Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Basic IPv6 Configuration Commands

NOTE:

The CE6810LI does not support IPv6 Layer 3 forwarding. After the IPv6 function is enabled on an interface of the CE6810LI, the configured IPv6 address can only be used to manage the switch.

assign forward ipv6 longer-mask resource

Function

The assign forward ipv6 longer-mask resource command specifies the number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits.

The undo assign forward ipv6 longer-mask resource command deletes the configuration of the specified number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits.

By default, the number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits is not specified on a switch.

NOTE:

The CE5810EI, CE5850HI, CE6810EI, CE6810LI, CE6850EI, CE6880EI, and CE6870EI do not support this command.

Format

assign forward ipv6 longer-mask resource ipv6-address-number

undo assign forward ipv6 longer-mask resource [ ipv6-address-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ipv6-address-number | Specifies the number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits permitted on a switch. | The value can be 256, 512, 1024, or 2048. |

NOTE:

When the system resource mode is large routing (configured using the system resource command) on the device, the value of ipv6-address-number can only be 1024.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before configuring IPv6 addresses or IPv6 routes with prefixes longer than 64 bits, run the assign forward ipv6 longer-mask resource command to specify the number of IPv6 addresses and routes with prefixes longer than 64 bits supported by the switch.

Precautions

After the number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits permitted on a switch is specified using the assign forward ipv6 longer-mask resource command, the number of routes on the IPv6 network segment and that on the IPv4 network segment are reduced.

Follow-up Procedure

After running the assign forward ipv6 longer-mask resource command to specify the number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits permitted on a switch, run the save command to save the configuration and run the reboot command to restart the switch to make the configuration take effect.

Example

# Set the number of IPv6 addresses or IPv6 routes with prefixes longer than 64 bits permitted on a switch to 256.

<HUAWEI> system-view
[~HUAWEI] assign forward ipv6 longer-mask resource 256

display icmpv6 statistics

Function

The display icmpv6 statistics command displays ICMPv6 traffic statistics.

Format

display icmpv6 statistics [ interface interface-type interface-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface interface-type interface-number | Specifies the interface type and interface number. If this parameter is specified, ICMPv6 traffic statistics on the specified interface are displayed. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The output of the display icmpv6 statistics command shows statistics about sent and received ICMPv6 error messages and the four types of ICMPv6 messages used in the neighbor discovery mechanism: RS, RA, NS, and NA messages.

In the ping IPv6 operation, you can run the display icmpv6 statistics command on the device and check whether the total number of sent and received messages on the device is correct based on the command output.

Precautions

The total number of messages received by the switch includes the number of messages forwarded by the switch, the number of messages delivered by the switch to the upper layer, and the number of messages discarded by the switch.

Example

# Display the statistics about ICMPv6 messages processed by the device.

<HUAWEI> display icmpv6 statistics
  Sent packets:
    Total              : 0
    Unreached          : 0              Prohibited         : 0
    Hop count exceeded : 0              Parameter problem  : 0
    Too big            : 0              Echoed             : 0
    Echo replied       : 0              Router solicit     : 0
    Router advert      : 0              Neighbor solicit   : 2
    Neighbor advert    : 0              Redirected         : 0
    Rate limited       : 0                             
  Received packets:
    Total              : 0              Format error       : 0
    Checksum error     : 0              Too short          : 0
    Bad code           : 0              Bad length         : 0
    Unknown info type  : 0              Unknown error type : 0 
    Unreached          : 0              Prohibited         : 0
    Hop count exceeded : 0              Parameter problem  : 0
    Too big            : 0              Echoed             : 0 
    Echo replied       : 0              Router solicit     : 0
    Router advert      : 0              Neighbor solicit   : 0
    Neighbor advert    : 0              Redirected         : 0
    Rate limited       : 0
Table 8-60  Description of the display icmpv6 statistics command output

Item

Description

Sent packets

Statistics about the sent ICMPv6 messages

Total

Total number of the sent ICMPv6 messages

Unreached

Total number of ICMPv6 Destination Unreachable messages

Prohibited

Total number of the sent ICMPv6 messages to notify that the destination is administratively prohibited

Hop count exceeded

Total number of the sent ICMPv6 messages to notify that the hop limit is exceeded

Parameter problem

Total number of the sent ICMPv6 Parameter Problem messages

Too big

Total number of the sent ICMPv6 Packet Too Big messages

Echoed

Total number of the sent ICMPv6 Echo-Request messages

Echo replied

Total number of the sent ICMPv6 Echo-Reply messages

Router solicit

Total number of the sent Router Solicitation (RS) messages

Router advert

Total number of the sent Router Advertisement (RA) messages

Neighbor solicit

Total number of the sent Neighbor Solicitation (NS) messages

Neighbor advert

Total number of the sent Neighbor Advertisement (NA) messages

Redirected

Total number of the sent ICMPv6 Redirection messages

Rate limited

Total number of the ICMPv6 packets that fail to be sent because of rate limit

Received packets

Statistics about the received ICMPv6 messages

Total

Total number of the received ICMPv6 messages

Format error

Total number of the received ICMPv6 messages notifying format errors

Checksum error

Total number of the received ICMPv6 messages notifying checksum errors

Too short

Total number of the received ICMPv6 messages notifying that the packet length is too short

Bad code

Total number of the received ICMPv6 messages notifying code errors

Bad length

Total number of the received ICMPv6 messages notifying packet length errors

Unknown info type

Total number of the received ICMPv6 messages notifying that the packet is with an unrecognized information type

Unknown error type

Total number of the received ICMPv6 messages notifying that the packet is with an unrecognized error type

Unreached

Total number of the received ICMPv6 Destination Unreachable messages

Prohibited

Total number of ICMPv6 messages notifying that the destination is administratively prohibited

Hop count exceeded

Total number of the received ICMPv6 messages notifying that the hop limit is exceeded

Parameter problem

Total number of the received ICMPv6 Parameter Problem messages

Too big

Total number of the received ICMPv6 Packet Too Big messages

Echoed

Total number of the received ICMPv6 Echo-Request messages

Echo replied

Total number of the received ICMPv6 Echo-Reply messages

Router solicit

Total number of the received RS messages

Router advert

Total number of the received RA messages

Neighbor solicit

Total number of the received NS messages

Neighbor advert

Total number of the received NA messages

Redirected

Total number of the received ICMPv6 Redirection messages

Rate limited

Total number of the ICMPv6 packets that fail to be received because of rate limit

display ipv6 address-policy

Function

The display ipv6 address-policy command displays information about address selection policy entries.

Format

display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address prefix-length }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance. After this parameter is specified, the address selection policy entries of the specified VPN instance can be displayed. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string. |
| all | Displays all the address selection policy entries. | - |
| ipv6-address | Specifies the prefix of an IPv6 address. | The prefix is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| prefix-length | Specifies the prefix length of an IPv6 address. | The value is an integer that ranges from 0 to 128. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When this command is run:

  • If the parameter is specified to be vpn-instance vpn-instance-name, the address selection policy entry of the VPN is displayed.

  • If the parameter is specified to be all, all policy entries (including default policy entries) are displayed.

  • If the parameter is specified to be ipv6-address prefix-length, the policy entry with the specified prefix is displayed.

Precautions

If no address selection policy entry is configured, the default address selection policy entries, that is, the entries with prefixes ::1, ::, 2002::, FC00::, and ::ffff:0.0.0.0, are displayed when this command is run.

Example

# View the address selection policy entries of the VPN instance R1_VPN6.

<HUAWEI> display ipv6 address-policy vpn-instance R1_VPN6 all
Policy Table :
Total:5
-------------------------------------------------------------------------------
Prefix     : ::                                      PrefixLength  : 0
Precedence : 40                                      Label         : 1
Default    : Yes

Prefix     : ::1                                     PrefixLength  : 128
Precedence : 50                                      Label         : 0
Default    : Yes

Prefix     : ::FFFF:0.0.0.0                          PrefixLength  : 96
Precedence : 10                                      Label         : 4
Default    : Yes

Prefix     : 2002::                                  PrefixLength  : 16
Precedence : 30                                      Label         : 2
Default    : Yes

Prefix     : FC00::                                  PrefixLength  : 7
Precedence : 20                                      Label         : 3
Default    : Yes
-------------------------------------------------------------------------------
Table 8-61  Description of the display ipv6 address-policy command output

Item

Description

Policy Table

Information of address selection policy entries

Total

Number of address selection policy entries

Prefix

Prefix of an IPv6 address

PrefixLength

Prefix length of an IPv6 address

Precedence

Indicates the precedence of a policy entry when a destination address is selected.

Label

Indicates the label used to match available policy entries when a source address is selected.

Default

Whether this is a default policy entry

  • YES
  • NO
display ipv6 interface

Function

The display ipv6 interface command displays IPv6 information about an interface.

Format

display ipv6 interface [ interface-type interface-number | brief ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface-type | Specifies the interface type. | - |
| interface-number | Specifies the interface number. | - |
| brief | Displays brief information about the interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

If an interface is assigned an IPv6 address, run the display ipv6 interface command to view the IPv6 status and configuration on this interface.

Precautions

Ensure that the designated interfaces are assigned IPv6 addresses; otherwise, you cannot view information on the interfaces.

Follow-up Procedure

You can run the display interface description command to view the description of the interface.

You can run the display interface command to view detailed information about the operation and statistics of the interface.

Example

# Display IPv6 information on 10GE 1/0/1.

<HUAWEI> display ipv6 interface 10GE 1/0/1
10GE1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001:db8::1, subnet is 2001:db8::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
Table 8-62  Description of the display ipv6 interface command output

Item

Description

10GE1/0/1 current state

Physical status of 10GE1/0/1
  • UP

  • DOWN

  • Administratively DOWN

IPv6 protocol current state

Protocol status of the interface
  • UP

  • DOWN

link-local address

Link local address configured for that interface

Global unicast address(es)

All unicast addresses configured on that interface

  • If the value is DUPLICATED, an IPv6 address status conflict occurs. For details about how to address the conflict, see Troubleshooting > IP Forwarding and Routing > IPv6 Forwarding in CE8800, CE7800, CE6800, and CE5800 series switches.
  • If the involved ND entry does not exist, the ND entry fails to be created. For details about how to address the issue, see Troubleshooting > IPv6 Address Conflicts Occur on Interfaces > ND Entries Cannot Be Learned in CE8800, CE7800, CE6800, and CE5800 series switches.

Joined group address(es)

All multicast addresses that have joined the interface

MTU

Maximum transmission unit for that interface

Number of DAD attempts

Number of duplicate address detection (DAD) attempts

ND reachable time

Time period for a neighbor to keep reachable

ND retransmit interval

Retransmission interval

Hosts use stateless autoconfig for addresses

Stateless address auto configuration

# Display brief IPv6 information of all interfaces.

<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
(d): Dampening Suppressed

Interface                    Physical              Protocol VPN
10GE1/0/1         up                    up       ifm_abcdefghijklmn
[IPv6 Address] 2001:db8::1
10GE1/0/2         up                    up       --
[IPv6 Address] 2001:db8::2
Table 8-63  Description of the display ipv6 interface brief command output

Item

Description

*down

Reason that interface is physically Down.

Administratively DOWN: The network administrator runs the shutdown command on the interface.

!down

The interface goes Down because the number of route prefixes in the FIB exceeds the upper limit.

(l): loopback

The loopback function is configured on the interface.

(s): spoofing

The spoofing feature of the link protocol status of the interface. That is, the link protocol status of the interface is always Up.

This is a built-in attribute of the interface. When this interface is assigned an IP address, (s) is still displayed.

(d): Dampening Suppressed

The flapping control function is configured on the interface.

Interface

Interface name.

Physical

Physical status of the interface:
  • up

  • down

  • Administratively DOWN

Protocol

Status of the link protocol:
  • up

  • down

VPN

Status of a virtual private network (VPN) configured on the interface:
  • -: No VPN is configured
  • ifm01234567...: Specifies the name of a VPN instance.
IPv6 Address

IP address of the interface.

display ipv6 nd security nonce

Function

The display ipv6 nd security nonce command displays the Nonce value of the current secure ND transaction.

Format

display ipv6 nd security nonce interface-type interface-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface-type interface-number | Specifies the type and the number of an interface. That is, the Nonce value in the SEND message on the specified interface is displayed. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Nonce option contains a random number selected by the sender of a solicitation message. This option prevents replay attacks during packet exchange. For example, a sender sends an NS message carrying the Nonce option and receives an NA message as a response that also carries the Nonce option; the sender verifies the NA message based on the Nonce option.

You can run the display ipv6 nd security nonce command to view the Nonce value in a SEND message and the IPv6 address of the peer interface.

Example

# Display the Nonce value in the SEND message on 10GE 1/0/1.

<HUAWEI> display ipv6 nd security nonce 10ge 1/0/1
Total Number of Nonce Entries : 1
--------------------------------------------------------------
Peer Address                                  Nonce Value
--------------------------------------------------------------
FE80::1CA1:5572:34D5:632F                  0x57 22 da 69 01 b3
Table 8-64  Description of the display ipv6 nd security nonce command output
Item

Description

Total Number of Nonce Entries

Total number of Nonce entries

Peer Address

IPv6 address of the peer interface

Nonce Value

Nonce value in an SEND message
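
The NS/NA Nonce check described in the Usage Guidelines above, together with a parser for the display ipv6 nd security nonce table, as an added example that is not part of the original command reference or of the device software. The class and function names are hypothetical, the sample text is constructed in the layout of the example output, and the 6-byte length follows the value shown there.

```python
import hmac
import os
import re

NONCE_LEN = 6  # assumption: same length as the 6-byte value in the example output

# Constructed sample in the layout of the example output on this page.
SAMPLE = """\
Total Number of Nonce Entries : 1
--------------------------------------------------------------
Peer Address                                  Nonce Value
--------------------------------------------------------------
FE80::1CA1:5572:34D5:632F                  0x57 22 da 69 01 b3
"""

ENTRY_RE = re.compile(r"^\s*([0-9A-Fa-f:]+)\s+0x((?:[0-9A-Fa-f]{2}\s?)+)\s*$")


def parse_nonce_entries(text):
    """Return {peer address: nonce bytes} from the command output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1).upper()] = bytes.fromhex(m.group(2))
    return entries


class SolicitationTracker:
    """Sender side of the exchange: one outstanding Nonce per peer."""

    def __init__(self):
        self._pending = {}

    def solicit(self, peer):
        """Pick a fresh random Nonce for an outgoing NS and remember it."""
        nonce = os.urandom(NONCE_LEN)
        self._pending[peer.upper()] = nonce
        return nonce

    def verify_advertisement(self, peer, nonce):
        """Accept an NA only if it echoes the Nonce of the outstanding NS.

        The entry is removed on success, so a second copy of the same NA
        (a replay) no longer matches anything and is rejected.
        """
        expected = self._pending.get(peer.upper())
        if expected is None or nonce is None:
            return False
        if not hmac.compare_digest(expected, nonce):
            return False
        del self._pending[peer.upper()]
        return True


if __name__ == "__main__":
    print(parse_nonce_entries(SAMPLE))
    tracker = SolicitationTracker()
    peer = "FE80::1CA1:5572:34D5:632F"
    n = tracker.solicit(peer)
    print("first NA accepted:", tracker.verify_advertisement(peer, n))
    print("replayed NA accepted:", tracker.verify_advertisement(peer, n))
```
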

display ipv6 nd security statistics

Function

The display ipv6 nd security statistics command displays the statistics of IPv6 SEND messages on a specified interface.

Format

display ipv6 nd security statistics interface-type interface-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface-type interface-number | Displays statistics of IPv6 SEND messages on a specified interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To check whether SEND functions properly, run the display ipv6 nd security statistics command.

Example

# Display the statistics on SEND messages on 10GE 1/0/1.

<HUAWEI> display ipv6 nd security statistics 10ge 1/0/1
Received Packet Statistics:
------------------------------------------------------------------------------
Type                      NA         NS         RA         RS         Redirect
------------------------------------------------------------------------------
Total                     0          0          0          0          0
Secured                   0          0          0          0          0
Unsec: No CGA             0          0          0          0          0
Unsec: No RSA             0          0          0          0          0
Unsec: KeyLen Mismatch    0          0          0          0          0
Unsec: Others             0          0          0          0          0

Sent Packet Statistics:
------------------------------------------------------------------------------
Type                      NA         NS         RA         RS         Redirect
------------------------------------------------------------------------------
Sent                      0          0          0          0          0
Aborted                   0          0          0          0          0

Dropped Packet Statistics:
------------------------------------------------------------------------------
Type                      NA         NS         RA         RS         Redirect
------------------------------------------------------------------------------
No Nonce                  0          0          0          0          0
No TS                     0          0          0          0          0
CGA Verify Fail           0          0          0          0          0
RSA Verify Fail           0          0          0          0          0
Nonce Verify Fail         0          0          0          0          0
TS Verify Fail            0          0          0          0          0
RateLimit                 0          0          0          0          0
Fully Secured Mode        0          0          0          0          0
Table 8-65  Description of the display ipv6 nd security statistics command output

Item

Description

Received Packet Statistics

Statistics on received messages

Type

Message type, including NA, NS, Router Advertisement (RA), Router Solicitation (RS), and Redirect messages

Total

Total number of received ND messages, including secure and insecure messages

Secured

Number of received secure ND messages that have passed the Nonce, Timestamp, CGA, and RSA authentication

Unsec: No CGA

Number of received ND messages that carry some security options but are considered insecure due to the following reasons in non-strict security mode:
  • The source addresses of received RS messages are not unspecified addresses and do not carry the CGA option.
  • The NS, NA, and RA messages do not carry the CGA option.

Unsec: No RSA

Number of received ND messages that carry some security options but are considered insecure due to the following reasons in non-strict security mode:
  • The source addresses of received RS messages are not unspecified addresses and do not carry the RSA option.
  • The NS, NA, and RA messages do not carry the RSA option.

Unsec: KeyLen Mismatch

Number of received ND messages that carry the Nonce, Timestamp, CGA, or RSA options and pass the Nonce, Timestamp, and CGA authentication but are considered insecure because the key length exceeds the allowable range in non-strict security mode.

Unsec: Others

Number of ND messages that are considered insecure in non-strict security mode for reasons including, but not limited to, the following:
  1. The received ND messages do not carry any security option (Nonce, Timestamp, CGA, or RSA option).
  2. The received ND messages carry some security options but not Nonce and Timestamp options.
  3. The received ND messages carry the RSA option but not the Timestamp option.
  4. The received RS/NS messages carry the RSA option but not the Nonce option.
These four reasons are listed in sequence, and the statistics are collected only once for ND messages that are considered insecure due to any of these reasons.

Sent Packet Statistics

Statistics on sent messages

Sent

Total number of sent ND messages

Aborted

Total number of messages that are discarded before being sent

Dropped Packet Statistics

Statistics about discarded packets in strict security mode

No Nonce

Number of received RS/NS messages that carry the RSA option but not the Nonce option in strict security mode

No TS

Number of received ND messages that carry the RSA option but not the Timestamp option in strict security mode

CGA Verify Fail

Number of messages that fail CGA authentication in strict security mode

RSA Verify Fail

Number of messages that fail RSA authentication and whose RSA key length exceeds the allowable range in strict security mode

Nonce Verify Fail

Number of messages that fail Nonce authentication in strict security mode

TS Verify Fail

Number of messages that fail Timestamp authentication in strict security mode

RateLimit

Number of messages that are discarded because the RSA signature computation and authentication rates exceed the upper limits in strict security mode

Fully Secured Mode

Number of messages that are discarded because they are considered insecure due to any of the following reasons in strict security mode:
  • The source addresses of received RS messages are not unspecified addresses and do not carry the CGA or RSA option.
  • The source addresses of received RS messages are not unspecified addresses.
  • The NS, NA, and RA messages do not carry the CGA or RSA option.
  • The received ND messages carry some security options but not Nonce and Timestamp options.
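
One way to turn the display ipv6 nd security statistics output into a SEND health check, following the counter descriptions in the table above. This is an added example, not part of the original command reference; the function names are hypothetical and the sample output is constructed, with non-zero counters filled in only to exercise the logic.

```python
import re

COLUMNS = ("NA", "NS", "RA", "RS", "Redirect")

# Constructed sample: same layout as the example output, counters invented.
SAMPLE = """\
Received Packet Statistics:
------------------------------------------------------------------------------
Type                      NA         NS         RA         RS         Redirect
------------------------------------------------------------------------------
Total                     4          12         2          0          0
Secured                   4          9          2          0          0
Unsec: No CGA             0          3          0          0          0
Unsec: No RSA             0          0          0          0          0
Unsec: KeyLen Mismatch    0          0          0          0          0
Unsec: Others             0          0          0          0          0

Sent Packet Statistics:
------------------------------------------------------------------------------
Type                      NA         NS         RA         RS         Redirect
------------------------------------------------------------------------------
Sent                      10         6          0          0          0
Aborted                   0          0          0          0          0

Dropped Packet Statistics:
------------------------------------------------------------------------------
Type                      NA         NS         RA         RS         Redirect
------------------------------------------------------------------------------
No Nonce                  0          0          0          0          0
No TS                     0          0          0          0          0
CGA Verify Fail           0          0          0          0          0
RSA Verify Fail           0          0          0          0          0
Nonce Verify Fail         2          0          0          0          0
TS Verify Fail            0          0          1          0          0
RateLimit                 0          0          0          0          0
Fully Secured Mode        0          0          0          0          0
"""

SECTION_RE = re.compile(r"^(Received|Sent|Dropped) Packet Statistics:")
ROW_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_send_statistics(text):
    """Return {section: {row name: {message type: count}}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            stats[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            counts = [int(v) for v in m.groups()[1:]]
            stats[current][m.group(1).strip()] = dict(zip(COLUMNS, counts))
    return stats


def findings(stats):
    """List non-zero counters that mean a message was insecure or discarded."""
    out = []
    for section, rows in stats.items():
        for row, counts in rows.items():
            relevant = (
                section == "dropped"                                   # strict mode drops
                or (section == "received" and row.startswith("Unsec:"))  # non-strict mode
                or (section == "sent" and row == "Aborted")
            )
            if relevant:
                out.extend((section, row, t, c) for t, c in counts.items() if c)
    return out


def secured_ratio(stats, msg_type):
    """Share of received messages of one type that passed all SEND checks."""
    total = stats["received"]["Total"][msg_type]
    if total == 0:
        return None
    return stats["received"]["Secured"][msg_type] / total


if __name__ == "__main__":
    parsed = parse_send_statistics(SAMPLE)
    for item in findings(parsed):
        print(item)
    print("NS secured ratio:", secured_ratio(parsed, "NS"))
```
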

display ipv6 nd security timestamp

Function

The display ipv6 nd security timestamp command displays the local time at which the last SEND message for this peer is accepted (RDlast) and the timestamp value of the last received and accepted SEND message (TSlast). The receiver records the two time values after receiving a SEND message.

Format

display ipv6 nd security timestamp interface-type interface-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface-type interface-number | Specifies the type and the number of an interface. That is, the RDlast and the TSlast values of the SEND message on the specified interface are displayed. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display ipv6 nd security timestamp command to view the RDlast and the TSlast values of a SEND message on an interface. Then, you can determine whether the difference between the receive time and the send time of the SEND message is within the allowed time range based on the following formulas.

  • When a message is received from a new peer:

    -delta-value < (RDnew - TSnew) < +delta-value

  • When a message is received from a known peer:

    TSnew + fuzz-value > TSlast + (RDnew - RDlast) x (1 - drift-value) - fuzz-value

NOTE:
  • delta-value, drift-value, and fuzz-value: parameters in the ipv6 nd security timestamp command
  • RDnew: the local time at which the new SEND message is received
  • RDlast: the local time at which the last SEND message for this peer is accepted
  • TSnew: the timestamp value present in the new received SEND message (the time is recorded by the sender in the Timestamp option in the newly sent ND message)
  • TSlast: the timestamp value of the last received and accepted SEND message (the time is recorded by the sender in the Timestamp option in the last sent ND message)

Precautions

If no neighbor relationship is set up or no SEND message is transmitted between a local interface and a remote interface, running the display ipv6 nd security timestamp command does not display any command output.

Example

# Display the RDlast and the TSlast values of an SEND message.

<HUAWEI> display ipv6 nd security timestamp 10ge 1/0/1
Total Number of Timestamp Entries : 2
Peer Address : FE80::1812:16D1:319F:B44F
TSlast       : 4c209e350000
RDlast       : 4c209e350000
                             
Peer Address : FE80::3066:6FC:B4D7:5891
TSlast       : 4c209e360000
RDlast       : 4c209e360000
Table 8-66  Description of the display ipv6 nd security timestamp command output
Item

Description

Total Number of Timestamp Entries

Total number of timestamp entries

Peer Address

IPv6 address of a peer interface

RDlast

The local time at which the last SEND message for this peer is accepted, converted into seconds elapsed since 0:00:00 January 1, 1970 Coordinated Universal Time (UTC)

TSlast

The timestamp value of the last received and accepted SEND message
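
The two acceptance formulas from the Usage Scenario above, applied to entries parsed from the display ipv6 nd security timestamp output. This is an added example, not part of the original command reference. Assumptions: the function names are hypothetical, the 12-hex-digit values are decoded as 32-bit seconds since 1970 followed by a 16-bit fraction, and delta, fuzz, and drift use the defaults suggested in RFC 3971 (300 s, 1 s, 1%) rather than values read from the ipv6 nd security timestamp configuration.

```python
import re

# Constructed sample in the layout of the example output on this page.
SAMPLE = """\
Total Number of Timestamp Entries : 2
Peer Address : FE80::1812:16D1:319F:B44F
TSlast       : 4c209e350000
RDlast       : 4c209e350000

Peer Address : FE80::3066:6FC:B4D7:5891
TSlast       : 4c209e360000
RDlast       : 4c209e360000
"""

# Assumed parameter values (RFC 3971 suggested defaults), in seconds / ratio.
DELTA = 300.0
FUZZ = 1.0
DRIFT = 0.01

FIELD_RE = re.compile(r"^\s*(Peer Address|TSlast|RDlast)\s*:\s*(\S+)")


def decode_ts(hex_value):
    """Assumed layout: upper 32 bits are seconds, lower 16 bits are 1/65536 s."""
    raw = int(hex_value, 16)
    return (raw >> 16) + (raw & 0xFFFF) / 65536.0


def parse_timestamp_entries(text):
    """Return {peer address: {"TSlast": seconds, "RDlast": seconds}}."""
    entries, peer = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Peer Address":
            peer = value.upper()
            entries[peer] = {}
        elif peer is not None:
            entries[peer][key] = decode_ts(value)
    return entries


def accept_new_peer(rd_new, ts_new, delta=DELTA):
    # -delta-value < (RDnew - TSnew) < +delta-value
    return -delta < (rd_new - ts_new) < delta


def accept_known_peer(rd_new, ts_new, rd_last, ts_last, fuzz=FUZZ, drift=DRIFT):
    # TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz
    return ts_new + fuzz > ts_last + (rd_new - rd_last) * (1 - drift) - fuzz


def check_message(entries, peer, rd_new, ts_new):
    """Pick the formula by whether the peer already has a recorded entry."""
    entry = entries.get(peer.upper())
    if not entry or "TSlast" not in entry or "RDlast" not in entry:
        return ("new-peer", accept_new_peer(rd_new, ts_new))
    ok = accept_known_peer(rd_new, ts_new, entry["RDlast"], entry["TSlast"])
    return ("known-peer", ok)


if __name__ == "__main__":
    table = parse_timestamp_entries(SAMPLE)
    peer = "FE80::1812:16D1:319F:B44F"
    last = table[peer]["RDlast"]
    # A fresh message sent and received 10 s after the recorded one.
    print(check_message(table, peer, last + 10, last + 10))
    # The recorded message captured and replayed 60 s later: TSnew is stale.
    print(check_message(table, peer, last + 60, table[peer]["TSlast"]))
```
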

display ipv6 neighbors

Function

The display ipv6 neighbors command displays information about ND entries.

Format

display ipv6 neighbors [ ipv6-address | interface-type interface-number | vpn-instance vpn-instance-name ]

display ipv6 neighbors vlan vlan-id interface-type interface-number

display ipv6 neighbors brief

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface-type interface-number | Specifies the interface type and interface number. If this parameter is specified, information about neighbor entries on the specified interface is displayed. | - |
| ipv6-address | Specifies the IPv6 address. If this parameter is specified, information about ND entries of the specified IPv6 address is displayed. | The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| vpn-instance vpn-instance-name | Specifies the name of an IPv6 VPN instance. If this parameter is specified, information about ND entries of the specified IPv6 VPN instance is displayed. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string. |
| vlan vlan-id | Specifies the ID of the VLAN to which a VLANIF interface belongs. | An integer ranging from 1 to 4094. |
| brief | Specifies brief information about neighbor entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The output of the display ipv6 neighbors command shows information about dynamic and static ND entries. Use it to check the following:

  • Whether the local switch has learnt MAC addresses from neighbors
  • Status of the neighbors of the local switch, including neighbor unreachable, neighbor reachable, or unknown

Precautions

If no parameter is specified when the display ipv6 neighbors command is run, information about all ND entries is displayed.

Example

# Display contents in the neighbor cache of the VLANIF interface 1.

<HUAWEI> display ipv6 neighbors Vlanif 1
-----------------------------------------------------------------------------
IPv6 Address : 2001:DB8::1                                                          
Link-layer   : 00fe-00e0-0089                     State     : INCMP               
Interface    : 10GE1/0/1                          Age       : -                   
VLAN         : 1                                  CEVLAN    : -                   
VPN name     : -                                  Is Router : TRUE               
Secure FLAG  : SECURE                             Nickname  : -
Destination IP: -                                 Source IP : -          
VNI          : -                                  BD        : -
-----------------------------------------------------------------------------
Total: 1        Dynamic: 0      Static: 1

# Display contents in the neighbor cache of 10GE 1/0/1.

<HUAWEI> display ipv6 neighbors 10ge 1/0/1
-----------------------------------------------------------------------------
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E                                         
Link-layer   : 00e0-fc89-fe6e                     State     : INCMP               
Interface    : 10GE1/0/1                          Age       : -                   
VLAN         : -                                  CEVLAN    : -                   
VPN name     : vpn1                               Is Router : TRUE               
Secure FLAG  : SECURE                             Nickname  : -
Destination IP: -                                 Source IP : -          
VNI          : -                                  BD        : -
-----------------------------------------------------------------------------
Total: 1        Dynamic: 0      Static: 1 

# Display contents in the neighbor cache with the IPv6 address of 2001:db8::2.

<HUAWEI> display ipv6 neighbors 2001:db8::2
-----------------------------------------------------------------------------
IPv6 Address : 2001:DB8::2                                         
Link-layer   : 00e0-fc89-fe6e                     State     : STALE               
Interface    : 10GE1/0/1                            Age       : -                   
VLAN         : -                                  CEVLAN    : -                   
VPN name     : -                                  Is Router : TRUE               
Secure FLAG  : SECURE                             Nickname  : -
Destination IP: -                                 Source IP : -          
VNI          : -                                  BD        : -
-----------------------------------------------------------------------------
Total: 1        Dynamic: 0      Static: 1 

# Display neighbor entries of the IPv6 VPN instance named vpnA.

<HUAWEI> display ipv6 neighbors vpn-instance vpnA
-----------------------------------------------------------------------------
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E                                         
Link-layer   : 00e0-fc89-fe6e                     State     : INCMP               
Interface    : 10GE1/0/1                          Age       : -
VLAN         : -                                  CEVLAN    : -                   
VPN name     : vpnA                               Is Router : TRUE               
Secure FLAG  : SECURE                             Nickname  : -
Destination IP: -                                 Source IP : -          
VNI          : -                                  BD        : -
-----------------------------------------------------------------------------
Total: 1        Dynamic: 0      Static: 1 

# Display contents in the neighbor cache of Vbdif1.

<HUAWEI> display ipv6 neighbors Vbdif1
-----------------------------------------------------------------------------
IPv6 Address : 2001:DB8::2                                                      
Link-layer   : 386f-da21-1200                     State     : STALE             
Interface    : Vbdif1                             Age       : 32                
VLAN         : -                                  CEVLAN    : -                 
VPN name     : -                                  Is Router : TRUE              
Secure FLAG  : UN-SECURE                          Nickname  : -                 
Destination IP: 2.2.2.2                           Source IP : 2.2.2.1           
VNI          : 20                                 BD        : 1                 

-----------------------------------------------------------------------------
Total: 1        Dynamic: 1      Static: 0  

# Display brief information about neighbor entries.

<HUAWEI> display ipv6 neighbors brief
D-Dynamic,S-Static
I-INCMP,R-REACH,S-STALE,D-DELAY,P-PROBE
-----------------------------------------------------------------
IPv6 Address         Link-layer       State Type Interface 
-----------------------------------------------------------------
2001:DB8::3                                                                            
                     0001-0002-0003   I     S    10GE1/0/1                                     
2001:DB8::4                                                                            
                     0001-0002-0004   I     S    10GE1/0/2                                     
-----------------------------------------------------------------
Total: 2        Dynamic: 0      Static: 2
Table 8-67  Description of the display ipv6 neighbors command output

Item

Description

IPv6 Address

IPv6 address of the neighbor

Link-layer

Link layer address (MAC address of the neighbor)

State

Status of ND entries
  • INCMP: indicates that the neighbor is unreachable. The address is being resolved, and the link-layer address of the neighbor has not been detected. If resolution succeeds, the neighbor enters the REACH state.

  • REACH: indicates that the neighbor is reachable within a specified period. By default, the period is 20 minutes. If the period expires and this entry is unused, the entry enters the STALE state.

  • STALE: indicates that it is unknown whether the neighbor is reachable, because the entry has been unused within a specified period. By default, the period is 20 minutes. In this state, the reachability of the neighbor is not detected unless a packet is sent to the neighbor.

  • DELAY: indicates that it is unknown whether the neighbor is reachable. A packet has been sent to the neighbor. If no response is received within a specified period, the neighbor enters the PROBE state.

  • PROBE: indicates that it is unknown whether the neighbor is reachable. A neighbor request packet is sent to the neighbor to detect whether the neighbor is reachable. If a response is received within a specified period, the neighbor enters the REACH state. If no response is received, the neighbor enters the INCMP state.

Type

Type of neighbor entries:
  • Dynamic: dynamic neighbor entry
  • Static: static neighbor entry

Interface

Interface to which the ND entry belongs

Age

Elapsed time after an ND entry is created, including the following situations:
  • The elapsed time after a static entry is created is "-".

  • The elapsed time after a dynamic entry is created includes the following types:
    • The elapsed time of a proactively created dynamic entry is the time that the REACH state lasts, in minutes.
    • The elapsed time of a passively learned dynamic entry is the time that elapsed after the entry is created (in minutes) if the entry is in the STALE state. When the state of the entry is changed to REACH, the elapsed time is the time that the REACH state lasts, in minutes.

VLAN

Neighbors in the specified VLAN.

CEVLAN

Neighbors in the specified VLAN ID of CE.

VPN name

Name of the VPN instance to which the neighbor belongs

Is Router

Whether a device is a router

Secure FLAG

Secure flag of a neighbor entry
  • UN-SECURE
  • SECURE

Nickname

Nickname of an ND entry generated in a TRILL scenario.

Destination IP

Destination IP address of a VXLAN tunnel

Source IP

Source IP address of a VXLAN tunnel

VNI

VXLAN network identifier

BD

Bridge domain

Total

Total number of ND entries

Dynamic

Total number of dynamic ND entries

Static

Total number of static ND entries
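
The following added example (not part of the Huawei documentation) parses the detailed display ipv6 neighbors layout described in the table above and reports entries whose Secure FLAG is UN-SECURE or whose State is INCMP. The sample text is constructed, and the parser assumes that every entry begins with an "IPv6 Address" line, as in the examples above.

```python
import ipaddress
import re

# Constructed sample (not captured from a device), in the per-entry layout
# of the "display ipv6 neighbors" examples above.
SAMPLE = """\
-----------------------------------------------------------------------------
IPv6 Address : 2001:DB8::1
Link-layer   : 00fe-00e0-0089                     State     : INCMP
Interface    : 10GE1/0/1                          Age       : -
VLAN         : 1                                  CEVLAN    : -
VPN name     : -                                  Is Router : TRUE
Secure FLAG  : SECURE                             Nickname  : -
Destination IP: -                                 Source IP : -
VNI          : -                                  BD        : -
-----------------------------------------------------------------------------
IPv6 Address : 2001:DB8::2
Link-layer   : 386f-da21-1200                     State     : STALE
Interface    : Vbdif1                             Age       : 32
VLAN         : -                                  CEVLAN    : -
VPN name     : -                                  Is Router : TRUE
Secure FLAG  : UN-SECURE                          Nickname  : -
Destination IP: 2.2.2.2                           Source IP : 2.2.2.1
VNI          : 20                                 BD        : 1
-----------------------------------------------------------------------------
Total: 2        Dynamic: 1      Static: 1
"""

# Field labels from the output description table. Values may contain colons
# (IPv6 addresses), so fields are located by label rather than by splitting
# on ":". The leading \b keeps "VLAN" from matching inside "CEVLAN".
FIELDS = ("IPv6 Address", "Link-layer", "State", "Interface", "Age", "CEVLAN",
          "VLAN", "VPN name", "Is Router", "Secure FLAG", "Nickname",
          "Destination IP", "Source IP", "VNI", "BD")
FIELD_RE = re.compile(
    r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r")\s*:\s+(\S+)")
TOTAL_RE = re.compile(r"^Total:\s*(\d+)\s+Dynamic:\s*(\d+)\s+Static:\s*(\d+)")


def parse_neighbors(text):
    """Return (entries, totals); a "-" value is stored as None."""
    entries, totals = [], None
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            totals = dict(zip(("total", "dynamic", "static"),
                              map(int, m.groups())))
            continue
        for name, value in FIELD_RE.findall(line):
            if name == "IPv6 Address":      # assumption: starts a new entry
                entries.append({})
            if entries:
                entries[-1][name] = None if value == "-" else value
    for entry in entries:
        # Normalise so that 2001:DB8::1 and 2001:db8::1 compare equal.
        entry["IPv6 Address"] = ipaddress.IPv6Address(entry["IPv6 Address"])
    return entries, totals


def audit(entries, totals):
    """List entries that deserve a second look, in output order."""
    findings = []
    if totals and totals["total"] != len(entries):
        findings.append(
            f"parsed {len(entries)} entries but Total is {totals['total']}")
    for entry in entries:
        where = f"{entry['IPv6 Address']} on {entry.get('Interface')}"
        if entry.get("Secure FLAG") == "UN-SECURE":
            findings.append(f"{where}: entry is UN-SECURE")
        if entry.get("State") == "INCMP":
            findings.append(f"{where}: state INCMP (neighbor unreachable)")
    return findings


if __name__ == "__main__":
    parsed, summary = parse_neighbors(SAMPLE)
    for finding in audit(parsed, summary):
        print(finding)
```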

display ipv6 pathmtu

Function

The display ipv6 pathmtu command displays all IPv6 PMTU entries.

Format

display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all | dynamic | static }

Parameters

Parameter Description Value
vpn-instance vpn-instance-name Displays PMTU entries with a specified IPv6 VPN instance. The name is a string of 1 to 31 case-sensitive characters.
ipv6-address Displays PMTU entries with a specified IPv6 address. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
all Displays all PMTU entries. -
dynamic Displays all dynamic PMTU entries. -
static Displays all static PMTU entries. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When the MTU of the outbound interface on an intermediate device is smaller than the MTU of the source host, the PMTU discovery mechanism is used to determine the maximum size of packets that can be transmitted on the path, that is, a PMTU.

To check dynamic and static PMTU entries, run the display ipv6 pathmtu command. The switch fragments packets into a size smaller than a set PMTU and forwards the fragments.

Precautions

If no PMTU is set using the ipv6 pathmtu command, no static PMTU entries are displayed in the display ipv6 pathmtu command output.

Example

# Display all PMTU entries.

<HUAWEI> display ipv6 pathmtu all
Total: 2        Dynamic: 1      Static: 1
-----------------------------------------------------------------------------

IPv6 Destination Address                 ZoneID  PathMTU  LifeTime(M)  Type     Fragment Flag
2001:DB8::2                                   0     1300           9   Dynamic  NO
2001:DB8::1                                   0     1500  -            Static   NO

# Display PMTU entries of vpn1.

<HUAWEI> display ipv6 pathmtu vpn-instance vpn1 all
Total: 2        Dynamic: 1      Static: 1
-----------------------------------------------------------------------------

IPv6 Destination Address                 ZoneID  PathMTU  LifeTime(M)  Type     Fragment Flag
2001:DB8::4                                   1     1500           10  Dynamic  NO
2001:DB8::3                                   1     1600  -            Static   NO
Table 8-68  Description of the display ipv6 pathmtu command output

Item

Description

Total

Total number of PMTU entries

Dynamic

Number of dynamic PMTU entries

Static

Number of static PMTU entries

IPv6 Destination Address

IPv6 destination address

ZoneID

Zone of an IPv6 address

PathMTU

PMTU of an IPv6 address

LifeTime (M)

Remaining lifetime of a dynamic PMTU entry, in minutes

This field displays a hyphen (-) for a static PMTU entry.

Type

Type of a PMTU:
  • Dynamic

  • Static

Fragment Flag

Fragmentation flag:

  • YES: Packets are fragmented, and a fragment header is added to a packet.
  • NO: Packets are not fragmented.

display ipv6 security interface

Function

The display ipv6 security interface command displays the IPv6 SEND configuration.

Format

display ipv6 security interface interface-type interface-number

Parameters

Parameter Description Value
interface-type interface-number Specifies the type and the number of an interface. The IPv6 SEND configuration on the specified interface is displayed. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ipv6 security interface command to view the IPv6 SEND configuration on the specified interface, including the CGA IPv6 address, RSA key pair bound to the interface, timestamp configuration, and whether the strict security mode is enabled on the interface.

Example

# Display the IPv6 SEND configuration on 10GE 1/0/1.

<HUAWEI> display ipv6 security interface 10ge 1/0/1
 (L) : Link local address
 SEND: Security ND
 SEND information for the interface : 10GE1/0/1
----------------------------------------------------------------------------
 IPv6 address                                   PrefixLength Collision Count
----------------------------------------------------------------------------
 FE80::18A8:19F0:C5A4:7A52 (L)                  10           0
 1::18F5:E2FA:63CF:31DE                         64           0
----------------------------------------------------------------------------
 Send sec value                     : 0
 Send security modifier value       : 1::1
 Send RSA key label bound           : huawei  
 Send ND minimum key length value   : 1280
 Send ND maximum key length value   : 2000
 Send ND Timestamp delta value      : 100
 Send ND Timestamp fuzz value       : 2
 Send ND Timestamp drift value      : 2
 Send ND fully secured mode         : enabled
Table 8-69  Description of the display ipv6 security interface command output

Item

Description

SEND information for the interface

IPv6 SEND configuration on the interface

IPv6 address

CGA IPv6 address

PrefixLength

Prefix length of the CGA IPv6 address

Collision Count

Number of CGA IPv6 address conflicts

Send sec value

Security level of the CGA address

Send security modifier value

Modifier value of the CGA address

Send RSA key label bound

Name of the RSA key pair that is bound to the interface

Send ND minimum key length value

Minimum key length allowed on the interface

Send ND maximum key length value

Maximum key length allowed on the interface

Send ND Timestamp delta value

Delta value of the timestamp in the ND message

Send ND Timestamp fuzz value

Fuzz-factor value of the timestamp in the ND message

Send ND Timestamp drift value

Drift value of the timestamp in the ND message

Send ND fully secured mode

Whether the strict security mode is enabled on the interface

display ipv6 socket

Function

The display ipv6 socket command displays information about sockets, such as the socket type, socket ID, and the associated task ID. The information includes:

  • Send-buffer

  • Receive-buffer

  • All socket-level options set for this particular socket

  • Socket pair

If no parameter is specified in the command, information about all types of sockets is displayed.

Format

display ipv6 socket [ socket-type socket-type ] [ cid cid ] [ socket-id socket-id ]

Parameters

Parameter Description Value
socket-type socket-type Indicates the type of the socket to be displayed. The value is an integer ranging from 1 to 4.
socket-id socket-id Specifies the ID of the socket to be displayed. The value is an integer ranging from 0 to 2147418111.
cid cid Specifies the CID of the APP component. The value is a hexadecimal integer ranging from 0 to ffffffff.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display ipv6 socket command can be used to display information about a specific type or all types of sockets.

Precautions

No information will be displayed if there is no information about sockets.

Example

# Display the related socket information about the socket type, socket ID, and the associated task ID.

<HUAWEI> display ipv6 socket
Total: 2



Cid = 0x8035272E, socketid = 1, Proto = 17,
LA=:::1024, FA=:::0,
sndbuf = 0, rcvbuf = 0, sb_cc = 0, rb_cc = 0,
socket option = SO_REUSEADDR ,
socket state = SS_NBIO SS_ASYNC

Cid = 0x80C8272D, socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 0, rcvbuf = 0, sb_cc = 0, rb_cc = 0,
socket option = SO_REUSEADDR SO_ACCEPTCONN SO_REUSEADDR ,
socket state = SS_NBIO SS_ASYNC SS_NBIO SS_ASYNC
Table 8-70  Description of the display ipv6 socket command output

Item

Description

Total

Indicates the total number of socket instances.

Cid

Indicates the CID of the APP component.

Task = VTYD (14)

Indicates the type and ID of the task that uses the socket.

For example, the preceding display shows that the task named VTYD uses the socket, with the task ID being 14.

socketid = 4

Indicates the socket ID.

Proto = 6

Indicates the protocol ID.

LA = ::->22, FA = ::->0

  • LA: indicates the local address and local port number.

  • FA: indicates the remote address and remote port number.

sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,

  • sndbuf: indicates the upper limit of the cache of packet sending.

  • rcvbuf: indicates the upper limit of the cache of packet receiving.

  • sb_cc: indicates the number of the sent packets.

  • rb_cc: indicates the number of the received packets.

socket option

Indicates the socket options that have been set.

socket state

Indicates the socket status.

display ipv6 statistics

Function

The display ipv6 statistics command displays IPv6 traffic statistics.

Format

display ipv6 statistics [ interface interface-type interface-number ]

Parameters

Parameter Description Value
interface interface-type interface-number Specifies the interface type and interface number. If this parameter is specified, IPv6 traffic statistics on the specified interface are displayed. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display ipv6 statistics command displays statistics about sent and received IPv6 packets.

During packet transmission, if the source has fragmented packets, you can run this command to view the total number of IPv6 packets that are successfully fragmented and the total number of sent fragments, and then check whether the number of fragments received by the destination is correct.

Precautions

The number of received packets displayed in the command indicates the total number of packets received by the host, that is, the total number of packets received and then forwarded, sent to service modules, or discarded on the host.

Example

# Display statistics about the IPv6 packets processed by the device.

<HUAWEI> display ipv6 statistics
  Sent packets:
    Total                : 2
    Local sent out       : 2           Forwarded            : 0
    Raw packets          : 0           Discarded            : 0
    Fragmented           : 0           Fragments            : 0
    Fragments failed     : 0           Multicast            : 2
  Received packets:
    Total                : 0           Local host           : 0
    Hop count exceeded   : 0           Header error         : 0
    Too big              : 0           Routing failed       : 0
    Address error        : 0           Protocol error       : 0
    Truncated            : 0           Option error         : 0
    Fragments            : 0           Reassembled          : 0
    Reassembly timeout   : 0           Multicast            : 0
    Extension header:
     Hop-by-hop options    : 1            Mobility header        : 0
     Destination options   : 0            Routing header         : 0
     Fragment header       : 0            Authentication header  : 0
     Encapsulation header  : 0            No header              : 0
     TLV length error      : 0            Header length error    : 0
     Unknown header type   : 0            Unknown TLV type       : 0
Table 8-71  Description of the display ipv6 statistics command output

Item

Description

Sent packets

Statistics about the sent packets

Total

Total number of the sent packets

Local sent out

Total number of the packets sent by local hosts

Forwarded

Total number of the forwarded packets

Raw packets

Total number of the packets sent through the raw socket, such as Ping or Tracert packets

Discarded

Total number of the discarded packets

Fragmented

Total number of the IPv6 packets successfully fragmented

Fragments

Total number of the sent fragments

Fragments failed

Total number of the IPv6 packets that fail to be fragmented

Multicast

Total number of the sent multicast packets

Received packets

Statistics about the received packets

Total

Total number of the received packets

Local host

Total number of packets received by the local host, including the packets with the unicast destination address as the local address or multicast destination address belonging to the same multicast group as that of the local host

Packets with incorrect IPv6 headers, the packet length shorter than 40 bytes, or the extension header length greater than the packet length are not counted.

Hop count exceeded

Total number of the packets with excessive hop count

Header error

Total number of the packets with wrong header formats

Too big

Total number of the received packets that cannot be forwarded because of excessive sizes

Routing failed

Total number of the packets that fail to be routed

Address error

Total number of the packets that carry wrong IP addresses

Protocol error

Total number of the packets that carry wrong protocol types

Truncated

Total number of the packets discarded because the actual packet length is shorter than that specified in the packet length field

Option error

Total number of the packets that carry wrong options

Fragments

Total number of the received fragments

Reassembled

Total number of the packets successfully reassembled

Reassembly timeout

Total number of the packets that fail to be reassembled because of timeout

Extension header

Statistics on extension headers of received packets

Hop-by-hop options

Total number of hop-by-hop options headers

Mobility header

Total number of mobility headers

Destination options

Total number of destination options headers

Routing header

Total number of route options headers

Fragment header

Total number of fragment headers

Authentication header

Total number of authentication headers

Encapsulation header

Total number of encapsulation headers

No header

Total number of headers not followed by any upper-layer protocols

TLV length error

Total number of extension headers with an incorrect TLV length

Header length error

Total number of extension headers with an incorrect length

Unknown header type

Total number of unknown extension header types

Unknown TLV type

Total number of unknown TLV types
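
The fragmentation check described in the usage scenario can be scripted as in the following added example, which is not part of the Huawei documentation. It parses the two-column display ipv6 statistics layout on the source and on the destination and compares the fragment counters. Both snapshots are constructed and abbreviated, and the comparison assumes that the counters on both devices were zero when the test started and that no other fragmented traffic was exchanged.

```python
import re

# One "name : number" pair; a line of the output carries one or two of them.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z\- ]*?)\s*:\s*(\d+)")

# Constructed, abbreviated snapshots in the layout of the example above.
SOURCE = """\
  Sent packets:
    Total                : 12
    Local sent out       : 12          Forwarded            : 0
    Fragmented           : 3           Fragments            : 9
    Fragments failed     : 0           Multicast            : 2
  Received packets:
    Total                : 4           Local host           : 4
    Fragments            : 0           Reassembled          : 0
    Reassembly timeout   : 0           Multicast            : 0
"""
DEST = """\
  Sent packets:
    Total                : 4
    Fragmented           : 0           Fragments            : 0
  Received packets:
    Total                : 10          Local host           : 10
    Fragments            : 7           Reassembled          : 2
    Reassembly timeout   : 1           Multicast            : 0
    Extension header:
     Fragment header       : 7            Authentication header  : 0
"""


def parse_ipv6_stats(text):
    """Return {(section, counter): value}.

    "Total", "Fragments" and "Multicast" appear under both "Sent packets"
    and "Received packets", so every counter is keyed by its section.
    """
    stats, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        pairs = PAIR_RE.findall(stripped)
        if stripped.endswith(":") and not pairs:
            section = stripped[:-1]          # e.g. "Extension header"
            continue
        for name, value in pairs:
            stats[(section, name)] = int(value)
    return stats


def reconcile(src, dst):
    """Compare what the source fragmented with what the destination saw."""
    sent = src[("Sent packets", "Fragments")]
    received = dst[("Received packets", "Fragments")]
    return {
        "packets_fragmented": src[("Sent packets", "Fragmented")],
        "fragmentation_failed": src[("Sent packets", "Fragments failed")],
        "fragments_sent": sent,
        "fragments_received": received,
        "fragments_missing": sent - received,
        "packets_reassembled": dst[("Received packets", "Reassembled")],
        "reassembly_timeouts": dst[("Received packets", "Reassembly timeout")],
        "fragment_headers_seen": dst.get(
            ("Extension header", "Fragment header"), 0),
    }


if __name__ == "__main__":
    report = reconcile(parse_ipv6_stats(SOURCE), parse_ipv6_stats(DEST))
    for key, value in report.items():
        print(f"{key:22}: {value}")
```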

display rawip ipv6 statistics

Function

The display rawip ipv6 statistics command displays the statistics about IPv6 RawIP packets.

Format

display rawip ipv6 statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The statistics about IPv6 RawIP packets include the number of sent IPv6 RawIP packets and the number of received IPv6 RawIP packets.

RSVP, OSPF, and ICMP packets are encapsulated into RawIP packets to be sent. During the ipv6 ping operation, for example, you can run the display rawip ipv6 statistics command to view the number of IPv6 RawIP packets sent by the local device to check whether the abnormality on the network is caused by abnormal sending and receiving of IPv6 RawIP packets.

Precautions

The number of packets received by a switch includes the number of forwarded packets, packets sent to the upper layer, and discarded packets.

Example

# Display statistics about IPv6 RawIP packets.

<HUAWEI> display rawip ipv6 statistics
------------------------ Display Rawip Statistics -------------------
Received packets:
    Total: 0
    Input packets missing pcb cache: 0
Send packets:
    Total: 0
-----------------------------------------------------------------------
Table 8-72  Description of the display rawip ipv6 statistics command output

Item

Description

Received packets

Number of received packets

Total

Total number of received packets

Input packets missing pcb cache

Number of packets discarded because no corresponding Protocol Control Block (PCB) exists

Send packets

Number of sent packets

Total

Total number of sent packets

display snmp-agent trap feature-name ipv6 all

Function

The display snmp-agent trap feature-name ipv6 all command displays all trap messages of the IPv6 module.

Format

display snmp-agent trap feature-name ipv6 all

Parameters

None.

Views

All views

Default Level

3: Management level

Usage Guidelines

The Simple Network Management Protocol (SNMP) is a standard network management protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements. The management agent on the network element automatically reports traps to the network management station. Then, the network administrator immediately takes measures to resolve the problem.

Prerequisites

SNMP has been enabled. See snmp-agent.

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name ipv6 all command to check the status of all traps of IPv6. You can use the snmp-agent trap enable feature-name ipv6 command to enable the trap function of IPv6.

Example

# Display all trap messages of the IPv6 module.

<HUAWEI> display snmp-agent trap feature-name ipv6 all
------------------------------------------------------------------------------
Feature name: IPV6
Trap number : 1
------------------------------------------------------------------------------
Trap name                      Default switch status   Current switch status  
ipv6IfStateChange              off                     off
Table 8-73  Description of the display snmp-agent trap feature-name ipv6 all command output

Item

Description

Feature name

Name of the module to which a trap message belongs.

Trap number

Number of trap messages.

Trap name

Name of a trap message of the IPv6 module:

  • ipv6IfStateChange: indicates that the IPv6 protocol status on an interface is changed.

Default switch status

Status of the default trap function:

  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status

Status of the current trap function:

  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

display tcp ipv6 statistics

Function

The display tcp ipv6 statistics command displays IPv6 TCP packet statistics.

Format

display tcp ipv6 statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can judge the network connection status according to the following items in the command output:

  • Established connections: You can view information about "Established connections" to check whether the number of connections exceeds the upper limit, and then decide whether to deploy services such as BGP services or to adjust the load.
  • Duplicate ACK packets: You can view information about "Duplicate ACK packets" to check whether the device is attacked by unknown ACK packets. That is, if the device receives a large number of unknown ACK packets, it is probably under attack.
  • Out-of-order packets: You can view information about "Out-of-order packets" to check the network quality. If the network quality is poor, a lot of out-of-order packets are generated.

Precautions

  • The number of packets received by a switch includes the number of forwarded packets, packets sent to the upper layer, and discarded packets.

  • Before collecting the IPv6 TCP packet statistics during a specific period, you are advised to run the reset tcp ipv6 statistics command to clear the previous IPv6 TCP packet statistics.

Example

# View the statistics about the transmitted and received IPv6 TCP packets.

<HUAWEI> display tcp ipv6 statistics
Received packets:
    Total packets                    : 0
    SYN packets                      : 0
    FIN packets                      : 0
    Packets bytes in sequence        : 0
    Window probe packets             : 0
    Window update packets            : 0
    Checksum error                   : 0
    Offset error                     : 0
    Short error                      : 0
    Duplicate packets bytes          : 0
    Partially duplicate packets bytes: 0
    Out-of-order packets bytes       : 0
    Packets with data after window   : 0
    Packets after close              : 0
    ACK packets bytes                : 0
    Duplicate ACK packets            : 0
Sent packets:
    Total packets             : 0
    Urgent packets            : 0
    Control packets RST       : 0
    Window probe packets      : 0
    Window update packets     : 0
    Data packets              : 0
    Data packets retransmitted: 0
    ACK only packets          : 0

Retransmitted timeout                                 : 0
Connection dropped in retransmitted timeout           : 0
Keepalive timeout                                     : 0
Keepalive probe                                       : 0
Keepalive timeout, so connections disconnected        : 0
Initiated connections                                 : 0
Accepted connections                                  : 0
Established connections                               : 0
Closed connections                                    : 0
Packets dropped with MD5 authentication               : 0
Packets permitted with MD5 authentication             : 0
Send Packets permitted with Keychain authentication   : 0
Receive Packets permitted with Keychain authentication: 0
Receive Packets Dropped with Keychain authentication  : 0
Receive Packets permitted with TCP-AO authentication  : 0
Receive Packets Dropped with TCP-AO authentication    : 0
Table 8-74  Description of the display tcp ipv6 statistics command output

Item

Description

Received packets

Number of received packets

Total packets

Total number of received packets

SYN packets

Number of received SYN packets

FIN packets

Number of received FIN packets

Packets bytes in sequence

Number of packets that arrive in sequence (total bytes)

Window probe packets

Number of window probe packets

Window update packets

Number of window update packets

Checksum error

Number of packets with incorrect checksum

Offset error

Number of packets in incorrect length

Short error

Number of packets whose length is too short

Duplicate packets bytes

Number of completely repeated packets (total bytes)

Partially duplicate packets bytes

Number of partly repeated packets (total bytes)

Out-of-order packets bytes

Number of packets in incorrect sequence (total bytes)

Packets with data after window

Number of packets outside the receiving window

Packets after close

Number of packets that arrive after the connection is closed

ACK packets bytes

Number of the acknowledged packets (the acknowledged data byte number)

Duplicate ACK packets

Number of the re-acknowledged packets

Sent packets

Number of sent packets

Total packets

Total number of sent packets

Urgent packets

Number of urgent data packets

Control packets RST

Number of control packets (number of RST packets)

Window probe packets

Number of window probe packets

Window update packets

Number of window update packets

Data packets

Number of data packets

Data packets retransmitted

Number of retransmitted packets (total bytes)

ACK only packets

Number of ACK packets

Retransmitted timeout

Times of timeout of the retransmission timer

Connection dropped in retransmitted timeout

Number of dropped connections because their retransmission number exceeds the limit

Keepalive timeout

Timeout period of the Keepalive timer

Keepalive probe

Number of sent Keepalive packets

Keepalive timeout, so connections disconnected

Number of discarded connections because the Keepalive probe fails

Initiated connections

Number of initiated connections

Accepted connections

Number of accepted connections

Established connections

Number of established connections

Closed connections

Number of closed connections (number of dropped connections (after receiving SYN), number of active connection failures (before receiving the peer SYN))

Packets dropped with MD5 authentication

Number of dropped packets after MD5 authentication

Packets permitted with MD5 authentication

Number of passed packets after MD5 authentication

Send Packets permitted with Keychain authentication

Number of sent packets after keychain authentication

Receive Packets permitted with Keychain authentication

Number of received packets after keychain authentication

Receive Packets Dropped with Keychain authentication

Number of received packets that are discarded due to keychain authentication failures

Receive Packets permitted with TCP-AO authentication

Number of received packets after TCP-AO authentication

Receive Packets Dropped with TCP-AO authentication

Number of received packets that are discarded due to a TCP-AO authentication failure
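
The usage scenario above suggests watching "Duplicate ACK packets" over a collection period. The following added example (not part of the Huawei documentation) parses two display tcp ipv6 statistics snapshots, computes the per-counter difference, and reports a high duplicate-ACK share and any packets dropped by MD5, Keychain, or TCP-AO authentication. The snapshots are constructed and abbreviated, and the thresholds dup_ack_ratio and min_rx are assumptions to be tuned per network.

```python
import re

# Constructed, abbreviated output: counter names come from the example
# above, values are filled in per snapshot.
TEMPLATE = """\
Received packets:
    Total packets                    : {rx_total}
    SYN packets                      : {syn}
    Checksum error                   : 0
    Duplicate ACK packets            : {dup_ack}
Sent packets:
    Total packets             : {tx_total}
    Control packets RST       : {rst}

Established connections                               : 2
Packets dropped with MD5 authentication               : {md5_drop}
Receive Packets Dropped with Keychain authentication  : 0
Receive Packets Dropped with TCP-AO authentication    : {ao_drop}
"""

SECTION_RE = re.compile(r"^(\S.*?):\s*$")             # "Received packets:"
COUNTER_RE = re.compile(r"^(\s*)(.+?)\s*:\s*(\d+)\s*$")
AUTH_DROP_COUNTERS = (
    "Packets dropped with MD5 authentication",
    "Receive Packets Dropped with Keychain authentication",
    "Receive Packets Dropped with TCP-AO authentication",
)


def parse_tcp6_stats(text):
    """Return {(section, counter): value}.

    Indented counters belong to the last section header; the unindented
    counters after "Sent packets" are stored under section "".
    """
    stats, section = {}, ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            indent, name, value = m.groups()
            stats[(section if indent else "", name)] = int(value)
    return stats


def delta(before, after):
    """Per-counter increase between two snapshots.

    A counter that went backwards means the statistics were cleared in
    between (reset tcp ipv6 statistics), so the new value is the increase.
    """
    out = {}
    for key, new in after.items():
        old = before.get(key, 0)
        out[key] = new - old if new >= old else new
    return out


def assess(d, dup_ack_ratio=0.2, min_rx=100):
    """Thresholds are illustrative assumptions, not vendor guidance."""
    findings = []
    rx = d.get(("Received packets", "Total packets"), 0)
    dup = d.get(("Received packets", "Duplicate ACK packets"), 0)
    if rx >= min_rx and dup / rx > dup_ack_ratio:
        findings.append(f"duplicate ACKs are {dup}/{rx} of received packets")
    for name in AUTH_DROP_COUNTERS:
        dropped = d.get(("", name), 0)
        if dropped:
            findings.append(f"{dropped} x {name}")
    return findings


def demo():
    before = parse_tcp6_stats(TEMPLATE.format(
        rx_total=1000, syn=10, dup_ack=5, tx_total=900, rst=1,
        md5_drop=0, ao_drop=0))
    after = parse_tcp6_stats(TEMPLATE.format(
        rx_total=3000, syn=12, dup_ack=905, tx_total=1800, rst=3,
        md5_drop=0, ao_drop=7))
    return assess(delta(before, after))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```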

display tcp ipv6 status

Function

The display tcp ipv6 status command displays all IPv6 TCP connections.

Format

display tcp ipv6 status [ local-ip local-ip | local-port local-port | remote-ip remote-ip | remote-port remote-port ] * [ cid cid ] [ socket-id socket-id ]

Parameters

Parameter Description Value
local-ip local-ip Displays the IPv6 TCP connection with a specified local IP address. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
local-port local-port Displays the IPv6 TCP connection with a specified local port number. The value ranges from 0 to 65535.
remote-ip remote-ip Displays the IPv6 TCP connection with a specified remote IP address. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
remote-port remote-port Displays the IPv6 TCP connection with a specified remote port number. The value ranges from 0 to 65535.
cid cid Displays the IPv6 TCP connection with a specified APP CID. The value ranges from 0 to 4294967295.
socket-id socket-id Displays the IPv6 TCP connection with a specified socket ID. The value ranges from 0 to 2147418111.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can use this command to view all valid IPv6 TCP connections and details about each valid IPv6 TCP connection, including:

  • ID of the IPv6 TCP socket
  • ID of the APP component
  • Local IPv6 address and port number
  • Remote IPv6 address and port number
  • Status of the IPv6 TCP connection

Precautions

If no TCP connection is available, the command output is empty.

Example

# Display the status of IPv6 TCP connections.

<HUAWEI> display tcp ipv6 status
* - MD5 Authentication is enabled.
# - Keychain Authentication is enabled.
--------------------------------------------------------------------------------
Cid/SocketID         Local Address                Foreign Address              VPNID      State        
--------------------------------------------------------------------------------
0x80C82720/2         ::->23                       ::->0                   4294967295      LISTEN       
--------------------------------------------------------------------------------

Table 8-75  Description of the display tcp ipv6 status command output

Item | Description
Cid/SocketID | Socket ID
Local Address | Local IPv6 address
Foreign Address | Peer IPv6 address
VPNID | VPN interface ID
State | Status of an IPv6 TCP connection:
  • Established: indicates that the connection has been established.
  • LISTEN: indicates that the socket is listening for incoming connections.

display this ipv6 interface

Function

The display this ipv6 interface command displays IPv6 information on an existing interface.

Format

display this ipv6 interface

Parameters

None

Views

Interface view

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To view IPv6 information on an interface, run the display this ipv6 interface command.

Precautions

Information displayed using the display this ipv6 interface command in the current interface view is the same as the information displayed using the display ipv6 interface command.

Example

# Display IPv6 information on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] display this ipv6 interface
10GE1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::3ABA:1200:78A:6E02
  Global unicast address(es):
    2001:db8:1::1, subnet is 2001:db8:1::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF8A:6E02
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 1200000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

Table 8-76  Description of the display this ipv6 interface command output

Item | Description
10GE1/0/1 current state | Physical status of 10GE 1/0/1: UP, DOWN, or Administratively DOWN
IPv6 protocol current state | Protocol status of 10GE 1/0/1: UP or DOWN
IPv6 is enabled | The IPv6 capability is configured on the interface.
link-local address | Link-local address of the interface
Global unicast address(es) | Global unicast address of the interface
Joined group address(es) | Addresses of the joined multicast group on the interface
MTU | Maximum transmission unit (MTU) of the interface
number of DAD attempts | Number of conflicting addresses
ND reachable time | Time when the neighboring device became reachable
ND retransmit interval | Interval at which packets are retransmitted
Hosts use stateless autoconfig for addresses | Host address obtained using stateless autoconfiguration

display udp ipv6 statistics

Function

The display udp ipv6 statistics command displays IPv6 UDP packet statistics.

Format

display udp ipv6 statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

UDP is a communications protocol used to exchange packets on the Internet. It uses the simplest transmission model to send messages from one user application to another. To view IPv6 UDP packet statistics, run the display udp ipv6 statistics command. The following information is displayed:
  • Number of received and sent packets

  • Number of discarded packets

  • Number of redirected packets

Precautions

The number of packets received by a device includes the number of packets forwarded to another device, the number of packets sent to the upper layer on the device, and the number of packets discarded by the device.

Example

# Display IPv6 UDP packet statistics.

<HUAWEI> display udp ipv6 statistics
Received packets:
    Total: 0
    Checksum error: 0
    Shorter than header: 0
    Data length larger than packets: 0
    No socket on port :0
    Broadcast: 0
    Not delivered, input socket full: 0
    Input packets missing pcb cache: 0
Sent packets:
    Total: 0
-----------------------------------------------------------------------

Table 8-77  Description of the display udp ipv6 statistics command output

Item | Description
Received packets | Information about received packets
Total | Number of received packets
Checksum error | Number of packets with checksum errors
Shorter than header | Number of IPv6 UDP packets of which the actual length is smaller than the packet length field value in the packet header
Data length larger than packets | Number of packets with the data length larger than the packet length
No socket on port | Number of packets with no socket on the interface
Broadcast | Number of broadcast/multicast packets
Not delivered, input socket full | Number of packets that are not processed after the receive buffer is full
Input packets missing pcb cache | Number of received packets that miss the PCB cache
Sent packets | Information about the sent packets
Total | Number of sent packets

display udp ipv6 status

Function

The display udp ipv6 status command displays information about IPv6 UDP connections.

Format

display udp ipv6 status [ local-ip local-ip | local-port local-port | remote-ip remote-ip | remote-port remote-port ] * [ cid cid ] [ socket-id socket-id ]

Parameters

Parameter Description Value
local-ip local-ip Displays information about IPv6 UDP connections based on a specified local IP address. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
local-port local-port Displays information about IPv6 UDP connections based on a specified local port number. The value ranges from 0 to 65535.
remote-ip remote-ip Displays information about IPv6 UDP connections based on a specified remote IP address. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
remote-port remote-port Displays information about IPv6 UDP connections based on a specified remote port number. The value ranges from 0 to 65535.
cid cid Displays information about IPv6 UDP connections based on a specified CID of the APP component. The value ranges from 0 to 4294967295.
socket-id socket-id Displays information about IPv6 UDP connections based on a specified socket ID. The value ranges from 0 to 2147418111.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

Run the display udp ipv6 status command to view the following information about IPv6 UDP connections:

  • IPv6 UDP socket ID
  • CID of the APP component
  • Local IPv6 address and port number
  • Remote IPv6 address and port number

You can also specify the socket ID, local IP address, local port number, remote IP address, or remote port number so that only the information satisfying the specified parameter is displayed. This decreases the information output and increases the efficiency and accuracy in locating faults.

Precautions

If no UDP connections are established, no information is displayed in the display udp ipv6 status command output.

Example

# Display information about IPv6 UDP connections.

<HUAWEI> display udp ipv6 status
--------------------------------------------------------------------------------
    SockId        Cid Local Address             Foreign Address           FeNode           
--------------------------------------------------------------------------------
         3 0x8053271E ::->546                   ::->0                        265              
         3 0x80532725 ::->546                   ::->0                        266              
         4 0x8053271E ::->547                   ::->0                        265              
         4 0x80532725 ::->547                   ::->0                        266              
         8 0x805303FF ::->546                   ::->0                          0                
         8 0x805303FF ::->546                   ::->0                 4294901761       
         9 0x805303FF ::->547                   ::->0                          0                
         9 0x805303FF ::->547                   ::->0                 4294901761       
--------------------------------------------------------------------------------

Table 8-78  Description of the display udp ipv6 status command output

Item | Description
SockId | IPv6 UDP socket ID
Cid | CID of the APP component
Local Address | Local IPv6 address and port number of a UDP connection
Foreign Address | Remote IPv6 address and port number of a UDP connection
FeNode | Node ID of a board

ipv6 address

Function

The ipv6 address command configures a global unicast address for an interface.

The undo ipv6 address command deletes the global unicast address configured for an interface.

By default, no global unicast address is configured for an interface.

Format

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

undo ipv6 address [ ipv6-address prefix-length | ipv6-address/prefix-length ]

Parameters

Parameter Description Value
ipv6-address Specifies the IPv6 address to be configured for the interface. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length Specifies the prefix length of the IPv6 address. An IPv6 address whose prefix length is 128 bits can be configured only for a loopback interface. The value is an integer that ranges from 1 to 128.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A global unicast address is equivalent to an IPv4 public network address. Global unicast addresses are for links that can be aggregated and are provided for network service providers. The structure of global unicast addresses allows route-prefix aggregation, which limits the number of global routing entries. A global unicast address is composed of a 48-bit route prefix managed by operators, a 16-bit subnet ID managed by local nodes, and a 64-bit interface ID.

Configuring an IPv6 address with the prefix length of 127 has the following advantages:

  • Avoids loops in traffic forwarding on P2P links that have no neighbor discovery mechanisms.

  • Addresses the neighbor cache exhaustion issue when network devices are attacked.

  • Saves IPv6 address resources.

Prerequisites

Before running the ipv6 address command to configure a global unicast address for an interface, you need to run the ipv6 enable command in the interface view to enable the IPv6 function on the interface.

Configuration Impact

If the ipv6 address command is run to configure an IPv6 address for an interface but no link-local address is configured for the interface, the system automatically generates a link-local address for the interface.

If no parameter (IPv6 address and prefix length) is specified in the undo ipv6 address command, all the IPv6 addresses configured for the interface are deleted.

Precautions

The following conditions are prohibited for different interfaces on the same device:
  • The IPv6 addresses are the same.
  • The network prefixes of the IPv6 addresses are the same. For example, if the IPv6 address of interface A is 2001:db8::1/12 and its network prefix is 2000:: and the IPv6 address of interface B is 2001:db8::1/127 and its network prefix is 2001:db8::, the configuration succeeds. If the IPv6 address of interface B is 2002:db8::1/12 and its network prefix is also 2000::, the configuration fails.

An interface can be configured with a maximum of 16 global unicast addresses.

The 6to4 addresses can be configured for a 6to4 tunnel interface but not a 6in4 tunnel interface.

The following IPv6 addresses cannot be configured for an interface:
  • Loopback address (::1/128)

  • Unspecified address (::/128)

  • Multicast address

  • Anycast address

IPv4-mapped IPv6 addresses (0:0:0:0:0:FFFF:IPv4-address) can be configured on public networks but not on VPNs.

A global unicast address cannot be the same as its network prefix because an IPv6 address which is the same as its network prefix is a subnet-router anycast address reserved for a device. However, this rule does not apply to an IPv6 address with a 127-bit network prefix. For example, if the ipv6 address command is run to configure an IPv6 address as 2001:db8:5::10 with the prefix length of 124 bits and the network prefix of the IPv6 address is also 2001:db8:5::10, this IPv6 address is a subnet-router anycast address and cannot be configured as a global unicast address. To configure an IPv6 anycast address, run the ipv6 address anycast command.

Before configuring IPv6 addresses with prefixes longer than 64 bits on a switch, run the assign forward ipv6 longer-mask resource command to specify the number of IPv6 addresses and routes with prefixes longer than 64 bits supported by the switch.

Example

# Configure a global unicast address 2001:db8::1/64 for the 10GE interface.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 address 2001:db8::1 64
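
The address rules listed under Precautions can be checked before a change is pushed to a device. The following pre-check is an added example, not Huawei code; the function name, the interface inventory dictionary and the sample addresses are assumptions, and anycast addresses are not detected because they cannot be told apart from unicast addresses by value.

```python
import ipaddress

MAX_GLOBAL_UNICAST = 16  # per-interface limit stated in the Precautions


def check_ipv6_address(ifname, cidr, existing, is_loopback=False):
    """Return the reasons `cidr` would be refused on `ifname` (empty list = OK).

    `existing` maps interface name -> list of "address/length" strings already
    configured on the device (hypothetical inventory format).
    """
    new = ipaddress.IPv6Interface(cidr)
    addr, net = new.ip, new.network
    problems = []

    # Addresses that cannot be configured as a global unicast address.
    if addr == ipaddress.IPv6Address("::1"):
        problems.append("loopback address")
    if addr == ipaddress.IPv6Address("::"):
        problems.append("unspecified address")
    if addr.is_multicast:
        problems.append("multicast address")

    # A 128-bit prefix is accepted only on a loopback interface.
    if net.prefixlen == 128 and not is_loopback:
        problems.append("/128 is only allowed on a loopback interface")

    # An address equal to its own network prefix is the subnet-router anycast
    # address. The page exempts /127; /128 is exempt here as well because such
    # an address always equals its prefix.
    if addr == net.network_address and net.prefixlen < 127:
        problems.append("same as its network prefix (subnet-router anycast)")

    if len(existing.get(ifname, [])) >= MAX_GLOBAL_UNICAST:
        problems.append("interface already has 16 global unicast addresses")

    # Uniqueness across different interfaces of the same device.
    for other, configured in existing.items():
        if other == ifname:
            continue
        for entry in configured:
            peer = ipaddress.IPv6Interface(entry)
            if peer.ip == addr:
                problems.append(f"same address as {other}")
            elif peer.network == net:
                problems.append(f"same network prefix as {other}")
    return problems


if __name__ == "__main__":
    inventory = {"10GE1/0/1": ["2001:db8:1::1/64"]}  # constructed sample
    for candidate in ("2001:db8:2::1/64", "2001:db8:1::2/64", "2001:db8:5::10/124"):
        print(candidate, check_ipv6_address("10GE1/0/2", candidate, inventory))
```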

ipv6 address anycast

Function

The ipv6 address anycast command configures an anycast IPv6 address.

The undo ipv6 address anycast command deletes an anycast IPv6 address.

By default, anycast IPv6 addresses are not configured.

Format

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

Parameters

Parameter Description Value
ipv6-address Specifies an IPv6 address. The prefix is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length Specifies the prefix length of an IPv6 address. An IPv6 address whose prefix length is 128 bits can be configured only for a loopback interface. The value is an integer that ranges from 1 to 128.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An anycast address is used to identify a group of interfaces that are configured on different nodes. The packets that are sent to an anycast address are transmitted to an interface that is in the interface group identified by the anycast address and is closest to the source node. (The distance between an interface and the source node is calculated based on a routing protocol.)

When the 6to4 tunnel is used for communication between the 6to4 network and the native IPv6 network, you can configure an anycast address whose prefix is 2001:db8:1::1/64 on the tunnel interface of the 6to4 relay switch. If an anycast address is used, you need to configure the same address for the tunnel interfaces of all devices. In this manner, the number of addresses is reduced.

Prerequisites

Before running this command, run the ipv6 enable command in the interface view to enable the IPv6 function of the tunnel interface.

Configuration Impact

When the undo command is run, if no parameter is specified, all IPv6 addresses (including anycast addresses but excluding the link-local address that is configured automatically) are deleted.

Precautions

An anycast address cannot be used as a source address. Therefore, when a device is used to send packets, a global unicast address is configured for the device.

An anycast address is not necessarily a subnet-router anycast address and can be a global unicast address configured using the ipv6 address anycast command.

Before configuring IPv6 addresses with prefixes longer than 64 bits on a switch, run the assign forward ipv6 longer-mask resource command to specify the number of IPv6 addresses and routes with prefixes longer than 64 bits supported by the switch.

Example

# Configure the anycast address 2001:db8:1::1/64 on Tunnel 1 interface of the 6to4 tunnel.

<HUAWEI> system-view
[~HUAWEI] interface tunnel 1
[*HUAWEI-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[*HUAWEI-Tunnel1] ipv6 enable
[*HUAWEI-Tunnel1] ipv6 address 2001:db8:1:: 64 anycast

ipv6 address cga

Function

The ipv6 address cga command configures a CGA global unicast address.

The undo ipv6 address cga command deletes a CGA global unicast address.

By default, no CGA global unicast addresses are configured.

Format

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga

undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga

Parameters

Parameter Description Value
ipv6-address Specifies the prefix of an IPv6 address. The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length Specifies the prefix length of an IPv6 address. The value is an integer ranging from 1 to 64.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To enable IPv6 SEND to protect ND messages, you need to configure a CGA IPv6 address on an interface. Running the ipv6 address cga command configures a CGA IPv6 global unicast address.

Prerequisites

Before running the ipv6 address cga command, you must complete the following configurations:

  1. Run the rsa key-pair label command in the system view to create an RSA key pair.

  2. Run the ipv6 enable command in the interface view to enable IPv6 on the interface.

  3. Run the ipv6 security rsakey-pair command in the interface view to bind the created RSA key pair to the interface.

  4. Run the ipv6 security modifier command in the interface view to configure a modifier value and a security level for the CGA address.

Configuration Impact

If a CGA IPv6 address is configured for an interface, the ND message sent by the interface will carry CGA and RSA options. After receiving the ND message, the remote interface checks the validity of the ND message sender and the integrity of the ND message based on the CGA and RSA options. If the strict security mode is configured on a local interface, the interface processes secure packets and discards insecure packets sent from a remote interface.

Follow-up Procedure

Run the ipv6 nd security strict command to enable the strict security mode on the interface.

Precautions

An interface allows the configuration of a maximum of 16 global unicast addresses.

Running the undo command without specifying any parameter will delete all IPv6 addresses (including the CGA global unicast address) except the automatically configured IPv6 link-local address.

Example

# Configure a CGA global unicast address on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] rsa key-pair label huawei modulus 2048
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 security rsakey-pair huawei
[*HUAWEI-10GE1/0/1] ipv6 security modifier sec-level 1
[*HUAWEI-10GE1/0/1] ipv6 address 2001:db8::1/64 cga
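
How the modifier, the security level and the bound public key tie a CGA address to its owner can be seen by generating and checking one. This is an added example, not Huawei code: it follows the CGA hash construction of RFC 3972 and assumes the switch does the same, the public key bytes are a constructed stand-in, and the modifier search starts at zero (instead of a random value) so the result is reproducible. The RSA signature option that SEND also verifies is not covered.

```python
import hashlib
import ipaddress

# Constructed stand-in for the DER-encoded RSA public key that
# "ipv6 security rsakey-pair" binds to the interface. Only its bytes matter
# to the hash steps, so no real key is needed for this demonstration.
SAMPLE_PUBLIC_KEY = b"constructed-public-key-" + bytes(range(128))


def _sha1(data):
    return hashlib.sha1(data).digest()


def find_modifier(public_key, sec):
    """Search for a 16-byte modifier whose Hash2 starts with 16*sec zero bits."""
    counter = 0
    while True:
        modifier = counter.to_bytes(16, "big")
        # Hash2 covers the modifier, 9 zero bytes (subnet prefix and collision
        # count zeroed) and the public key; its leftmost 112 bits are used.
        hash2 = _sha1(modifier + bytes(9) + public_key)[:14]
        if hash2[: 2 * sec] == bytes(2 * sec):
            return modifier
        counter += 1


def interface_id(modifier, prefix, collisions, public_key, sec):
    """Build the 64-bit interface identifier from Hash1."""
    hash1 = bytearray(_sha1(modifier + prefix + bytes([collisions]) + public_key)[:8])
    # The top three bits carry Sec; the u and g bits (bits 6 and 7) are zero.
    hash1[0] = (sec << 5) | (hash1[0] & 0x1C)
    return bytes(hash1)


def generate_cga(cidr, public_key, sec):
    """Return (address, modifier, collision_count) for the prefix in `cidr`."""
    if not 0 <= sec <= 7:
        raise ValueError("sec must be between 0 and 7")
    net = ipaddress.IPv6Interface(cidr).network
    if net.prefixlen > 64:
        raise ValueError("a CGA needs the low-order 64 bits for the hash")
    prefix = net.network_address.packed[:8]
    modifier = find_modifier(public_key, sec)
    iid = interface_id(modifier, prefix, 0, public_key, sec)
    return ipaddress.IPv6Address(prefix + iid), modifier, 0


def verify_cga(address, modifier, collisions, public_key):
    """Receiver-side check that `address` is bound to `public_key`."""
    if collisions not in (0, 1, 2):
        return False
    packed = ipaddress.IPv6Address(address).packed
    prefix, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5
    # Compare Hash1 with the interface ID, ignoring the u and g bits.
    expected = interface_id(modifier, prefix, collisions, public_key, sec)
    if expected != bytes([iid[0] & 0xFC]) + iid[1:]:
        return False
    # The claimed security level must be backed by the Hash2 zero bits.
    hash2 = _sha1(modifier + bytes(9) + public_key)[:14]
    return hash2[: 2 * sec] == bytes(2 * sec)


if __name__ == "__main__":
    address, modifier, collisions = generate_cga("2001:db8::1/64", SAMPLE_PUBLIC_KEY, 1)
    print("CGA address:", address)
    print("verifies with bound key:", verify_cga(address, modifier, collisions, SAMPLE_PUBLIC_KEY))
    print("verifies with other key:", verify_cga(address, modifier, collisions, b"other-key"))
```

A receiver in strict security mode discards ND messages whose address fails this kind of check, which is why an address cannot be claimed without the matching key and modifier.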

ipv6 address eui-64

Function

The ipv6 address eui-64 command configures an EUI-64 global unicast address for an interface.

The undo ipv6 address eui-64 command deletes the configuration.

By default, no EUI-64 global unicast address is configured for an interface.

Format

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

Parameters

Parameter Description Value
ipv6-address Specifies the IPv6 address to be configured for the interface. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length Specifies the prefix length of the IPv6 address. The value is an integer that ranges from 1 to 128. In the EUI-64 address format, the prefix length must be less than 64.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the IPv6 addressing scheme, every IPv6 unicast address needs an interface identifier. The interface identifier is unique, similar to a 48-bit MAC address.

The interface identifier of an IPv6 host address complies with the IEEE EUI-64 format. A 64-bit interface identifier is generated based on an existing MAC address; therefore, such an interface identifier is unique globally.

Prerequisites

Before running the ipv6 address eui-64 command to configure an EUI-64 global unicast address for an interface, you need to run the ipv6 enable command in the interface view to enable the IPv6 function on the interface.

Configuration Impact

If the ipv6 address eui-64 command is run to configure an EUI-64 IPv6 address for an interface but no link-local address is configured for the interface, the system automatically generates a link-local address for the interface.

Precautions

The following conditions are prohibited for different interfaces on the same device:
  • The EUI-64 IPv6 addresses are the same.
  • The network prefixes of the EUI-64 IPv6 addresses are the same. For example, if the IPv6 address of interface A is 2001:db8:1::1/64 and its network prefix is 2001:db8:1:: and the IPv6 address of interface B is 2001:db8:2::1/64 and its network prefix is 2001:db8:2::, the configuration succeeds. If the IPv6 address of interface B is 2001:db8:1::2/64 and its network prefix is also 2001:db8:1::, the configuration fails.

An interface can be configured with a maximum of 16 global unicast addresses.

The following EUI-64 IPv6 addresses cannot be configured for an interface:
  • Loopback address (::1/128)

  • Unspecified address (::/128)

  • Multicast address

  • Anycast address

IPv4-mapped IPv6 addresses (0:0:0:0:0:FFFF:IPv4-address) can be configured on public networks but not on VPNs.

The ipv6 address command is used to specify a 128-bit IP address. Using the ipv6 address eui-64 command, you can specify the high-order 64 bits of an IPv6 address. The low-order 64 bits of the IP address are automatically generated in the EUI-64 format. Even when the low-order 64 bits are manually specified, the automatically generated ones will override them.

Example

# Configure an EUI-64 IPv6 address 2001:db8:1::1/64 for 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 address 2001:db8:1::1 64 eui-64

ipv6 address-policy

Function

The ipv6 address-policy command configures the policies for selecting source and destination addresses.

The undo ipv6 address-policy command deletes the policies for selecting source and destination addresses.

By default, only default address selection policy entries are configured. These entries are prefixed with ::1, ::, 2002::, FC00::, and ::ffff:0.0.0.0.

Format

ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length precedence label

undo ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length

Parameters

Parameter Description Value
vpn-instance vpn-instance-name Specifies the name of a VPN instance. The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.
ipv6-address Specifies an IPv6 address. The prefix is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length Specifies the prefix length of an IPv6 address. The value is an integer that ranges from 0 to 128.
precedence Specifies the priority of an IPv6 address when the address is the destination address. The value is an integer that ranges from 0 to 4294967295.
label Specifies the priority of an IPv6 address when the address is the source address. The value is an integer that ranges from 0 to 4294967295.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When specifying or planning source and destination addresses, define a group of rules for selecting addresses by using the ipv6 address-policy command. An address selection policy table is created based on these rules. This table, similar to a routing table, can be queried by using the longest matching rule. The address is selected based on the source and destination addresses.

Configuration Impact

  • The label parameter can be used to determine the result of source address selection. The address whose label value is the same as the label value of the destination address is selected preferably as the source address.
  • The destination address is selected based on both the label and precedence parameters. If label values of the candidate addresses are the same, the address whose precedence value is the largest is selected preferably as the destination address.

Precautions

The default policy entries are those whose prefixes are ::1, ::, 2002::, FC00::, and ::ffff:0.0.0.0.

Default policy entries cannot be configured by using a command.

Example

# Configure the priorities to be 15 and 20 respectively when the IPv6 address 2001::1/64 is used as a source address and a destination address.

<HUAWEI> system-view
[~HUAWEI] ipv6 address-policy vpn-instance one 2001::1 64 15 20

ipv6 blacklist packet permit

Function

The ipv6 blacklist packet permit command enables the system to reply with TCP/UDP packets to the source end.

The undo ipv6 blacklist packet permit command disables the system from replying with TCP/UDP packets to the source end.

By default, the system cannot reply with TCP/UDP packets to the source end.

Format

ipv6 blacklist packet permit

undo ipv6 blacklist packet permit

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If TCP6 or UDP6 packets are denied by a configured ACL6, the ipv6 blacklist packet permit command and its undo form control whether the system replies with packets to the source end.

  • Running the ipv6 blacklist packet permit command enables the system to reply with packets to the source end.

  • Running the undo ipv6 blacklist packet permit command disables the system from replying with packets to the source end.

Configuration Impact

After the ipv6 blacklist packet permit command is run, the system will reply with specific packets to the source end based on the type of the packets denied by the system.

  • If the denied packets are TCP6 packets, the system will reply with TCP-RST packets to the source end.

  • If the denied packets are UDP6 packets, the system will reply with PORT-UNREACHABLE packets to the source end.

Example

# Enable the system to reply with packets to the source end.

<HUAWEI> system-view
[~HUAWEI] ipv6 blacklist packet permit 

# Disable the system from replying with packets to the source end.

<HUAWEI> system-view
[~HUAWEI] undo ipv6 blacklist packet permit 

ipv6 enable (interface view)

Function

The ipv6 enable command enables the IPv6 capability on an interface.

The undo ipv6 enable command disables the IPv6 capability on an interface.

By default, the IPv6 capability is disabled on an interface.

Format

ipv6 enable

undo ipv6 enable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can perform other IPv6 configurations on an interface only when IPv6 is enabled in the interface view.

Configuration Impact

After the IPv6 function is disabled on the interface, the IPv6 addresses of the interface are deleted and IPv6-related commands can no longer be configured on the interface.

Follow-up Procedure

Perform IPv6-related configurations, including configuring IPv6 addresses and ND-related parameters (M flag, O flag, RA halt flag, interval for sending RA messages, lifetime of RA messages, interval for sending NS messages, DAD times, time period during which the IPv6 neighbor remains reachable, prefix carried in the RA message, and static ND entries); bind the interface to an IPv6 VPN.

Precautions

After you disable IPv6 on an interface, IPv6-related configurations are removed. For example, IS-IS IPv6 and RIPng are disabled on the interface, that is, the isis ipv6 enable and ripng enable commands become ineffective.

Example

# Enable the IPv6 capability on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable

ipv6 icmp hop-limit-exceeded send

Function

The ipv6 icmp hop-limit-exceeded send disable command disables an interface from sending ICMPv6 Hop Limit Exceeded messages.

The undo ipv6 icmp hop-limit-exceeded send disable command enables the function.

By default, the transmission of ICMPv6 Hop Limit Exceeded messages configured globally also takes effect on an interface.

Format

ipv6 icmp hop-limit-exceeded send disable

undo ipv6 icmp hop-limit-exceeded send disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

If a router receives a packet with a hop limit of 1, it replies with an ICMPv6 Hop Limit Exceeded message. This ICMPv6 error message carries the IPv6 address of the router as its source IPv6 address, which exposes the IPv6 address of the router and brings security risks. If the router is attacked by flooding packets, the router keeps replying with ICMPv6 Hop Limit Exceeded messages, causing high CPU usage and affecting device performance. To address this problem, run the ipv6 icmp hop-limit-exceeded send disable command on the outbound interface of ICMPv6 packets to disable the transmission of ICMPv6 Hop Limit Exceeded messages.

Example

# Disable 10GE 1/0/1 from sending ICMPv6 Hop Limit Exceeded messages.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 icmp hop-limit-exceeded send disable

ipv6 icmp host-unreachable send

Function

The ipv6 icmp host-unreachable send disable command disables an interface from sending ICMPv6 host-unreachable packets.

The undo ipv6 icmp host-unreachable send disable command enables an interface to send ICMPv6 host-unreachable packets.

By default, the transmission of ICMPv6 Host Unreachable messages configured globally also takes effect on an interface.

Format

ipv6 icmp host-unreachable send disable

undo ipv6 icmp host-unreachable send disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Heavy network traffic load (for example, sending ICMPv6 host-unreachable packets frequently) increases the processing load and degrades the device performance. You can run the ipv6 icmp host-unreachable send disable command to disable the interface from sending ICMPv6 host-unreachable packets, which improves network performance and security.

Example

# Disable the Vlanif 100 interface from sending ICMPv6 host-unreachable packets.

<HUAWEI> system-view
[~HUAWEI] interface Vlanif 100
[~HUAWEI-Vlanif100] ipv6 icmp host-unreachable send disable

ipv6 icmp port-unreachable send

Function

The ipv6 icmp port-unreachable send disable command disables an interface from sending ICMPv6 Port Unreachable messages.

The undo ipv6 icmp port-unreachable send disable command enables the function.

By default, the transmission of ICMPv6 Port Unreachable messages configured globally also takes effect on an interface.

Format

ipv6 icmp port-unreachable send disable

undo ipv6 icmp port-unreachable send disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

When a router receives a TCP6/UDP6 packet but cannot find the corresponding socket entry, the router replies with an ICMPv6 Port Unreachable message. This ICMPv6 error message carries the IPv6 address of the router as its source IPv6 address, which exposes the IPv6 address of the router and brings security risks. If the router is attacked by flooding packets, the router keeps replying with ICMPv6 Port Unreachable messages, causing high CPU usage and affecting device performance. To address this problem, run the ipv6 icmp port-unreachable send disable command on the interface that sends ICMPv6 packets to disable the transmission of ICMPv6 Port Unreachable messages.

Example

# Enable 10GE 1/0/1 to send ICMPv6 Port Unreachable messages.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] undo ipv6 icmp port-unreachable send disable

ipv6 icmp receive

Function

The ipv6 icmp receive disable command disables the system from accepting ICMPv6 packets.

The undo ipv6 icmp receive disable command enables the system to accept ICMPv6 packets.

By default, the system accepts ICMPv6 packets.

Format

ipv6 icmp { icmpv6-type icmpv6-code | echo | echo-reply | err-header-field | frag-time-exceeded | hop-limit-exceeded | host-admin-prohib | host-unreachable | neighbor-advertisement | neighbor-solicitation | network-unreachable | packet-too-big | port-unreachable | redirect | router-advertisement | router-solicitation | unknown-ipv6-opt | unknown-next-hdr | all } receive disable

undo ipv6 icmp { icmpv6-type icmpv6-code | echo | echo-reply | err-header-field | frag-time-exceeded | hop-limit-exceeded | host-admin-prohib | host-unreachable | neighbor-advertisement | neighbor-solicitation | network-unreachable | packet-too-big | port-unreachable | redirect | router-advertisement | router-solicitation | unknown-ipv6-opt | unknown-next-hdr | all } receive disable

Parameters

Parameter Description Value
icmpv6-type Type of ICMPv6 packets. An integer ranging from 0 to 255.
icmpv6-code Code of ICMPv6 packets. An integer ranging from 0 to 255.

echo ECHO packets. -
echo-reply ECHO response packets. -
err-header-field A packet generated in response to a packet with an error header. -
frag-time-exceeded A packet generated in response to a fragmentation-timeout packet. -
hop-limit-exceeded A packet generated in response to a packet with a large hop number. -
host-admin-prohib A packet generated in response to a packet that is rejected by a host. -
host-unreachable A packet generated in response to a packet that cannot be delivered to the host. -
neighbor-advertisement Neighbor advertisement packets. -
neighbor-solicitation Neighbor solicitation packets. -
network-unreachable A packet generated in response to a packet that cannot be delivered to the destination. -
packet-too-big A packet generated in response to a large-size error packet. -
port-unreachable A packet generated in response to a packet that cannot be delivered to the port. -
redirect Redirected packets. -
router-advertisement Router advertisement packets. -
router-solicitation Router solicitation packets. -
unknown-ipv6-opt A packet generated in response to a packet with unknown options. -
unknown-next-hdr A packet generated in response to a packet with unknown next header. -
all All ICMPv6 packets -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the network is performing well, routing devices receive a normal number of ICMPv6 packets. However, when network traffic load is heavy and host-unreachable or port-unreachable events occur frequently, routing devices receive a large number of ICMPv6 packets, which burdens the network and degrades the performance of the routing devices. In addition, attackers may use ICMPv6 error packets to probe the internal network topology.

To improve network performance and security, the ipv6 icmp receive disable command can be used to disable the system from accepting ICMPv6 response packets, packets in response to host-unreachable packets, and packets in response to port-unreachable packets.

Configuration Impact

After the ipv6 icmp receive disable command is run, the main interface is disabled from processing the ICMPv6 packets, and the system does not collect statistics about the ICMPv6 response packets, packets in response to host-unreachable packets, and packets in response to port-unreachable packets. Only the total number of discarded packets is collected.

Precautions

When the network is performing well, the undo ipv6 icmp receive disable command can be used to enable the system to accept ICMPv6 packets.

Example

# Enable the system to accept all ICMPv6 packets.

<HUAWEI> system-view
[~HUAWEI] undo ipv6 icmp all receive disable

# Disable the system from accepting ICMPv6 host-unreachable packets.

[*HUAWEI] ipv6 icmp host-unreachable receive disable

ipv6 icmp rate-limit packet-too-big disable

Function

The ipv6 icmp rate-limit packet-too-big disable command disables the suppression of ICMPv6 Packet Too Big messages.

The undo ipv6 icmp rate-limit packet-too-big disable command enables the suppression of ICMPv6 Packet Too Big messages.

By default, a device is enabled with the suppression of ICMPv6 Packet Too Big messages.

Format

ipv6 icmp rate-limit packet-too-big disable

undo ipv6 icmp rate-limit packet-too-big disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the size of an IPv6 packet sent by the source node exceeds the link MTU of the outbound interface on a network node, the network node replies with an ICMPv6 Packet Too Big message that contains the MTU value of the outbound interface on the network node.

If the source node receives excessive ICMPv6 Packet Too Big messages, much memory will be used, and the system performance will be affected. By default, the system is enabled with the suppression of ICMPv6 Packet Too Big messages by processing only 50 ICMPv6 Packet Too Big messages within 1 second. If a large number of path MTU requests exist within a short period of time, run the ipv6 icmp rate-limit packet-too-big disable command to disable the suppression of ICMPv6 Packet Too Big messages.

Example

# Enable the suppression of ICMPv6 Packet Too Big messages.

<HUAWEI> system-view
[~HUAWEI] undo ipv6 icmp rate-limit packet-too-big disable

ipv6 icmp send

Function

The ipv6 icmp send disable command disables the system from sending ICMPv6 messages.

The undo ipv6 icmp send disable command enables the system to send ICMPv6 messages.

By default, the system is enabled to send ICMPv6 messages.

Format

ipv6 icmp { icmpv6-type icmpv6-code | echo | echo-reply | err-header-field | frag-time-exceeded | hop-limit-exceeded | host-admin-prohib | host-unreachable | neighbor-advertisement | neighbor-solicitation | network-unreachable | packet-too-big | port-unreachable | redirect | router-advertisement | router-solicitation | unknown-ipv6-opt | unknown-next-hdr | all } send disable

undo ipv6 icmp { icmpv6-type icmpv6-code | echo | echo-reply | err-header-field | frag-time-exceeded | hop-limit-exceeded | host-admin-prohib | host-unreachable | neighbor-advertisement | neighbor-solicitation | network-unreachable | packet-too-big | port-unreachable | redirect | router-advertisement | router-solicitation | unknown-ipv6-opt | unknown-next-hdr | all } send disable

Parameters

Parameter Description Value
icmpv6-type Type of ICMPv6 packets. An integer ranging from 0 to 255.
icmpv6-code Code of ICMPv6 packets. An integer ranging from 0 to 255.
echo ECHO packets. -
echo-reply ECHO response packets. -
err-header-field A packet generated in response to a packet with an error header. -
frag-time-exceeded A packet generated in response to a fragmentation-timeout packet. -
hop-limit-exceeded A packet generated in response to a packet with a large hop number. -
host-admin-prohib A packet generated in response to a packet that is rejected by a host. -
host-unreachable A packet generated in response to a packet that cannot be delivered to the host. -
neighbor-advertisement Neighbor advertisement packets. -
neighbor-solicitation Neighbor solicitation packets. -
network-unreachable A packet generated in response to a packet that cannot be delivered to the destination. -
packet-too-big A packet generated in response to a large-size error packet. -
port-unreachable A packet generated in response to a packet that cannot be delivered to the port. -
redirect Redirected packets. -
router-advertisement Router advertisement packets. -
router-solicitation Router solicitation packets. -
unknown-ipv6-opt A packet generated in response to a packet with unknown options. -
unknown-next-hdr A packet generated in response to a packet with unknown next header. -
all All ICMPv6 packets -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a normal network, a device can correctly send or receive ICMPv6 messages; however, when network traffic load is heavy, host unreachable or port unreachable events frequently occur and switches need to send a large number of ICMPv6 messages, which burdens the network and degrades the performance of the switches. In addition, attackers usually use ICMPv6 error messages to probe the internal network topology illegitimately.

To improve network performance and security, you need to run the ipv6 icmp send disable command to disable the system from sending ICMPv6 Echo-Reply messages, Host-Unreachable messages, and Port-Unreachable messages.

Configuration Impact

After the system is disabled from sending ICMPv6 Echo-Reply messages, Host-Unreachable messages, and Port-Unreachable messages, the system counts only the number of discarded messages instead of the number of sent Echo-Reply messages, Host-Unreachable messages, and Port-Unreachable messages.

Precautions

When the network becomes normal again, you can run the undo ipv6 icmp send disable command to re-enable the system to process ICMPv6 messages.

Example

# Enable the system to send ICMPv6 messages.

<HUAWEI> system-view
[~HUAWEI] undo ipv6 icmp all send disable

# Disable the system from sending ICMPv6 Host-Unreachable messages.

[*HUAWEI] ipv6 icmp host-unreachable send disable

ipv6 icmp-error

Function

The ipv6 icmp-error command limits the rate of sending ICMPv6 error messages.

The undo ipv6 icmp-error command restores the default.

By default, the size of the token bucket is 10 and the interval for placing tokens into the bucket is 100 milliseconds.

Format

ipv6 icmp-error { bucket bucket-size | ratelimit interval } *

undo ipv6 icmp-error

Parameters

Parameter Description Value
bucket bucket-size Specifies the number of tokens the bucket contains. It is an integer ranging from 1 to 200.
ratelimit interval Specifies the interval for placing tokens into the bucket. The value is an integer ranging from 0 to 2147483647, in milliseconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a network is not under attack, a switch can correctly send ICMPv6 error messages to notify other devices of abnormalities in message transmission. If an attacker frequently sends ICMPv6 messages to network devices, the network devices need to respond with ICMPv6 messages, which greatly affects the throughput and CPU usage of the system. Therefore, to prevent the system from sending a great number of ICMPv6 messages, you can run the ipv6 icmp-error command to limit the rate at which ICMPv6 messages are sent.

The token bucket algorithm is used for counting ICMPv6 messages. One token represents an ICMPv6 message. The system places tokens into the virtual bucket at a certain interval until the number of tokens in the bucket reaches the upper limit. Once the number of ICMPv6 messages exceeds the maximum tokens that the bucket can contain, the excessive messages are discarded. You can limit the rate at which ICMPv6 messages are sent by setting the bucket size and the interval for placing tokens into the bucket.

Configuration Impact

The ipv6 icmp-error command overwrites earlier settings. That is, if the command is run twice with different bucket sizes and intervals, the latest setting takes effect.

If the interval for placing tokens into the bucket is 0, it indicates that the interval is not limited.

Example

# Set the interval for placing tokens into the bucket to 100 milliseconds.

<HUAWEI> system-view
[~HUAWEI] ipv6 icmp-error ratelimit 100

# Set the bucket size of ICMPv6 to 50.

<HUAWEI> system-view
[~HUAWEI] ipv6 icmp-error bucket 50

# Set the interval for placing tokens into the bucket to 100 milliseconds and the bucket size to 50.

<HUAWEI> system-view
[~HUAWEI] ipv6 icmp-error bucket 50 ratelimit 100
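
The following model of the token bucket described above is an added example, not Huawei code. It shows how many ICMPv6 error messages leave the device during a one-second flood for a given bucket size and interval. Assumptions not stated on this page: one token is added per interval, the bucket starts full, and time is counted in whole milliseconds; the names IcmpErrorLimiter and simulate are hypothetical.

```python
"""Token-bucket model of `ipv6 icmp-error { bucket bucket-size | ratelimit interval }`.

Assumptions (not stated on the page): one token is added per interval, the
bucket starts full, and time is counted in whole milliseconds.
"""

DEFAULT_BUCKET = 10        # page default: bucket size 10
DEFAULT_INTERVAL_MS = 100  # page default: tokens placed every 100 ms


class IcmpErrorLimiter:
    def __init__(self, bucket=DEFAULT_BUCKET, interval_ms=DEFAULT_INTERVAL_MS):
        # Ranges taken from the parameter table on this page.
        if not 1 <= bucket <= 200:
            raise ValueError("bucket-size must be 1..200")
        if not 0 <= interval_ms <= 2147483647:
            raise ValueError("interval must be 0..2147483647 ms")
        self.bucket = bucket
        self.interval_ms = interval_ms
        self.tokens = bucket          # assumption: bucket starts full
        self.last_refill_ms = 0
        self.sent = 0
        self.discarded = 0

    def _refill(self, now_ms):
        # Add one token per elapsed interval, never exceeding the bucket size.
        elapsed_intervals = (now_ms - self.last_refill_ms) // self.interval_ms
        if elapsed_intervals > 0:
            self.tokens = min(self.bucket, self.tokens + elapsed_intervals)
            self.last_refill_ms += elapsed_intervals * self.interval_ms

    def allow(self, now_ms):
        """Return True if an ICMPv6 error message may be sent at now_ms."""
        if self.interval_ms == 0:     # page: interval 0 means "not limited"
            self.sent += 1
            return True
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.discarded += 1           # no token left: the message is discarded
        return False


def simulate(limiter, triggers_per_ms, duration_ms):
    """Offer `triggers_per_ms` error-triggering packets every millisecond.

    Returns (sent, discarded) as counted by the limiter.
    """
    for now_ms in range(duration_ms):
        for _ in range(triggers_per_ms):
            limiter.allow(now_ms)
    return limiter.sent, limiter.discarded


if __name__ == "__main__":
    # Constructed load: 5 packets per ms for 1 s (5000 packets needing an error reply).
    for label, limiter in (
        ("default (bucket 10, ratelimit 100)", IcmpErrorLimiter()),
        ("bucket 50 ratelimit 100", IcmpErrorLimiter(50, 100)),
        ("ratelimit 0 (unlimited)", IcmpErrorLimiter(interval_ms=0)),
    ):
        sent, discarded = simulate(limiter, 5, 1000)
        print(f"{label}: sent={sent} discarded={discarded}")
```

Under these assumptions the bucket size only sets the size of the initial burst; the sustained reply rate is governed by the interval, so raising bucket-size alone does not raise the long-term load an attacker can induce.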

ipv6 mtu

Function

The ipv6 mtu command sets the maximum transmission unit (MTU) value for an interface to send IPv6 packets.

The undo ipv6 mtu command restores the default MTU value for an interface to send IPv6 packets.

Format

ipv6 mtu mtu

undo ipv6 mtu

Parameters

Parameter Description Value
mtu Specifies the MTU for an interface to send IPv6 packets.

The default IPv6 MTU value is recommended. The MTU values on various interfaces are as follows:

  • Ethernet interface and its sub-interface: The MTU value is an integer ranging from 1280 to 1500, in bytes. The default value is 1500.
  • GE interface and its sub-interface: The MTU value is an integer ranging from 1280 to 9600, in bytes. The default value is 1500.
  • Tunnel interface: The MTU value is an integer ranging from 1280 to 9600, in bytes. The default value is 1500.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the traffic capability on a link between the source and destination ends changes, this ipv6 mtu command is used to set the MTU value for sending IPv6 packets. If the packet length is greater than the IPv6 MTU of the interface, the system fragments the packet based on the set MTU value before forwarding the packet.

Configuration Impact

  • A dynamic path MTU discovery (PMTU) value is set based on IPv6 MTU values on interfaces.

    The PMTU mechanism helps the system obtain the smallest value among MTU values on all interfaces on the path between the source and destination ends.

  • If the IPv6 MTU value set using the ipv6 mtu command is smaller than the static PMTU value set using the ipv6 pathmtu command, the system fragments the packet based on the set MTU value before forwarding the packet.

Precautions

The directly connected interfaces must be assigned the same IPv6 MTU value.

Example

# Set the IPv6 MTU value to 1400 for 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 mtu 1400

# Set the IPv6 MTU value to 1400 for an Eth-Trunk interface.

<HUAWEI> system-view
[~HUAWEI] interface eth-trunk 1
[*HUAWEI-Eth-Trunk1] undo portswitch
[*HUAWEI-Eth-Trunk1] ipv6 mtu 1400

ipv6 nd autoconfig managed-address-flag

Function

The ipv6 nd autoconfig managed-address-flag command sets the "managed address configuration" flag (M flag) in the RA message, indicating whether hosts should use stateful autoconfiguration to obtain addresses.

The undo ipv6 nd autoconfig managed-address-flag command clears the "managed address configuration" flag (M flag) set in the RA message.

By default, the "managed address configuration" flag (M flag) is not set in the RA message.

Format

ipv6 nd autoconfig managed-address-flag

undo ipv6 nd autoconfig managed-address-flag

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  • If the M flag is set, the attached hosts should use stateful autoconfiguration to obtain IPv6 addresses.
  • If the M flag is not set, the attached hosts should use stateless autoconfiguration to obtain IPv6 addresses. For example, the attached hosts obtain IPv6 prefixes through the RA messages advertised by switches.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

If the ipv6 nd autoconfig managed-address-flag command is run, hosts can obtain additional configuration information (excluding IPv6 addresses) even if the ipv6 nd autoconfig other-flag command is not run. Additional configuration information includes the router lifetime, time period for the neighbor to keep reachable, retransmission interval, and PMTU.

To check whether the attached hosts obtain IPv6 addresses through stateful autoconfiguration or stateless autoconfiguration, run the display ipv6 interface command.

Precautions

The interface on a switch cannot use stateful address autoconfiguration and stateless address autoconfiguration simultaneously to obtain IPv6 addresses.

Example

# Set the M flag of stateful autoconfiguration in an RA packet on VLANIF100.

<HUAWEI> system-view
[~HUAWEI] interface vlanif 100
[*HUAWEI-Vlanif100] ipv6 enable
[*HUAWEI-Vlanif100] ipv6 nd autoconfig managed-address-flag

# Set the M flag of stateful autoconfiguration in an RA packet on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd autoconfig managed-address-flag

ipv6 nd autoconfig other-flag

Function

The ipv6 nd autoconfig other-flag command sets the "other configuration" flag (O flag) in the RA message, indicating whether hosts should use stateful autoconfiguration to obtain additional information (excluding addresses).

The undo ipv6 nd autoconfig other-flag command clears the "other configuration" flag (O flag) set in the RA message.

By default, the "other configuration" flag (O flag) is not set in the RA message.

Format

ipv6 nd autoconfig other-flag

undo ipv6 nd autoconfig other-flag

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  • If the O flag is set, the attached hosts should use stateful autoconfiguration to obtain additional configuration information (excluding IPv6 addresses). Additional configuration information includes the router lifetime, neighbor reachable time, retransmission interval, and PMTU.
  • If the O flag is not set, the attached hosts should use stateless autoconfiguration to obtain additional configuration information. That is, the attached hosts obtain additional configuration information through the RA messages advertised by switches.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

If the ipv6 nd autoconfig managed-address-flag command is run, hosts can obtain additional configuration information (excluding IPv6 addresses) even if the ipv6 nd autoconfig other-flag command is not run.

Precautions

The interface on a switch cannot use stateful and stateless address autoconfiguration simultaneously to obtain additional configuration information (excluding IPv6 addresses).

Example

# Set the "other configuration" flag (O flag) on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd autoconfig other-flag

ipv6 nd auto-detect disable

Function

The ipv6 nd auto-detect disable command disables the auto-detection of ND entries.

The undo ipv6 nd auto-detect disable command enables the auto-detection of ND entries.

By default, the auto-detection function is enabled for ND entries.

Format

ipv6 nd auto-detect disable

undo ipv6 nd auto-detect disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve network reliability, you can run the undo ipv6 nd auto-detect disable command to enable the auto-detection of ND entries so that the system can send Neighbor Solicitation (NS) messages to probe whether its neighbors are reachable before aging ND entries.

Configuration Impact

If the system receives a Neighbor Advertisement (NA) message from a neighbor responding to the sent NS message, the system updates the aging time of the ND entries. If the system does not receive any NA message, the ND entries automatically age.

You are recommended to keep the auto-detection of ND entries enabled.

Precautions

If the auto-detection of ND entries is not enabled, the system directly deletes ND entries when the aging time of ND entries expires or the system no longer probes the reachability of its neighbors after the aging time of the passively established ND entries expires.

Example

# Enable the auto-detection of ND entries.

<HUAWEI> system-view
[~HUAWEI] undo ipv6 nd auto-detect disable

ipv6 nd dad attempts

Function

The ipv6 nd dad attempts command sets the number of NS messages that are sent when Duplicate Address Detection (DAD) is performed.

The undo ipv6 nd dad attempts command restores the default setting.

By default, one NS message is sent when DAD is performed.

Format

ipv6 nd dad attempts value

undo ipv6 nd dad attempts

Parameters

Parameter Description Value
value Specifies the number of NS messages that are sent when DAD is performed. It is an integer ranging from 0 to 600.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you configure IPv6 addresses (including global unicast IPv6 addresses and link-local IPv6 addresses) for interfaces, the DAD function is required. DAD verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces on the local link. It ensures that the IPv6 address to be allocated to an interface is not used by any other interfaces connected with this interface and thus avoids address conflicts.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

If the number of NS messages that are sent when DAD is performed is set to 0, it indicates that DAD is prohibited.

Precautions

When the physical link on an interface fails, DAD cannot be implemented on the interface.

When traffic is heavy, a larger value is recommended to increase the number of NS messages that can be sent.

Example

# Set the number of NS messages that are sent when DAD is performed to 20.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd dad attempts 20

# Disable the DAD function.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd dad attempts 0

ipv6 nd hop-limit

Function

The ipv6 nd hop-limit command sets the maximum number of hops through which IPv6 unicast packets sent by the switch are allowed to pass.

The undo ipv6 nd hop-limit command restores the default setting.

By default, the IPv6 unicast packets sent by the switch can pass through 64 hops.

Format

ipv6 nd hop-limit limit

undo ipv6 nd hop-limit

Parameters

Parameter Description Value
limit Specifies the hop limit. It is an integer ranging from 1 to 255.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A hop limit on the switch provides the following functions:

  • Controlling the number of hops through which IPv6 unicast packets are allowed to pass.

  • Helping a host automatically generate a hop limit

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

The hop limit for unicast packets is set using the ipv6 nd hop-limit command in the system view.

The hop limit for RA messages can be set using the ipv6 nd hop-limit command in the system view, or can be set using the ipv6 nd ra hop-limit command in the interface view:
  • If the hop limit for RA messages is not set in the interface view or in the system view, the hop limit for RA messages is 64 by default.
  • If the hop limit for RA messages is not set in the interface view but in the system view, the configuration in the system view takes effect.
  • If the hop limit for RA messages is set in the interface view, the configuration in the interface view takes effect, no matter whether the hop limit is set in the system view.

Precautions

The hop limit for IPv6 unicast packets sent by the switch is usually of the same value as the hop limit carried in an RA message. In the following cases, however, the hop limit for IPv6 unicast packets sent by the switch is 64 (the default value) whereas the hop limit carried in an RA message is 0.

  • No hop limit is set for IPv6 unicast packets sent by the switch.
  • The undo ipv6 nd hop-limit command is run to restore the default hop limit set on the switch.

After receiving an RA message with the hop limit of 0, a host uses the default hop limit 64, which is the same as the default hop limit on the switch.

Example

# In the system view, set the hop limit to 100 for IPv6 unicast packets sent by the switch.

<HUAWEI> system-view
[~HUAWEI] ipv6 nd hop-limit 100

ipv6 nd neighbor-limit

Function

The ipv6 nd neighbor-limit command configures the maximum number of dynamic neighbor entries allowed by an interface.

The undo ipv6 nd neighbor-limit command cancels the configuration.

By default, the maximum number of dynamic neighbor entries allowed by an interface is not configured.

Format

ipv6 nd neighbor-limit max-number

undo ipv6 nd neighbor-limit [ max-number ]

Parameters

Parameter Description Value
max-number Specifies the maximum number of dynamic neighbor entries allowed by an interface. The value is an integer ranging from 0 to 16384.
NOTE:

Setting the max-number parameter to 0 is equivalent to running the undo ipv6 nd neighbor-limit [ max-number ] command.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Upon receipt of a large number of RA messages from an attacker, a device learns dynamic neighbor entries, which consumes high CPU and memory resources. To defend against RA flooding attacks, run the ipv6 nd neighbor-limit command to configure the maximum number of dynamic neighbor entries allowed by an interface.

When the number of dynamic neighbor entries exceeds a specified threshold, a large amount of redundant information exists, and the device stops recording. In this case, you can run the reset ipv6 neighbors command to clear specified dynamic neighbor entries. However, this operation may affect IPv6 packet forwarding. Exercise caution when you perform this operation.

Example

# Configure the maximum number of dynamic neighbor entries allowed by an interface as 16000.

<HUAWEI> system-view
[~HUAWEI] interface vlanif 10
[~HUAWEI-Vlanif10] ipv6 nd neighbor-limit 16000

ipv6 nd ns retrans-timer

Function

The ipv6 nd ns retrans-timer command sets the interval for sending NS messages.

The undo ipv6 nd ns retrans-timer command restores the default setting.

By default, the interval for sending NS messages is 1000 milliseconds.

Format

ipv6 nd ns retrans-timer interval

undo ipv6 nd ns retrans-timer

Parameters

Parameter Description Value
interval Specifies the interval for sending NS messages. The value is an integer ranging from 1000 to 4294967295, in milliseconds.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The interval for sending NS messages provides the following functions:

  • Controlling the interval for a local switch to probe the reachability of neighbors

  • Controlling the interval for a local switch to perform DAD

  • Being a parameter field in an RA message to notify the hosts of the interval for sending NS messages

Prerequisites

Before running the ipv6 nd ns retrans-timer command to set the interval for sending NS messages, you need to run the ipv6 enable command in the interface view to enable the IPv6 function on the interface.

Configuration Impact

Frequently sending NS messages results in the high CPU usage, which affects the system performance. Therefore, you are recommended to set the interval for sending NS messages to a longer value. The default interval, 1000 milliseconds, is recommended.

The ipv6 nd ns retrans-timer command overwrites earlier settings. That is, if the command is run twice with different intervals, the latest setting takes effect.

Precautions

NOTE:
Commonly, the interval for sending NS messages is the same as that for sending RA messages. In the following cases, however, the interval for sending NS messages is of the default value 1000 milliseconds whereas the interval for sending NA messages is 0 milliseconds.
  • The interval for sending NS messages is not set, that is, the default value is used.
  • The undo ipv6 nd ns retrans-timer command is run to restore the default setting.

After a host receives an RA message with the interval for sending NA messages being 0 milliseconds from a switch, it uses the default interval, 1000 milliseconds for sending NS messages, consistent with that on the switch.

Example

# Set the interval for sending NS messages to 10000 milliseconds on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ns retrans-timer 10000

ipv6 nd nud reachable-time

Function

The ipv6 nd nud reachable-time command configures the neighbor reachable time.

The undo ipv6 nd nud reachable-time command restores the default neighbor reachable time.

By default, the IPv6 neighbor reachable time is 1200000 milliseconds.

Format

ipv6 nd nud reachable-time value

undo ipv6 nd nud reachable-time

Parameters

Parameter Description Value
value Specifies the neighbor reachable time. The value is an integer ranging from 1 to 3600000, in milliseconds.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The IPv6 neighbor reachable time provides the following functions:

  • Controlling the aging time of ND entries on a local switch

  • Being a parameter in an RA message to help a host to generate the neighbor reachable time

Each RA message sent by a switch carries the neighbor reachable time so that all the nodes along the same link can use the same time.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

A smaller neighbor reachable time set on a switch indicates that the switch can probe the neighbor reachability more quickly but more network bandwidth and CPU resources are occupied. Therefore, on a normal IPv6 network, you are not recommended to set the neighbor reachable time to a smaller value. The default value, 1200000 milliseconds, is recommended.

The ipv6 nd nud reachable-time command overwrites earlier settings. That is, if the command is run twice with different neighbor reachable times, the latest setting takes effect.

Precautions

Commonly, the neighbor reachable time set on a switch is the same as that carried in an RA message. In the following cases, however, the neighbor reachable time set on a switch is of the default value 1200000 milliseconds whereas the neighbor reachable time carried in the RA message is 0 milliseconds:

  • The neighbor reachable time is not set on the switch, that is, the default value is used.

  • The undo ipv6 nd nud reachable-time command is run to restore the default setting.

After a host receives an RA message with the neighbor reachable time being 0 milliseconds, it uses the default neighbor reachable time 1200000 milliseconds, consistent with that on the switch.

Example

# Set the neighbor reachable time on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd nud reachable-time 10000
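
The M flag, O flag, hop limit, NS retransmission interval, and neighbor reachable time described in the preceding sections are all carried in the fixed part of the RA message. The following added example (not Huawei code) parses a captured RA and reports what an attached host ends up using, so that the advertised values can be audited against the intended configuration. The RA layout follows RFC 4861; the fallback values for a field of 0 are the ones stated on this page; the names parse_ra, host_view, and build_ra are hypothetical and the sample messages are constructed.

```python
import struct

ICMPV6_RA = 134              # Router Advertisement message type (RFC 4861)
OPT_MTU = 5                  # MTU option type (RFC 4861)
FLAG_M, FLAG_O = 0x80, 0x40  # "managed address" and "other configuration" flags

# Values this page says a host falls back to when the RA carries 0 in the field.
PAGE_DEFAULTS = {"hop_limit": 64, "reachable_ms": 1200000, "retrans_ms": 1000}


def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 type byte. The checksum is not verified."""
    if len(icmp6) < 16:
        raise ValueError("truncated RA: fixed part is 16 bytes")
    typ, code, _cksum, hop, flags, lifetime, reachable, retrans = struct.unpack(
        "!BBHBBHII", icmp6[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    mtu, off = None, 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0:
            raise ValueError("option with length 0")
        if off + opt_len > len(icmp6):
            raise ValueError("option overruns the message")
        if opt_type == OPT_MTU and opt_len == 8:
            mtu = struct.unpack("!I", icmp6[off + 4:off + 8])[0]
        off += opt_len
    return {"m_flag": bool(flags & FLAG_M), "o_flag": bool(flags & FLAG_O),
            "hop_limit": hop, "router_lifetime_s": lifetime,
            "reachable_ms": reachable, "retrans_ms": retrans, "mtu": mtu}


def host_view(ra: dict) -> dict:
    """What an attached host ends up using, following the rules stated on this page."""
    view = {key: (ra[key] or PAGE_DEFAULTS[key]) for key in PAGE_DEFAULTS}
    view["address_config"] = "stateful" if ra["m_flag"] else "stateless"
    # Per the page, with M set hosts can obtain other configuration even without O.
    view["other_config"] = "stateful" if (ra["m_flag"] or ra["o_flag"]) else "stateless"
    view["mtu"] = ra["mtu"]
    return view


def build_ra(hop, flags, lifetime, reachable, retrans, mtu=None) -> bytes:
    """Construct sample RA bytes (checksum left as 0) for the demo."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop, flags, lifetime, reachable, retrans)
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg


# Constructed samples. SAMPLE_DEFAULT models a switch with none of the commands
# configured (fields 0, flags clear). SAMPLE_MANAGED models the page's examples:
# M flag set, hop limit 100, reachable time 10000, NS interval 10000, MTU 1400.
# The router lifetime of 1800 seconds is a constructed value.
SAMPLE_DEFAULT = build_ra(0, 0, 1800, 0, 0)
SAMPLE_MANAGED = build_ra(100, FLAG_M, 1800, 10000, 10000, mtu=1400)

if __name__ == "__main__":
    for name, raw in (("default", SAMPLE_DEFAULT), ("managed", SAMPLE_MANAGED)):
        print(name, host_view(parse_ra(raw)))
```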

ipv6 nd pre-detect

Function

The ipv6 nd pre-detect command enables the pre-detection of ND entries.

The undo ipv6 nd pre-detect command disables the pre-detection of ND entries.

By default, the pre-detection of ND entries is not enabled.

Format

ipv6 nd pre-detect

undo ipv6 nd pre-detect

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To enable a switch to send an NS message to detect the validity of ND entries before the ND entries change from the REACHABLE state to the STALE state, you can enable the pre-detection of ND entries. If the neighbor still exists, the ND entry status is REACHABLE; otherwise, the ND entry is deleted. In this manner, the forwarding plane no longer needs to frequently sense ND entry status changes. Instead, it considers all the existent entries as available to packet forwarding, thereby improving forwarding efficiency.

Configuration Impact

Enabling the pre-detection of ND entries does not affect the system compatibility.

As defined in the ND protocol standard, if an ND entry is in the STALE state and a packet needs to use this entry, a switch must send an NS message to detect the availability of the entry. It is recommended that you keep the pre-detection of ND entries disabled unless the entries are frequently in the STALE state and ND entry probes are repeatedly triggered during the lower-layer forwarding process, which affects the forwarding efficiency.

Precautions

By default, an ND entry changes from the REACHABLE state to the STALE state if it remains unused for 20 minutes.

Example

# Enable pre-detection on ND entries in the system view.

<HUAWEI> system-view
[~HUAWEI] ipv6 nd pre-detect

ipv6 nd ra

Function

The ipv6 nd ra command sets the interval for sending RA messages.

The undo ipv6 nd ra command restores the default setting.

By default, the maximum interval is 600s. If the maximum interval for advertising RA packets is 9s or greater, the default minimum interval is 1/3 of the maximum interval. In other cases, the default minimum interval is the same as the maximum interval for advertising RA packets.

Format

ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

undo ipv6 nd ra { max-interval | min-interval }

Parameters

Parameter Description Value
max-interval maximum-interval Specifies the maximum interval for the device to advertise RA messages. The value is an integer ranging from 4 to 1800, in seconds. The maximum interval cannot be shorter than 4/3 of the minimum interval.
min-interval minimum-interval Specifies the minimum interval for the device to send RA messages. The value is an integer ranging from 3 to 1350, in seconds.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A switch periodically sends RA messages. An RA message carries both the IP address prefix and the flag of stateful address autoconfiguration.

You can run the ipv6 nd ra command to change the interval for sending RA messages.

Prerequisites

Before running the ipv6 nd ra command to set the interval for sending RA messages, you need to run the ipv6 enable command in the interface view to enable the IPv6 function on the interface.

Configuration Impact

Running the ipv6 nd ra command will change the number of NS messages that are sent when DAD is performed. Therefore, using the default interval is recommended.

The ipv6 nd ra command is an overwrite command. That is, if the command is run more than once with different intervals, the latest setting takes effect.

Precautions

Commonly, the interval for sending RA messages must be shorter than or equal to the lifetime of the RA messages. You can run the ipv6 nd ra router-lifetime command to change the lifetime of the RA messages.

The actual interval for sending RA messages is a random value between max-interval and min-interval.

Example

# Set the maximum interval for sending RA messages to 1000 seconds.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ra max-interval 1000

# Set the minimum interval for sending RA messages to 300 seconds.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ra min-interval 300

ipv6 nd ra advertised-mtu disable

Function

The ipv6 nd ra advertised-mtu disable command disables RA messages from carrying the MTU option.

The undo ipv6 nd ra advertised-mtu disable command restores the default configuration.

By default, RA messages carry the MTU option.

Format

ipv6 nd ra advertised-mtu disable

undo ipv6 nd ra advertised-mtu disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the MTU value contained in RA messages is the same as that configured using the ipv6 mtu command. If the ipv6 mtu command has not been run to configure the MTU option, the default interface MTU is used. To disable RA messages sent by a device from carrying the MTU option, run the ipv6 nd ra advertised-mtu disable command.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

Upon receipt of the RA messages that carry the MTU option, the host adjusts the size of the RA messages to be forwarded based on the MTU value.

Example

# Configure the VLANIF10 so that the RA messages sent by the interface do not carry the MTU option.

<HUAWEI> system-view
[~HUAWEI] interface vlanif 10
[~HUAWEI-Vlanif10] ipv6 enable
[*HUAWEI-Vlanif10] ipv6 nd ra advertised-mtu disable

ipv6 nd ra preference

Function

The ipv6 nd ra preference command configures the default router preference value in the RA packets.

The undo ipv6 nd ra preference command restores the router preference value in RA packets to the default value.

By default, the router preference of RA packets is medium.

Format

ipv6 nd ra preference { high | medium | low }

undo ipv6 nd ra preference

undo ipv6 nd ra preference { high | medium | low }

Parameters

Parameter Description Value
high Specifies the default router preference to be high. -
medium Specifies the default router preference to be medium. -
low Specifies the default router preference to be low. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If there are multiple switches on the links connected to a host, the host needs to select suitable switches based on different destination addresses of the packets to be forwarded. Each switch advertises its default router priority and specific route information to the host so that the host can enhance its own capability of selecting suitable forwarding switches based on different IP addresses of the packets to be forwarded.

After receiving an RA message that contains route information, the host updates its own routing table. Before sending packets to other devices, the host can search the updated route information to select a suitable route to forward the packets.

After receiving an RA message that contains the default router priority, the host updates its own default router list. If the host does not have any route to select when sending packets to other devices, the host will search the updated router list for the switch with the highest priority. If the switch with the highest priority becomes faulty, the host selects another switch in descending order of priority.

To set a default router priority in RA messages, run the ipv6 nd ra preference command. This setting allows the switch with the highest priority to function as the gateway for hosts.

Prerequisites

Before running this command, run the ipv6 enable command in the interface view to enable the IPv6 function.

By default, the switch does not advertise RA packets. Therefore, to allow the default router preference to be advertised to the host, you need to run the undo ipv6 nd ra halt command to enable the function of advertising RA packets for the device.

Precautions

If the system is deleting the binding relationship between an interface and an IPv6 address family VPN instance, you are prompted not to run the ipv6 nd ra preference command.

Example

# Configure the default router preference value in RA packets on 10GE1/0/1 to be high.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] undo ipv6 nd ra halt
[*HUAWEI-10GE1/0/1] ipv6 nd ra preference high

ipv6 nd ra prefix

Function

The ipv6 nd ra prefix command configures the prefix carried in RA messages sent by the switch.

The undo ipv6 nd ra prefix command configures RA messages not to carry the specified prefix.

By default, RA messages contain only the prefix specified through the ipv6 address command.

Format

ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

undo ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefix-length }

ipv6 nd ra prefix default no-advertise

undo ipv6 nd ra prefix default no-advertise

Parameters

Parameter Description Value
ipv6-address Specifies the IPv6 address carried in the RA message. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
ipv6-prefix-length Specifies the prefix length of the IPv6 address. The value is an integer that ranges from 0 to 128. Based on the IPv6 address and prefix length, a host can calculate the IPv6 prefix carried in the RA message. When allocating the IPv6 address by means of stateless auto-configuration, specify the length of address prefixes as 64 bits. Otherwise, the address will be invalid and RA messages will be discarded.
ipv6-prefix Specifies the IPv6 address prefix. The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
valid-lifetime Specifies the valid lifetime of the prefix. It is an integer ranging from 0 to 4294967295 seconds.
preferred-lifetime Specifies the preferred lifetime of the prefix. It is an integer ranging from 0 to 4294967295 seconds. The preferred lifetime cannot be bigger than the valid lifetime.
no-autoconfig Deletes the A-Flag. If this parameter is configured, a configured prefix cannot be used in stateless address allocation. -
off-link Indicates the O-Flag. If the ipv6 nd ra prefix command contains off-link, it indicates that the prefix carried in the RA message received by the host on the local link cannot be allocated to the local link. When the host sends packets to the address with this prefix, the packet needs to be forwarded through a default router. -
default no-advertise Indicates that RA messages do not carry the default prefix generated based on the interface IPv6 address. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the ipv6 nd ra prefix command is run to configure a prefix, the device advertises both the address prefix configured using the ipv6 nd ra prefix command and that using the ipv6 address command.

By default, RA messages do not carry the default prefix generated based on the interface IPv6 address. If a user does not want the RA message to carry the default address prefix, run the ipv6 nd ra prefix default no-advertise command.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

After a host receives the RA message with the prefix configured through the ipv6 nd ra prefix command, the host updates the local prefix information.

Precautions

The prefix configured through the ipv6 nd ra prefix command cannot be fe80:: (prefix of a link-local address), ff00:: (prefix of a multicast address), or the prefix of an unspecified address. Nor can it be a prefix that has been used by another interface (including the interface address prefix and the prefix carried in RA messages).

Example

# On 10GE 1/0/1, configure the prefix carried in RA messages advertised by the switch.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ra prefix 2001:db8:1::100 64 100 10
[*HUAWEI-10GE1/0/1] ipv6 nd ra prefix 2001:db8:2::100 128 1000 400 no-autoconfig
[*HUAWEI-10GE1/0/1] ipv6 nd ra prefix 2001:db8:1::100 64 1000 400 off-link

# Configure the 10GE 1/0/1 to not carry the default address prefix in RA messages.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ra prefix default no-advertise

ipv6 nd ra halt disable

Function

The ipv6 nd ra halt disable command enables the switch to send RA messages.

The undo ipv6 nd ra halt disable command suppresses the switch from sending RA messages.

By default, the switch is suppressed from sending RA messages.

Format

ipv6 nd ra halt disable

undo ipv6 nd ra halt disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  • When a switch is connected to a host, it needs to periodically send RA messages to the host. An RA message carries both the IPv6 prefix and flag of stateful address autoconfiguration. You can run the ipv6 nd ra halt disable command to enable a switch to send RA messages.
  • When a switch is connected to a switch, that is, there is no host on the network, sending RA messages is not required. In this case, keeping RA message suppression enabled is recommended.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

After the undo ipv6 nd ra halt disable command is run to suppress a switch from sending RA messages, the switch no longer sends RA messages. In such a case, the hosts on the network cannot receive information about updated IPv6 prefixes periodically.

Precautions

By default, sending RA messages is suppressed. You can run the display icmpv6 statistics command to check whether a local switch has sent RA messages.

Example

# Suppress a switch from sending RA messages on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] undo ipv6 nd ra halt disable

ipv6 nd ra hop-limit

Function

The ipv6 nd ra hop-limit command sets the maximum number of hops through which IPv6 unicast packets sent by the switch are allowed to pass.

The undo ipv6 nd ra hop-limit command restores the default maximum number of hops for an RA message.

By default, the default maximum number of hops for an RA message is 64.

Format

ipv6 nd ra hop-limit limit

undo ipv6 nd ra hop-limit

Parameters

Parameter Description Value
limit Specifies the maximum number of hops for an RA message. The value is an integer ranging from 0 to 255.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The hop limit is a parameter carried in an RA message. It defines the maximum number of hops that the RA message (which is an IPv6 unicast packet) passes through.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

If the switch finds that the hop limit in its received RA message is different from that configured on the switch itself, the switch will discard this RA message.

Precautions

  • If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an RA message uses the value configured on the interface.

  • If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA message uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.

Example

# Configure the maximum number of hops for an RA message to be 126.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ra hop-limit 126

ipv6 nd ra router-lifetime

Function

The ipv6 nd ra router-lifetime command sets the lifetime of the RA messages sent by a switch.

The undo ipv6 nd ra router-lifetime command restores the default setting.

By default, the lifetime for RA messages is three times the maximum interval for advertising RA messages.

Format

ipv6 nd ra router-lifetime ra-lifetime

undo ipv6 nd ra router-lifetime

Parameters

Parameter Description Value
ra-lifetime Specifies the lifetime of the RA messages sent by a switch. The value is 0 or an integer ranging from 4 to 9000, in seconds.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A switch adds the lifetime of the RA message to the RA message before sending the RA message to the hosts on the local network segment. The lifetime indicates the validity period of this switch as a default router of these hosts.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

If a host receives an RA message with the lifetime field being 0 from a switch, it does not update the address of this switch in its own default router entries.

Precautions

The lifetime of the RA messages must be longer than or equal to the interval for sending RA messages. (By default, the maximum and minimum intervals for sending RA messages are 600 seconds and 200 seconds, respectively. You can run the ipv6 nd ra command to set a proper interval.) If the set lifetime of the RA messages is shorter than the set interval for sending RA messages, the system prompts an error. In such a case, you need to re-set the lifetime.

Example

# On 10GE 1/0/1, set the lifetime of the RA messages sent by a switch to 1000s.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd ra router-lifetime 1000
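
The limits stated for ipv6 nd ra, ipv6 nd ra prefix, and ipv6 nd ra router-lifetime interact, so a planned interface configuration can be checked before it is committed. The following Python lint is an added example, not Huawei code; the function names and the sample configurations are constructed, and comparing router-lifetime against max-interval is an assumption about how the device applies the lifetime rule.

```python
import ipaddress

DEFAULT_MAX_INTERVAL = 600  # seconds; default maximum RA interval stated in this reference


def _lint_prefix(args):
    """Check the arguments of one 'ipv6 nd ra prefix' line against the stated rules."""
    if args[0] == "default":          # 'prefix default no-advertise': nothing to check
        return []
    if "/" in args[0]:                # ipv6-prefix/ipv6-prefix-length form
        addr, plen = args[0].split("/")
        rest = args[1:]
    else:                             # ipv6-address ipv6-prefix-length form
        addr, plen, rest = args[0], args[1], args[2:]
    plen, valid, preferred = int(plen), int(rest[0]), int(rest[1])
    flags = set(rest[2:])
    base = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False).network_address
    out = []
    if preferred > valid:
        out.append(f"prefix {addr}/{plen}: preferred-lifetime exceeds valid-lifetime")
    if base.is_link_local or base.is_multicast or base.is_unspecified:
        out.append(f"prefix {addr}/{plen}: link-local, multicast or unspecified prefix")
    if "no-autoconfig" not in flags and plen != 64:
        out.append(f"prefix {addr}/{plen}: stateless autoconfiguration needs a 64-bit prefix")
    return out


def lint_ra_config(lines):
    """Return a list of findings for the 'ipv6 nd ra' lines of one interface."""
    findings = []
    max_i, min_i, lifetime = DEFAULT_MAX_INTERVAL, None, None
    for raw in lines:
        tok = raw.split("] ", 1)[-1].split()   # drop a leading CLI prompt if present
        if tok[:3] != ["ipv6", "nd", "ra"] or len(tok) < 5:
            continue                           # 'undo' lines and other commands are ignored
        kind, args = tok[3], tok[4:]
        if kind == "max-interval":
            max_i = int(args[0])
            if not 4 <= max_i <= 1800:
                findings.append(f"max-interval {max_i} outside 4-1800")
        elif kind == "min-interval":
            min_i = int(args[0])
            if not 3 <= min_i <= 1350:
                findings.append(f"min-interval {min_i} outside 3-1350")
        elif kind == "router-lifetime":
            lifetime = int(args[0])
            if lifetime != 0 and not 4 <= lifetime <= 9000:
                findings.append(f"router-lifetime {lifetime} is neither 0 nor 4-9000")
        elif kind == "prefix":
            findings += _lint_prefix(args)
    # max-interval cannot be shorter than 4/3 of min-interval (integer form of the rule).
    if min_i is not None and 3 * max_i < 4 * min_i:
        findings.append(f"max-interval {max_i} is shorter than 4/3 of min-interval {min_i}")
    # Assumption: the lifetime is compared with max-interval, the longest possible gap
    # between two RA messages. A lifetime of 0 is a permitted value and is not compared.
    if lifetime not in (None, 0) and lifetime < max_i:
        findings.append(f"router-lifetime {lifetime} is shorter than max-interval {max_i}")
    return findings


# Constructed sample input: a consistent plan and one that breaks four rules.
PLANNED_OK = [
    "[*HUAWEI-10GE1/0/1] ipv6 nd ra max-interval 1000",
    "[*HUAWEI-10GE1/0/1] ipv6 nd ra min-interval 300",
    "[*HUAWEI-10GE1/0/1] ipv6 nd ra router-lifetime 1000",
    "[*HUAWEI-10GE1/0/1] ipv6 nd ra prefix 2001:db8:1::100 64 1000 400 off-link",
]
PLANNED_BAD = [
    "ipv6 nd ra min-interval 1000",          # default max-interval 600 < 4/3 * 1000
    "ipv6 nd ra router-lifetime 300",        # shorter than the default max-interval
    "ipv6 nd ra prefix fe80::/64 100 400",   # link-local prefix, preferred > valid
]

if __name__ == "__main__":
    for finding in lint_ra_config(PLANNED_BAD):
        print(finding)
```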

ipv6 nd ra route-information

Function

The ipv6 nd ra route-information command configures route information in RA packets.

The undo ipv6 nd ra route-information command deletes route information in RA packets.

By default, there is no route in RA packets.

Format

ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime [ preference { high | medium | low } ]

undo ipv6 nd ra route-information ipv6-address prefix-length

undo ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime [ preference { high | medium | low } ]

Parameters

Parameter Description Value
ipv6-address Specifies the prefix of an IPv6 address. The prefix is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length Specifies the prefix length of an IPv6 address. The value is an integer that ranges from 0 to 128.
lifetime route-lifetime Specifies the lifetime of a route. The value is an integer ranging from 0 to 4294967295, in seconds.
preference Specifies the priority of a route. -
high Specifies the route priority to be high. -
medium Specifies the route priority to be medium. -
low Specifies the route priority to be low. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Application Environment

An RA packet includes route information. The switch sends the specified routes to the hosts on the local network segment by using this information. The hosts can send packets by using these routes.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

By default, the switch does not send RA packets. Therefore, to send the routes to the host, you need to run the undo ipv6 nd ra halt command to enable the function of advertising RA packets for the device.

Configuration Impact

When receiving the RA packets carrying route information, a host updates its routing table. When sending the RA packets to another device, a host queries the routing table and selects a proper route for sending packets.

Precautions

When this command is to be run, the value of ipv6-address cannot be a loopback address.

Example

# Configure the route information of RA packets on 10GE1/0/1: The lifetime of the route with the destination address of 2001:db8::12/64 is 1550 seconds, and the priority of this route is high.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] undo ipv6 nd ra halt
[*HUAWEI-10GE1/0/1] ipv6 nd ra route-information 2001:db8::12 64 lifetime 1550 preference high

ipv6 nd security key-length

Function

The ipv6 nd security key-length command sets a key length that is allowed on an interface.

The undo ipv6 nd security key-length command restores the default key length.

By default, the minimum key length is 512 bits and the maximum key length is 2048 bits.

Format

ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *

undo ipv6 nd security key-length

Parameters

Parameter Description Value
minimum keylen-value Specifies the minimum key length allowed on the interface. The value is an integer ranging from 384 to 2048, in bits.
maximum keylen-value Specifies the maximum key length allowed on the interface. The value is an integer ranging from 384 to 2048, in bits.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an interface enabled with the strict security mode receives an ND message, it verifies the RSA key in the ND message to determine whether the ND message is secure. To set a key length that is allowed on an interface, you can run the ipv6 nd security key-length command. If the key length of the received ND message is out of the length range allowed on the interface, the interface regards the ND message as insecure and discards it.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Follow-up Procedure

Run the ipv6 nd security strict command to enable the strict security mode on the interface.

Example

# Set a minimum key length and a maximum key length allowed on an interface to 1500 bits and 2000 bits respectively.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd security key-length minimum 1500 maximum 2000
[*HUAWEI-10GE1/0/1] ipv6 nd security strict

ipv6 nd security rate-limit

Function

The ipv6 nd security rate-limit command sets a rate limit for the system to compute or verify the RSA signature in a specified period (1s).

The undo ipv6 nd security rate-limit command deletes a rate limit.

By default, no rate limit is set for the system to process the RSA signature.

Format

ipv6 nd security rate-limit ratelimit-value

undo ipv6 nd security rate-limit

Parameters

Parameter Description Value
ratelimit-value Specifies a rate limit for the system to compute or verify the RSA signature in a specified period (1s). The value is an integer ranging from 1 to 100, in messages per second.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If an attacker keeps sending SEND messages to a device, the device will be busy verifying the RSA signature. To limit the rate at which the interface verifies the RSA signature of the SEND messages, you can run the ipv6 nd security rate-limit command. If the rate at which the interface verifies the RSA signature of the SEND messages is out of the allowed range, the device will regard these messages as insecure and discard them.

Example

# Configure the system to process a maximum of 10 received ND messages per second.

<HUAWEI> system-view
[~HUAWEI] ipv6 nd security rate-limit 10

ipv6 nd security strict

Function

The ipv6 nd security strict command enables the strict security mode on an interface.

The undo ipv6 nd security strict command restores the default security mode.

By default, the strict security mode is not enabled on an interface.

Format

ipv6 nd security strict

undo ipv6 nd security strict

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an interface needs to reject insecure ND messages, you can run the ipv6 nd security strict command to configure the interface to work in strict security mode. By default, an interface receives all secure and insecure ND messages.

An interface regards a received ND message as insecure in any of the following cases:

  • The received ND message does not carry a CGA or RSA option. That is, the interface that sent the ND message does not have a CGA address.
  • The key length in the received ND message is out of the range allowed on the interface.
  • The rate of processing the received ND message exceeds the rate limit of the system.
  • The difference between the receive time and the send time of the ND message is out of the range allowed on the interface.
NOTE:
On a link, device A is configured with strict IPv6 SEND whereas device B is not. In this case, device A regards the ND messages sent from device B as insecure and rejects them.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

After the strict security mode is enabled on an interface, the system will not perform Duplicate Address Detection (DAD) on insecure nodes. In this case, the insecure conflicting addresses that may exist on the network cannot be detected. Therefore, re-triggering of DAD is recommended after the strict security mode is disabled.

Precautions

If an interface has been enabled to work in strict security mode, configure all addresses of the interface as CGA addresses. Otherwise, the interface may select a common IPv6 address as the source address, which causes a security check failure and a service interruption.

Example

# Enable the strict security mode on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd security strict

ipv6 nd security timestamp

Function

The ipv6 nd security timestamp command sets timestamp parameters for an ND message.

The undo ipv6 nd security timestamp command restores default timestamp parameters of an ND message.

By default, the maximum difference between the receive time and send time of an ND message is 300 seconds; the maximum difference between the system time of the sender and the system time of the receiver is 1%; the maximum alive time of an ND message is 1 second.

Format

ipv6 nd security timestamp { delta delta-value | drift drift-value | fuzz-factor fuzz-value } *

undo ipv6 nd security timestamp { delta | drift | fuzz-factor }

Parameters

Parameter Description Value
delta delta-value Specifies the maximum difference between the receive time and send time of an ND message. The value is an integer ranging from 0 to 1000, in seconds.
drift drift-value Specifies the maximum difference between the system time of the sender and the system time of the receiver. The value is an integer ranging from 0 to 100.
fuzz-factor fuzz-value Specifies the maximum alive time of an ND message. If the difference between the receive time and send time of an ND message is larger than delta-value but smaller than fuzz-value, the ND message can still be received by the interface. The value is an integer ranging from 0 to 1000, in seconds.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an ND message to be sent to an interface is intercepted by an attacker, the ND message will be delayed. Therefore, you can run the ipv6 nd security timestamp command to set timestamp parameters. The system then calculates an allowed time range based on these timestamp parameters. If the difference between the send time and receive time of an ND message is out of the allowed time range, the ND message will be regarded as invalid and discarded.

  • If no neighbor relationship is established between a local interface and a remote interface, the allowed time range can be calculated based on the following formula:

    -delta-value < (RDnew - TSnew) < +delta-value

  • If a neighbor relationship has been established between a local interface and a remote interface, the allowed time range can be calculated based on the following formula:

    TSnew + fuzz-value > TSlast + (RDnew - RDlast) x (1 - drift-value) - fuzz-value

NOTE:
  • RDnew: the local time at which the new SEND message is received
  • RDlast: the local time at which the last SEND message for this peer is accepted
  • TSnew: the timestamp value present in the new received SEND message (the time is recorded by the sender in the Timestamp option in the newly sent ND message)
  • TSlast: the timestamp value of the last received and accepted SEND message (the time is recorded by the sender in the Timestamp option in the last sent ND message)

For example, Switch A sends the first ND message to Switch B at 4:00 (the system time of Switch A). That is, TSnew is 4:00. Switch B receives the ND message at 5:00 (the system time of Switch B). That is, RDnew is 5:00. If the received ND message is considered secure, Switch B records TSlast as 4:00 and RDlast as 5:00.

Then, Switch A sends the second ND message to Switch B at 4:05 (the system time of Switch A). That is, TSnew is 4:05. Switch B receives the ND message at 5:05 (the system time of Switch B). That is, RDnew is 5:05. If the received ND message is considered secure, Switch B records TSlast as 4:05 and RDlast as 5:05.
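
The two formulas above can be exercised on concrete values to see which messages a receiver keeps. The following Python model is an added example, not Huawei code; the class and function names, the peer addresses, and all times (in seconds) are constructed, and drift-value is assumed to be a percentage that is converted to a fraction before it is used in the formula.

```python
from dataclasses import dataclass


@dataclass
class TimestampPolicy:
    delta: float = 300.0         # delta-value in seconds (default stated in this reference)
    drift_percent: float = 1.0   # drift-value; assumed to be a percentage (default 1%)
    fuzz: float = 1.0            # fuzz-value in seconds (default stated in this reference)


class SendTimestampChecker:
    """Per-peer timestamp check built from the two formulas in this section."""

    def __init__(self, policy=None):
        self.policy = policy or TimestampPolicy()
        self._last = {}          # peer -> (RDlast, TSlast) of the last accepted message

    def accept(self, peer, rd_new, ts_new):
        """Return True if the message passes the check; times are in seconds."""
        p = self.policy
        if peer not in self._last:
            # No neighbor relationship yet: -delta < (RDnew - TSnew) < +delta
            ok = -p.delta < (rd_new - ts_new) < p.delta
        else:
            # Known neighbor:
            # TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz
            rd_last, ts_last = self._last[peer]
            drift = p.drift_percent / 100.0
            ok = ts_new + p.fuzz > ts_last + (rd_new - rd_last) * (1 - drift) - p.fuzz
        if ok:
            # Only an accepted message updates the stored RDlast and TSlast.
            self._last[peer] = (rd_new, ts_new)
        return ok


def timestamp_demo():
    """Run constructed messages through the checker and return the verdicts."""
    chk = SendTimestampChecker()
    peer = "fe80::1"  # constructed peer whose clock is 120 s behind the receiver
    return [
        chk.accept(peer, rd_new=14520, ts_new=14400),       # first contact, offset 120 s
        chk.accept(peer, rd_new=14820, ts_new=14700),       # next message, 300 s later
        chk.accept(peer, rd_new=14830, ts_new=14700),       # same timestamp seen again
        chk.accept(peer, rd_new=15120, ts_new=14710),       # message delayed in transit
        chk.accept("fe80::2", rd_new=18000, ts_new=14400),  # new peer, clock one hour off
    ]


if __name__ == "__main__":
    print(timestamp_demo())
```

The last case shows that a first message from a peer whose clock differs by more than delta-value fails the check, so clock synchronization between SEND peers matters before strict security mode is enabled.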

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command in the interface view.

Follow-up Procedure

Run the ipv6 nd security strict command to enable the strict security mode on the interface.

Example

# Set the maximum difference (delta value) between the receive time and send time of an ND message to 10s.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd security timestamp delta 10
[*HUAWEI-10GE1/0/1] ipv6 nd security strict

ipv6 nd stale-timeout

Function

The ipv6 nd stale-timeout command sets the timeout period of the STALE state of ND entries.

The undo ipv6 nd stale-timeout command restores the default setting.

By default, the timeout period of the STALE state of ND entries is 1200 seconds.

Format

ipv6 nd stale-timeout seconds

undo ipv6 nd stale-timeout

Parameters

Parameter Description Value
seconds Specifies the timeout period of the STALE state of ND entries. The value is an integer that ranges from 60 to 172800, in seconds.

Views

System view, Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The STALE state of an ND entry indicates that it is unknown whether the neighbor is reachable. Probing whether the neighbor is reachable is not performed unless there is a packet to be sent to this neighbor.

The timeout period of the STALE state of ND entries is a variable. If you want to quickly clear invalid ND entries, you can set the timeout period to a smaller value through the ipv6 nd stale-timeout command to speed up entry aging.

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

After the ipv6 nd stale-timeout command is run, the status of ND entries can be updated after the timeout period of the STALE state of ND entries expires.

Precautions

The system probes the validity of ND entries again after the timeout period of the STALE state of ND entries expires. If the neighbor is reachable, the ND entry status changes to REACHABLE; otherwise, the ND entry is deleted.

An ND entry contains information about the IPv6 address of the neighbor, link-layer address of the neighbor, status of the ND entry, interface name of the ND entry, time when the ND entry is created, VLAN ID of the ND entry, and VPN name of the neighbor. For detailed explanation, see the description of the output of the display ipv6 neighbors command.

Example

# Set the timeout period of the STALE state of ND entries to 2400 seconds for the entire device.

<HUAWEI> system-view
[~HUAWEI] ipv6 nd stale-timeout 2400

# Set the timeout period of the STALE state of ND entries to 3600 seconds on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 nd stale-timeout 3600

ipv6 neighbor

Function

The ipv6 neighbor command configures a static entry in the IPv6 neighbor discovery cache.

The undo ipv6 neighbor command deletes a static entry from the IPv6 neighbor discovery cache.

By default, no static entry is configured.

Format

VLANIF interface view:

ipv6 neighbor ipv6-address mac-address vlan vlan-id interface-type interface-number

undo ipv6 neighbor ipv6-address

VBDIF interface view:

ipv6 neighbor ipv6-address mac-address interface-type interface-number

ipv6 neighbor ipv6-address mac-address vlan vlan-id [ cevlan cevlan-id ] interface-type interface-number

undo ipv6 neighbor ipv6-address

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view:

ipv6 neighbor ipv6-address mac-address

undo ipv6 neighbor ipv6-address

Layer 3 sub-interface view:

ipv6 neighbor ipv6-address mac-address [ vlan vlan-id ]

undo ipv6 neighbor ipv6-address

NOTE:

Only dot1q termination Layer 3 sub-interfaces support the vlan parameter.

Parameters

Parameter Description Value
ipv6-address Specifies the IPv6 address of a static entry.

The address is a 32-bit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

mac-address Specifies the data link layer address of the static entry.

The value is a 12-digit hexadecimal number, in the format of H-H-H. Each H is 4 digits. If an H contains fewer than 4 digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0.

vlan vlan-id Specifies the ID of the VLAN to which a VLANIF interface belongs.

The value is an integer ranging from 1 to 4094.

cevlan cevid Specifies the inner VLAN ID of CE.

The value is an integer ranging from 1 to 4094.

interface-type interface-number Specifies the type and number of a physical interface. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To filter illegal packets, you can create static ND entries that bind the destination IPv6 addresses of these packets to nonexistent MAC addresses.

Prerequisites

Before running the ipv6 neighbor command to configure a static entry, you need to run the ipv6 enable command in the interface view to enable the IPv6 function on the interface.

Configuration Impact

An ND entry enters the REACHABLE state after being created, indicating that the interface connected to this neighbor is Up. If the interface connected to this neighbor turns Down, the ND entry needs to be deleted.

Static ND entries overwrite the ND entries dynamically learned by switches. That is, static ND entries have a higher priority than dynamically learned ND entries.

Precautions

You can configure a maximum of 16K static ND entries on an interface.

If the IPv6 address or MAC address specified in the ipv6 neighbor command is incorrect, communication with this neighbor fails.

You can run the reset ipv6 neighbors command to delete dynamic ND entries.

Example

# Configure static entries in the IPv6 neighbor discovery cache on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 neighbor 2001:db8::1 fe-e0-89

# Configure static entries in the IPv6 neighbor discovery cache on VLAN interface 1.

<HUAWEI> system-view
[~HUAWEI] interface Vlanif 1
[*HUAWEI--vlanif1] ipv6 enable
[*HUAWEI--vlanif1] ipv6 neighbor 2001:db8::1 fe-e0-89 vlan 1 10ge 1/0/1

# Configure static entries in the IPv6 neighbor discovery cache on a QinQ interface.

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 1/0/0.1
[*HUAWEI--GigabitEthernet 1/0/0.1] control-vid 1 qinq-termination
[*HUAWEI--GigabitEthernet 1/0/0.1] ipv6 enable
[*HUAWEI--GigabitEthernet 1/0/0.1] qinq termination pe-vid 1 ce-vid 2
[*HUAWEI--GigabitEthernet 1/0/0.1] ipv6 neighbor 2001:db8::1 1-1-1 vid 1 cevid 2

ipv6 pathmtu

Function

The ipv6 pathmtu command sets a PMTU for a specified destination IPv6 address.

The undo ipv6 pathmtu command deletes the PMTU set for a specified destination IPv6 address.

By default, the PMTU of a specified destination IPv6 address is 1500 bytes.

Format

ipv6 pathmtu ipv6-address [ vpn-instance vpn-instance-name ] [ path-mtu ]

undo ipv6 pathmtu ipv6-address [ vpn-instance vpn-instance-name ]

Parameters

Parameter Description Value
ipv6-address Specifies the IPv6 address for which a PMTU is to be set. The address is a 32-bit hexadecimal number, in the format of X:X:X:X:X:X:X:X. The address can be a unicast address only.
vpn-instance vpn-instance-name Specifies the name of an IPv6 VPN instance for which a PMTU is to be set.

The value is a string of 1 to 31 case-sensitive characters.

The specified IPv6 VPN instance must exist on the device.

path-mtu Specifies the path MTU, that is, the maximum size of IPv6 packets allowed to be sent along the path. The value is an integer ranging from 1280 to 10000, in bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Path Maximum Transmission Unit (PMTU) is used to determine the proper size of packets to be transmitted along the path from a source to a destination. Commonly, a device fragments and forwards packets based on the dynamic PMTU learning function of the system, trying not to fragment packets during transmission. In this manner, loads on intermediate switches are reduced, network resources are used effectively, and throughput is optimized.

In some special cases, however, to protect devices on the network and avoid large-packet attacks, you can run the ipv6 pathmtu command to set a static PMTU for the specified destination IPv6 address to control the maximum size of packets that can be transmitted between the source and the destination.

Configuration Impact

On the path along which packets are transmitted, a node discards received packets if its MTU is smaller than the PMTU of the received packets. Therefore, in most cases, dynamic PMTU learning is recommended unless there are security vulnerabilities on the network. In that case you do not need to run the ipv6 pathmtu command to set a static PMTU; the default PMTU is used.

Precautions

The priorities of the static PMTU, dynamic PMTU, and default PMTU of the system are in a descending order.

Example

# Set the PMTU for the specified IPv6 address to 1300 bytes.

<HUAWEI> system-view
[~HUAWEI] ipv6 pathmtu 2001:db8::12 1300

# Set the PMTU for the address 2001:db8::1 in the IPv6 VPN instance to 1600 bytes.

<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpn6
[*HUAWEI] ipv6-family
[*HUAWEI] ipv6 pathmtu 2001:db8::1 vpn-instance vpn6 1600

ipv6 pathmtu age

Function

The ipv6 pathmtu age command sets the aging time for a dynamic PMTU.

The undo ipv6 pathmtu age command restores the default aging time.

By default, the aging time of the dynamic PMTU is 10 minutes.

Format

ipv6 pathmtu age age-time

undo ipv6 pathmtu age

Parameters

Parameter Description Value
age-time Specifies the aging time of the dynamic PMTU, in minutes. The value is an integer ranging from 10 to 100.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can change the lifetime of a PMTU by setting an aging time for the PMTU.

If you want to slow down PMTU aging, run the ipv6 pathmtu age command to change the aging time of the PMTU to a larger value.

Configuration Impact

This command can be used to change only the aging time of dynamic PMTUs. It is not applicable to static PMTUs because static PMTUs cannot age.

Precautions

The priority of a static PMTU is higher than that of a dynamic PMTU. If the static PMTU exists, the dynamic PMTU does not take effect.

The aging time for the PMTU is valid only for the dynamic PMTU entries generated after this configuration, instead of the PMTU entries generated before this configuration.

Example

# Set the aging time for a dynamic PMTU to 40 minutes.

<HUAWEI> system-view
[~HUAWEI] ipv6 pathmtu age 40

ipv6 security modifier

Function

The ipv6 security modifier command sets a modifier value and a security level for a CGA address.

The undo ipv6 security modifier command deletes the modifier value and security level of a CGA address.

By default, no modifier value is set for a CGA address and the security level is 0.

Format

ipv6 security modifier sec-level sec-value [ modifier-value ]

undo ipv6 security modifier

Parameters

Parameter Description Value
sec-level sec-value

Specifies the security level of the CGA address.

The value is an integer that can be 0 or 1.

1 indicates the highest security level. If the security level is 1, the modifier value will be automatically generated.

The modifier value can be manually configured only when the security level of the CGA address is 0.

modifier-value

Specifies the modifier value of the CGA address.

The value is a 32-digit hexadecimal number, in the format of XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before configuring a CGA address, you need to run the ipv6 security modifier command to set a modifier value and a security level for the CGA address. A CGA address is calculated by using a specific algorithm based on the public key, modifier value, and security level. The higher the security level, the more secure the generated CGA address.

After a CGA address is configured for an interface, the ND messages sent by the interface are protected against attacks.

Prerequisites

Before running the ipv6 security modifier command, you must complete the following configurations:

  1. Run the rsa key-pair label command in the system view to create an RSA key pair.

  2. Run the ipv6 enable command in the interface view to enable IPv6 on the interface.

  3. Run the ipv6 security rsakey-pair command in the interface view to bind the created RSA key pair to the interface.

Configuration Impact

If a modifier value and a security level have already been configured on an interface, the binding between the RSA key pair and the interface cannot be deleted.

Follow-up Procedure

Run the ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga command or the ipv6 address ipv6-address link-local [ cga ] command to configure a CGA address.

Precautions

If a CGA address has been configured on an interface, the modifier value and security level of the CGA address cannot be deleted.

Example

# Configure a modifier value and a security level for the CGA address on 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] rsa key-pair label huawei modulus 2048
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 security rsakey-pair huawei
[*HUAWEI-10GE1/0/1] ipv6 security modifier sec-level 1
[*HUAWEI-10GE1/0/1] ipv6 address 2001:db8:1::1/64 cga
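
The relationship between the public key, modifier value, and security level described under Usage Scenario, shown as an added example that is not Huawei's code or device output. It follows the CGA algorithm of RFC 3972 and assumes the device conforms to it; SAMPLE_PUBKEY is a constructed stand-in for the DER-encoded public key of the bound RSA key pair, and all function names are assumptions of this example.

```python
"""CGA generation and verification per RFC 3972, limited to Sec 0 and 1."""
import hashlib
import ipaddress

# Constructed stand-in for the DER-encoded public key (not a real key).
SAMPLE_PUBKEY = b"constructed-stand-in-for-DER-encoded-RSA-public-key"

# Interface-ID bits that carry Hash1: everything except the Sec bits
# (bits 0-2, leftmost) and the u/g bits (bits 6-7).
IID_HASH_MASK = 0x1CFFFFFFFFFFFFFF


def _sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()


def hash2_ok(modifier, pubkey, sec):
    """Return True if the 16*Sec leftmost bits of Hash2 are zero."""
    hash2 = _sha1(modifier.to_bytes(16, "big"), bytes(9), pubkey)[:14]
    return int.from_bytes(hash2[:2 * sec], "big") == 0


def hash1_iid_bits(modifier, prefix8, collision, pubkey):
    """Hash1 over modifier, subnet prefix, collision count and public key."""
    hash1 = _sha1(modifier.to_bytes(16, "big"), prefix8,
                  bytes([collision]), pubkey)[:8]
    return int.from_bytes(hash1, "big") & IID_HASH_MASK


def generate_cga(prefix, pubkey, sec, modifier=0):
    """Return (address, final modifier) for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("a CGA needs a 64-bit subnet prefix")
    if sec not in (0, 1):
        raise ValueError("this example supports Sec 0 and 1 only")
    # Sec 0: the Hash2 condition is always met, so a manually chosen
    # modifier is kept unchanged.
    # Sec 1: the modifier must be searched for (about 2**16 tries on
    # average), which is why it cannot simply be typed in.
    while not hash2_ok(modifier, pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
    prefix8 = net.network_address.packed[:8]
    iid = hash1_iid_bits(modifier, prefix8, 0, pubkey) | (sec << 61)
    return ipaddress.IPv6Address(prefix8 + iid.to_bytes(8, "big")), modifier


def verify_cga(address, modifier, pubkey, collision=0):
    """Receiver-side check that an address is bound to this public key.

    The subnet prefix is taken from the address itself here; a SEND
    receiver takes it from the CGA parameters and compares the two.
    """
    packed = ipaddress.IPv6Address(address).packed
    if collision not in (0, 1, 2):
        return False
    prefix8, iid = packed[:8], int.from_bytes(packed[8:], "big")
    sec = iid >> 61  # Sec is read from the address, not trusted from the peer
    if hash1_iid_bits(modifier, prefix8, collision, pubkey) != (iid & IID_HASH_MASK):
        return False
    return hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    addr, mod = generate_cga("2001:db8:1::/64", SAMPLE_PUBKEY, sec=1)
    print(addr, format(mod, "032x"), verify_cga(addr, mod, SAMPLE_PUBKEY))
```

A neighbor that presents a different public key or modifier for the same address fails verify_cga, which is what lets a receiver reject ND messages from a node that does not own the address.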

ipv6 security rsakey-pair

Function

The ipv6 security rsakey-pair command binds an RSA key pair to an interface.

The undo ipv6 security rsakey-pair command unbinds an RSA key pair from an interface.

By default, an RSA key pair is not bound to any interface.

Format

ipv6 security rsakey-pair key-label

undo ipv6 security rsakey-pair key-label

Parameters

Parameter Description Value
key-label

Specifies the name of an RSA key pair.

The value is a string of 1 to 35 case-sensitive characters. Spaces are not supported.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An RSA key pair can be used to generate a modifier value and a CGA address on an interface only after the ipv6 security rsakey-pair command is run to bind the RSA key pair to the interface.

After a CGA address is configured for an interface, the ND messages sent by the interface are protected against attacks.

Prerequisites

  1. An RSA key pair has been created using the rsa key-pair label command in the system view.

  2. IPv6 has been enabled on an interface using the ipv6 enable command in the interface view.

Follow-up Procedure

  1. Run the ipv6 security modifier command in the interface view to configure a modifier value and a security level for the CGA address.

  2. Run the ipv6 address cga command or the ipv6 address ipv6-address link-local cga command in the interface view to configure a CGA address.

Precautions

The binding between an RSA key pair and an interface cannot be deleted in the following cases:

  • A modifier value and a security level are configured on the interface.
  • A CGA address is configured on the interface.

Example

# Bind a key pair named huawei to 10GE 1/0/1.

<HUAWEI> system-view
[~HUAWEI] rsa key-pair label huawei modulus 2048
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] ipv6 enable
[*HUAWEI-10GE1/0/1] ipv6 security rsakey-pair huawei
[*HUAWEI-10GE1/0/1] ipv6 security modifier sec-level 1
[*HUAWEI-10GE1/0/1] ipv6 address 2001:db8:1::1/64 cga

snmp-agent trap enable feature-name ipv6

Function

The snmp-agent trap enable feature-name ipv6 command enables the trap function for the IPv6 module.

The undo snmp-agent trap enable feature-name ipv6 command disables the trap function for the IPv6 module.

By default, the trap function is disabled for the IPv6 module.

Format

snmp-agent trap enable feature-name ipv6 [ trap-name ipv6ifstatechange ]

undo snmp-agent trap enable feature-name ipv6 [ trap-name ipv6ifstatechange ]

Parameters

Parameter Description Value
trap-name Enables the traps of IPv6 events of specified types. -
ipv6ifstatechange Enables the trap function in case that the IPv6 protocol status on an interface is changed. -

Views

System view

Default Level

3: Management level

Usage Guidelines

To enable the traps of one or more events, you can specify trap-name.

Example

# Enable all traps of the IPv6 module.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name ipv6

reset ipv6 nd security nonce

Function

The reset ipv6 nd security nonce command clears the Nonce value in SEND messages on an interface.

Format

reset ipv6 nd security nonce interface-type interface-number

Parameters

Parameter Description Value
interface-type interface-number Clears the Nonce value in SEND messages on a specified interface. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

The reset ipv6 nd security nonce command clears the Nonce values cached by the system when sending SEND messages. If further SEND messages are received, the system will discard the messages because no matching Nonce values can be found in the cache. Exercise caution when running this command.

Example

# Clear the Nonce value in the SEND messages on 10GE 1/0/1.

<HUAWEI> reset ipv6 nd security nonce 10ge 1/0/1

reset ipv6 nd security statistics

Function

The reset ipv6 nd security statistics command clears the statistics about SEND messages on an interface.

Format

reset ipv6 nd security statistics interface-type interface-number

Parameters

Parameter Description Value
interface-type interface-number Clears the statistics about SEND messages on a specified interface. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Running the reset ipv6 nd security statistics command will clear the statistics about SEND messages on a specified interface. Exercise caution when running this command.

Example

# Clear the statistics about SEND messages on 10GE 1/0/1.

<HUAWEI> reset ipv6 nd security statistics 10ge 1/0/1

reset ipv6 nd security timestamp

Function

The reset ipv6 nd security timestamp command clears the timestamp in SEND messages on a specified interface.

Format

reset ipv6 nd security timestamp interface-type interface-number

Parameters

Parameter Description Value
interface-type interface-number Clears the timestamp in SEND messages on a specified interface. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

The reset ipv6 nd security timestamp command clears the timestamp cached by the system when sending SEND messages. If further SEND messages are received, the system will discard the messages because no matching timestamp can be found in the cache. Exercise caution when running this command.

Example

# Clear the timestamp in SEND messages on 10GE 1/0/1.

<HUAWEI> reset ipv6 nd security timestamp 10ge 1/0/1

reset ipv6 neighbors

Function

The reset ipv6 neighbors command clears dynamic IPv6 ND entries.

Format

reset ipv6 neighbors { dynamic | interface-type interface-number }

reset ipv6 neighbors vlan vlan-id [ interface-type interface-number ]

Parameters

Parameter Description Value
dynamic Clears dynamic ND entries on all interfaces. -
vlan vlan-id Clears dynamic ND entries of a specified VLAN ID.

The value is an integer ranging from 1 to 4094.

interface-type interface-number Clears dynamic ND entries on a specified interface. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the number of dynamic ND entries exceeds the upper threshold, run the reset ipv6 neighbors command to delete unwanted dynamic ND entries.

Configuration Impact

Running the reset ipv6 neighbors command clears specified dynamic ND entries. Exercise caution when running this command.

Example

# Clear dynamic ND entries on all interfaces.

<HUAWEI> reset ipv6 neighbors dynamic

# Clear all ND entries on VLANIF1.

<HUAWEI> reset ipv6 neighbors vlanif 1

# Clear all ND entries on 10GE 1/0/1.

<HUAWEI> reset ipv6 neighbors 10ge 1/0/1

reset ipv6 pathmtu

Function

The reset ipv6 pathmtu command clears dynamic PMTU entries.

Format

reset ipv6 pathmtu [ vpn-instance vpn-instance-name ] dynamic

Parameters

Parameter Description Value
vpn-instance vpn-instance-name Clears dynamic PMTU entries of a specified IPv6 VPN instance. The value is a string of 1 to 31 case-sensitive characters.
dynamic Clears all dynamic PMTU entries. -

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To clear dynamic PMTU entries, run the reset ipv6 pathmtu command. Either all dynamically learned PMTU entries or the PMTU entries of a specified VPN instance can be cleared.

If you want to collect statistics about dynamic PMTU entries within a specified period, run the reset ipv6 pathmtu command beforehand to clear the existing statistics about dynamic PMTU entries. You can then run the display ipv6 pathmtu command to view dynamic PMTU entries.

Configuration Impact

Running the reset ipv6 pathmtu command clears all dynamic PMTU entries. Exercise caution when running this command.

Example

# Clear all dynamic PMTU entries.

<HUAWEI> reset ipv6 pathmtu dynamic

reset ipv6 statistics

Function

The reset ipv6 statistics command clears IPv6 traffic statistics.

Format

reset ipv6 statistics

Parameters

None.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want to collect IPv6 traffic statistics within a specified period, run the reset ipv6 statistics command beforehand to clear the existing IPv6 traffic statistics. You can then run the display ipv6 statistics command to view the collected IPv6 traffic statistics.

Configuration Impact

Running the reset ipv6 statistics command clears the specified IPv6 traffic statistics. Exercise caution when running this command.

Example

# Clear IPv6 traffic statistics.

<HUAWEI> reset ipv6 statistics

reset rawip ipv6 statistics

Function

The reset rawip ipv6 statistics command clears statistics about IPv6 RawIP packets.

Format

reset rawip ipv6 statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want to collect statistics about IPv6 RawIP packets within a specified period, run the reset rawip ipv6 statistics command beforehand to clear the existing statistics. You can then run the display rawip ipv6 statistics command to view the collected statistics about IPv6 RawIP packets.

Configuration Impact

Running the reset rawip ipv6 statistics command clears statistics about IPv6 RawIP packets. Exercise caution when running this command.

Example

# Clear statistics about IPv6 RawIP packets.

<HUAWEI> reset rawip ipv6 statistics

reset tcp ipv6 statistics

Function

The reset tcp ipv6 statistics command clears IPv6 TCP packet statistics.

Format

reset tcp ipv6 statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want to collect IPv6 TCP packet statistics within a specified period, run the reset tcp ipv6 statistics command beforehand to clear the existing statistics. You can then run the display tcp ipv6 statistics command to view the collected IPv6 TCP packet statistics.

Configuration Impact

Running the reset tcp ipv6 statistics command clears IPv6 TCP packet statistics. Exercise caution when running this command.

Precautions

The reset tcp ipv6 statistics command clears IPv6 TCP packet statistics on all installed interface boards.

Example

# Clear IPv6 TCP packet statistics.

<HUAWEI> reset tcp ipv6 statistics

reset udp ipv6 statistics

Function

The reset udp ipv6 statistics command clears IPv6 UDP packet statistics.

Format

reset udp ipv6 statistics

Parameters

None

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want to collect IPv6 UDP packet statistics within a specified period, run the reset udp ipv6 statistics command beforehand to clear the existing statistics. You can then run the display udp ipv6 statistics command to view the collected IPv6 UDP packet statistics.

Configuration Impact

Running the reset udp ipv6 statistics command clears IPv6 UDP packet statistics. Exercise caution when running this command.

Precautions

The reset udp ipv6 statistics command clears IPv6 UDP packet statistics on all installed interface boards.

Example

# Clear IPv6 UDP packet statistics.

<HUAWEI> reset udp ipv6 statistics

tcp ipv6 max-mss

Function

The tcp ipv6 max-mss command sets the maximum MSS value for a TCP6 connection.

The undo tcp ipv6 max-mss command deletes the maximum MSS value of a TCP6 connection.

By default, the maximum MSS value is not configured for TCP6 connections.

Format

tcp ipv6 max-mss mss-value

undo tcp ipv6 max-mss [ mss-value ]

Parameters

Parameter Description Value
mss-value Specifies the maximum MSS value for a TCP6 connection. The value is an integer ranging from 32 to 9600, in bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To establish a TCP6 connection, the MSS value is negotiated, which indicates the maximum length of packets that the local device can receive. If the path MTU is unavailable on one end of a TCP6 connection, this end cannot adjust the TCP6 packet size based on the MTU. As a result, this end may send TCP6 packets that are longer than the MTUs on intermediate devices, which will discard these packets. To prevent this problem, run the tcp ipv6 max-mss command on either end of a TCP6 connection to set the maximum MSS value of TCP6 packets. Then the MSS value negotiated by both ends will not exceed this maximum MSS value, and accordingly TCP6 packets sent from both ends will not be longer than this maximum MSS value and can travel through the intermediate network.

Example

# Set the maximum MSS value for a TCP6 connection to 1024 bytes.

<HUAWEI> system-view
[~HUAWEI] tcp ipv6 max-mss 1024

tcp ipv6 timer fin-timeout

Function

The tcp ipv6 timer fin-timeout command sets a TCP6 FIN-Wait timer value.

The undo tcp ipv6 timer fin-timeout command restores the default value.

By default, the TCP6 FIN-Wait timer value is 675 seconds.

Format

tcp ipv6 timer fin-timeout interval

undo tcp ipv6 timer fin-timeout

Parameters

Parameter Description Value
interval Specifies a TCP6 FIN-Wait timer value. The value is an integer ranging from 76 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the TCP6 connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer is enabled. If no FIN packet is received before the FIN-Wait timer expires, the TCP6 connection is terminated.

Precautions

If this command is configured several times in the same view, only the last configuration takes effect.

It is recommended that you configure the parameter under the guidance of technical personnel.

Example

# Configure the TCP6 FIN-Wait timer value to 800 seconds.

<HUAWEI> system-view
[~HUAWEI] tcp ipv6 timer fin-timeout 800

tcp ipv6 timer syn-timeout

Function

The tcp ipv6 timer syn-timeout command sets the TCP6 SYN-Wait timer.

The undo tcp ipv6 timer syn-timeout command restores the default value of the timer.

The default value of the TCP6 SYN-Wait timer is 75 seconds.

Format

tcp ipv6 timer syn-timeout interval

undo tcp ipv6 timer syn-timeout

Parameters

Parameter Description Value
interval Specifies the value of the TCP6 SYN-Wait timer, in seconds. The value ranges from 2 to 600.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a SYN packet is sent, TCP6 enables the SYN-Wait timer. If no response packet is received before the SYN-Wait timer expires, the TCP6 connection is terminated.

Precautions

If this command is configured several times in the same view, only the last configuration takes effect.

It is recommended that you configure the parameters under the guidance of technical personnel.

Example

# Set the TCP6 SYN-Wait timer to 100 seconds.

<HUAWEI> system-view
[~HUAWEI] tcp ipv6 timer syn-timeout 100

tcp ipv6 window

Function

The tcp ipv6 window command sets a TCP6 window size for setting up a TCP6 connection.

The undo tcp ipv6 window command restores the default TCP6 window size.

By default, the TCP6 window size is 8 Kbytes.

Format

tcp ipv6 window window-size

undo tcp ipv6 window

Parameters

Parameter Description Value
window-size Specifies a TCP6 window size, in Kbytes. The value ranges from 1 to 32.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To change the TCP6 window size that is used for setting up a TCP6 session, run the tcp ipv6 window command.

Precautions

If the tcp ipv6 window command is run more than once, the latest configuration overrides the previous one.

Set parameters under the guidance of Huawei technical personnel.

Example

# Configure a TCP6 window size for setting up a TCP6 connection as 4 Kbytes.

<HUAWEI> system-view
[~HUAWEI] tcp ipv6 window 4
Updated: 2019-03-21

Document ID: EDOC1000166501
