ND attack defense configuration commands
Source MAC consistency check commands
ipv6 nd mac-check enable
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the ipv6 nd mac-check enable command to enable source MAC consistency check for ND packets.
Use the undo ipv6 nd mac-check enable command to disable source MAC consistency check for ND
packets.
By default, source MAC consistency check is disabled for ND packets.
In a typical forged ND packet, the Ethernet frame header conveys a source MAC address different than
the source link layer address option. To filter out these invalid ND packets, use the source MAC
consistency check function to check ND packets for MAC address inconsistency.
NOTE:
If VRRP is used, disable source MAC consistency check for ND packets to prevent incorrect dropping of
packets. With VRRP, the NA message always conveys a MAC address different than the source link
layer address option.
Examples
# Enable source MAC consistency check for ND packets.
<Sysname> system-view
[Sysname] ipv6 nd mac-check enable
331