12-Security Command Reference

28-ND attack defense commands

ND attack defense commands

Source MAC-based ND attack detection commands

display ipv6 nd source-mac

Use display ipv6 nd source-mac to display source MAC-based ND attack detection entries.

Syntax

In standalone mode:

display ipv6 nd source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]

display ipv6 nd source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ]

display ipv6 nd source-mac slot slot-number [ count | verbose ]

In IRF mode:

display ipv6 nd source-mac interface interface-type interface-number [ chassis chassis-number slot slot-number ] [ verbose ]

display ipv6 nd source-mac { mac mac-address | vlan vlan-id } chassis chassis-number slot slot-number [ verbose ]

display ipv6 nd source-mac chassis chassis-number slot slot-number [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Displays the ND attack detection entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Displays the source MAC-based ND attack detection entries for the specified VLAN. The VLAN ID is in the range of 1 to 4094.

slot slot-number: Displays the ND attack entries detected by the physical interfaces that reside on the specified card and belong to the specified virtual interface. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the active MPUs and belong to the specified virtual interface. (In standalone mode.)

chassis chassis-number slot slot-number: Displays the ND attack entries detected by the physical interfaces that reside on the specified slot and belong to the virtual interface. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the global active MPU and belong to the virtual interface. (In IRF mode.)

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays source MAC-based ND attack detection entries for the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays source MAC-based ND attack detection entries for the global active MPU. (In IRF mode.)

verbose: Displays detailed information about source MAC-based ND attack detection entries. If you do not specify this keyword, this command displays brief information about the source MAC-based ND attack detection entries.

count: Displays the number of source MAC-based ND attack detection entries. If you do not specify this keyword, the command displays source MAC-based ND attack detection entries.

Usage guidelines

(In standalone mode.) The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.

(In IRF mode.) The chassis chassis-number slot slot-number options are supported only when the interface interface-type interface-number option specifies a virtual interface.

This command supports the following virtual interfaces: Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, VXLAN VSI interfaces, EVB VSI interfaces, and EVB VSI aggregate interfaces.

If you do not specify any parameters, this command displays all source MAC-based ND attack detection entries.

Examples

# Display source MAC-based ND attack detection entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd source-mac interface gigabitethernet 1/0/1

Source MAC     VLAN ID Interface                Aging time (sec) Packets dropped

23f3-1122-3344 4094    GE1/0/1                  10                  84467

# Display the number of source MAC-based ND attack detection entries.

<Sysname> display ipv6 nd source-mac count

Total source MAC-based ND attack detection entries: 1

# Display detailed information about source MAC-based ND attack detection entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd source-mac interface gigabitethernet 1/0/1 verbose

Source MAC: 0001-0001-0001

VLAN ID: 4094

Hardware status: Succeeded

Aging time: 10 seconds

Interface: GigabitEthernet1/0/1

Attack time: 2019/06/04 15:53:34

Packets dropped: 84467

Table 1 Command output

Field

Description

Source MAC

MAC address from which an ND attack is launched.

VLAN ID

ID of the VLAN where the source MAC-based ND attack is detected.

Interface

Interface where the source MAC-based ND attack is detected.

Aging time

Remaining aging time of the source MAC-based ND attack detection entry, in seconds.

Packets dropped

Total number of dropped packets. For Layer 2 Ethernet interfaces, this field is not supported and the field value is 0.

Total source MAC-based ND attack detection entries

Total number of source MAC-based ND attack detection entries.

Hardware status

Status of writing the source MAC-based ND attack entry to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Attack time

Time when the source MAC-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.

 

Related commands

reset ipv6 nd source-mac

display ipv6 nd source-mac configuration

Use display ipv6 nd source-mac configuration to display the configuration of source MAC-based ND attack detection.

Syntax

display ipv6 nd source-mac configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of source MAC-based ND attack detection.

<Sysname> display ipv6 nd source-mac configuration

IPv6 ND source-mac is enabled.

Mode: Filter        Threshold: 20

Table 2 Command output

Field

Description

IPv6 ND source-mac is enabled.

Source MAC-based ND attack detection is enabled.

IPv6 ND source-mac is disabled.

Source MAC-based ND attack detection is disabled.

Mode

Source MAC-based ND attack detection mode:

·     Filter.

·     Monitor.

Threshold

Threshold for source MAC-based ND attack detection.

 

Related commands

ipv6 nd source-mac

ipv6 nd source-mac threshold

ipv6 nd source-mac

Use ipv6 nd source-mac to enable source MAC-based ND attack detection and set the detection mode.

Use undo ipv6 nd source-mac to disable source MAC-based ND attack detection.

Syntax

ipv6 nd source-mac { filter | monitor }

undo ipv6 nd source-mac

Default

Source MAC-based ND attack detection is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filter: Specifies the filter mode.

monitor: Specifies the monitor mode.

Usage guidelines

As a best practice, configure this command on gateway devices.

Source MAC-based ND attack detection checks the number of ND messages delivered to the CPU on a per source MAC basis. If the number of messages from the same MAC address within 5 seconds exceeds the threshold, the device generates an ND attack entry for the MAC address. The processing of the ND messages matching this entry depends on the detection mode. With ND logging enabled (by using the ipv6 nd check log enable command), source MAC-based ND attack detection processes the messages as follows:

·     Filter mode—Filters out subsequent ND messages sent from the MAC address, and generates log messages.

·     Monitor mode—Only generates log messages.

The device uses the entry aging time (fixed at 300 seconds) and the threshold to calculate a value:

The calculated value = (threshold/5) × 300

The device monitors the number of dropped packets for an entry. When the entry aging time is reached, it compares the number with the calculated value and takes actions accordingly:

·     If the number of dropped packets is higher than or equal to the calculated value, the device resets the aging time for the entry.

·     If the number of dropped packets is lower than the calculated value, the system deletes the entry and treats the MAC address in the entry as a common MAC address again.

When you change the detection mode from monitor to filter, the filter mode takes effect immediately. When you change the detection mode from filter to monitor, the device continues filtering ND messages that match existing attack entries.

Examples

# Enable source MAC-based ND attack detection and set the detection mode to monitor.

<Sysname> system-view

[Sysname] ipv6 nd source-mac monitor

ipv6 nd source-mac threshold

Use ipv6 nd source-mac threshold to set the threshold for source MAC-based ND attack detection.

Use undo ipv6 nd source-mac threshold to restore the default.

Syntax

ipv6 nd source-mac threshold threshold-value

undo ipv6 nd source-mac threshold

Default

The threshold for source MAC-based ND attack detection is 30.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ND attack detection. The value range is 1 to 5000.

Usage guidelines

If the number of packets from the same MAC address within 5 seconds exceeds the threshold, the device generates an ND attack entry for the MAC address.

Examples

# Set the threshold to 100 for source MAC-based ND attack detection.

<Sysname> system-view

[Sysname] ipv6 nd source-mac threshold 100

reset ipv6 nd source-mac

Use reset ipv6 nd source-mac to delete source MAC-based ND attack detection entries.

Syntax

In standalone mode:

reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]

In IRF mode:

reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Deletes the source MAC-based ND attack entries detected on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

mac mac-address: Deletes the source MAC-based ND attack entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Deletes the source MAC-based ND attack entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command deletes all source MAC-based ND attack detection entries.

Examples

# Delete all source MAC-based ND attack detection entries.

<Sysname> reset ipv6 nd source-mac

Related commands

display ipv6 nd source-mac

Interface-based ND attack suppression commands

display ipv6 nd attack-suppression configuration

Use display ipv6 nd attack-suppression configuration to display the configuration of interface-based ND attack suppression.

Syntax

display ipv6 nd attack-suppression configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of interface-based ND attack suppression.

<Sysname> display ipv6 nd attack-suppression configuration

IPv6 ND attack-suppression per-interface is enabled.

Threshold: 3000

Table 3 Command output

Field

Description

IPv6 ND attack-suppression per-interface is enabled.

The interface-based ND attack suppression is enabled.

IPv6 ND attack-suppression per-interface is disabled.

The interface-based ND attack suppression is disabled.

Threshold

Threshold for triggering interface-based ND attack suppression.

 

Related commands

ipv6 nd attack-suppression enable per-interface

display ipv6 nd attack-suppression per-interface

Use display ipv6 nd attack-suppression per-interface to display interface-based ND attack suppression entries.

Syntax

In standalone mode:

display ipv6 nd attack-suppression per-interface slot slot-number [ count | verbose ]

In IRF mode:

display ipv6 nd attack-suppression per-interface chassis chassis-number slot slot-number [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

count: Displays the number of interface-based ND attack suppression entries. If you do not specify this keyword, the command displays interface-based ND attack suppression entries.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all interface-based ND attack suppression entries.

Examples

# Display interface-based ND attack suppression entries on the specified slot.

<Sysname> display ipv6 nd attack-suppression per-interface slot 1

Interface                Suppression time (second) Packets dropped

GE1/0/1                  200                            84467

GE1/0/2                  140                            38293

# Display the total number of interface-based ND attack suppression entries on the specified slot.

<Sysname> display ipv6 nd attack-suppression per-interface slot 1 count

Total ND attack suppression entries: 2

# Display detailed information about the interface-based ND attack suppression entries on the specified slot.

<Sysname> display ipv6 nd attack-suppression per-interface slot 1 verbose

Interface: GigabitEthernet1/0/1

Suppression time: 200 seconds

Hardware status: Succeeded

Attack time: 2019/06/04 15:53:34

Packets dropped: 84467

 

Interface: GigabitEthernet1/0/2

Suppression time: 140 seconds

Hardware status: Succeeded

Attack time: 2019/06/04 14:53:34

Packets dropped: 38293

Table 4 Command output

Field

Description

Interface

Interface in the ND attack suppression entry.

Suppression time (second)

Suppression time, in seconds.

Packets dropped

Total number of dropped packets.

Total ND attack suppression entries

Total number of ND attack suppression entries.

Hardware status

Status of writing the interface-based ND attack entry to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Suppression time

Remaining suppression time, in seconds.

Attack time

Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.

 

Related commands

reset ipv6 nd attack-suppression per-interface

reset ipv6 nd attack-suppression per-interface statistics

display ipv6 nd attack-suppression per-interface interface

Use display ipv6 nd attack-suppression per-interface interface to display interface-based ND attack suppression entries on an interface.

Syntax

display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.

Examples

# Display interface-based ND attack suppression entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 1/0/1

Interface                Suppression time (second) Packets dropped

GE1/0/1                  200                            84467

# Display detailed information about the interface-based ND attack suppression entries on GigabitEthernet 1/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface gigabitethernet 1/0/1 verbose

Interface: GigabitEthernet1/0/1

Suppression time: 200 seconds

Hardware status: Succeeded

Attack time: 2019/06/04 15:53:34

Packets dropped: 84467

Table 5 Command output

Field

Description

Interface

Interface in the ND attack suppression entry.

Suppression time (second)

Suppression time, in seconds.

Packets dropped

Total number of dropped packets.

Hardware status

Status of writing the interface-based ND attack entry to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Suppression time

Remaining suppression time, in seconds.

Attack time

Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.

 

Related commands

reset ipv6 nd attack-suppression per-interface

reset ipv6 nd attack-suppression per-interface statistics

ipv6 nd attack-suppression enable per-interface

Use ipv6 nd attack-suppression enable per-interface to enable interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression enable per-interface to disable interface-based ND attack suppression.

Syntax

ipv6 nd attack-suppression enable per-interface

undo ipv6 nd attack-suppression enable per-interface

Default

Interface-based ND attack suppression is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature to rate-limit ND requests on each Layer 3 interface to prevent ND spoofing attacks. This feature monitors the number of ND requests that each Layer 3 interface receives within 5 seconds. If the number on an interface exceeds the threshold, the device creates an ND attack suppression entry for the interface. During the suppression period (fixed at 300 seconds), the device drops ND messages received on this interface.

When the suppression time expires, the system examines the number of dropped ND messages on the interface within the suppression time:

·     If the number is higher than or equal to a calculated value, the device resets the suppression time for the entry and continues the ND suppression on the interface.

The calculated value = (threshold/5) × 300

·     If the number is lower than the calculated value, the device deletes the suppression entry.

As a best practice, enable this feature on the gateway.
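The source MAC-based detection algorithm (5-second window, threshold, 300-second entry lifetime, keep-alive bar of (threshold/5) × 300) and the interface-based suppression algorithm above follow the same rate-detection logic, differing only in the key they count on. The following simulation, added here as an illustration and not H3C code, implements that logic once with the key chosen by the caller (a source MAC or an interface name) and replays constructed traffic against the page's default thresholds of 30 and 1000. The class and function names, the "forward"/"drop" results, and the split of the dropped count into a per-period counter (used for the expiry comparison) and a cumulative total (like the Packets dropped field) are this example's own assumptions; the page does not state whether the comparison uses a cumulative or a per-period count.

```python
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW = 5            # seconds: counting window stated on the page
ENTRY_LIFETIME = 300  # seconds: fixed aging / suppression time stated on the page


@dataclass
class AttackEntry:
    key: str                  # offending source MAC or ingress interface
    expires: float            # absolute time the current 300 s period ends
    dropped_period: int = 0   # drops in the current period (assumed per-period counter)
    dropped_total: int = 0    # cumulative drops, like the "Packets dropped" field


class NdRateDetector:
    """Generic per-key ND rate detector; key = source MAC or interface name (example code)."""

    def __init__(self, threshold: int, mode: str = "filter"):
        if not 1 <= threshold <= 5000:
            raise ValueError("threshold must be in 1..5000")
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold = threshold
        self.mode = mode
        self.keep_value = (threshold / WINDOW) * ENTRY_LIFETIME   # (threshold/5) x 300
        self.entries: dict[str, AttackEntry] = {}
        self.windows: dict[str, deque] = defaultdict(deque)        # arrival times per key
        self.log: list[str] = []

    def _age(self, now: float) -> None:
        """At expiry, keep (re-arm) a still-flooding entry, delete a quiet one."""
        for key, e in list(self.entries.items()):
            if now < e.expires:
                continue
            if e.dropped_period >= self.keep_value:
                self.entries[key] = AttackEntry(key, e.expires + ENTRY_LIFETIME, 0, e.dropped_total)
                self.log.append(f"{now:.1f}s entry for {key} re-armed")
            else:
                del self.entries[key]
                self.log.append(f"{now:.1f}s entry for {key} deleted, {key} is normal again")

    def process(self, now: float, key: str) -> str:
        """Handle one ND message arriving at `now`; return 'forward' or 'drop'."""
        self._age(now)
        entry = self.entries.get(key)
        if entry is None:
            w = self.windows[key]
            w.append(now)
            while w and now - w[0] >= WINDOW:   # keep only the last 5 seconds
                w.popleft()
            if len(w) > self.threshold:
                self.entries[key] = AttackEntry(key, now + ENTRY_LIFETIME)
                self.log.append(f"{now:.1f}s attack entry created for {key}")
                w.clear()
            return "forward"   # only *subsequent* messages are filtered
        if self.mode == "filter":
            entry.dropped_period += 1
            entry.dropped_total += 1
            return "drop"
        self.log.append(f"{now:.1f}s monitor: ND message from {key}")   # monitor mode only logs
        return "forward"


def run_demo() -> dict:
    """Constructed traffic (not captured data): one flooding source MAC plus a normal
    host, then one interface flooded at the interface-based default of 1000."""
    mac = NdRateDetector(threshold=30, mode="filter")          # page default for source MAC
    flood = [(i * 0.1, "0001-0001-0001") for i in range(40)]   # 40 NS in 4 s
    normal = [(1.0, "aaaa-bbbb-cccc")]
    events = sorted(flood + normal)
    actions = [mac.process(t, k) for t, k in events]
    # entry was created at t=3.0, so it reaches its 300 s lifetime at t=303.0;
    # only 9 drops < 1800 keep-value, so the entry is deleted before this message
    after_aging = mac.process(305.0, "0001-0001-0001")

    intf = NdRateDetector(threshold=1000)                      # page default per interface
    burst = [(i * 0.004, "GE1/0/1") for i in range(1100)]      # 1100 NS in 4.4 s
    intf_actions = [intf.process(t, k) for t, k in burst]
    return {
        "mac_dropped": actions.count("drop"),
        "mac_normal_host_forwarded": all(a == "forward" for (_, k), a in zip(events, actions)
                                         if k == "aaaa-bbbb-cccc"),
        "mac_entry_deleted_after_aging": "0001-0001-0001" not in mac.entries,
        "mac_after_aging": after_aging,
        "intf_dropped": intf_actions.count("drop"),
        "intf_entry_present": "GE1/0/1" in intf.entries,
        "intf_keep_value": intf.keep_value,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With the page's default source MAC threshold of 30, the 31st message in the window creates the entry and the remaining 9 are dropped; because 9 is far below the keep-value of 1800, the entry is deleted at expiry and the host is treated as normal again. The same detector keyed on an interface with the default threshold of 1000 creates its entry on the 1001st request and would need 60000 drops within the 300-second period to be re-armed.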

Examples

# Enable interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression enable per-interface

Related commands

display ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression threshold

ipv6 nd attack-suppression threshold

Use ipv6 nd attack-suppression threshold to set the threshold for triggering interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression threshold to restore the default.

Syntax

ipv6 nd attack-suppression threshold threshold-value

undo ipv6 nd attack-suppression threshold

Default

The threshold for triggering interface-based ND attack suppression is 1000.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for triggering interface-based ND attack suppression, in the range of 1 to 5000. The threshold defines the maximum number of ND requests that an interface can receive within 5 seconds.

Usage guidelines

When the number of ND requests that an interface received within 5 seconds exceeds the threshold, the device determines that the interface is being attacked.

Examples

# Set the threshold to 500 for triggering interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression threshold 500

Related commands

display ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression enable per-interface

reset ipv6 nd attack-suppression per-interface

Use reset ipv6 nd attack-suppression per-interface to delete interface-based ND attack suppression entries.

Syntax

In standalone mode:

reset ipv6 nd attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

reset ipv6 nd attack-suppression per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Deletes interface-based ND attack suppression entries for the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command deletes all interface-based ND attack suppression entries.

Examples

# Delete all interface-based ND attack suppression entries.

<Sysname> reset ipv6 nd attack-suppression per-interface

Related commands

display ipv6 nd attack-suppression per-interface

reset ipv6 nd attack-suppression per-interface statistics

Use reset ipv6 nd attack-suppression per-interface statistics to clear statistics for ND messages dropped by interface-based ND attack suppression.

Syntax

In standalone mode:

reset ipv6 nd attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ]

In IRF mode:

reset ipv6 nd attack-suppression per-interface statistics [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears statistics for ND messages dropped by interface-based ND attack suppression on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

Usage guidelines

After you execute this command, the value for the Packets dropped field from the output of the display ipv6 nd attack-suppression per-interface command will be cleared.

If you do not specify any parameters, this command clears all statistics for ND messages dropped by interface-based ND attack suppression.

Examples

# Clear statistics for ND messages dropped by interface-based ND attack suppression.

<Sysname> reset ipv6 nd attack-suppression per-interface statistics

Related commands

display ipv6 nd attack-suppression per-interface

Source MAC consistency check commands

ipv6 nd check log enable

Use ipv6 nd check log enable to enable the ND logging feature.

Use undo ipv6 nd check log enable to restore the default.

Syntax

ipv6 nd check log enable

undo ipv6 nd check log enable

Default

The ND logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Examples

# Enable the ND logging feature.

<Sysname> system-view

[Sysname] ipv6 nd check log enable

Related commands

ipv6 nd mac-check enable

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.

Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.

Syntax

ipv6 nd mac-check enable

undo ipv6 nd mac-check enable

Default

Source MAC consistency check for ND messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
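The check described above compares two values carried in one frame: the Ethernet source MAC and the Source Link-Layer Address option (type 1) inside the ICMPv6 ND message. The parser below, an added example and not H3C code, locates the ND message in a raw Ethernet frame, walks the option list using the header lengths from RFC 4861 (RS, RA, NS, NA, Redirect), and makes the forward/drop decision the page describes. The frame builder, the sample MAC and IPv6 addresses, and the handling of frames without an SLLA option (forwarded, since there is nothing to compare) are this example's own assumptions; the example does not walk IPv6 extension headers or validate the ICMPv6 checksum.

```python
import struct
from typing import Optional

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
# ICMPv6 ND type -> offset of the options area from the ICMPv6 header start (RFC 4861)
ND_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LINK_LAYER = 1

# Constructed addresses used by the sample frames (all-nodes multicast)
ALL_NODES_MAC = bytes.fromhex("333300000001")
ALL_NODES_IP6 = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1


def parse_nd_frame(frame: bytes) -> Optional[dict]:
    """Return {'src_mac', 'icmp_type', 'slla'} for an ND frame, None if it is not ND."""
    if len(frame) < 14 + 40 + 4:
        return None
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != NEXT_HEADER_ICMPV6:
        return None   # extension headers are not walked in this example
    payload_len = struct.unpack("!H", ip6[4:6])[0]
    icmp = frame[54:54 + payload_len]
    if not icmp or icmp[0] not in ND_OPTIONS_OFFSET:
        return None
    slla = None
    pos = ND_OPTIONS_OFFSET[icmp[0]]
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            break   # malformed option list (RFC 4861 forbids length 0): stop parsing
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            slla = icmp[pos + 2:pos + 8]   # 6-byte MAC follows type/length
        pos += opt_len * 8                 # option length is in 8-byte units
    return {"src_mac": src_mac, "icmp_type": icmp[0], "slla": slla}


def mac_check(frame: bytes) -> str:
    """The gateway decision from the page: drop an ND message whose Ethernet source
    MAC and source link-layer address disagree, forward it otherwise."""
    info = parse_nd_frame(frame)
    if info is None or info["slla"] is None:
        return "forward"   # not ND, or no SLLA option present: nothing to compare
    return "forward" if info["slla"] == info["src_mac"] else "drop"


def build_ns(src_mac: bytes, slla: bytes, src_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed Neighbor Solicitation carrying an SLLA option; checksum left at 0."""
    icmp = struct.pack("!BBHI16s", 135, 0, 0, 0, target_ip) + bytes([OPT_SOURCE_LINK_LAYER, 1]) + slla
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 255, src_ip, ALL_NODES_IP6)
    eth = ALL_NODES_MAC + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


def run_demo() -> dict:
    """Three constructed frames: consistent NS, NS with a spoofed SLLA, and a non-ND frame."""
    host_mac = bytes.fromhex("000100010001")
    other_mac = bytes.fromhex("23f311223344")
    src_ip = bytes.fromhex("fe80" + "00" * 13 + "01")     # fe80::1
    target_ip = bytes.fromhex("fe80" + "00" * 13 + "02")  # fe80::2
    consistent = build_ns(host_mac, host_mac, src_ip, target_ip)
    spoofed = build_ns(host_mac, other_mac, src_ip, target_ip)
    arp_like = ALL_NODES_MAC + host_mac + struct.pack("!H", 0x0806) + bytes(46)
    return {
        "consistent": mac_check(consistent),
        "spoofed": mac_check(spoofed),
        "not_nd": mac_check(arp_like),
        "parsed_type": parse_nd_frame(consistent)["icmp_type"],
    }


if __name__ == "__main__":
    print(run_demo())
```

A frame whose SLLA option names a different MAC than the Ethernet header is the inconsistency the command is designed to catch; an NS without the option (for example a duplicate address detection probe) carries nothing to compare and passes the check.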

Examples

# Enable source MAC consistency check for ND messages.

<Sysname> system-view

[Sysname] ipv6 nd mac-check enable

 
