09-Security Command Reference
19-ND attack defense commands
Contents
ipv6 nd rate-limit log interval
Source MAC consistency check commands
display ipv6 nd detection statistics
ipv6 nd detection port-match-ignore
reset ipv6 nd detection statistics
display ipv6 nd raguard policy
display ipv6 nd raguard statistics
if-match autoconfig managed-address-flag
if-match autoconfig other-flag
reset ipv6 nd raguard statistics
IPv6 destination guard commands
display ipv6 destination-guard
ipv6 destination-guard global enable
ND keepalive entry scanning commands
display ipv6 nd scan keepalive entry
display ipv6 nd scan keepalive statistics
ipv6 nd scan keepalive aging-time
ipv6 nd scan keepalive send-rate
reset ipv6 nd scan keepalive statistics
ND attack defense commands
ND packet rate limit commands
ipv6 nd rate-limit
Use ipv6 nd rate-limit to enable ND packet rate limit.
Use undo ipv6 nd rate-limit to disable ND packet rate limit.
Syntax
ipv6 nd rate-limit [ pps ]
undo ipv6 nd rate-limit
Default
ND packet rate limit is enabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Layer 3 Ethernet interface view
Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
pps: Specifies the upper limit for ND packet receiving rate, in pps. The value range for this argument is 5 to 2000. If you do not specify the limit, the default value applies. By default, the rate limit is 2000 pps.
Usage guidelines
The rate limit limits the receiving rate of ND packets that are to be delivered to the CPU, preventing the CPU from being overwhelmed by ND packets. Packets that exceed the rate limit are dropped.
Examples
# Enable ND packet rate limit on Layer 2 Ethernet interface HundredGigE 1/0/1, and set the rate limit to 50 pps.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 nd rate-limit 50
ipv6 nd rate-limit log enable
Use ipv6 nd rate-limit log enable to enable logging for ND packet rate limit.
Use undo ipv6 nd rate-limit log enable to disable logging for ND packet rate limit.
Syntax
ipv6 nd rate-limit log enable
undo ipv6 nd rate-limit log enable
Default
Logging for ND packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
When logging for ND packet rate limit is enabled, the device sends the highest threshold-crossed ND packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for ND packet rate limit.
<Sysname> system-view
[Sysname] ipv6 nd rate-limit log enable
Related commands
ipv6 nd rate-limit log interval
ipv6 nd rate-limit log interval
Use ipv6 nd rate-limit log interval to set the log message sending interval for ND packet rate limit.
Use undo ipv6 nd rate-limit log interval to restore the default.
Syntax
ipv6 nd rate-limit log interval interval
undo ipv6 nd rate-limit log interval
Default
The device sends log messages every 60 seconds when the ND packet receiving rate on an interface exceeds the limit.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
To change the default interval and activate it, you must enable ND packet rate limit and enable sending log messages for ND packet rate limit.
Examples
# Configure the device to send log messages every 120 seconds when the ND packet receiving rate on an interface exceeds the limit.
<Sysname> system-view
[Sysname] ipv6 nd rate-limit log interval 120
Related commands
ipv6 nd rate-limit log enable
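The three commands above describe one mechanism: ND packets beyond the per-interface pps limit are dropped, and, when logging is enabled, the highest rate that crossed the limit is reported once per log interval. The following Python model is an added illustration of that documented behaviour, not the device's code; it assumes rates are counted per interface per whole second, and the log message text is a constructed format.

```python
"""Model of ND packet rate limiting with threshold-crossing logs.

Added illustration of the behaviour documented for ipv6 nd rate-limit,
ipv6 nd rate-limit log enable and ipv6 nd rate-limit log interval; it is
not the device's implementation. Rates are counted per interface per whole
second (an assumption), and the log text format is constructed.
"""
from collections import defaultdict


class NdRateLimiter:
    def __init__(self, pps=2000, log_enabled=False, log_interval=60):
        # Value ranges follow the command reference: 5-2000 pps, 1-86400 s.
        if not 5 <= pps <= 2000:
            raise ValueError("pps must be in 5..2000")
        if not 1 <= log_interval <= 86400:
            raise ValueError("log interval must be in 1..86400 seconds")
        self.pps = pps
        self.log_enabled = log_enabled
        self.log_interval = log_interval
        self._counts = defaultdict(int)  # (interface, second) -> ND packets seen in that second
        self._peak = defaultdict(int)    # interface -> highest rate above the limit since last log
        self._last_log = {}              # interface -> time of the last log message
        self.logs = []                   # messages handed to the "information center"

    def receive(self, interface, t):
        """Account for one ND packet arriving on `interface` at time `t` (seconds).

        Returns True when the packet is delivered to the CPU and False when it
        is dropped because the per-second rate already exceeds the limit.
        """
        key = (interface, int(t))
        self._counts[key] += 1
        rate = self._counts[key]
        if rate <= self.pps:
            return True
        # Over the limit: drop, and remember the highest rate for the next log.
        self._peak[interface] = max(self._peak[interface], rate)
        return False

    def flush_logs(self, now):
        """Emit at most one log per interface per log interval, carrying the
        highest threshold-crossed rate observed since the previous log."""
        emitted = []
        for interface, peak in list(self._peak.items()):
            if peak == 0:
                continue
            last = self._last_log.get(interface, float("-inf"))
            if now - last < self.log_interval:
                continue  # interval not elapsed yet; keep accumulating the peak
            if self.log_enabled:
                msg = (f"t={now}s {interface}: ND packet rate reached {peak} pps, "
                       f"limit is {self.pps} pps")  # constructed message format
                self.logs.append(msg)
                emitted.append(msg)
            self._last_log[interface] = now
            self._peak[interface] = 0
        return emitted


def burst(limiter, interface, t, count):
    """Feed `count` ND packets in the same second; returns (delivered, dropped)."""
    delivered = sum(1 for _ in range(count) if limiter.receive(interface, t))
    return delivered, count - delivered


if __name__ == "__main__":
    lim = NdRateLimiter(pps=50, log_enabled=True, log_interval=120)
    print(burst(lim, "HGE1/0/1", 0, 80))    # (50, 30)
    print(burst(lim, "HGE1/0/1", 1, 60))    # (50, 10)
    print(lim.flush_logs(1))                # one log reporting 80 pps
    print(lim.flush_logs(61))               # [] because the interval has not elapsed
    print(burst(lim, "HGE1/0/1", 130, 55))  # (50, 5)
    print(lim.flush_logs(130))              # one log reporting 55 pps
```

The model makes the interaction of the two settings visible: a short log interval gives finer-grained evidence of a flood, a long one keeps the information center quiet during a sustained one, and in both cases only the peak rate, not every dropped packet, is reported.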
Source MAC consistency check commands
ipv6 nd check log enable
Use ipv6 nd check log enable to enable the ND logging feature.
Use undo ipv6 nd check log enable to restore the default.
Syntax
ipv6 nd check log enable
undo ipv6 nd check log enable
Default
The ND logging feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Examples
# Enable the ND logging feature.
<Sysname> system-view
[Sysname] ipv6 nd check log enable
Related commands
ipv6 nd mac-check enable
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check for ND messages is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
Examples
# Enable source MAC consistency check for ND messages.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
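To show what the gateway compares when source MAC consistency check is enabled, here is an added Python example (not the device's code) that parses a raw Ethernet/IPv6/ICMPv6 frame, extracts the link-layer address option carried in the ND message and compares it with the Ethernet source MAC. The frames are constructed inline with the ICMPv6 checksum left at zero; treating an ND message that carries no link-layer address option as consistent, and using the Target Link-Layer Address option for Neighbor Advertisements, are assumptions of this example.

```python
"""Model of the ND source MAC consistency check (ipv6 nd mac-check enable).

Added illustration, not the device's implementation. Frames are constructed
with the ICMPv6 checksum left at zero; messages without a link-layer address
option are passed unchanged (an assumption of this example).
"""
import struct
from ipaddress import IPv6Address

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # bytes before the options
OPT_SOURCE_LLA = 1
OPT_TARGET_LLA = 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def build_ns_frame(eth_src, ipv6_src, target, slla=None):
    """Construct an Ethernet/IPv6/ICMPv6 Neighbor Solicitation (constructed test data)."""
    options = b""
    if slla is not None:
        options = bytes([OPT_SOURCE_LLA, 1]) + mac_bytes(slla)  # type, length in 8-byte units
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + IPv6Address(target).packed + options
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255)
            + IPv6Address(ipv6_src).packed
            + IPv6Address("ff02::1:ff00:23").packed)  # solicited-node multicast
    eth = mac_bytes("33:33:ff:00:00:23") + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + icmp


def parse_nd_frame(frame):
    """Return the Ethernet source MAC, ND message type and the sender's
    link-layer address option, or None when the frame is not an ND message."""
    if len(frame) < 14 + 40 + 4:
        raise ValueError("frame too short for Ethernet + IPv6 + ICMPv6")
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    if next_header != NEXT_HEADER_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    icmp_type = icmp[0]
    if icmp_type not in ND_TYPES:
        return None
    # An NA carries the sender's address in the Target LLA option, the rest in Source LLA.
    wanted = OPT_TARGET_LLA if icmp_type == 136 else OPT_SOURCE_LLA
    lla = None
    pos = ND_FIXED_LEN[icmp_type]
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 requires discarding these
        if opt_type == wanted and opt_len == 1:
            lla = icmp[pos + 2:pos + 8]
        pos += opt_len * 8
    return {"eth_src": mac_str(eth_src), "type": ND_TYPES[icmp_type],
            "lla": mac_str(lla) if lla else None}


def source_mac_consistent(frame):
    """True when the frame may be forwarded, False when the check would drop it."""
    info = parse_nd_frame(frame)
    if info is None or info["lla"] is None:
        return True  # not an ND message, or nothing to compare against (assumption)
    return info["lla"] == info["eth_src"]


if __name__ == "__main__":
    honest = build_ns_frame("08:00:27:00:50:38", "fe80::a00:27ff:fe00:5038", "1::23",
                            slla="08:00:27:00:50:38")
    forged = build_ns_frame("08:00:27:00:50:38", "fe80::a00:27ff:fe00:5038", "1::23",
                            slla="00:11:22:33:44:55")
    print(source_mac_consistent(honest), source_mac_consistent(forged))  # True False
```

The check catches the case the reference describes: an ND message whose embedded link-layer address disagrees with the frame header that carried it. It does not validate the IPv6 source address or the checksum; those belong to other ND attack defense features on this page.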
ND attack detection commands
display ipv6 nd detection statistics
Use display ipv6 nd detection statistics to display statistics for ND messages dropped by ND attack detection.
Syntax
display ipv6 nd detection statistics [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for ND messages dropped by ND attack detection on all interfaces.
Examples
# Display statistics for all ND messages dropped by ND attack detection.
<Sysname> display ipv6 nd detection statistics
ND packets dropped by ND detection:
Interface/AC Packets dropped
HGE1/0/1 78
HGE1/0/2 0
HGE1/0/3 0
HGE1/0/4 0
Table 1 Command output
Field | Description |
---|---|
Interface/AC | Input interface of the ND messages. |
Packets dropped | Number of ND messages dropped by ND attack detection. |
ipv6 nd detection enable
Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.
Use undo ipv6 nd detection enable to disable ND attack detection.
Syntax
ipv6 nd detection enable
undo ipv6 nd detection enable
Default
ND attack detection is disabled.
Views
VLAN view
Predefined user roles
network-admin
Usage guidelines
You cannot enable ND attack detection on the interface that has been configured as an ND trusted interface.
Examples
# Enable ND attack detection for VLAN 10.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] ipv6 nd detection enable
ipv6 nd detection log enable
Use ipv6 nd detection log enable to enable ND attack detection logging.
Use undo ipv6 nd detection log enable to disable ND attack detection logging.
Syntax
ipv6 nd detection log enable
undo ipv6 nd detection log enable
Default
ND attack detection logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command allows a device to generate logs when it detects ND attacks. The log information helps administrators locate and solve problems. The ND attack detection logging feature sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
The device performance is degraded when the device outputs a large number of ND attack detection logs. You can disable ND attack detection logging to ensure the device performance.
Examples
# Enable ND attack detection logging.
<Sysname> system-view
[Sysname] ipv6 nd detection log enable
ipv6 nd detection port-match-ignore
Use ipv6 nd detection port-match-ignore to ignore ingress ports of ND packets in ND attack detection.
Use undo ipv6 nd detection port-match-ignore to remove the configuration.
Syntax
ipv6 nd detection port-match-ignore
undo ipv6 nd detection port-match-ignore
Default
Ingress ports of ND packets are examined in ND attack detection.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command configures ND attack detection to ignore the ingress port information of ND packets when the packets are compared with the entries in ND attack detection.
Examples
# Ignore ingress ports of ND packets in ND attack detection.
<Sysname> system-view
[Sysname] ipv6 nd detection port-match-ignore
ipv6 nd detection trust
Use ipv6 nd detection trust to configure an interface as an ND trusted interface.
Use undo ipv6 nd detection trust to restore the default.
Syntax
ipv6 nd detection trust
undo ipv6 nd detection trust
Default
All interfaces are ND untrusted interfaces.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Examples
# Configure HundredGigE 1/0/1 as an ND trusted interface.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 nd detection trust
# Configure Bridge-Aggregation 1 as an ND trusted interface.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] ipv6 nd detection trust
reset ipv6 nd detection statistics
Use reset ipv6 nd detection statistics to clear ND attack detection statistics.
Syntax
reset ipv6 nd detection statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ND attack detection statistics for all interfaces.
Examples
# Clear all ND attack detection statistics.
<Sysname> reset ipv6 nd detection statistics
RA guard commands
display ipv6 nd raguard policy
Use display ipv6 nd raguard policy to display the RA guard policy configuration.
Syntax
display ipv6 nd raguard policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an RA guard policy by its name. The policy name is a case-sensitive string of 1 to 31 characters. If you do not specify a policy, this command displays the configuration of all RA guard policies.
Usage guidelines
When you specify an ACL, follow these restrictions and guidelines:
· If the ACL does not exist or does not contain a rule, this command displays the RA guard policy configuration for all ACL rules.
· If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.
Examples
# Display the configuration of all RA guard policies.
<Sysname> display ipv6 nd raguard policy
Total number of policies: 2
RA Guard policy: policy1
if-match ACL 2001
if-match autoconfig managed-address-flag on
if-match autoconfig other-flag off
if-match hop-limit maximum 128
if-match hop-limit minimum 100
if-match prefix ACL name aa
if-match router-preference medium
applied to VLAN 1-3 7
RA Guard policy: policy2
if-match ACL name zdd
if-match prefix ACL 2200
Table 2 Command output
Field | Description |
---|---|
RA Guard policy | Name of the RA guard policy. |
if-match ACL | Number of the ACL in the ACL match criterion. |
if-match ACL name | Name of the ACL in the ACL match criterion. |
if-match autoconfig managed-address-flag | Match criterion of the advertised M flag: on means the advertised M flag is 1, off means the advertised M flag is 0. |
if-match autoconfig other-flag | Match criterion of the advertised O flag: on means the advertised O flag is 1, off means the advertised O flag is 0. |
if-match hop-limit maximum | The maximum advertised hop limit match criterion. |
if-match hop-limit minimum | The minimum advertised hop limit match criterion. |
if-match prefix ACL | Number of the ACL used to identify the prefix match criterion. |
if-match prefix ACL name | Name of the ACL used to identify the prefix match criterion. |
applied to VLAN | ID of the VLAN to which the RA guard policy is applied. |
Related commands
ipv6 nd raguard policy
display ipv6 nd raguard statistics
Use display ipv6 nd raguard statistics to display RA guard statistics.
Syntax
display ipv6 nd raguard statistics [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays RA guard statistics for all interfaces.
Examples
# Display RA guard statistics.
<Sysname> display ipv6 nd raguard statistics
RA messages dropped by RA guard:
Interface Dropped
HGE1/0/1 78
HGE1/0/2 0
HGE1/0/3 32
HGE1/0/4 0
Table 3 Command output
Field | Description |
---|---|
Interface | Interface that received the dropped RA messages. |
Dropped | Number of RA messages dropped on the interface. |
Related commands
ipv6 nd raguard log enable
reset ipv6 nd raguard statistics
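The drop counters shown by display ipv6 nd detection statistics and display ipv6 nd raguard statistics are cumulative until cleared, so for monitoring it is the change between two polls that signals an ongoing attack. The following Python example, added here and not part of the command reference, parses both outputs (they share the same layout) and reports interfaces whose counter grew. The first snapshot of each is the reference's own sample output; the second snapshots are constructed.

```python
"""Parse the per-interface drop counters printed by
display ipv6 nd detection statistics and display ipv6 nd raguard statistics,
and report interfaces whose counters grew between two polls.

Added monitoring example, not part of the command reference. The first
sample of each output is copied from the reference; the second is constructed.
"""
import re

ROW = re.compile(r"^(\S+)\s+(\d+)\s*$")  # "<interface> <count>"

ND_DETECTION_POLL_1 = """\
ND packets dropped by ND detection:
Interface/AC Packets dropped
HGE1/0/1 78
HGE1/0/2 0
HGE1/0/3 0
HGE1/0/4 0
"""

ND_DETECTION_POLL_2 = """\
ND packets dropped by ND detection:
Interface/AC Packets dropped
HGE1/0/1 140
HGE1/0/2 0
HGE1/0/3 0
HGE1/0/4 0
"""

RAGUARD_POLL_1 = """\
RA messages dropped by RA guard:
Interface Dropped
HGE1/0/1 78
HGE1/0/2 0
HGE1/0/3 32
HGE1/0/4 0
"""


def parse_drop_counters(output):
    """Map interface name -> dropped count from either command's output.

    Both outputs share one shape: a title line ending in ':', a column header
    line, then one "<interface> <count>" row per interface.
    """
    counters = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue  # title line
        m = ROW.match(line)
        if m is None:
            continue  # column header such as "Interface Dropped"
        counters[m.group(1)] = int(m.group(2))
    return counters


def growing_counters(previous, current, min_delta=1):
    """Interfaces whose drop counter increased by at least min_delta.

    A counter that went down means the statistics were cleared in between
    (reset ipv6 nd ... statistics), so the current value is taken as the delta.
    """
    report = {}
    for iface, now in current.items():
        before = previous.get(iface, 0)
        delta = now - before if now >= before else now
        if delta >= min_delta:
            report[iface] = delta
    return report


if __name__ == "__main__":
    first = parse_drop_counters(ND_DETECTION_POLL_1)
    second = parse_drop_counters(ND_DETECTION_POLL_2)
    print(growing_counters(first, second))  # {'HGE1/0/1': 62}
    print(parse_drop_counters(RAGUARD_POLL_1))
```

A poller built on this can run both display commands at a fixed interval and raise an alert only for interfaces with a non-zero delta, which avoids re-alerting forever on an old, already-investigated counter.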
if-match acl
Use if-match acl to specify an ACL match criterion.
Use undo if-match acl to delete the ACL match criterion.
Syntax
if-match acl { ipv6-acl-number | name ipv6-acl-name }
undo if-match acl
Default
No ACL match criterion exists.
Views
RA guard policy view
Predefined user roles
network-admin
Parameters
ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999.
name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The name must start with an English letter. To avoid confusion, the name cannot be the word all.
Usage guidelines
RA guard uses the ACL match criterion to match the IP address of the RA message sender. If the sender IP address matches a permit rule, the message passes the check.
When you specify an ACL, follow these restrictions and guidelines:
· If the ACL does not exist or does not contain a rule, the ACL match criterion does not take effect.
· If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.
Examples
# Use IPv6 basic ACL 2001 as the ACL match criterion for the RA guard policy policy1.
<Sysname> system-view
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1] if-match acl 2001
if-match autoconfig managed-address-flag
Use if-match autoconfig managed-address-flag to specify an M flag match criterion.
Use undo if-match autoconfig managed-address-flag to delete the M flag match criterion.
Syntax
if-match autoconfig managed-address-flag { off | on }
undo if-match autoconfig managed-address-flag
Default
No M flag match criterion exists.
Views
RA guard policy view
Predefined user roles
network-admin
Parameters
off: Specifies the advertised M flag as 0.
on: Specifies the advertised M flag as 1.
Usage guidelines
The M flag in an RA message determines whether a receiving host uses stateful autoconfiguration to obtain an IPv6 address.
· If the M flag is set to 1, the host uses stateful autoconfiguration, for example, uses a DHCPv6 server.
· If the M flag is set to 0, the host uses stateless autoconfiguration. In stateless autoconfiguration, the host generates an IPv6 address according to its link-layer address and the prefix information in the RA message.
Examples
# Specify on as the M flag match criterion for the RA guard policy policy1.
<Sysname> system-view
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1] if-match autoconfig managed-address-flag on
if-match autoconfig other-flag
Use if-match autoconfig other-flag to specify an O flag match criterion.
Use undo if-match autoconfig other-flag to delete the O flag match criterion.
Syntax
if-match autoconfig other-flag { off | on }
undo if-match autoconfig other-flag
Default
No O flag match criterion exists.
Views
RA guard policy view
Predefined user roles
network-admin
Parameters
off: Specifies the advertised O flag as 0.
on: Specifies the advertised O flag as 1.
Usage guidelines
The O flag in an RA message determines whether a receiving host uses stateful autoconfiguration to obtain configuration information other than the IPv6 address.
· If the O flag is set to 1, the host uses stateful autoconfiguration, for example, uses a DHCPv6 server.
· If the O flag is set to 0, the host uses stateless autoconfiguration.
Examples
# Specify on as the O flag match criterion for the RA guard policy policy1.
<Sysname> system-view
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1] if-match autoconfig other-flag on
if-match hop-limit
Use if-match hop-limit to specify a maximum or minimum hop limit match criterion.
Use undo if-match hop-limit to delete the maximum or minimum hop limit match criterion.
Syntax
if-match hop-limit { maximum | minimum } limit
undo if-match hop-limit { maximum | minimum }
Default
No maximum or minimum hop limit match criterion exists.
Views
RA guard policy view
Predefined user roles
network-admin
Parameters
maximum: Specifies the maximum advertised hop limit. An RA message passes the check if its current hop limit is not higher than the maximum advertised hop limit.
minimum: Specifies the minimum advertised hop limit. An RA message passes the check if its current hop limit is not less than the minimum advertised hop limit.
limit: Specifies the advertised hop limit in the range of 1 to 255.
Usage guidelines
If a hop limit match criterion is set, and the RA message's current hop limit is 0, the message will be dropped.
Examples
# Set the maximum hop limit match criterion to 128 for the RA guard policy policy1.
<Sysname> system-view
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1] if-match hop-limit maximum 128
if-match prefix
Use if-match prefix to specify a prefix match criterion.
Use undo if-match prefix to delete the prefix match criterion.
Syntax
if-match prefix acl { ipv6-acl-number | name ipv6-acl-name }
undo if-match prefix acl
Default
No prefix match criterion exists.
Views
RA guard policy view
Predefined user roles
network-admin
Parameters
ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999.
name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The name must start with an English letter. To avoid confusion, the name cannot be the word all.
Usage guidelines
An RA message passes the check if the advertised prefixes in the message match the prefixes set by the ACL.
When you specify an ACL, follow these restrictions and guidelines:
· If the ACL does not exist or does not contain a rule, the prefix match criterion does not take effect.
· If you specify the vpn-instance keyword for an ACL rule, the rule takes effect only on VPN packets. If you do not specify the vpn-instance keyword for an ACL rule, the rule takes effect only on public network packets.
Examples
# Use IPv6 basic ACL 2000 as the prefix match criterion for the RA guard policy policy1.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 64
[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 64
[Sysname-acl-ipv6-basic-2000] rule deny source any
[Sysname-acl-ipv6-basic-2000] quit
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1] if-match prefix acl 2000
if-match router-preference
Use if-match router-preference maximum to specify a router preference match criterion.
Use undo if-match router-preference maximum to delete the router preference match criterion.
Syntax
if-match router-preference maximum { high | low | medium }
undo if-match router-preference maximum
Default
No router preference match criterion exists.
Views
RA guard policy view
Predefined user roles
network-admin
Parameters
high: Sets the maximum router preference to high. An RA message passes the check if its router preference is not higher than high.
low: Sets the maximum router preference to low. An RA message passes the check if its router preference is not higher than low.
medium: Sets the maximum router preference to medium. An RA message passes the check if its router preference is not higher than medium.
Usage guidelines
A host selects a router as the default gateway according to the router preference in received RA messages. If router preferences are the same, the host selects the default router from which the first RA message is received.
An RA message will not pass the router preference check if the message does not have a preference value. This RA message will be dropped.
Examples
# Specify medium as the router preference match criterion for the RA guard policy policy1.
<Sysname> system-view
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1] if-match router-preference maximum medium
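The if-match commands above each state one rule for passing or dropping an RA message; the following Python model, added here and not the device's implementation, puts them together so the edge cases can be exercised: an ACL with no rules does not take effect, a hop limit of 0 is always dropped once a hop-limit criterion exists, and an RA without a router preference value fails the preference check. The policy values mirror the reference's policy1 display output; the ACL rule contents and the RA messages are constructed. Two assumptions of this example: ACL matching is first-matching-rule-wins with "not permitted" when no rule matches, and an advertised prefix matches a permit rule when it lies inside the rule's prefix.

```python
"""Model of how an RA guard policy's if-match criteria decide whether an RA
message passes, following the rules stated for if-match acl, if-match
autoconfig managed-address-flag / other-flag, if-match hop-limit,
if-match prefix and if-match router-preference.

Added example, not the device's implementation. ACL matching is modelled as
first-matching-rule-wins, with "not permitted" when no rule matches, and an
advertised prefix matches a permit rule when it lies inside the rule's prefix;
both are assumptions. ACL rule contents and RA messages are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Tuple

PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Ipv6BasicAcl:
    rules: List[Tuple[str, str]] = field(default_factory=list)  # ("permit"|"deny", prefix or "any")

    def permits(self, addr_or_prefix):
        target = ip_network(addr_or_prefix, strict=False)
        for action, net in self.rules:
            if net == "any" or target.subnet_of(ip_network(net, strict=False)):
                return action == "permit"
        return False


@dataclass
class RaMessage:
    src: str                    # source address of the RA
    cur_hop_limit: int
    m_flag: int
    o_flag: int
    prefixes: List[str]
    router_pref: Optional[str]  # "low" | "medium" | "high"; None when no usable value


@dataclass
class RaGuardPolicy:
    acl: Optional[Ipv6BasicAcl] = None
    managed_address_flag: Optional[str] = None  # "on" | "off"
    other_flag: Optional[str] = None
    hop_limit_maximum: Optional[int] = None
    hop_limit_minimum: Optional[int] = None
    prefix_acl: Optional[Ipv6BasicAcl] = None
    router_preference_maximum: Optional[str] = None

    def evaluate(self, ra):
        """Return (passed, reason). Every configured criterion must pass."""
        # ACL criterion does not take effect when the ACL is absent or has no rules.
        if self.acl is not None and self.acl.rules and not self.acl.permits(ra.src):
            return False, "sender address not permitted by ACL"
        for name, want, have in (("M", self.managed_address_flag, ra.m_flag),
                                 ("O", self.other_flag, ra.o_flag)):
            if want is not None and have != (1 if want == "on" else 0):
                return False, f"{name} flag is {have}, criterion requires {want}"
        if self.hop_limit_maximum is not None or self.hop_limit_minimum is not None:
            if ra.cur_hop_limit == 0:
                return False, "current hop limit is 0"  # dropped whenever a hop-limit criterion is set
            if self.hop_limit_maximum is not None and ra.cur_hop_limit > self.hop_limit_maximum:
                return False, f"hop limit {ra.cur_hop_limit} above maximum {self.hop_limit_maximum}"
            if self.hop_limit_minimum is not None and ra.cur_hop_limit < self.hop_limit_minimum:
                return False, f"hop limit {ra.cur_hop_limit} below minimum {self.hop_limit_minimum}"
        if self.prefix_acl is not None and self.prefix_acl.rules:
            for prefix in ra.prefixes:
                if not self.prefix_acl.permits(prefix):
                    return False, f"advertised prefix {prefix} not permitted"
        if self.router_preference_maximum is not None:
            if ra.router_pref is None:
                return False, "RA carries no router preference value"
            if PREF_RANK[ra.router_pref] > PREF_RANK[self.router_preference_maximum]:
                return False, f"router preference {ra.router_pref} above {self.router_preference_maximum}"
        return True, "passed all criteria"


def example_policy():
    """policy1 from the reference's display output, with constructed ACL contents."""
    return RaGuardPolicy(
        acl=Ipv6BasicAcl([("permit", "fe80::/64")]),
        managed_address_flag="on",
        other_flag="off",
        hop_limit_maximum=128,
        hop_limit_minimum=100,
        prefix_acl=Ipv6BasicAcl([("permit", "2001:db8:1::/64"),
                                 ("permit", "2001:db8:2::/64"),
                                 ("deny", "any")]),
        router_preference_maximum="medium",
    )


if __name__ == "__main__":
    policy = example_policy()
    legit = RaMessage("fe80::1", 100, 1, 0, ["2001:db8:1::/64"], "medium")
    rogue = RaMessage("fe80::2", 64, 0, 1, ["2001:db8:ffff::/64"], "high")
    print(policy.evaluate(legit))  # (True, 'passed all criteria')
    print(policy.evaluate(rogue))  # (False, 'M flag is 0, criterion requires on')
```

Because every configured criterion must pass, the reason string names the first one that failed; when tuning a policy against RAs from a legitimate router, that reason tells you which if-match line is too strict.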
ipv6 nd raguard apply policy
Use ipv6 nd raguard apply policy to apply an RA guard policy to a VLAN.
Use undo ipv6 nd raguard apply policy to remove the RA guard policy from a VLAN.
Syntax
ipv6 nd raguard apply policy [ policy-name ]
undo ipv6 nd raguard apply policy
Default
No RA guard policy is applied to a VLAN.
Views
VLAN view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an RA guard policy by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a policy, RA guard blocks RA messages on all interfaces in the VLAN except interfaces that are defined to be connected to routers.
Usage guidelines
If an RA message has multiple VLAN tags, RA guard uses the outermost VLAN tag to select the applied RA guard policy.
If the specified RA guard policy does not exist, the command does not take effect.
Examples
# Apply the RA guard policy policy1 to VLAN 100.
<Sysname> system-view
[Sysname] vlan 100
[Sysname-vlan100] ipv6 nd raguard apply policy policy1
Related commands
ipv6 nd raguard policy
ipv6 nd raguard log enable
Use ipv6 nd raguard log enable to enable the RA guard logging feature.
Use undo ipv6 nd raguard log enable to disable the RA guard logging feature.
Syntax
ipv6 nd raguard log enable
undo ipv6 nd raguard log enable
Default
The RA guard logging feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command allows a device to generate logs when it detects forged RA messages. The log information helps administrators locate and solve problems. Each log records the following information:
· Name of the interface that received the forged RA message.
· Source IP address of the forged RA message.
· Number of RA messages dropped on the interface.
The RA guard logging feature sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable the RA guard logging feature.
<Sysname> system-view
[Sysname] ipv6 nd raguard log enable
Related commands
display ipv6 nd raguard statistics
reset ipv6 nd raguard statistics
ipv6 nd raguard policy
Use ipv6 nd raguard policy to create an RA guard policy and enter its view, or enter the view of an existing RA guard policy.
Use undo ipv6 nd raguard policy to delete an RA guard policy.
Syntax
ipv6 nd raguard policy policy-name
undo ipv6 nd raguard policy policy-name
Default
No RA guard policies exist.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Assigns a name to the RA guard policy. The name is a case-sensitive string of 1 to 31 characters.
Examples
# Create RA guard policy policy1 and enter its view.
<Sysname> system-view
[Sysname] ipv6 nd raguard policy policy1
[Sysname-raguard-policy-policy1]
Related commands
display ipv6 nd raguard policy
ipv6 nd raguard apply policy
ipv6 nd raguard role
Use ipv6 nd raguard role to specify the role of the device attached to the interface.
Use undo ipv6 nd raguard role to remove the role of the device attached to the interface.
Syntax
ipv6 nd raguard role { host | router }
undo ipv6 nd raguard role
Default
No role is specified for the device attached to the interface.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
host: Specifies the host role. The interface attached to a host drops all received RA messages.
router: Specifies the router role. The interface attached to a router forwards all received RA messages.
Usage guidelines
Make sure your setting is consistent with the device type. If you are not aware of the attached device type, do not specify a role for the device.
Examples
# Specify host as the role for the device attached to HundredGigE 1/0/1.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] ipv6 nd raguard role host
reset ipv6 nd raguard statistics
Use reset ipv6 nd raguard statistics to clear RA guard statistics.
Syntax
reset ipv6 nd raguard statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears RA guard statistics for all interfaces.
Examples
# Clear RA guard statistics.
<Sysname> reset ipv6 nd raguard statistics
Related commands
display ipv6 nd raguard statistics
IPv6 destination guard commands
display ipv6 destination-guard
Use display ipv6 destination-guard to display IPv6 destination guard status.
Syntax
display ipv6 destination-guard [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays global and interface-specific IPv6 destination guard status.
Examples
# Display global and interface-specific IPv6 destination guard status.
<Sysname> display ipv6 destination-guard
Global IPv6 destination-guard status: Enabled (Stressed)
Interface Status
HGE1/0/1 Enabled (Stressed)
HGE1/0/2 Disabled
Table 4 Command output
Field | Description |
---|---|
Global IPv6 destination-guard status | Enabling status of global IPv6 destination guard: Disabled or Enabled. If IPv6 destination guard is enabled in stressed mode, Stressed is also displayed. |
Interface | Interface name. |
Status | Interface-specific enabling status of IPv6 destination guard: Disabled or Enabled. If IPv6 destination guard is enabled in stressed mode on an interface, Stressed is also displayed. |
Related commands
ipv6 destination-guard
ipv6 destination-guard global enable
ipv6 destination-guard
Use ipv6 destination-guard enable to enable IPv6 destination guard on an interface.
Use ipv6 destination-guard disable to disable IPv6 destination guard on an interface.
Use undo ipv6 destination-guard to restore the status of IPv6 destination guard on an interface to be consistent with the status of the global IPv6 destination guard.
Syntax
ipv6 destination-guard { disable | enable [ stressed ] }
undo ipv6 destination-guard
Default
The interface-specific IPv6 destination guard status is consistent with the global IPv6 destination guard status.
Views
Layer 3 Ethernet interface view
VLAN interface view
Predefined user roles
network-admin
Parameters
stressed: Enables IPv6 destination guard on an interface when the device enters stressed mode. If you do not specify this keyword, the command enables IPv6 destination guard immediately on the interface.
Usage guidelines
For an interface, the interface-specific IPv6 destination guard status configuration has higher priority than the global IPv6 destination guard status.
If IPv6 destination guard is not enabled on an interface, the IPv6 destination guard status on the interface is determined by the global IPv6 destination guard status.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable IPv6 destination guard on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ipv6 destination-guard enable
Related commands
display ipv6 destination-guard
ipv6 destination-guard global enable
ipv6 destination-guard global enable
Use ipv6 destination-guard global enable to enable IPv6 destination guard globally.
Use undo ipv6 destination-guard global enable to disable IPv6 destination guard globally.
Syntax
ipv6 destination-guard global enable [ stressed ]
undo ipv6 destination-guard global enable
Default
IPv6 destination guard is disabled globally.
Views
System view
Predefined user roles
network-admin
Parameters
stressed: Enables IPv6 destination guard globally when the device enters stressed mode. If you do not specify this keyword, the command immediately enables IPv6 destination guard globally.
Usage guidelines
For an interface, the interface-specific IPv6 destination guard status configuration has higher priority than the global IPv6 destination guard status.
If IPv6 destination guard is not enabled on an interface, the IPv6 destination guard status on the interface is determined by the global IPv6 destination guard status.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable IPv6 destination guard globally.
<Sysname> system-view
[Sysname] ipv6 destination-guard global enable
Related commands
display ipv6 destination-guard
ipv6 destination-guard
ND keepalive entry scanning commands
display ipv6 nd scan keepalive entry
Use display ipv6 nd scan keepalive entry to display ND keepalive entries.
Syntax
display ipv6 nd scan keepalive entry [ interface interface-type interface-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ND keepalive entries for all interfaces.
count: Displays the total number of ND keepalive entries.
Examples
# Display ND keepalive entries.
<Sysname> display ipv6 nd scan keepalive entry
Interface: HGE1/0/1
IPv6 address: 1::23 MAC address: 08-00-27-00-50-38
VLANID: 1 SECVLANID: 1
Port interface: -- VPN instance: --
Scan status: 1 Probe count: 10
Scan time: 08:01:01
Table 5 Command output
Field | Description |
---|---|
Interface | Layer 3 interface name. |
IPv6 address | IPv6 address in the ND keepalive entry. |
MAC address | MAC address in the ND keepalive entry. |
VLANID | ID of the primary VLAN. |
SECVLANID | ID of the secondary VLAN. |
Port interface | Layer 2 input interface for ND packets. |
VPN instance | VPN instance name. |
Scan status | Status of the ND keepalive entry: 0 means offline, 1 means online. |
Probe count | Number of scans on the ND keepalive entry. |
Scan time | Time when the ND keepalive entry became offline, in hh:mm:ss format (hours, minutes, seconds). |
display ipv6 nd scan keepalive statistics
Use display ipv6 nd scan keepalive statistics to display statistics about ND keepalive entry scanning.
Syntax
display ipv6 nd scan keepalive statistics [ slot slot-number ] [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics about ND keepalive entry scanning for all interfaces.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics about ND keepalive entry scanning on all member devices.
Usage guidelines
Interfaces enabled with ND keepalive entry scanning send NS packets to the IPv6 addresses in offline ND keepalive entries until the entries return to online state. This command displays the number of NS packets sent to those addresses in the last 5 seconds, 1 minute, and 5 minutes.
A large number of NS packets indicates that many keepalive entries are offline, or that some entries have remained offline for a long time. Troubleshoot as follows:
1. Use the display ipv6 nd scan keepalive entry command to check how many keepalive entries are offline.
2. If many entries are offline, check the aging time configured for offline keepalive entries (ipv6 nd scan keepalive aging-time). Shorten the aging time if it is too long.
3. If the aging time is appropriate, the cause is probably a large number of abnormal user offline events. Check the network configuration and condition.
4. If only a few entries are offline, some offline entries probably cannot be restored to online state by NS packets. Troubleshoot those entries individually.
Examples
# Display statistics about NS packets sent to the IPv6 addresses in offline keepalive entries on slot 1.
<Sysname> display ipv6 nd scan keepalive statistics slot 1
Scanning statistics for slot 1:
Total NS packets: 1000 packets
Start time for statistics: 12:20:30
Interface 5 secs 1 min 5 mins
HundredGigE1/0/1 123 200 230
HundredGigE1/0/2 0 0 0
HundredGigE1/0/3 0 0 0
HundredGigE1/0/4 0 0 0
HundredGigE1/0/5 0 0 0
HundredGigE1/0/6 0 0 0
Table 6 Command output

Field | Description |
---|---|
Total NS packets | Total number of NS packets sent to the IPv6 addresses in offline keepalive entries. |
Start time for statistics | Time when the device started counting the NS packets sent to the IPv6 addresses in offline keepalive entries. |
Interface | Name of an interface that sends NS packets to the IPv6 addresses in offline keepalive entries. |
5 secs | Number of NS packets sent in the last 5 seconds. |
1 min | Number of NS packets sent in the last 1 minute. |
5 mins | Number of NS packets sent in the last 5 minutes. |
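The usage guidelines above describe a manual triage of these counters. The following Python script is an added example, not code from this command reference or from the device software: it parses output in the shape shown in the example above and turns the counters into per-interface verdicts. The sample output text, the 0.8 x send-rate threshold and the burst/sustained heuristics are this example's assumptions; the default send rate of 48 pps is the one stated for ipv6 nd scan keepalive send-rate.

```python
import re

# Constructed sample in the shape of the "display ipv6 nd scan keepalive
# statistics" output shown on this page (the counts are made up).
SAMPLE_OUTPUT = """\
Scanning statistics for slot 1:
  Total NS packets: 1000 packets
  Start time for statistics: 12:20:30
  Interface                  5 secs    1 min     5 mins
  HundredGigE1/0/1           123       200       230
  HundredGigE1/0/2           0         0         0
  HundredGigE1/0/3           0         0         0
"""

# One per-interface row: name followed by the three counters.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_keepalive_statistics(text):
    """Parse the display output into a dict:
    {"slot": int, "total_ns": int, "start_time": "hh:mm:ss",
     "interfaces": {name: (last_5s, last_1m, last_5m)}}
    """
    stats = {"slot": None, "total_ns": None, "start_time": None, "interfaces": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Scanning statistics for slot (\d+):", line)
        if m:
            stats["slot"] = int(m.group(1))
            continue
        m = re.match(r"Total NS packets: (\d+) packets", line)
        if m:
            stats["total_ns"] = int(m.group(1))
            continue
        m = re.match(r"Start time for statistics: (\d{2}:\d{2}:\d{2})", line)
        if m:
            stats["start_time"] = m.group(1)
            continue
        if line.startswith("Interface"):
            continue  # column header row
        m = ROW_RE.match(line)
        if m:
            name, c5s, c1m, c5m = m.groups()
            stats["interfaces"][name] = (int(c5s), int(c1m), int(c5m))
    return stats


def triage(stats, send_rate_pps=48):
    """Apply the troubleshooting steps from the usage guidelines to each interface.

    Returns {interface: verdict}. The 5-second counter is averaged to pps and
    compared with the configured NS send rate. The remaining rules compare the
    1-minute and 5-minute windows: if most of the 5-minute traffic happened in
    the last minute the burst just started; if the 5-minute count is about five
    times the 1-minute count, probing is steady, i.e. entries stay offline.
    The thresholds are this example's assumptions, not values from the page.
    """
    verdicts = {}
    for name, (c5s, c1m, c5m) in stats["interfaces"].items():
        pps = c5s / 5.0
        if c5m == 0:
            verdicts[name] = "idle"
        elif pps >= 0.8 * send_rate_pps:
            verdicts[name] = "near send-rate cap: check offline entry count and aging time"
        elif c5m <= 1.5 * c1m:
            verdicts[name] = "burst just started: many entries went offline at once"
        elif c5m >= 4 * c1m:
            verdicts[name] = "sustained probing: entries stay offline, inspect them"
        else:
            verdicts[name] = "transient"
    return verdicts


if __name__ == "__main__":
    parsed = parse_keepalive_statistics(SAMPLE_OUTPUT)
    for intf, verdict in triage(parsed).items():
        print(f"{intf:20s} {verdict}")
```

Feed the script the output of the display command for each IRF member (slot) in turn; interfaces reported as near the send-rate cap are the ones to check first with display ipv6 nd scan keepalive entry.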
Related commands
reset ipv6 nd scan keepalive statistics
ipv6 nd scan keepalive aging-time
Use ipv6 nd scan keepalive aging-time to set the aging time for ND keepalive entries.
Use undo ipv6 nd scan keepalive aging-time to restore the default.
Syntax
ipv6 nd scan keepalive aging-time time
undo ipv6 nd scan keepalive aging-time
Default
The aging time for ND keepalive entries is 60 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
time: Specifies the aging time for ND keepalive entries in minutes. The value range for this argument is 1 to 1440.
Usage guidelines
With ND keepalive entry scanning enabled, the device generates a keepalive entry in online state for a user that comes online. If the user goes offline abnormally, the device will perform the following tasks:
· Set the state of the keepalive entry for that user to offline state.
· Delete the keepalive entry if its state does not restore to online after the aging time elapses.
To enable ND keepalive entry scanning, use the ipv6 nd scan keepalive enable command.
Examples
# Set the aging time for ND keepalive entries to 10 minutes.
<Sysname> system-view
[Sysname] ipv6 nd scan keepalive aging-time 10
Related commands
ipv6 nd scan keepalive enable
ipv6 nd scan keepalive enable
Use ipv6 nd scan keepalive enable to enable ND keepalive entry scanning.
Use undo ipv6 nd scan keepalive enable to disable ND keepalive entry scanning.
Syntax
ipv6 nd scan keepalive enable
undo ipv6 nd scan keepalive enable
Default
ND keepalive entry scanning is disabled on an interface.
Views
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VLAN interface view
Predefined user roles
network-admin
Usage guidelines
In a large-scale network with a large scanning range, ND scanning takes a long time to identify hosts that have gone offline abnormally. With ND keepalive entry scanning enabled, the system can quickly locate those hosts and monitor their status until the aging time expires.
When a user comes online, the system generates an ND entry and an IPSG binding entry. With ND keepalive entry scanning enabled, the system also creates an online keepalive entry for the user. When the user goes offline, the ND entry is deleted and the keepalive entry is set to offline state. The device then sends NS packets at intervals to the IPv6 address in the offline keepalive entry until the entry becomes online again.
The interval varies with the number of NS packets that have been sent to the IPv6 address in an offline keepalive entry:
· If the number is not greater than 50, the device sends an NS packet every 30 seconds.
· If the number is greater than 50 but not greater than 100, the device sends an NS packet every 45 seconds.
· If the number is greater than 100, the device sends an NS packet every 60 seconds.
To view the keepalive entries, use the display ipv6 nd scan keepalive entry command.
For more information about IP source guard configuration, see Security Configuration Guide.
By default, the aging time for ND keepalive entries is 60 minutes. The offline keepalive entries are deleted when the aging time expires.
Examples
# Enable ND keepalive entry scanning on VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ipv6 nd scan keepalive enable
Related commands
display ipv6 nd scan keepalive entry
ipv6 nd scan keepalive send-rate
ipv6 nd scan keepalive send-rate
Use ipv6 nd scan keepalive send-rate to set the NS packet sending rate for keepalive entry scanning.
Use undo ipv6 nd scan keepalive send-rate to restore the default.
Syntax
ipv6 nd scan keepalive send-rate pps
undo ipv6 nd scan keepalive send-rate
Default
The device sends NS packets at a rate of 48 pps during keepalive entry scanning.
Views
System view
Predefined user roles
network-admin
Parameters
pps: Specifies the NS packet sending rate, in packets per second (pps). The value range for this argument is 10 to 1000, and the value must be a multiple of 10.
Usage guidelines
With keepalive entry scanning enabled, an interface sends NS packets to the IPv6 addresses in offline keepalive entries. To limit the impact on device performance, use this command to set the NS packet sending rate for keepalive entry scanning.
A keepalive entry that has been set to offline state and has not returned to online state within the current interval is due to be scanned. The interface sends one NS packet to the IPv6 address in each keepalive entry that is due to be scanned in a given second.
The NS packet sending rate is the maximum number of keepalive entries that can be scanned per second:
· If the number of keepalive entries due to be scanned in a second is not greater than the sending rate, the device scans all of them within that second.
· If the number of keepalive entries due to be scanned in a second is greater than the sending rate, the device scans them at the sending rate.
If you set a large sending rate, the device might use a lower rate to protect its performance.
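The probe schedule given in the usage guidelines of ipv6 nd scan keepalive enable (30 s, 45 s and 60 s intervals), the aging time, and the send-rate cap described above can be combined into a sizing model. The following Python is an added example, not code from this command reference or from the device software. It assumes that the first NS is sent one interval after an entry goes offline, that the send-rate cap never delays a probe, and, for the load estimate, that all entries go offline at the same moment and never recover; the page states none of these, so treat the numbers as a worst-case estimate.

```python
def probe_interval(probes_sent):
    """Seconds until the next NS probe to one offline entry, per the schedule
    on this page: 30 s while at most 50 probes have been sent, 45 s while at
    most 100 have been sent, 60 s after that."""
    if probes_sent <= 50:
        return 30
    if probes_sent <= 100:
        return 45
    return 60


def probe_times(aging_minutes):
    """Offsets in seconds, from the moment an entry goes offline, of every NS
    the device sends to it before the aging timer deletes the entry.
    Assumption (not stated on the page): the first NS goes out one interval
    after the entry goes offline, and the send-rate cap never delays a probe."""
    deadline = aging_minutes * 60
    t, sent, times = 0, 0, []
    while True:
        t += probe_interval(sent)
        if t >= deadline:
            return times  # entry is deleted before this probe would be sent
        times.append(t)
        sent += 1


def ns_load(offline_entries, aging_minutes, send_rate_pps=48):
    """Estimate the NS load caused by `offline_entries` entries that go offline
    at the same moment and never recover (worst case, e.g. a downstream switch
    losing power). Assumed scenario, not a figure from the page.

    peak_pps:   during the 30-second phase every entry is probed every 30 s.
    avg_pps:    all probes over the whole aging period.
    capped:     whether the configured send rate throttles the peak, which
                happens once more than send_rate_pps * 30 entries are offline.
    """
    probes_per_entry = len(probe_times(aging_minutes))
    avg_pps = offline_entries * probes_per_entry / (aging_minutes * 60)
    peak_pps = offline_entries / 30
    return {
        "probes_per_entry": probes_per_entry,
        "avg_pps": avg_pps,
        "peak_pps": peak_pps,
        "capped": peak_pps > send_rate_pps,
        "max_uncapped_entries": send_rate_pps * 30,
    }


if __name__ == "__main__":
    # Default aging time (60 min) and default send rate (48 pps).
    print("probes per entry at 60 min aging:", len(probe_times(60)))
    print("probes per entry at 10 min aging:", len(probe_times(10)))
    print(ns_load(3000, 60))
```

With the default 60-minute aging time an entry that never recovers receives 96 NS probes before it is deleted (51 at 30 s, then 45 at 45 s); shortening the aging time to 10 minutes cuts that to 19. The default send rate of 48 pps starts throttling once more than 1440 entries are offline at the same time, so on an interface with several thousand users a mass-offline event will run at the cap and stretch the probe intervals beyond the nominal schedule.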
Examples
# Set the NS packet sending rate to 10 pps during keepalive entry scanning.
<Sysname> system-view
[Sysname] ipv6 nd scan keepalive send-rate 10
Related commands
ipv6 nd scan keepalive enable
reset ipv6 nd scan keepalive statistics
Use reset ipv6 nd scan keepalive statistics to clear statistics about ND keepalive entry scanning.
Syntax
reset ipv6 nd scan keepalive statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears statistics about ND keepalive entry scanning on the master device.
Usage guidelines
This command clears statistics about the NS packets sent to the IPv6 addresses in offline keepalive entries and resets the start time of NS packet statistics collection.
The NS packet count and the statistics start time displayed by the display ipv6 nd scan keepalive statistics command are the data collected since the most recent execution of the reset ipv6 nd scan keepalive statistics command.
Examples
# Clear statistics about NS packets sent to the IPv6 addresses in offline keepalive entries.
<Sysname> reset ipv6 nd scan keepalive statistics
Related commands
display ipv6 nd scan keepalive statistics
ND SNMP notification commands
snmp-agent trap enable nd
Use snmp-agent trap enable nd to enable SNMP notifications for ND.
Use undo snmp-agent trap enable nd to disable SNMP notifications for ND.
Syntax
snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | rate-limit ] *
undo snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | rate-limit ] *
Default
SNMP notifications for ND are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
entry-limit: Specifies ND entry limit notifications.
local-conflict: Specifies notifications for conflicts between endpoints and the local device.
nd-miss: Specifies notifications for the sending rate limit of ND Miss messages and ND packets.
rate-limit: Specifies notifications for the receiving rate limit of ND packets.
Usage guidelines
Enable SNMP notifications for ND as required.
· If you enable ND entry limit notifications, the device sends the current ND entry information as a notification to the SNMP module when the number of ND entries exceeds the alarm threshold.
· If you enable notifications for conflicts between endpoints and the local device, the device sends a notification to the SNMP module when such a conflict occurs. The notification includes the source IPv6 address, source MAC address, destination IPv6 address, and destination MAC address of the conflicting ND packet.
· If you enable sending rate limit notifications for ND Miss messages and ND packets, the device sends the highest rate that crossed the threshold as a notification to the SNMP module. When the device receives an IPv6 packet whose destination address cannot be resolved, it sends an ND Miss message to the CPU.
· If you enable receiving rate limit notifications for ND packets, the device sends the highest rate that crossed the threshold as a notification to the SNMP module. For more information about ND packet rate limit, see "ND packet rate limit commands."
If you do not specify any keywords, this command enables all SNMP notifications for ND.
For ND event notifications to be sent correctly, you must also configure SNMP on the device. For more information, see SNMP configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for endpoints and local device conflicts.
<Sysname> system-view
[Sysname] snmp-agent trap enable nd local-conflict