F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Command Reference-6PW100
ND attack defense configuration commands
The following matrix shows the feature and hardware compatibility:
Hardware                 ND attack defense compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  Yes
F5000                    Yes
Firewall module          Yes
U200-A                   Yes
U200-S                   No
Source MAC consistency check commands
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check is disabled for ND packets.
Views
System view
Default command level
2: System level
Usage guidelines
In a typical forged ND packet, the source MAC address in the Ethernet frame header differs from the
MAC address in the source link layer address option. To filter out these invalid ND packets, use the
source MAC consistency check function to check ND packets for this MAC address inconsistency.
If VRRP is used, disable source MAC consistency check for ND packets to prevent packets from being
dropped incorrectly. With VRRP, the NA message always conveys a MAC address that differs from the
source link layer address option.
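The comparison described in these guidelines, as an added Python example (not HP's implementation and not code from this reference). The frames are constructed samples, nd_mac_check and build_nd are hypothetical names, and treating the NA target link-layer address option like the source option is an assumption made to show the VRRP case.

```python
import struct

# ND message type -> link-layer address option type compared (RFC 4861).
# Checking the target option (type 2) in NA is an assumption of this sketch.
ND_LLADDR_OPT = {133: 1, 134: 1, 135: 1, 136: 2}
# Octets between the 4-octet ICMPv6 header and the first option, per type.
ND_FIXED_LEN = {133: 4, 134: 12, 135: 20, 136: 20}

def nd_mac_check(frame: bytes) -> str:
    """Return 'pass', 'drop' or 'not-nd' for one untagged Ethernet frame."""
    if len(frame) < 58 or frame[12:14] != b"\x86\xdd":
        return "not-nd"
    eth_src, ip6 = frame[6:12], frame[14:]
    if ip6[6] != 58:          # ICMPv6 directly after IPv6; no extension headers
        return "not-nd"
    icmp = ip6[40:]
    want = ND_LLADDR_OPT.get(icmp[0])
    if want is None:
        return "not-nd"
    opts = icmp[4 + ND_FIXED_LEN[icmp[0]]:]
    while opts:
        if len(opts) < 2 or opts[1] == 0 or opts[1] * 8 > len(opts):
            return "drop"     # truncated or zero-length option
        if opts[0] == want and opts[2:8] != eth_src:
            return "drop"     # frame header and option disagree
        opts = opts[opts[1] * 8:]
    return "pass"

def build_nd(eth_src: bytes, icmp_type: int, opt_mac: bytes) -> bytes:
    """Build a constructed sample frame (zero addresses, checksum not set)."""
    body = (bytes([icmp_type, 0, 0, 0]) + bytes(ND_FIXED_LEN[icmp_type])
            + bytes([ND_LLADDR_OPT[icmp_type], 1]) + opt_mac)
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), 58, 255) + bytes(32)
    return b"\x33\x33\x00\x00\x00\x01" + eth_src + b"\x86\xdd" + ip6 + body

# Constructed sample addresses.
HOST = bytes.fromhex("001122334455")        # sender's real interface MAC
FORGED = bytes.fromhex("02deadbeef01")      # MAC claimed by a forged option
VRRP_VMAC = bytes.fromhex("00005e000201")   # VRRP IPv6 virtual MAC, VRID 1

if __name__ == "__main__":
    print(nd_mac_check(build_nd(HOST, 135, HOST)))       # consistent NS
    print(nd_mac_check(build_nd(HOST, 135, FORGED)))     # forged NS
    print(nd_mac_check(build_nd(HOST, 136, VRRP_VMAC)))  # VRRP master's NA
```

The third sample models a legitimate NA from a VRRP master, sent from the physical interface MAC with the virtual MAC in the option; the check drops it, which is the incorrect dropping the VRRP guideline refers to.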
Examples
# Enable source MAC consistency check for ND packets.
<Sysname> system-view