yes
                         Application delivery engine (ADE) module      Yes
                         Anomaly flow cleaner (AFC) module             No
M9010-GM                 Encryption module                             Yes
M9016-V                  Blade V firewall module                       Yes
M9008-S, M9012-S         Blade IV firewall module                      Yes
                         Application delivery engine (ADE) module      Yes
                         Intrusion prevention service (IPS) module     Yes
                         Video network gateway module                  Yes
                         Anomaly flow cleaner (AFC) module             No
M9008-S-6GW              IPv6 module                                   Yes
M9008-S-V                Blade IV firewall module                      Yes
M9000-AI-E8              Blade V firewall module                       Yes
                         Application delivery engine (ADE) module      Yes
M9000-AI-E16             Blade V firewall module                       Yes

Source MAC-based ND attack detection commands

display ipv6 nd source-mac

Use display ipv6 nd source-mac to display source MAC-based ND attack detection entries.

Syntax

In standalone mode:

display ipv6 nd source-mac interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

display ipv6 nd source-mac { mac mac-address | vlan vlan-id } slot slot-number [ cpu cpu-number ] [ verbose ]

display ipv6 nd source-mac slot slot-number [ cpu cpu-number ] [ count | verbose ]

In IRF mode:

display ipv6 nd source-mac interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

display ipv6 nd source-mac { mac mac-address | vlan vlan-id } chassis chassis-number slot slot-number [ cpu cpu-number ] [ verbose ]

display ipv6 nd source-mac chassis chassis-number slot slot-number [ cpu cpu-number ] [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Displays the ND attack detection entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Displays the source MAC-based ND attack detection entries for the specified VLAN. The VLAN ID is in the range of 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you specify a card, this command displays entries detected by the physical interfaces that reside on the specified card and belong to the specified virtual interface. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the active MPU and belong to the specified virtual interface. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you specify a card, this command displays the ND attack entries detected by the physical interfaces that reside on the specified slot and belong to the virtual interface. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the global active MPU and belong to the virtual interface. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about source MAC-based ND attack detection entries. If you do not specify this keyword, this command displays brief information about the source MAC-based ND attack detection entries.

count: Displays the number of source MAC-based ND attack detection entries. If you do not specify this keyword, the command displays source MAC-based ND attack detection entries.

Usage guidelines

(In standalone mode.) The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.

(In IRF mode.) The chassis chassis-number slot slot-number options are supported only when the interface interface-type interface-number option specifies a virtual interface.

This command supports the following virtual interfaces: Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, and Layer 3 aggregate subinterfaces.

If you do not specify any parameters, this command displays all source MAC-based ND attack detection entries.

Examples

# Display source MAC-based ND attack detection entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd source-mac interface gigabitethernet 1/0/1

Source MAC     VLAN ID Interface                Aging time (sec) Packets dropped

23f3-1122-3344 --       GE1/0/1                  10                  84467

# Display the number of source MAC-based ND attack detection entries.

<Sysname> display ipv6 nd source-mac count

Total source MAC-based ND attack detection entries: 1

# Display detailed information about source MAC-based ND attack detection entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd source-mac interface gigabitethernet 1/0/1 verbose

Source MAC: 0001-0001-0001

VLAN ID: --

Hardware status: Succeeded

Aging time: 10 seconds

Interface: GigabitEthernet1/0/1

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 1 Command output

Source MAC
    MAC address from which an ND attack is launched.
VLAN ID
    ID of the VLAN where the source MAC-based ND attack is detected.
Interface
    Interface where the source MAC-based ND attack is detected.
Aging time
    Remaining aging time of the source MAC-based ND attack detection entry, in seconds.
Packets dropped
    Total number of dropped packets. This field is not supported on Layer 2 Ethernet interfaces.
Total source MAC-based ND attack detection entries
    Total number of source MAC-based ND attack detection entries.
Hardware status
    Status of setting the source MAC-based ND attack entry to hardware: Succeeded, Failed, Not supported, or Not enough resources.
Attack time
    Time when the source MAC-based ND attack was detected, in YYYY/MM/DD HH:MM:SS format.

Related commands

reset ipv6 nd source-mac

ipv6 nd source-mac

Use ipv6 nd source-mac to enable source MAC-based ND attack detection and set the detection mode.

Use undo ipv6 nd source-mac to disable source MAC-based ND attack detection.

Syntax

ipv6 nd source-mac { filter | monitor }

undo ipv6 nd source-mac

Default

Source MAC-based ND attack detection is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

filter: Specifies the filter mode.

monitor: Specifies the monitor mode.

Usage guidelines

As a best practice, configure this command on gateway devices.

Source MAC-based ND attack detection checks the number of ND messages delivered to the CPU. If the number of messages from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. The processing of the ND messages sent from the MAC address in this entry depends on the detection mode. With ND logging enabled (by using the ipv6 nd check log enable command), source MAC-based ND attack detection processes the messages as follows:

·     Filter mode—Filters out subsequent ND messages sent from the MAC address, and generates log messages.

·     Monitor mode—Only generates log messages.

During the ND attack defense period, the device monitors the number of dropped packets in an entry within the aging time:

·     If the number of dropped packets is higher than or equal to a calculated value, the device resets the aging time for the entry when the entry ages out.

The calculated value = (aging time/check interval) × source MAC-based ND attack detection threshold

·     If the number of dropped packets is lower than the calculated value, the system deletes the entry when the entry ages out and treats the MAC address in the entry as a common MAC address again.

When you change the detection mode from monitor to filter, the filter mode takes effect immediately. When you change the detection mode from filter to monitor, the device continues filtering ND messages that match existing attack entries.

Examples

# Enable source MAC-based ND attack detection and set the detection mode to monitor.

<Sysname> system-view

[Sysname] ipv6 nd source-mac monitor

ipv6 nd source-mac threshold

Use ipv6 nd source-mac threshold to set the threshold for source MAC-based ND attack detection.

Use undo ipv6 nd source-mac threshold to restore the default.

Syntax

ipv6 nd source-mac threshold threshold-value

undo ipv6 nd source-mac threshold

Default

The threshold for source MAC-based ND attack detection is 30.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ND attack detection. The value range is 1 to 5000.

Usage guidelines

If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address.

Examples

# Set the threshold to 100 for source MAC-based ND attack detection.

<Sysname> system-view

[Sysname] ipv6 nd source-mac threshold 100

reset ipv6 nd source-mac

Use reset ipv6 nd source-mac to delete source MAC-based ND attack detection entries.

Syntax

In standalone mode:

reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

interface interface-type interface-number: Deletes the source MAC-based ND attack entries detected on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

mac mac-address: Deletes the source MAC-based ND attack entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Deletes the source MAC-based ND attack entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes source MAC-based ND attack detection entries on the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes source MAC-based ND attack detection entries on the global active MPU. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command deletes all source MAC-based ND attack detection entries.

Examples

# Delete all source MAC-based ND attack detection entries.

<Sysname> reset ipv6 nd source-mac

Related commands

display ipv6 nd source-mac

Interface-based ND attack suppression commands

display ipv6 nd attack-suppression per-interface interface

Use display ipv6 nd attack-suppression per-interface interface to display interface-based ND attack suppression entries on an interface.

Syntax

In standalone mode:

display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ] [ verbose ]

In IRF mode:

display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays interface-based ND attack suppression entries on the card where the interface resides. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays interface-based ND attack suppression entries on the card where the interface resides. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.

Examples

# Display interface-based ND attack suppression entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 1/0/1

Interface                Suppression time (second) Packets dropped

GE1/0/1                  200                            84467

# Display detailed information about the interface-based ND attack suppression entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 1/0/1 verbose

Interface: GigabitEthernet1/0/1

Suppression time: 200 seconds

Hardware status: Succeeded

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 2 Command output

Interface
    Interface in the ND attack suppression entry.
Suppression time (second)
    Suppression time, in seconds.
Packets dropped
    Total number of dropped packets.
Hardware status
    Status of setting the interface-based ND attack entry to hardware: Succeeded, Failed, Not supported, or Not enough resources.
Suppression time
    Remaining suppression time, in seconds.
Attack time
    Time when the interface-based ND attack was detected, in YYYY/MM/DD HH:MM:SS format.

Related commands

reset ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression enable per-interface

Use ipv6 nd attack-suppression enable per-interface to enable interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression enable per-interface to disable interface-based ND attack suppression.

Syntax

ipv6 nd attack-suppression enable per-interface

undo ipv6 nd attack-suppression enable per-interface

Default

Interface-based ND attack suppression is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use this feature to rate limit ND requests on each Layer 3 interface to prevent ND spoofing attacks. This feature monitors the number of ND requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the threshold, the device creates an ND attack suppression entry for the interface.

During the suppression period, the maximum receiving rate for ND requests is 12800 bytes per second on the interface.

When the suppression time expires, the system examines the number of received ND messages on the interface within the suppression time:

·     If the number of the received ND messages is higher than or equal to a calculated value, the device resets the suppression time for the entry and continues the ND suppression on the interface.

The calculated value = (suppression time/check interval) × suppression threshold

·     If the number of the received ND messages is lower than the calculated value, the device deletes the suppression entry.

As a best practice, enable this feature on the gateway.
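The entry lifecycle described above for interface-based suppression is the same one the ipv6 nd source-mac usage guidelines describe for source MAC-based detection: count messages per check interval, create an entry when the count exceeds the threshold, and at expiry re-arm the entry only if the matched messages reached (lifetime / check interval) × threshold. The Python simulation below is an added example, not H3C code, and serves both sections: the key is a source MAC for source MAC-based detection and an interface name for interface-based suppression. Only the default threshold of 30 comes from the page; the check interval, the aging/suppression time, the MAC addresses and the traffic are assumed values. The model also applies the mode-switch rule from the ipv6 nd source-mac guidelines (monitor to filter takes effect on existing entries at once, filter to monitor leaves existing entries filtering) and uses entry hits as the re-arm metric, which equals packets dropped in filter mode. The 12800 bytes-per-second cap during suppression is not modelled.

```python
"""ND attack entry lifecycle (added example, not H3C code).

Key = source MAC for source MAC-based detection, key = interface for
interface-based suppression. Threshold 30 is the documented default;
check interval, aging/suppression time and all traffic are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

FILTER, MONITOR = "filter", "monitor"


@dataclass
class Entry:
    expires: float
    mode: str         # frozen at creation; only a switch to filter rewrites it
    matched: int = 0  # messages that hit the entry (= packets dropped in filter mode)


@dataclass
class NdAttackDetector:
    threshold: int = 30           # ipv6 nd source-mac threshold default
    check_interval: float = 5.0   # ASSUMED; the page does not state it
    lifetime: float = 10.0        # aging time / suppression time; ASSUMED
    mode: str = MONITOR
    logging: bool = True          # ipv6 nd check log enable
    entries: Dict[str, Entry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    _win_start: Dict[str, float] = field(default_factory=dict)
    _win_count: Dict[str, int] = field(default_factory=dict)

    def rearm_value(self) -> int:
        """(aging time / check interval) x threshold, as in the usage guidelines."""
        return int(self.lifetime / self.check_interval * self.threshold)

    def switch_mode(self, new_mode: str) -> None:
        """monitor->filter applies to existing entries at once; filter->monitor does not."""
        if new_mode == FILTER:
            for e in self.entries.values():
                e.mode = FILTER
        self.mode = new_mode

    def _expire(self, now: float) -> None:
        for key, e in list(self.entries.items()):
            if now < e.expires:
                continue
            if e.matched >= self.rearm_value():
                e.expires, e.matched = now + self.lifetime, 0   # reset aging time, keep entry
            else:
                del self.entries[key]                           # key is a common one again
                self._win_start.pop(key, None)
                self._win_count.pop(key, None)

    def observe(self, now: float, key: str) -> str:
        """Handle one ND message from `key` at time `now`; return 'deliver' or 'drop'."""
        self._expire(now)
        e = self.entries.get(key)
        if e is not None:
            e.matched += 1
            if self.logging:
                self.log.append(f"{now:.2f} {key}: matched attack entry ({e.mode})")
            return "drop" if e.mode == FILTER else "deliver"
        if key not in self._win_start or now - self._win_start[key] >= self.check_interval:
            self._win_start[key], self._win_count[key] = now, 0
        self._win_count[key] += 1
        if self._win_count[key] > self.threshold:   # entry created; only later messages are filtered
            self.entries[key] = Entry(now + self.lifetime, self.mode)
            if self.logging:
                self.log.append(f"{now:.2f} {key}: exceeded threshold {self.threshold}")
        return "deliver"


def run_scenario(mode: str) -> dict:
    """Constructed traffic: one flooding MAC and one well-behaved host (assumed values)."""
    attacker, host = "23f3-1122-3344", "aaaa-bbbb-cccc"
    events = [(i * 0.005, attacker) for i in range(100)]          # 100 NS in 0.5 s
    events += [(12.0 + i * 0.005, attacker) for i in range(100)]  # second burst, entry re-armed
    events += [(25.0, attacker), (45.0, attacker)]                # a trickle, then a long pause
    events += [(s + 0.5, host) for s in range(30)]                # 1 message per second
    d = NdAttackDetector(mode=mode)
    result = {"deliver": 0, "drop": 0}
    for now, key in sorted(events):
        result[d.observe(now, key)] += 1
    result["entry_at_end"] = attacker in d.entries   # trickle is below re-arm value, entry removed
    result["host_entered"] = host in d.entries
    result["log_lines"] = len(d.log)
    return result


if __name__ == "__main__":
    for m in (FILTER, MONITOR):
        print(m, run_scenario(m))
```

With these assumed values the re-arm value is 60, so a MAC that bursts 100 solicitations every aging period stays filtered indefinitely, while a MAC that drops to one message per aging period is released at the next expiry. On the device, the Packets dropped and Aging time columns of display ipv6 nd source-mac (or the per-interface display command) are the fields to watch to see which case an entry is in.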

Examples

# Enable interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression enable per-interface

Related commands

display ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression threshold

Source MAC consistency check commands

ipv6 nd check log enable

Use ipv6 nd check log enable to enable the ND logging feature.

Use undo ipv6 nd check log enable to restore the default.

Syntax

ipv6 nd check log enable

undo ipv6 nd check log enable

Default

The ND logging feature is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Examples

# Enable the ND logging feature.

<Sysname> system-view

[Sysname] ipv6 nd check log enable

Related commands

ipv6 nd mac-check enable

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.

Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.

Syntax

ipv6 nd mac-check enable

undo ipv6 nd mac-check enable

Default

Source MAC consistency check for ND messages is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
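The check compares two fields carried in every ND message that includes a Source Link-Layer Address option: the Ethernet source MAC of the frame and the MAC inside the option. The Python parser below is an added example, not H3C code; it builds a Neighbor Solicitation with a constructed MAC and address pair, then runs the consistency check over the raw frame. It assumes an IPv6 header with no extension headers and only evaluates the type 1 (source link-layer address) option; ND messages that carry no such option, such as a duplicate address detection solicitation from the unspecified address, have nothing to compare and pass. The checksum verification and the zero-length-option rejection are this example's additions and are not stated on the page.

```python
"""Source MAC consistency check for ND messages (added example, not H3C code)."""
import ipaddress
import struct
from typing import Optional

ETHERTYPE_IPV6 = 0x86DD
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}   # fixed ICMPv6 part per type
OPT_SOURCE_LLADDR = 1


def mac_to_h3c(mac: bytes) -> str:
    """Render 6 bytes in the H-H-H form used by the display commands, e.g. 23f3-1122-3344."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!IBBBB", len(payload), 0, 0, 0, 58)
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ns(src_mac: bytes, src_ip: str, target_ip: str, lladdr: Optional[bytes]) -> bytes:
    """Construct an Ethernet/IPv6 Neighbor Solicitation frame as test input (not captured traffic)."""
    src = ipaddress.IPv6Address(src_ip).packed
    tgt = ipaddress.IPv6Address(target_ip).packed
    dst = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13] + tgt[13:]   # solicited-node group
    dst_mac = b"\x33\x33" + dst[12:]
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + tgt
    if lladdr is not None:
        icmp += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + lladdr
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src + dst
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def nd_source_mac_check(frame: bytes) -> str:
    """Return 'pass', 'drop:<reason>' or 'ignore:not-nd' for one Ethernet frame."""
    if len(frame) < 14 + 40 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "ignore:not-nd"
    eth_src = frame[6:12]
    ip6 = frame[14:54]
    payload_len, next_hdr = struct.unpack("!HB", ip6[4:7])
    if next_hdr != 58:                       # extension headers are not handled in this example
        return "ignore:not-nd"
    icmp = frame[54:54 + payload_len]
    if len(icmp) != payload_len or icmp[0] not in ND_TYPES:
        return "ignore:not-nd"
    if icmpv6_checksum(ip6[8:24], ip6[24:40], icmp) != 0:
        return "drop:bad-checksum"
    off = OPTIONS_OFFSET[icmp[0]]
    if len(icmp) < off:
        return "drop:truncated"
    while off + 2 <= len(icmp):              # options are TLVs with length in 8-byte units
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            return "drop:zero-length-option"
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            lladdr = icmp[off + 2:off + 8]
            if lladdr != eth_src:
                return f"drop:lladdr {mac_to_h3c(lladdr)} != source MAC {mac_to_h3c(eth_src)}"
            return "pass"
        off += olen * 8
    return "pass"                            # no source link-layer option: nothing to compare


if __name__ == "__main__":
    real = bytes.fromhex("000100010001")
    print(nd_source_mac_check(build_ns(real, "fe80::1", "fe80::2", real)))
    print(nd_source_mac_check(build_ns(bytes.fromhex("23f311223344"), "fe80::1", "fe80::2", real)))
```

The second call is the spoofing case the gateway is meant to drop: the frame arrives from one MAC but advertises another as the link-layer address of the sender, which is what a neighbor cache poisoning attempt looks like on the wire. When troubleshooting, pair this check with ipv6 nd check log enable so the inconsistency events reach the information center.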

Examples

# Enable source MAC consistency check for ND messages.

<Sysname> system-view

[Sysname] ipv6 nd mac-check enable
