ipv6 nd source-mac threshold

Function

The ipv6 nd source-mac threshold command sets an attack detection threshold for ND messages with fixed source MAC addresses.

The undo ipv6 nd source-mac threshold command restores the default attack detection threshold for ND messages with fixed source MAC addresses.

The default attack detection threshold is 30 for ND messages with fixed source MAC addresses.

Format

ipv6 nd source-mac threshold threshold-value

undo ipv6 nd source-mac threshold [ threshold-value ]

Parameters

Parameter Description Value
threshold-value

Specifies an attack detection threshold for ND messages with fixed source MAC addresses.

The value is an integer ranging from 1 to 5000.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
nd write

Usage Guidelines

Usage Scenario

The ND protocol has powerful functions. However, if there is no security mechanism, the ND protocol can be easily used by attackers. The system collects statistics about ND messages sent to the CPU based on the source MAC addresses of the messages. You can run the ipv6 nd source-mac threshold command to set an attack detection threshold for ND messages with fixed source MAC addresses.If the number of ND messages with the same source MAC address received within 5 seconds exceeds a specified threshold, the system considers that an attack occurs and adds the MAC address to an attack entry. Before the attack entry ages out. If a MAC address is added to an ND attack entry, the MAC address is aged out after the aging time expires.

Example

# Set an attack detection threshold for ND messages with fixed source MAC addresses to 50.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd source-mac threshold 50
Parent Topic: IPv6 ND Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >