15-Security Command Reference

11-ND attack defense commands

ND attack defense commands

ND packet rate limit commands

ipv6 nd rate-limit

Use ipv6 nd rate-limit to enable ND packet rate limit.

Use undo ipv6 nd rate-limit to disable ND packet rate limit.

Syntax

ipv6 nd rate-limit [ pps ]

undo ipv6 nd rate-limit

Default

ND packet rate limit is enabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

pps: Specifies the upper limit of the ND packet receiving rate, in pps. The value range is 5 to 2000. If you do not specify the limit, the default value applies.

Usage guidelines

ND packet rate limit restricts the rate at which received ND packets are delivered to the CPU, preventing the CPU from being overwhelmed by ND packets. Packets that exceed the rate limit are dropped.

Examples

# Enable ND packet rate limit on Layer 2 Ethernet interface HundredGigE 1/0/1, and set the rate limit to 50 pps.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] ipv6 nd rate-limit 50

ipv6 nd rate-limit log enable

Use ipv6 nd rate-limit log enable to enable logging for ND packet rate limit.

Use undo ipv6 nd rate-limit log enable to disable logging for ND packet rate limit.

Syntax

ipv6 nd rate-limit log enable

undo ipv6 nd rate-limit log enable

Default

Logging for ND packet rate limit is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When logging for ND packet rate limit is enabled, the device sends a log message to the information center once per sending interval, reporting the highest ND packet rate that exceeded the limit during that interval. You can configure the information center module to set the log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for ND packet rate limit.

<Sysname> system-view

[Sysname] ipv6 nd rate-limit log enable

Related commands

ipv6 nd rate-limit log interval

ipv6 nd rate-limit log interval

Use ipv6 nd rate-limit log interval to set the log message sending interval for ND packet rate limit.

Use undo ipv6 nd rate-limit log interval to restore the default.

Syntax

ipv6 nd rate-limit log interval interval

undo ipv6 nd rate-limit log interval

Default

The device sends log messages every 60 seconds when the ND packet receiving rate on an interface exceeds the limit.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies an interval in the range of 1 to 86400 seconds.

Usage guidelines

For a configured interval to take effect, both ND packet rate limit and logging for ND packet rate limit must be enabled.

Examples

# Configure the device to send log messages every 120 seconds when the ND packet receiving rate on an interface exceeds the limit.

<Sysname> system-view

[Sysname] ipv6 nd rate-limit log interval 120

Related commands

ipv6 nd rate-limit log enable

Source MAC consistency check commands

ipv6 nd check log enable

Use ipv6 nd check log enable to enable the ND logging feature.

Use undo ipv6 nd check log enable to restore the default.

Syntax

ipv6 nd check log enable

undo ipv6 nd check log enable

Default

The ND logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Examples

# Enable the ND logging feature.

<Sysname> system-view

[Sysname] ipv6 nd check log enable

Related commands

ipv6 nd mac-check enable

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.

Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.

Syntax

ipv6 nd mac-check enable

undo ipv6 nd mac-check enable

Default

Source MAC consistency check for ND messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to enable source MAC consistency check on a gateway. For each ND message, the gateway compares the source MAC address in the frame header with the source link-layer address carried in the ND message. If the two addresses are inconsistent, the gateway drops the ND message.

Examples

# Enable source MAC consistency check for ND messages.

<Sysname> system-view

[Sysname] ipv6 nd mac-check enable
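The check described above, as an added Python model (not H3C code): it parses an ND frame down to the source link-layer address option, compares it with the Ethernet source MAC, and returns the accept/drop decision a gateway with the check enabled would make. The NS frame builder is constructed test input only; the ICMPv6 checksum is left at zero because it plays no part in the check.

```python
import struct
from ipaddress import IPv6Address

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # bytes before the options
OPT_SOURCE_LL_ADDR = 1  # RFC 4861 option type for the source link-layer address

def parse_nd(frame: bytes):
    """Return (message name, Ethernet source MAC, SLLA option or None) for an
    ND frame; return None when the frame is not an ND message."""
    if len(frame) < 54:
        return None
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip6 = frame[14:54]
    if ethertype != ETH_P_IPV6 or ip6[0] >> 4 != 6 or ip6[6] != IPPROTO_ICMPV6:
        return None
    payload_len = struct.unpack("!H", ip6[4:6])[0]
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 8 or icmp[0] not in ND_TYPES:
        return None
    slla, pos = None, ND_FIXED_LEN[icmp[0]]
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            break  # malformed option; RFC 4861 requires a length of at least 1
        if opt_type == OPT_SOURCE_LL_ADDR and opt_len == 1:
            slla = icmp[pos + 2:pos + 8]
        pos += opt_len * 8
    return ND_TYPES[icmp[0]], src_mac, slla

def mac_check(frame: bytes) -> str:
    """Decision a gateway with source MAC consistency check enabled would make:
    'drop' when the frame's source MAC and the SLLA option differ, else 'accept'."""
    parsed = parse_nd(frame)
    if parsed is None or parsed[2] is None:
        return "accept"  # not an ND message, or nothing to compare against
    return "accept" if parsed[1] == parsed[2] else "drop"

def build_ns(src_mac: bytes, slla: bytes, target="2001:db8::10") -> bytes:
    """Constructed Neighbor Solicitation frame for testing (checksum left at 0)."""
    opt = struct.pack("!BB6s", OPT_SOURCE_LL_ADDR, 1, slla)
    icmp = struct.pack("!BBHI16s", 135, 0, 0, 0, IPv6Address(target).packed) + opt
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                      IPv6Address("fe80::1").packed, IPv6Address("ff02::1:ff00:10").packed)
    eth = struct.pack("!6s6sH", bytes.fromhex("3333ff000010"), src_mac, ETH_P_IPV6)
    return eth + ip6 + icmp
```

A frame whose SLLA option matches its source MAC yields "accept"; one built with a different SLLA yields "drop", which is exactly the event the ND logging feature records.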

ND attack detection commands

display ipv6 nd detection statistics

Use display ipv6 nd detection statistics to display statistics for ND messages dropped by ND attack detection.

Syntax

display ipv6 nd detection statistics [ interface interface-type interface-number [ service-instance instance-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for ND messages dropped by ND attack detection on all interfaces.

service-instance instance-id: Specifies an Ethernet service instance by its ID in the range of 1 to 4096. If you do not specify an Ethernet service instance, this command displays statistics in all Ethernet service instances on the specified interface.

Examples

# Display statistics for all ND messages dropped by ND attack detection.

<Sysname> display ipv6 nd detection statistics

ND packets dropped by ND detection:

Interface/AC         Packets dropped

HGE1/0/1              78

HGE1/0/2              0

HGE1/0/3              0

HGE1/0/4              0

HGE1/0/5-srv1        0

HGE1/0/5-srv2        10

Table 1 Command output

Field                Description
Interface/AC         Input interface or AC link of the ND messages.
Packets dropped      Number of ND messages dropped by ND attack detection.

ipv6 nd detection enable

Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.

Use undo ipv6 nd detection enable to disable ND attack detection.

Syntax

ipv6 nd detection enable

undo ipv6 nd detection enable

Default

ND attack detection is disabled.

Views

VSI view

Predefined user roles

network-admin

Examples

# Enable ND attack detection for VSI vsi1.

<Sysname> system-view

[Sysname] vsi vsi1

[Sysname-vsi-vsi1] ipv6 nd detection enable

ipv6 nd detection log enable

Use ipv6 nd detection log enable to enable ND attack detection logging.

Use undo ipv6 nd detection log enable to disable ND attack detection logging.

Syntax

ipv6 nd detection log enable

undo ipv6 nd detection log enable

Default

ND attack detection logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command allows the device to generate logs when it detects ND attacks. The log information helps administrators locate and solve problems. The ND attack detection logging feature sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.

Device performance degrades when the device outputs a large number of ND attack detection logs. You can disable ND attack detection logging to preserve device performance.

Examples

# Enable ND attack detection logging.

<Sysname> system-view

[Sysname] ipv6 nd detection log enable

reset ipv6 nd detection statistics

Use reset ipv6 nd detection statistics to clear ND attack detection statistics.

Syntax

reset ipv6 nd detection statistics [ interface interface-type interface-number [ service-instance instance-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ND attack detection statistics for all interfaces.

service-instance instance-id: Specifies an Ethernet service instance by its ID in the range of 1 to 4096. If you do not specify an Ethernet service instance, this command clears ND attack detection statistics in all Ethernet service instances on the specified interface.

Examples

# Clear all ND attack detection statistics.

<Sysname> reset ipv6 nd detection statistics

ND scanning commands

ipv6 nd scan auto enable

Use ipv6 nd scan auto enable to enable automatic ND scanning in a specified address range on an interface.

Use undo ipv6 nd scan auto enable to disable automatic ND scanning on an interface.

Syntax

ipv6 nd scan auto enable start-ipv6-address to end-ipv6-address [ source-addr source-ipv6-address ]

undo ipv6 nd scan auto enable

Default

Automatic ND scanning is disabled on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

Layer 3 aggregate subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

start-ipv6-address: Specifies the start IPv6 address of the scanning range.

to end-ipv6-address: Specifies the end IPv6 address of the scanning range. The end IPv6 address must be higher than or equal to the start IPv6 address. The maximum number of IPv6 addresses in the range is 65535.

source-addr source-ipv6-address: Specifies the source address for the NS requests. The source-ipv6-address argument can be any valid IPv6 address. If you do not specify this option, the interface uses its IPv6 address as the source address.

Usage guidelines

The device creates ND entries through the NS and NA exchanges that traffic triggers. If no traffic is received or sent for a period of time, ND entries cannot be created or refreshed in time.

To resolve this issue, you can enable the automatic ND scanning feature on the device. This feature enables the device to periodically send ND packets (NS requests) at a specified rate to the IPv6 addresses in the specified range that do not have ND entries.

You can specify the source address for the NS requests when you enable automatic ND scanning on an interface:

·     If you do not specify the source address, the interface uses its IPv6 address as the source address. The interface scans the IPv6 addresses that belong to both the automatic ND scanning range and the subnet of the interface IPv6 address.

If the interface is configured with multiple IPv6 addresses that are also in the scanning range, the source address is the one with the longest prefix. If the prefix lengths are the same, the source address is the primary IPv6 address of the interface.

·     If you specify the source address, the interface uses the specified source address, and it scans all the IPv6 addresses in the automatic ND scanning range.

If the interface is enabled with ND proxy, the specified source address does not affect the Layer 3 forwarding route. For more information about ND proxy, see IPv6 basics in Layer 3 IP Services Configuration Guide.

You can set the ND packet sending rate by using the ipv6 nd scan auto send-rate command.

To avoid any impact on device performance, use automatic ND scanning only on networks where users come online and go offline frequently.

Examples

# Configure the device to scan neighbors in an address range on Layer 2 Ethernet interface HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] ipv6 nd scan auto enable 2001::1 to 2001::10

# Configure the device to scan neighbors in an address range on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 nd scan auto enable 2001::1 to 2001::10
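To make the source-address selection rules in the usage guidelines concrete, here is an added Python model (not H3C code). Given the configured range, the interface's addresses and the optional source-addr value, it returns the source address that automatic ND scanning would use and the addresses it would probe, and it enforces the range constraints the parameters describe. The behaviour when no interface address lies inside the range is not defined on the page and is an assumption marked in the code.

```python
from ipaddress import IPv6Address, IPv6Interface

MAX_SCAN_ADDRESSES = 65535  # largest range the command accepts

def scan_plan(start, end, interface_addrs, primary, source=None):
    """Return (source address, list of addresses to probe) as strings.
    interface_addrs: 'address/prefixlen' strings configured on the interface.
    primary: the interface's primary IPv6 address.
    source: the optional source-addr value."""
    start, end = IPv6Address(start), IPv6Address(end)
    if end < start:
        raise ValueError("end address must be higher than or equal to start")
    if int(end) - int(start) + 1 > MAX_SCAN_ADDRESSES:
        raise ValueError("range may hold at most %d addresses" % MAX_SCAN_ADDRESSES)
    rng = [IPv6Address(i) for i in range(int(start), int(end) + 1)]
    if source is not None:
        # source-addr given: every address in the range is scanned from it.
        return str(IPv6Address(source)), [str(a) for a in rng]
    addrs = [IPv6Interface(a) for a in interface_addrs]
    primary = IPv6Address(primary)
    # Candidates are the interface addresses that lie inside the scanning range.
    # If none does, all interface addresses are considered (assumption: the
    # page only specifies the in-range case).
    cands = [a for a in addrs if start <= a.ip <= end] or addrs
    # Longest prefix wins; on equal prefix lengths the primary address wins.
    src = max(cands, key=lambda a: (a.network.prefixlen, a.ip == primary))
    # Only addresses in both the range and the source's subnet are probed.
    targets = [str(a) for a in rng if a in src.network]
    return str(src.ip), targets
```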

ipv6 nd scan auto send-rate

Use ipv6 nd scan auto send-rate to set the ND packet sending rate for automatic ND scanning.

Use undo ipv6 nd scan auto send-rate to restore the default.

Syntax

ipv6 nd scan auto send-rate { ppm ppm | pps }

undo ipv6 nd scan auto send-rate

Default

The device sends ND packets at the rate of 48 pps during automatic ND scanning.

Views

System view

Predefined user roles

network-admin

Parameters

ppm ppm: Specifies the ND packet sending rate, in packets per minute (ppm). The value range for the ppm argument is 10 to 600, and the value must be a multiple of 10. Otherwise, a configuration error occurs.

pps: Specifies the ND packet sending rate, in packets per second (pps). The value range for the pps argument is 10 to 1000, and the value must be a multiple of 10. Otherwise, a configuration error occurs.

Usage guidelines

This command enables the device to periodically send ND packets (NS requests) at a specified rate. You can adjust the ND packet sending rate to avoid impact on device performance.

To avoid affecting device performance, the device might send ND packets at a rate lower than the configured rate.

Examples

# Set the ND packet sending rate to 10 pps during automatic ND scanning.

<Sysname> system-view

[Sysname] ipv6 nd scan auto send-rate 10

Related commands

ipv6 nd scan auto enable
