12-Security Command Reference

15-ND attack defense commands

ND attack defense commands

Source MAC-based ND attack detection commands

display ipv6 nd source-mac

Use display ipv6 nd source-mac to display source MAC-based ND attack detection entries.

Syntax

display ipv6 nd source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ]

display ipv6 nd source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ]

display ipv6 nd source-mac slot slot-number [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Displays the ND attack detection entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Displays the source MAC-based ND attack detection entries for the specified VLAN. The VLAN ID is in the range of 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you specify a card, this command displays entries detected by the physical interfaces that reside on that card and belong to the specified virtual interface. If you do not specify a card, this command displays entries detected by the physical interfaces that reside on the active MPUs and belong to the specified virtual interface.

slot slot-number: Specifies a card by its slot number.

verbose: Displays detailed information about source MAC-based ND attack detection entries. If you do not specify this keyword, this command displays brief information about the source MAC-based ND attack detection entries.

count: Displays the number of source MAC-based ND attack detection entries. If you do not specify this keyword, the command displays source MAC-based ND attack detection entries.

Usage guidelines

The slot slot-number option is supported only when the interface interface-type interface-number option specifies a virtual interface.

This command supports the following virtual interfaces: Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, and Layer 3 aggregate subinterfaces.

If you do not specify any parameters, this command displays all source MAC-based ND attack detection entries.

Examples

# Display source MAC-based ND attack detection entries on Ten-GigabitEthernet 3/0/1.

<Sysname> display ipv6 nd source-mac interface ten-gigabitethernet 3/0/1

Attack detection mode:Slot-based

Source MAC     VLAN ID Interface                Aging time (sec) Packets dropped

23f3-1122-3344 4094    XGE3/0/1                 10                  84467

# Displays the number of source MAC-based ND attack detection entries.

<Sysname> display ipv6 nd source-mac slot 10 count

Attack detection mode:Slot-based

Total source MAC-based ND attack detection entries: 1

# Display detailed information about source MAC-based ND attack detection entries on Ten-GigabitEthernet 3/0/1.

<Sysname> display ipv6 nd source-mac interface ten-gigabitethernet 3/0/1 verbose

Attack detection mode:Slot-based

Source MAC: 0001-0001-0001

VLAN ID: 4094

Hardware status: Succeeded

Aging time: 10 seconds

Interface: Ten-GigabitEthernet3/0/1

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 1 Command output

Field

Description

Attack detection mode

Source MAC-based ND attack detection mode, which is fixed at slot-based mode. In this mode, the device performs source MAC-based ND attack detection on a per-slot basis.

Source MAC

MAC address from which an ND attack is launched.

VLAN ID

ID of the VLAN where the source MAC-based ND attack is detected.

Interface

Interface where the source MAC-based ND attack is detected.

Aging time

Remaining aging time of the source MAC-based ND attack detection entry, in seconds.

Packets dropped

Total number of dropped packets. This field is not supported on Layer 2 Ethernet interfaces.

Total source MAC-based ND attack detection entries

Total number of source MAC-based ND attack detection entries.

Hardware status

Status of the source MAC-based ND attack entry setting to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Attack time

Time when the source MAC-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.

 

Related commands

reset ipv6 nd source-mac

reset ipv6 nd source-mac statistics

display ipv6 nd source-mac configuration

Use display ipv6 nd source-mac configuration to display the configuration for source MAC-based ND attack detection.

Syntax

display ipv6 nd source-mac configuration [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the configuration on the active MPU for source MAC-based ND attack detection.

Examples

# Display the configuration of source MAC-based ND attack detection.

<Sysname> display ipv6 nd source-mac configuration slot 10

IPv6 ND source-mac is enabled.

Attack detection mode:Slot-based

Mode: Filter        Check interval: 5 seconds

Threshold: 20       Aging time: 300 seconds

Table 2 Command output

Field

Description

Attack detection mode

Source MAC-based ND attack detection mode, which is fixed at slot-based mode. In this mode, the device performs source MAC-based ND attack detection on a per-slot basis.

IPv6 ND source-mac is enabled.

Source MAC-based ND attack detection is enabled.

IPv6 ND source-mac is disabled.

Source MAC-based ND attack detection is disabled.

Mode

Source MAC-based ND attack detection mode:

·     Filter.

·     Monitor.

Check interval

Check interval of the source MAC-based ND attack detection, in seconds.

Threshold

Threshold for source MAC-based ND attack detection.

Aging time

Aging time of the source MAC-based ND attack detection entry, in seconds.

 

Related commands

ipv6 nd source-mac

ipv6 nd source-mac aging-time

ipv6 nd source-mac check-interval

ipv6 nd source-mac exclude-mac

ipv6 nd source-mac threshold

display ipv6 nd source-mac statistics

Use display ipv6 nd source-mac statistics to display statistics for ND messages dropped by source MAC-based ND attack detection.

Syntax

display ipv6 nd source-mac statistics slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

Examples

# Display statistics for ND messages dropped by source MAC-based ND attack detection.

<Sysname> display ipv6 nd source-mac statistics slot 10

Dropped ND messages: 100

Table 3 Command output

Field

Description

Dropped ND messages

Number of ND messages dropped by source MAC-based ND attack detection.

 

Related commands

reset ipv6 nd source-mac statistics

ipv6 nd source-mac

Use ipv6 nd source-mac to enable source MAC-based ND attack detection and specify an attack handling method.

Use undo ipv6 nd source-mac to disable source MAC-based ND attack detection.

Syntax

ipv6 nd source-mac { filter | monitor }

undo ipv6 nd source-mac

Default

Source MAC-based ND attack detection is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filter: Specifies the filter handling method.

monitor: Specifies the monitor handling method.

Usage guidelines

As a best practice, configure this command on gateway devices.

Source MAC-based ND attack detection checks the number of ND messages delivered to the CPU. If the number of messages from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. The processing of the ND messages sent from the MAC address in this entry depends on the attack handling method. With ND logging enabled (by using the ipv6 nd check log enable command), source MAC-based ND attack detection processes the messages as follows:

·     Filter—Filters out subsequent ND messages sent from the MAC address, and generates log messages.

·     Monitor—Only generates log messages.

During the ND attack defense period, the device monitors the number of dropped packets in an entry within the aging time:

·     If the number of dropped packets is higher than or equal to a calculated value, the device resets the aging time for the entry when the entry ages out.

The calculated value = (aging time/check interval) × source MAC-based ND attack detection threshold

·     If the number of dropped packets is lower than the calculated value, the system deletes the entry when the entry ages out and marks the MAC address in the entry as a common MAC address.

When you change the attack handling method from monitor to filter, the filter mode takes effect immediately. When you change the attack handling method from filter to monitor, the device continues filtering ND messages that match existing attack entries.

Source MAC-based ND attack detection checks the number of ND messages delivered to the CPU on a per-slot basis. If the number of ND messages received from the same MAC address within a check interval on a slot exceeds the threshold, the device determines that an attack has occurred.
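The entry lifecycle described in these guidelines, as an added simulation written for this page (not H3C code): per-slot, per-MAC counting within the check interval, entry creation when the threshold is exceeded, the filter/monitor handling and its mode-change behaviour, excluded MACs, and the aging-time re-check against (aging time / check interval) × threshold. Class names, the event interface and the per-period drop counter are assumptions; the same recheck_value shape applies to the interface-based suppression rule later on this page.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Defaults stated on this page for the source-mac commands
DEFAULT_CHECK_INTERVAL = 5    # seconds (ipv6 nd source-mac check-interval)
DEFAULT_THRESHOLD = 30        # messages per check interval (ipv6 nd source-mac threshold)
DEFAULT_AGING_TIME = 300      # seconds (ipv6 nd source-mac aging-time)


def recheck_value(period: int, check_interval: int, threshold: int) -> int:
    """The 'calculated value' from the usage guidelines: (period / check interval) x threshold.
    period is the aging time for source MAC entries; the interface-based suppression rule
    has the same shape with the suppression time. Integer division is an assumption."""
    return (period // check_interval) * threshold


@dataclass
class AttackEntry:
    mac: str
    slot: int
    filtering: bool                # handling method frozen into this entry
    expires_at: int                # time at which the aging time runs out
    packets_dropped: int = 0       # cumulative, as shown by display ipv6 nd source-mac
    dropped_this_period: int = 0   # assumption: what the aging re-check compares


@dataclass
class SourceMacDetector:
    mode: str = "monitor"          # "filter" or "monitor"
    check_interval: int = DEFAULT_CHECK_INTERVAL
    threshold: int = DEFAULT_THRESHOLD
    aging_time: int = DEFAULT_AGING_TIME
    exclude_macs: set = field(default_factory=set)    # ipv6 nd source-mac exclude-mac
    entries: dict = field(default_factory=dict)       # (slot, mac) -> AttackEntry
    logs: list = field(default_factory=list)          # what ND logging would emit
    _counts: dict = field(default_factory=lambda: defaultdict(int))  # per-slot, per-MAC
    _window: int = -1                                 # index of the current check interval

    def set_mode(self, mode: str) -> None:
        """monitor -> filter takes effect on existing entries immediately;
        filter -> monitor leaves entries that already filter as they are."""
        self.mode = mode
        if mode == "filter":
            for entry in self.entries.values():
                entry.filtering = True

    def nd_message(self, now: int, slot: int, mac: str) -> str:
        """Handle one ND message delivered to the CPU. Returns 'accept' or 'drop'."""
        window = now // self.check_interval
        if window != self._window:             # a new check interval: counters restart
            self._counts.clear()
            self._window = window
        key = (slot, mac)
        entry = self.entries.get(key)
        if entry is not None:
            if entry.filtering and mac not in self.exclude_macs:
                entry.packets_dropped += 1
                entry.dropped_this_period += 1
                return "drop"
            return "accept"                    # monitor mode, or an excluded MAC
        self._counts[key] += 1
        if self._counts[key] > self.threshold:  # threshold exceeded on this slot
            self.entries[key] = AttackEntry(mac, slot, self.mode == "filter",
                                            now + self.aging_time)
            self.logs.append(f"slot {slot}: ND attack from {mac}, handling {self.mode}")
        return "accept"

    def age(self, now: int) -> list:
        """Apply the aging-time rule to entries whose timer has run out.
        Returns (mac, 'kept' | 'deleted') per expired entry."""
        limit = recheck_value(self.aging_time, self.check_interval, self.threshold)
        outcome = []
        for key, entry in list(self.entries.items()):
            if now < entry.expires_at:
                continue
            if entry.dropped_this_period >= limit:
                entry.expires_at = now + self.aging_time   # still under attack: reset timer
                entry.dropped_this_period = 0
                outcome.append((entry.mac, "kept"))
            else:
                del self.entries[key]                      # back to a common MAC address
                outcome.append((entry.mac, "deleted"))
        return outcome


def demo() -> dict:
    """Constructed scenario with short timers so the whole lifecycle is visible."""
    det = SourceMacDetector(mode="filter", check_interval=5, threshold=3, aging_time=20)
    mac = "23f3-1122-3344"
    first = [det.nd_message(0, 3, mac) for _ in range(4)]     # 4th message crosses the threshold
    flood = [det.nd_message(1, 3, mac) for _ in range(12)]    # entry exists: filtered
    dropped = det.entries[(3, mac)].packets_dropped
    kept = det.age(20)      # 12 >= (20 / 5) x 3 = 12, so the entry survives
    gone = det.age(40)      # nothing dropped in the next period, so it is deleted
    return {"first": first, "flood": flood, "dropped": dropped,
            "kept": kept, "gone": gone, "logs": det.logs}
```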

Examples

# Enable source MAC-based ND attack detection and specify the monitor handling method.

<Sysname> system-view

[Sysname] ipv6 nd source-mac monitor

ipv6 nd source-mac aging-time

Use ipv6 nd source-mac aging-time to set the aging time for source MAC-based ND attack detection entries.

Use undo ipv6 nd source-mac aging-time to restore the default.

Syntax

ipv6 nd source-mac aging-time time

undo ipv6 nd source-mac aging-time

Default

The aging time for source MAC-based ND attack detection entries is 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the aging time for source MAC-based ND attack detection entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time to 100 seconds for source MAC-based ND attack detection entries.

<Sysname> system-view

[Sysname] ipv6 nd source-mac aging-time 100

ipv6 nd source-mac check-interval

Use ipv6 nd source-mac check-interval to set the check interval for source MAC-based ND attack detection.

Use undo ipv6 nd source-mac check-interval to restore the default.

Syntax

ipv6 nd source-mac check-interval interval

undo ipv6 nd source-mac check-interval

Default

The check interval is 5 seconds for source MAC-based ND attack detection.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the check interval in seconds. The value range is 5 to 60.

Usage guidelines

The source MAC-based ND attack detection feature checks the number of ND packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. To set the threshold, use the ipv6 nd source-mac threshold command.

If attacks occur frequently in your network, set a short check interval so that source MAC-based ND attacks can be detected promptly. If attacks seldom occur, you can set a long check interval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the check interval to 30 seconds for source MAC-based ND attack detection.

<Sysname> system-view

[Sysname] ipv6 nd source-mac check-interval 30

Related commands

ipv6 nd source-mac threshold

ipv6 nd source-mac exclude-mac

Use ipv6 nd source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ND attack detection.

Use undo ipv6 nd source-mac exclude-mac to remove the excluded MAC addresses.

Syntax

ipv6 nd source-mac exclude-mac mac-address&<1-10>

undo ipv6 nd source-mac exclude-mac [ mac-address&<1-10> ]

Default

No MAC addresses are excluded from source MAC-based ND attack detection.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-10> indicates the number of excluded MAC addresses that you can configure.

Usage guidelines

Source MAC-based ND attack detection does not drop ND messages sent from the excluded MAC addresses even if it detects attacks launched from these MAC addresses.

If you do not specify a MAC address, the undo ipv6 nd source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude the MAC address 001e-1200-0213 from source MAC-based ND attack detection.

<Sysname> system-view

[Sysname] ipv6 nd source-mac exclude-mac 001e-1200-0213

ipv6 nd source-mac threshold

Use ipv6 nd source-mac threshold to set the threshold for source MAC-based ND attack detection.

Use undo ipv6 nd source-mac threshold to restore the default.

Syntax

ipv6 nd source-mac threshold threshold-value

undo ipv6 nd source-mac threshold

Default

The threshold for source MAC-based ND attack detection is 30.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ND attack detection. The value range is 1 to 5000.

Usage guidelines

If the number of packets from the same MAC address within the check interval exceeds the threshold, the device generates an ND attack entry for the MAC address. To set the check interval, use the ipv6 nd source-mac check-interval command.

Examples

# Set the threshold to 100 for source MAC-based ND attack detection.

<Sysname> system-view

[Sysname] ipv6 nd source-mac threshold 100

Related commands

ipv6 nd source-mac check-interval

reset ipv6 nd source-mac

Use reset ipv6 nd source-mac to delete source MAC-based ND attack detection entries.

Syntax

reset ipv6 nd source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Deletes the source MAC-based ND attack entries detected on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

mac mac-address: Deletes the source MAC-based ND attack entry for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Deletes the source MAC-based ND attack entries for the specified VLAN. The value range for the vlan-id argument is 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes source MAC-based ND attack detection entries on the active MPU.

Usage guidelines

If you do not specify any parameters, this command deletes all source MAC-based ND attack detection entries.

Examples

# Delete all source MAC-based ND attack detection entries.

<Sysname> reset ipv6 nd source-mac

Related commands

display ipv6 nd source-mac

reset ipv6 nd source-mac statistics

Use reset ipv6 nd source-mac statistics to clear statistics for ND messages dropped by source MAC-based ND attack detection.

Syntax

reset ipv6 nd source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears statistics for ND messages dropped by source MAC-based ND attack detection on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

mac mac-address: Clears statistics for ND messages dropped by source MAC-based ND attack detection for the specified MAC address. The MAC address format is H-H-H.

vlan vlan-id: Clears statistics for ND messages dropped by source MAC-based ND attack detection for the specified VLAN. The value range for the VLAN ID is 1 to 4094.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears related statistics on the active MPU.

Usage guidelines

If you do not specify any parameters, this command clears all statistics for ND messages dropped by source MAC-based ND attack detection.

Examples

# Clear all statistics for ND messages dropped by source MAC-based ND attack detection.

<Sysname> reset ipv6 nd source-mac statistics

Related commands

display ipv6 nd source-mac

display ipv6 nd source-mac statistics

Interface-based ND attack suppression commands

display ipv6 nd attack-suppression configuration

Use display ipv6 nd attack-suppression configuration to display the configuration of interface-based ND attack suppression.

Syntax

display ipv6 nd attack-suppression configuration

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of interface-based ND attack suppression.

<Sysname> display ipv6 nd attack-suppression configuration

IPv6 ND attack-suppression per-interface is enabled.

Check interval: 5 seconds      Suppression time: 300 seconds

Threshold: 3000

Table 4 Command output

Field

Description

IPv6 ND attack-suppression per-interface is enabled.

The interface-based ND attack suppression is enabled.

IPv6 ND attack-suppression per-interface is disabled.

The interface-based ND attack suppression is disabled.

Check interval

Check interval of the interface-based ND attack suppression, in seconds.

Suppression time

Interface-based ND attack suppression time in seconds.

Threshold

Threshold for triggering interface-based ND attack suppression.

 

Related commands

ipv6 nd attack-suppression check-interval

ipv6 nd attack-suppression enable per-interface

ipv6 nd attack-suppression suppression-time

display ipv6 nd attack-suppression per-interface

Use display ipv6 nd attack-suppression per-interface to display interface-based ND attack suppression entries.

Syntax

display ipv6 nd attack-suppression per-interface slot slot-number [ count | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.

slot slot-number: Specifies a card by its slot number.

count: Specifies the number of interface-based ND attack suppression entries. If you do not specify this keyword, the command displays interface-based ND attack suppression entries.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all interface-based ND attack suppression entries.

Examples

# Display interface-based ND attack suppression entries on the specified slot.

<Sysname> display ipv6 nd attack-suppression per-interface slot 10

Interface                Suppression time (second) Packets dropped

XGE3/0/1                 200                            84467

XGE3/0/2                 140                            38293

# Display the total number of interface-based ND attack suppression entries on the specified slot.

<Sysname> display ipv6 nd attack-suppression per-interface slot 10 count

Total ND attack suppression entries: 2

# Display detailed information about the interface-based ND attack suppression entries on the specified slot.

<Sysname> display ipv6 nd attack-suppression per-interface slot 10 verbose

Interface: Ten-GigabitEthernet3/0/1

Suppression time: 200 seconds

Hardware status: Succeeded

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

 

Interface: Ten-GigabitEthernet3/0/2

Suppression time: 140 seconds

Hardware status: Succeeded

Attack time: 2018/06/04 14:53:34

Packets dropped: 38293

Table 5 Command output

Field

Description

Interface

Interface in the ND attack suppression entry.

Suppression time (second)

Suppression time, in seconds.

Packets dropped

Total number of dropped packets.

Total ND attack suppression entries

Total number of ND attack suppression entries.

Hardware status

Status of the interface-based ND attack entry setting to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Suppression time

Remaining suppression time, in seconds.

Attack time

Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.

 

Related commands

reset ipv6 nd attack-suppression per-interface

reset ipv6 nd attack-suppression per-interface statistics
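A parser for the verbose output of display ipv6 nd attack-suppression per-interface and display ipv6 nd source-mac (the field-per-line format shown in the examples above), added here as an example for operators polling these commands; it is not H3C code. The sample outputs are constructed in the page's format, the second interface's hardware status is invented to exercise the check, and the helper flags entries whose setting to hardware did not succeed, since such an entry exists in the table but should not be assumed to be enforced.

```python
import re
from datetime import datetime

# Constructed samples in the formats shown on this page. The "Not enough resources"
# status on the second interface is made up; the page's examples only show Succeeded.
SUPPRESSION_VERBOSE = """\
Interface: Ten-GigabitEthernet3/0/1
Suppression time: 200 seconds
Hardware status: Succeeded
Attack time: 2018/06/04 15:53:34
Packets dropped: 84467

Interface: Ten-GigabitEthernet3/0/2
Suppression time: 140 seconds
Hardware status: Not enough resources
Attack time: 2018/06/04 14:53:34
Packets dropped: 0
"""

SOURCE_MAC_VERBOSE = """\
Attack detection mode:Slot-based
Source MAC: 0001-0001-0001
VLAN ID: 4094
Hardware status: Succeeded
Aging time: 10 seconds
Interface: Ten-GigabitEthernet3/0/1
Attack time: 2018/06/04 15:53:34
Packets dropped: 84467
"""

# "Field name: value"; the mode header has no space after the colon, so \s* is used
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")


def _convert(key, value):
    """Turn counters and timers into ints and the attack time into a datetime."""
    if key in ("Packets dropped", "VLAN ID"):
        return int(value)
    if key.endswith(" time") and value.endswith("seconds"):
        return int(value.split()[0])           # "200 seconds" -> 200
    if key == "Attack time":
        return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
    return value


def parse_verbose(text):
    """Parse verbose output into a list of dicts keyed by the output field names.
    A field that repeats (Interface or Source MAC appearing again) starts a new
    record, so the parser does not depend on blank lines between entries."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Attack detection mode":     # header line, not part of an entry
            continue
        if key in current:
            records.append(current)
            current = {}
        current[key] = _convert(key, value)
    if current:
        records.append(current)
    return records


def not_in_hardware(records):
    """Entries whose Hardware status is anything other than Succeeded (Failed,
    Not supported, Not enough resources). Returns (entry id, status) pairs."""
    return [(r.get("Interface") or r.get("Source MAC"), r["Hardware status"])
            for r in records if r.get("Hardware status") != "Succeeded"]
```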

display ipv6 nd attack-suppression per-interface interface

Use display ipv6 nd attack-suppression per-interface interface to display interface-based ND attack suppression entries on an interface.

Syntax

display ipv6 nd attack-suppression per-interface interface interface-type interface-number [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays interface-based ND attack suppression entries on the card where the interface resides.

verbose: Displays detailed information about interface-based ND attack suppression entries. If you do not specify this keyword, the command displays brief information about ND attack suppression entries.

Examples

# Display interface-based ND attack suppression entries on Ten-GigabitEthernet 3/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface ten-gigabitethernet 3/0/1

Interface                Suppression time (second) Packets dropped

XGE3/0/1                 200                            84467

# Display detailed information about the interface-based ND attack suppression entries on Ten-GigabitEthernet 3/0/1.

<Sysname> display ipv6 nd attack-suppression per-interface interface ten-gigabitethernet 3/0/1 verbose

Interface: Ten-GigabitEthernet3/0/1

Suppression time: 200 seconds

Hardware status: Succeeded

Attack time: 2018/06/04 15:53:34

Packets dropped: 84467

Table 6 Command output

Field

Description

Interface

Interface in the ND attack suppression entry.

Suppression time (second)

Suppression time, in seconds.

Packets dropped

Total number of dropped packets.

Hardware status

Status of the interface-based ND attack entry setting to hardware:

·     Succeeded.

·     Failed.

·     Not supported.

·     Not enough resources.

Suppression time

Remaining suppression time, in seconds.

Attack time

Time when the interface-based ND attack was detected. The time format is YYYY/MM/DD HH:MM:SS.

 

Related commands

reset ipv6 nd attack-suppression per-interface

reset ipv6 nd attack-suppression per-interface statistics

ipv6 nd attack-suppression check-interval

Use ipv6 nd attack-suppression check-interval to set the check interval for interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression check-interval to restore the default.

Syntax

ipv6 nd attack-suppression check-interval interval

undo ipv6 nd attack-suppression check-interval

Default

The check interval is 5 seconds for interface-based ND attack suppression.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies a check interval in seconds. The value range is 5 to 60.

Usage guidelines

The interface-based ND attack suppression feature monitors the number of ND requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ND attack suppression threshold, the device creates an ND attack suppression entry for the interface.

This feature does not take effect on VLAN and VSI interfaces.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the check interval to 30 seconds for interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression check-interval 30

Related commands

display ipv6 nd attack-suppression configuration

ipv6 nd attack-suppression enable per-interface

ipv6 nd attack-suppression enable per-interface

Use ipv6 nd attack-suppression enable per-interface to enable interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression enable per-interface to disable interface-based ND attack suppression.

Syntax

ipv6 nd attack-suppression enable per-interface

undo ipv6 nd attack-suppression enable per-interface

Default

Interface-based ND attack suppression is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature to rate limit ND requests on each Layer 3 interface to prevent ND spoofing attacks. This feature monitors the number of ND requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the threshold, the device creates an ND attack suppression entry for the interface. To set the check interval, use the ipv6 nd attack-suppression check-interval command.

During the suppression period, the maximum receiving rate for ND requests is 12800 bytes per second on the interface.

When the suppression time expires, the system examines the number of received ND messages on the interface within the suppression time:

·     If the number of the received ND messages is higher than or equal to a calculated value, the device resets the suppression time for the entry and continues the ND suppression on the interface.

The calculated value = (suppression time/check interval) × suppression threshold

·     If the number of the received ND messages is lower than the calculated value, the device deletes the suppression entry.

This feature does not take effect on VLAN and VSI interfaces.

As a best practice, enable this feature on the gateway.

Examples

# Enable interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression enable per-interface

Related commands

display ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression check-interval

ipv6 nd attack-suppression threshold

ipv6 nd attack-suppression suppression-time

Use ipv6 nd attack-suppression suppression-time to set the interface-based ND attack suppression time.

Use undo ipv6 nd attack-suppression suppression-time to restore the default.

Syntax

ipv6 nd attack-suppression suppression-time time

undo ipv6 nd attack-suppression suppression-time

Default

The interface-based ND attack suppression time is 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the suppression time in seconds. The value range is 60 to 6000.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the suppression time to 60 seconds for interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression suppression-time 60

Related commands

display ipv6 nd attack-suppression configuration

ipv6 nd attack-suppression enable per-interface

ipv6 nd attack-suppression threshold

Use ipv6 nd attack-suppression threshold to set the threshold for triggering interface-based ND attack suppression.

Use undo ipv6 nd attack-suppression threshold to restore the default.

Syntax

ipv6 nd attack-suppression threshold threshold-value

undo ipv6 nd attack-suppression threshold

Default

The threshold for triggering interface-based ND attack suppression is 1000.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for triggering interface-based ND attack suppression, in the range of 1 to 5000. The threshold defines the maximum number of ND requests that an interface can receive in each check interval.

Usage guidelines

When the number of ND requests that an interface received within the check interval exceeds the threshold, the device determines that the interface is being attacked. To set the check interval, use the ipv6 nd attack-suppression check-interval command.

Examples

# Set the threshold to 500 for triggering interface-based ND attack suppression.

<Sysname> system-view

[Sysname] ipv6 nd attack-suppression threshold 500

Related commands

display ipv6 nd attack-suppression per-interface

ipv6 nd attack-suppression check-interval

ipv6 nd attack-suppression enable per-interface

reset ipv6 nd attack-suppression per-interface

Use reset ipv6 nd attack-suppression per-interface to delete interface-based ND attack suppression entries.

Syntax

reset ipv6 nd attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Deletes interface-based ND attack suppression entries for the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes interface-based ND attack suppression entries on the active MPU.

Usage guidelines

If you do not specify any parameters, this command deletes all interface-based ND attack suppression entries.

Examples

# Delete all interface-based ND attack suppression entries.

<Sysname> reset ipv6 nd attack-suppression per-interface

Related commands

display ipv6 nd attack-suppression per-interface

reset ipv6 nd attack-suppression per-interface statistics

Use reset ipv6 nd attack-suppression per-interface statistics to clear statistics for ND messages dropped by interface-based ND attack suppression.

Syntax

reset ipv6 nd attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears statistics for ND messages dropped by interface-based ND attack suppression on the specified interface. The interface-type interface-number arguments specify an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears related statistics on the active MPU.

Usage guidelines

After you execute this command, the value for the Packets dropped field from the output of the display ipv6 nd attack-suppression per-interface command will be cleared.

If you do not specify any parameters, this command clears all statistics for ND messages dropped by interface-based ND attack suppression.

Examples

# Clear statistics for ND messages dropped by interface-based ND attack suppression.

<Sysname> reset ipv6 nd attack-suppression per-interface statistics

Related commands

display ipv6 nd attack-suppression per-interface

Source MAC consistency check commands

ipv6 nd check log enable

Use ipv6 nd check log enable to enable the ND logging feature.

Use undo ipv6 nd check log enable to restore the default.

Syntax

ipv6 nd check log enable

undo ipv6 nd check log enable

Default

The ND logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Examples

# Enable the ND logging feature.

<Sysname> system-view

[Sysname] ipv6 nd check log enable

Related commands

ipv6 nd mac-check enable

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.

Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.

Syntax

ipv6 nd mac-check enable

undo ipv6 nd mac-check enable

Default

Source MAC consistency check for ND messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.

Examples

# Enable source MAC consistency check for ND messages.

<Sysname> system-view

[Sysname] ipv6 nd mac-check enable

ND SNMP notification commands

snmp-agent trap enable nd

Use snmp-agent trap enable nd to enable SNMP notifications for ND.

Use undo snmp-agent trap enable nd to disable SNMP notifications for ND.

Syntax

snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | user-ip-conflict ] *

undo snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | user-ip-conflict ] *

Default

SNMP notifications for ND are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

entry-limit: Specifies ND entry limit notifications.

local-conflict: Specifies endpoint and local device conflict notifications.

nd-miss: Specifies rate limit notifications for sending ND Miss messages or ND packets.

user-ip-conflict: Specifies user IPv6 address conflict notifications.

Usage guidelines

Enable SNMP notifications for ND as required.

·     If you enable ND entry limit notifications, the device sends the current number of ND entries as a notification to the SNMP module when the number of ND entries exceeds the alarm threshold.

·     If you enable endpoint and local device conflict notifications, the device sends a notification to the SNMP module when an endpoint and local device conflict occurs. The notification includes the source IPv6 address, source MAC address, destination IPv6 address, and destination MAC address in the conflicting ND packet.

·     If you enable rate limit notifications for sending ND Miss messages or ND packets, the device sends the highest threshold-crossed rate as a notification to the SNMP module.

·     If you enable user IPv6 address conflict notifications, the device sends a notification to the SNMP module when a user IPv6 address conflict occurs. The notification includes the source IPv6 and MAC addresses in the conflicting ND packet, and the MAC address in the corresponding local ND entry.

For ND event notifications to be sent correctly, you must also configure SNMP on the device. For more information, see SNMP configuration in Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for endpoint and local device conflicts.

<Sysname> system-view

[Sysname] snmp-agent trap enable nd local-conflict
