16-Security Command Reference
19-ND attack defense commands
ND attack defense commands
Source MAC consistency check commands
ipv6 nd check log enable
Use ipv6 nd check log enable to enable the ND logging feature.
Use undo ipv6 nd check log enable to restore the default.
Syntax
ipv6 nd check log enable
undo ipv6 nd check log enable
Default
The ND logging feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Examples
# Enable the ND logging feature.
<Sysname> system-view
[Sysname] ipv6 nd check log enable
Related commands
ipv6 nd mac-check enable
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check for ND messages is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
Examples
# Enable source MAC consistency check for ND messages.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
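As an added example (not from this command reference and not the vendor's implementation), the following Python mirrors the consistency check described under Usage guidelines on a constructed ND frame: it reads the Ethernet source MAC, parses the ICMPv6 Source Link-Layer Address option (type 1) of the ND message, and reports whether the two agree. The frame builder, the function names, and the assumption that a message carrying no source link-layer option passes the check are mine; IPv6 extension headers and the ICMPv6 checksum are not handled.

```python
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
# ICMPv6 types that are ND messages (RFC 4861) and the length of their fixed part
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # RS, RA, NS, NA, Redirect
OPT_SOURCE_LINK_LAYER_ADDR = 1


def build_nd_frame(eth_src, slla, nd_type=135):
    """Constructed Ethernet/IPv6/ICMPv6 ND frame (default: Neighbor Solicitation)
    carrying a Source Link-Layer Address option. Checksum is left zero; the
    consistency check does not depend on it."""
    eth_dst = bytes.fromhex("3333ff000001")  # solicited-node multicast MAC (constructed)
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_IPV6)
    src_ip = bytes.fromhex("fe80000000000000" "0000000000000001")
    dst_ip = bytes.fromhex("ff02000000000001" "ff00000000000001")
    target = bytes.fromhex("fe80000000000000" "0000000000000002")
    # type, code, checksum, reserved, target address, then the SLLA option (8 bytes)
    icmp = struct.pack("!BBHI", nd_type, 0, 0, 0) + target
    icmp += struct.pack("!BB", OPT_SOURCE_LINK_LAYER_ADDR, 1) + slla
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255) + src_ip + dst_ip
    return eth + ip6 + icmp


def parse_nd_frame(frame):
    """Return (eth_src, nd_type, slla or None); raise ValueError if not an ND message."""
    if len(frame) < 14 + 40 + 8:
        raise ValueError("frame too short")
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        raise ValueError("not IPv6")
    payload_len, next_hdr, _hop_limit = struct.unpack("!HBB", frame[18:22])
    if next_hdr != NEXT_HEADER_ICMPV6:
        raise ValueError("not ICMPv6 (extension headers not handled here)")
    icmp = frame[54:54 + payload_len]
    nd_type = icmp[0]
    if nd_type not in ND_FIXED_LEN:
        raise ValueError("not an ND message")
    opts = icmp[ND_FIXED_LEN[nd_type]:]
    slla = None
    # Walk the TLV options; length is in units of 8 bytes and zero is invalid.
    while len(opts) >= 2:
        opt_type, opt_len = opts[0], opts[1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        size = opt_len * 8
        if len(opts) < size:
            raise ValueError("truncated ND option")
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR:
            slla = opts[2:8]
        opts = opts[size:]
    return eth_src, nd_type, slla


def source_mac_consistent(frame):
    """True if the gateway would forward the message, False if it would drop it:
    the Ethernet source MAC must equal the source link-layer address option.
    Assumption: a message with no such option is not subject to the check."""
    eth_src, _nd_type, slla = parse_nd_frame(frame)
    if slla is None:
        return True
    return slla == eth_src


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    print(source_mac_consistent(build_nd_frame(mac, mac)))                             # True
    print(source_mac_consistent(build_nd_frame(mac, bytes.fromhex("aabbccddeeff"))))   # False
```

A frame whose option disagrees with the Ethernet header is exactly the inconsistency the gateway drops, and the case the ND logging feature (ipv6 nd check log enable) reports.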
ND attack detection commands
display ipv6 nd detection statistics
Use display ipv6 nd detection statistics to display statistics for ND messages dropped by ND attack detection.
Syntax
display ipv6 nd detection statistics [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for ND messages dropped by ND attack detection on all interfaces.
Examples
# Display statistics for all ND messages dropped by ND attack detection.
<Sysname> display ipv6 nd detection statistics
ND packets dropped by ND detection:
Interface/AC Packets dropped
GE1/0/1 78
GE1/0/2 0
GE1/0/3 0
GE1/0/4 0
Table 1 Command output
Field | Description
---|---
Interface/AC | Input interface or AC link of the ND messages.
Packets dropped | Number of ND messages dropped by ND attack detection.
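An added example, not part of the command reference: a Python parser for the display ipv6 nd detection statistics output shown above, which turns the table into per-interface counters and flags interfaces whose drop count exceeds a threshold, the kind of check a monitoring job would run after collecting the command output. The sample output is the page's own; the function names and the threshold value are assumptions.

```python
SAMPLE_OUTPUT = """\
ND packets dropped by ND detection:
Interface/AC Packets dropped
GE1/0/1 78
GE1/0/2 0
GE1/0/3 0
GE1/0/4 0
"""


def parse_nd_detection_statistics(text):
    """Map each Interface/AC name to its 'Packets dropped' counter.
    Rows are read after the 'Interface/AC' header; the counter is the last
    token so that names containing spaces still parse."""
    counters = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface/AC"):
            in_table = True
            continue
        if not in_table:
            continue
        name, count = line.rsplit(None, 1)
        if not count.isdigit():
            raise ValueError(f"unexpected row in statistics output: {raw!r}")
        counters[name] = int(count)
    return counters


def interfaces_over_threshold(counters, threshold):
    """Interfaces/ACs whose drop count exceeds the threshold (assumed alert rule)."""
    return [name for name, dropped in counters.items() if dropped > threshold]


def total_dropped(counters):
    return sum(counters.values())


if __name__ == "__main__":
    stats = parse_nd_detection_statistics(SAMPLE_OUTPUT)
    print(stats)
    print(interfaces_over_threshold(stats, threshold=10))  # ['GE1/0/1']
```

Because reset ipv6 nd detection statistics clears the counters, a poller that compares successive readings should treat a counter that goes down as a reset rather than as a negative delta.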
ipv6 nd detection enable
Use ipv6 nd detection enable to enable ND attack detection. This feature checks the validity of ND messages.
Use undo ipv6 nd detection enable to disable ND attack detection.
Syntax
ipv6 nd detection enable
undo ipv6 nd detection enable
Default
ND attack detection is disabled.
Views
VLAN view
Predefined user roles
network-admin
Examples
# Enable ND attack detection for VLAN 10.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] ipv6 nd detection enable
ipv6 nd detection log enable
Use ipv6 nd detection log enable to enable ND attack detection logging.
Use undo ipv6 nd detection log enable to disable ND attack detection logging.
Syntax
ipv6 nd detection log enable
undo ipv6 nd detection log enable
Default
ND attack detection logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command allows a device to generate logs when it detects ND attacks. The log information helps administrators locate and solve problems. The ND attack detection logging feature sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.
Outputting a large number of ND attack detection logs degrades device performance. Disable ND attack detection logging if necessary to preserve device performance.
Examples
# Enable ND attack detection logging.
<Sysname> system-view
[Sysname] ipv6 nd detection log enable
ipv6 nd detection trust
Use ipv6 nd detection trust to configure an interface as an ND trusted interface.
Use undo ipv6 nd detection trust to restore the default.
Syntax
ipv6 nd detection trust
undo ipv6 nd detection trust
Default
All interfaces are ND untrusted interfaces. All ACs are ND untrusted ACs.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Examples
# Configure GigabitEthernet 1/0/1 as an ND trusted interface.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd detection trust
# Configure Bridge-Aggregation 1 as an ND trusted interface.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] ipv6 nd detection trust
reset ipv6 nd detection statistics
Use reset ipv6 nd detection statistics to clear ND attack detection statistics.
Syntax
reset ipv6 nd detection statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ND attack detection statistics for all interfaces.
Examples
# Clear all ND attack detection statistics.
<Sysname> reset ipv6 nd detection statistics