ND attack defense commands
Source MAC consistency check commands
ipv6 nd check log enable
Use ipv6 nd check log enable to enable the ND logging feature.
Use undo ipv6 nd check log enable to restore the default.
Syntax
ipv6 nd check log enable
undo ipv6 nd check log enable
Default
The ND logging feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
Examples
# Enable the ND logging feature.
<Sysname> system-view
[Sysname] ipv6 nd check log enable
Related commands
ipv6 nd mac-check enable
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check for ND messages is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command to enable source MAC consistency check on a gateway. The gateway checks the source MAC address and the source link-layer address for consistency for each ND message. If an inconsistency is found, the gateway drops the ND message.
Examples
# Enable source MAC consistency check for ND messages.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
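The consistency check described above can be reproduced off-device for lab captures. This is an added Python example, not code from the original reference or from the device: it compares the Ethernet source MAC of an untagged frame with the Source Link-Layer Address (SLLA) option of an RS, RA, or NS message. The function names, verdict strings, sample frames, and the treatment of malformed options and of messages without the option are assumptions of the example.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
# ICMPv6 type -> bytes before the first ND option (RFC 4861): RS, RA, NS
ND_FIXED_LEN = {133: 8, 134: 16, 135: 24}
OPT_SLLA = 1  # Source Link-Layer Address option


def fmt_mac(raw):
    return "-".join(f"{b:02x}" for b in raw)


def check_source_mac(frame):
    """Return (verdict, detail); verdict is 'pass', 'drop' or 'not-checked'."""
    if len(frame) < 14 + 40 + 4:
        return "not-checked", "too short for Ethernet + IPv6 + ICMPv6"
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "not-checked", "not IPv6"
    # IPv6 header starts at byte 14: payload length at +4, next header at +6.
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    if next_header != NEXT_HEADER_ICMPV6:
        return "not-checked", "ICMPv6 does not directly follow the IPv6 header"
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 4:
        return "not-checked", "ICMPv6 header missing"
    fixed = ND_FIXED_LEN.get(icmp[0])
    if fixed is None:
        return "not-checked", "message type carries no SLLA option"
    if len(icmp) < fixed:
        return "drop", "truncated ND message"  # assumption of this example
    offset = fixed
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8
        # RFC 4861 requires discarding messages with a zero-length option.
        if opt_len == 0 or offset + opt_len > len(icmp):
            return "drop", "malformed ND option"
        if opt_type == OPT_SLLA:
            slla = icmp[offset + 2:offset + 8]
            if slla != eth_src:
                return "drop", f"frame source {fmt_mac(eth_src)} != SLLA {fmt_mac(slla)}"
            return "pass", "frame source matches SLLA"
        offset += opt_len
    return "pass", "no SLLA option to compare"  # assumption of this example


def build_ns(eth_src, slla):
    """Constructed sample: NS for 2001:db8::2 with an SLLA option (checksum 0)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    target = ipaddress.IPv6Address("2001:db8::2").packed
    dst = ipaddress.IPv6Address("ff02::1:ff00:2").packed
    icmp = bytes([135, 0, 0, 0]) + bytes(4) + target + bytes([OPT_SLLA, 1]) + slla
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 255) + src + dst
    eth = bytes.fromhex("3333ff000002") + eth_src + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + icmp


HOST_MAC = bytes.fromhex("080027005038")    # constructed sender MAC
FORGED_MAC = bytes.fromhex("02deadbeef01")  # constructed MAC claimed in the option

if __name__ == "__main__":
    for label, frame in (("consistent", build_ns(HOST_MAC, HOST_MAC)),
                         ("forged SLLA", build_ns(HOST_MAC, FORGED_MAC))):
        print(label, check_source_mac(frame))
```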
ND attack detection commands
display ipv6 nd detection statistics
Use display ipv6 nd detection statistics to display statistics for ND messages dropped by ND attack detection.
Syntax
display ipv6 nd detection statistics [ interface interface-type interface-number [ service-instance instance-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for ND messages dropped by ND attack detection on all interfaces.
service-instance instance-id: Specifies an Ethernet service instance by its ID in the range of 1 to 4096. If you do not specify an Ethernet service instance, this command displays statistics in all Ethernet service instances on the specified interface.
Examples
# Display statistics for all ND messages dropped by ND attack detection.
<Sysname> display ipv6 nd detection statistics
ND packets dropped by ND detection:
Interface/AC Packets dropped
GE1/0/1 78
GE1/0/2 0
GE1/0/3 0
GE1/0/4 0
GE1/0/5-srv1 0
GE1/0/5-srv2 10
Table 1 Command output
Field | Description |
---|---|
Interface/AC | Input interface or AC link of the ND messages. |
Packets dropped | Number of ND messages dropped by ND attack detection. |
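For monitoring, the per-interface drop counts in this output are more useful as increases between two polls than as absolute values. The following Python code is an added example, not part of the original reference: it parses the output format shown above (including the -srvN suffix for ACs) and reports which counters grew. The function names and the second snapshot are constructed, and treating a decreased counter as the result of reset ipv6 nd detection statistics is an assumption of the example.

```python
import re

# One data row: interface name, optional "-srvN" AC suffix, drop counter.
ROW = re.compile(r"^(?P<name>\S+?)(?:-srv(?P<srv>\d+))?\s+(?P<dropped>\d+)$")

# Output as shown in the example above.
PAGE_SAMPLE = """\
ND packets dropped by ND detection:
Interface/AC Packets dropped
GE1/0/1 78
GE1/0/2 0
GE1/0/3 0
GE1/0/4 0
GE1/0/5-srv1 0
GE1/0/5-srv2 10
"""

# Constructed later poll: GE1/0/1 grew, GE1/0/5-srv2 was cleared and grew again.
LATER_SAMPLE = """\
ND packets dropped by ND detection:
Interface/AC Packets dropped
GE1/0/1 95
GE1/0/2 0
GE1/0/3 0
GE1/0/4 0
GE1/0/5-srv1 0
GE1/0/5-srv2 4
"""


def parse_nd_detection_stats(text):
    """Map (interface, service instance or None) -> packets dropped."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and prompt lines do not match and are skipped
            srv = int(m["srv"]) if m["srv"] else None
            stats[(m["name"], srv)] = int(m["dropped"])
    return stats


def new_drops(previous, current):
    """Return {key: increase} for counters that grew between two polls."""
    out = {}
    for key, now in current.items():
        before = previous.get(key, 0)
        # Assumption: a lower value means the counter was cleared in between,
        # so everything counted since the reset is new.
        delta = now - before if now >= before else now
        if delta > 0:
            out[key] = delta
    return out


if __name__ == "__main__":
    first = parse_nd_detection_stats(PAGE_SAMPLE)
    second = parse_nd_detection_stats(LATER_SAMPLE)
    for (ifname, srv), delta in sorted(new_drops(first, second).items()):
        where = ifname if srv is None else f"{ifname} service instance {srv}"
        print(f"{where}: {delta} ND messages dropped since last poll")
```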
ipv6 nd detection enable
Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.
Use undo ipv6 nd detection enable to disable ND attack detection.
Syntax
ipv6 nd detection enable
undo ipv6 nd detection enable
Default
ND attack detection is disabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
VLAN view
VSI view
Predefined user roles
network-admin
Examples
# Enable ND attack detection for GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd detection enable
# Enable ND attack detection for Bridge-Aggregation 1.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] ipv6 nd detection enable
# Enable ND attack detection for VLAN 10.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] ipv6 nd detection enable
# Enable ND attack detection for VSI vsi1.
<Sysname> system-view
[Sysname] vsi vsi1
[Sysname-vsi-vsi1] ipv6 nd detection enable
ipv6 nd detection log enable
Use ipv6 nd detection log enable to enable ND attack detection logging.
Use undo ipv6 nd detection log enable to disable ND attack detection logging.
Syntax
ipv6 nd detection log enable
undo ipv6 nd detection log enable
Default
ND attack detection logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command allows a device to generate logs when it detects ND attacks. The log information helps administrators locate and solve problems. The ND attack detection logging feature sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see System Management Configuration Guide.
The device performance is degraded when the device outputs a large number of ND attack detection logs. You can disable ND attack detection logging to ensure the device performance.
Examples
# Enable ND attack detection logging.
<Sysname> system-view
[Sysname] ipv6 nd detection log enable
ipv6 nd detection port-match-ignore
Use ipv6 nd detection port-match-ignore to ignore ingress ports of ND packets in ND attack detection.
Use undo ipv6 nd detection port-match-ignore to remove the configuration.
Syntax
ipv6 nd detection port-match-ignore
undo ipv6 nd detection port-match-ignore
Default
Ingress ports of ND packets are examined in ND attack detection.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
With ND attack detection enabled, the device performs security checks on received packets based on the local and remote IPSG bindings. Remote IPSG bindings do not contain port information, so the device drops ND packets that match remote IPSG bindings because it cannot find matching ingress ports for these packets. To prevent the device from dropping these packets, you can configure the device to ignore the ingress ports of ND packets. With this feature configured, the device does not examine the ingress ports of ND packets, so ND packets that match remote IPSG bindings are not dropped.
Operating mechanism
This command configures ND attack detection to ignore the ingress port information of ND packets when the packets are compared with the entries in ND attack detection.
Examples
# Ignore ingress ports of ND packets in ND attack detection.
<Sysname> system-view
[Sysname] ipv6 nd detection port-match-ignore
ipv6 nd detection trust
Use ipv6 nd detection trust to configure an interface as an ND trusted interface.
Use undo ipv6 nd detection trust to restore the default.
Syntax
ipv6 nd detection trust
undo ipv6 nd detection trust
Default
All interfaces are ND untrusted interfaces. All ACs are ND untrusted ACs.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Ethernet service instance view (AC)
Predefined user roles
network-admin
Examples
# Configure GigabitEthernet 1/0/1 as an ND trusted interface.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd detection trust
# Configure Bridge-Aggregation 1 as an ND trusted interface.
<Sysname> system-view
[Sysname] interface bridge-aggregation 1
[Sysname-Bridge-Aggregation1] ipv6 nd detection trust
# Configure Ethernet service instance 1 on GigabitEthernet 1/0/1 as an ND trusted AC.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] service-instance 1
[Sysname-GigabitEthernet1/0/1-srv1] ipv6 nd detection trust
reset ipv6 nd detection statistics
Use reset ipv6 nd detection statistics to clear ND attack detection statistics.
Syntax
reset ipv6 nd detection statistics [ interface interface-type interface-number [ service-instance instance-id ] ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ND attack detection statistics for all interfaces.
service-instance instance-id: Specifies an Ethernet service instance by its ID in the range of 1 to 4096. If you do not specify an Ethernet service instance, this command clears ND attack detection statistics in all Ethernet service instances on the specified interface.
Examples
# Clear all ND attack detection statistics.
<Sysname> reset ipv6 nd detection statistics
ND scanning commands
ipv6 nd scan auto enable
Use ipv6 nd scan auto enable to enable automatic ND scanning in a specified address range on an interface.
Use undo ipv6 nd scan auto enable to disable automatic ND scanning on an interface.
Syntax
ipv6 nd scan auto enable start-ipv6-address to end-ipv6-address [ source-addr source-ipv6-address ]
undo ipv6 nd scan auto enable
Default
Automatic ND scanning is disabled on an interface.
Views
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VSI interface view
Predefined user roles
network-admin
Parameters
start-ipv6-address: Specifies the start IPv6 address of the scanning range.
to end-ipv6-address: Specifies the end IPv6 address of the scanning range. The end IPv6 address must be higher than or equal to the start IPv6 address. The maximum number of IPv6 addresses in the range is 65535.
source-addr source-ipv6-address: Specifies the source address for the NS requests. The source-ipv6-address argument can be any valid IPv6 address. If you do not specify this option, the interface uses its IPv6 address as the source address.
Usage guidelines
The device automatically creates ND entries by NS and NA messages when triggered by traffic. If no traffic is received or sent in a period of time, the ND entries cannot be created or updated in time.
To resolve this issue, you can enable the automatic ND scanning feature on the device. This feature enables the device to periodically send ND packets (NS requests) at a specified rate to the IPv6 addresses not in the specified ND entries.
You can specify the source address for the NS requests when you enable automatic ND scanning on an interface:
· If you do not specify the source address, the interface uses its IPv6 address as the source address. The interface scans the IPv6 addresses that belong to both the automatic ND scanning range and the subnet of the interface IPv6 address.
If the interface is configured with multiple subnet IPv6 addresses and the addresses are also in the scanning range, the source address is the IPv6 address with the longest prefix. If the prefixes are the same length, the source address is the primary IPv6 address for the interface.
· If you specify the source address, the interface uses the specified source address, and it scans all the IPv6 addresses in the automatic ND scanning range.
If the interface is enabled with ND proxy, the specified source address does not affect the Layer 3 forwarding route. For more information about ND proxy, see IPv6 basics in Layer 3—IP Services Configuration Guide.
You can set the ND packet sending rate by using the ipv6 nd scan auto send-rate command.
To avoid any impact on device performance, use automatic ND scanning only on networks where users come online and go offline frequently.
Examples
# Configure the device to scan neighbors in an address range.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd scan auto enable 2001::1 to 2001::10
ipv6 nd scan auto send-rate
Use ipv6 nd scan auto send-rate to set the ND packet sending rate for automatic ND scanning.
Use undo ipv6 nd scan auto send-rate to restore the default.
Syntax
ipv6 nd scan auto send-rate { ppm ppm | pps }
undo ipv6 nd scan auto send-rate
Default
The device sends ND packets at the rate of 48 pps during automatic ND scanning.
Views
System view
Predefined user roles
network-admin
Parameters
ppm ppm: Specifies the ND packet sending rate, in packets per minute (ppm). The value range for the ppm argument is 10 to 600, and the value must be a multiple of 10. Otherwise, a configuration error occurs.
pps: Specifies the ND packet sending rate, in packets per second (pps). The value range for the pps argument is 10 to 1000, and the value must be a multiple of 10. Otherwise, a configuration error occurs.
Usage guidelines
This command enables the device to periodically send ND packets (NS requests) at a specified rate. You can adjust the ND packet sending rate to avoid impact on device performance.
To avoid any impact on device performance, the actual ND packet sending rate might be smaller than the configured rate.
Examples
# Set the ND packet sending rate to 10 pps during automatic ND scanning.
<Sysname> system-view
[Sysname] ipv6 nd scan auto send-rate 10
Related commands
ipv6 nd scan auto enable
ND SNMP notification commands
snmp-agent trap enable nd
Use snmp-agent trap enable nd to enable SNMP notifications for ND.
Use undo snmp-agent trap enable nd to disable SNMP notifications for ND.
Syntax
snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | user-ip-conflict ] *
undo snmp-agent trap enable nd [ entry-limit | local-conflict | nd-miss | user-ip-conflict ] *
Default
SNMP notifications for ND are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
entry-limit: Specifies ND entry limit notifications.
local-conflict: Specifies endpoints and local device conflict notifications.
nd-miss: Specifies rate limit notifications for sending ND Miss messages and ND packets.
user-ip-conflict: Specifies user IPv6 address conflict notifications.
Usage guidelines
Enable SNMP notifications for ND as required.
· If you enable ND entry limit notifications, the device sends the current ND entry information as a notification to the SNMP module when the number of ND entries exceeds the alarm threshold.
· If you enable endpoint and local device conflict notifications, the device sends a notification to the SNMP module when an endpoint and local device conflict occurs. The notification includes the source IPv6 address, source MAC address, destination IPv6 address, and destination MAC address in the conflicting ND packet.
· If you enable rate limit notifications for sending ND Miss messages and ND packets, the device sends the highest threshold-crossed rate as a notification to the SNMP module. When the device receives an IP packet in which the destination IP address is unresolvable, it sends an ND Miss message to the CPU.
· If you enable user IPv6 address conflict notifications, the device sends a notification to the SNMP module when a user IPv6 address conflict occurs. The notification includes the source IPv6 and MAC addresses in the conflicting ND packet, and the MAC address in the corresponding local ND entry.
If you do not specify any keywords, this command enables all SNMP notifications for ND.
For ND event notifications to be sent correctly, you must also configure SNMP on the device. For more information, see SNMP configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for endpoint and local device conflicts.
<Sysname> system-view
[Sysname] snmp-agent trap enable nd local-conflict
ND keepalive entry scanning commands
display ipv6 nd scan keepalive entry
Use display ipv6 nd scan keepalive entry to display ND keepalive entries.
Syntax
display ipv6 nd scan keepalive entry [ interface interface-type interface-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays ND keepalive entries for all interfaces.
count: Displays the total number of ND keepalive entries.
Examples
<Sysname> display ipv6 nd scan keepalive entry
Interface: GE1/0/1
IPv6 address: 1::23 MAC address: 08-00-27-00-50-38
VLANID: 1 SECVLANID: 1
Port interface: -- VPN instance: --
Scan status: 1 Probe count: 10
Scan time: 08:01:01
Table 2 Command output
Field | Description |
---|---|
Interface | Name of the Layer 3 interface. |
IPv6 address | IPv6 address in the ND keepalive entry. |
MAC address | MAC address in the ND keepalive entry. |
VLANID | ID of the primary VLAN. |
SECVLANID | ID of the secondary VLAN. |
Port interface | Layer 2 input interface for ND packets. |
VPN instance | Name of the VPN instance. |
Scan status | Status of the ND keepalive entry: · 0—Offline. · 1—Online. |
Probe count | Number of scans on the ND keepalive entry. |
Scan time | Time when the ND keepalive entry became offline, in hh:mm:ss format. · hh—Represents the hours. · mm—Represents the minutes. · ss—Represents the seconds. |
display ipv6 nd scan keepalive statistics
Use display ipv6 nd scan keepalive statistics to display statistics about ND keepalive entry scanning.
Syntax
display ipv6 nd scan keepalive statistics [ slot slot-number ] [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics about ND keepalive entry scanning for all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about ND keepalive entry scanning on all cards.
Usage guidelines
Interfaces enabled with ND keepalive entry scanning send NS packets to the IPv6 addresses in offline ND keepalive entries until the entries return to online state. This command displays the number of NS packets sent to the IPv6 addresses in the offline keepalive entries in the last five seconds, one minute, and five minutes.
A large number of NS packets indicates that there are many offline keepalive entries or that some offline entries have remained in offline state for a long time. The reasons and solutions are as follows:
1. Use the display ipv6 nd scan keepalive entry command to identify the number of offline keepalive entries.
2. If the number of offline keepalive entries is large, check the aging time set for offline keepalive entries. Shorten the aging time if it is too long.
3. If the aging time is proper, the problem might be caused by too many abnormal user offline events. In this case, check the network configuration and condition.
4. If the number of offline keepalive entries is not large, the problem might be because some offline keepalive entries cannot restore online state through NS packets. In this case, troubleshoot according to the offline entries.
Examples
# Display statistics about NS packets sent to the IPv6 addresses in offline keepalive entries on slot 1.
<Sysname> display ipv6 nd scan keepalive statistics slot 1
Scanning statistics for slot 1:
Total NS packets: 1000 packets
Start time for statistics: 12:20:30
Interface 5 secs 1 min 5 mins
GigabitEthernet1/0/1 123 200 230
GigabitEthernet1/0/2 0 0 0
GigabitEthernet1/0/3 0 0 0
GigabitEthernet1/0/4 0 0 0
GigabitEthernet1/0/5 0 0 0
GigabitEthernet1/0/6 0 0 0
Table 3 Command output
Field | Description |
---|---|
Total NS packets | Total number of NS packets sent to the IPv6 addresses in offline keepalive entries. |
Start time for statistics | Time when the device started counting the number of NS packets sent to the IPv6 addresses in offline keepalive entries. |
Interface | Name of an interface that sends NS packets to the IPv6 addresses in offline keepalive entries. |
5 secs | Number of the NS packets sent in the last five seconds. |
1 min | Number of the NS packets sent in the last one minute. |
5 mins | Number of the NS packets sent in the last five minutes. |
Related commands
reset ipv6 nd scan keepalive statistics
ipv6 nd scan keepalive aging-time
Use ipv6 nd scan keepalive aging-time to set the aging time for ND keepalive entries.
Use undo ipv6 nd scan keepalive aging-time to restore the default.
Syntax
ipv6 nd scan keepalive aging-time time
undo ipv6 nd scan keepalive aging-time
Default
In system view, the aging time for ND keepalive entries is 60 minutes.
In interface view, the aging time for ND keepalive entries is the aging time set in system view.
Views
System view
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VSI interface view
Predefined user roles
network-admin
Parameters
time: Specifies the aging time for ND keepalive entries in minutes. The value range for this argument is 1 to 1440.
Usage guidelines
Application scenarios
With ND keepalive entry scanning enabled, the device generates a keepalive entry in online state for a user that comes online. If the user goes offline abnormally, the device will perform the following tasks:
· Set the state of the keepalive entry for that user to offline state.
· Delete the keepalive entry if its state does not restore to online after the aging time elapses.
To enable ND keepalive entry scanning, use the ipv6 nd scan keepalive enable command. For more information about ND keepalive entry scanning, see the configuration guide.
Operating mechanism
You can set the aging time for ND keepalive entries in both system view and interface view. The aging time set in interface view takes precedence over the aging time set in system view. In interface view, the default aging time for ND keepalive entries is the aging time set in system view.
Examples
# Set the aging time for ND keepalive entries to 10 minutes.
<Sysname> system-view
[Sysname] ipv6 nd scan keepalive aging-time 10
# Set the aging time for ND keepalive entries to 100 minutes on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd scan keepalive aging-time 100
Related commands
ipv6 nd scan keepalive enable
ipv6 nd scan keepalive enable
Use ipv6 nd scan keepalive enable to enable ND keepalive entry scanning.
Use undo ipv6 nd scan keepalive enable to disable ND keepalive entry scanning.
Syntax
ipv6 nd scan keepalive enable
undo ipv6 nd scan keepalive enable
Default
ND keepalive entry scanning is disabled on an interface.
Views
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VSI interface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
In a large-scale network, it takes a long time for ND scanning to identify the hosts that go offline abnormally if you specify a large scanning range. After you enable ND keepalive entry scanning, the system can quickly locate those hosts and monitor the host status within the aging time.
Operating mechanism
When users come online, the system generates ND entries and IPSG binding entries. With ND keepalive entry scanning enabled, the system also creates online keepalive entries when users come online. If users go offline, the corresponding ND entries are deleted and the status of the keepalive entries is set to offline. The device sends NS packets at intervals to the IPv6 addresses in the offline keepalive entries until the keepalive entries become online again.
The interval varies with the number of NS packets that have been sent to the IPv6 address in an offline keepalive entry:
· If the number is not greater than 50, the device sends an NS packet every 30 seconds.
· If the number is greater than 50 but not greater than 100, the device sends an NS packet every 45 seconds.
· If the number is greater than 100, the device sends an NS packet every 60 seconds.
To view the keepalive entries, use the display ipv6 nd scan keepalive entry command.
For more information about IP source guard configuration, see Security Configuration Guide.
Restrictions and guidelines
The offline keepalive entries are deleted when the aging time expires. To set the aging time for ND keepalive entries, use the ipv6 nd scan keepalive aging-time command.
Examples
# Enable ND keepalive entry scanning on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipv6 nd scan keepalive enable
Related commands
display ipv6 nd scan keepalive entry
ipv6 nd scan keepalive send-rate
ipv6 nd scan keepalive send-rate
Use ipv6 nd scan keepalive send-rate to set the NS packet sending rate for keepalive entry scanning.
Use undo ipv6 nd scan keepalive send-rate to restore the default.
Syntax
ipv6 nd scan keepalive send-rate pps
undo ipv6 nd scan keepalive send-rate
Default
The device sends NS packets at a rate of 48 pps during keepalive entry scanning.
Views
System view
Predefined user roles
network-admin
Parameters
pps: Specifies the NS packet sending rate, in packets per second (pps). The value range for this argument is 10 to 1000, and the value must be a multiple of 10.
Usage guidelines
Application scenarios
With keepalive entry scanning enabled, the interface sends NS packets to the IPv6 addresses in the offline keepalive entries. To avoid any impact on the device performance, use this command to set the NS packet sending rate for keepalive entry scanning.
Operating mechanism
If the status of a keepalive entry is set to offline and does not become online within an interval, the keepalive entry is to be scanned. The interface sends an NS packet per second to the IPv6 address in each keepalive entry to be scanned.
The NS packet sending rate is the maximum number of scanned keepalive entries per second.
· If the number of keepalive entries to be scanned per second is lower than the sending rate, the device scans all these keepalive entries within a second.
· If the number of keepalive entries to be scanned per second is greater than the sending rate, the device scans the keepalive entries at the sending rate.
Restrictions and guidelines
When you set the sending rate to a large value, the device might use a rate lower than the specified rate to ensure the device performance.
Examples
# Set the NS packet sending rate to 10 pps during keepalive entry scanning.
<Sysname> system-view
[Sysname] ipv6 nd scan keepalive send-rate 10
Related commands
ipv6 nd scan keepalive enable
reset ipv6 nd scan keepalive statistics
Use reset ipv6 nd scan keepalive statistics to clear statistics about ND keepalive entry scanning.
Syntax
reset ipv6 nd scan keepalive statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics about ND keepalive entry scanning on all cards.
Usage guidelines
This command clears statistics about the NS packets sent to the IPv6 addresses in offline keepalive entries and resets the start time of NS packet statistics collection.
The NS packet count and the statistics start time displayed by the display ipv6 nd scan keepalive statistics command are the data collected since the most recent execution of the reset ipv6 nd scan keepalive statistics command.
Examples
# Clear statistics about NS packets sent to the IPv6 addresses in offline keepalive entries.
<Sysname> reset ipv6 nd scan keepalive statistics
Related commands
display ipv6 nd scan keepalive statistics