06-Commands For Layer 3 Interface and ARP, ND - Word


Commands for Layer 3

Forward and ARP, ND Content

Content

CHAPTER 1 COMMANDS FOR LAYER 3 MANAGEMENT

1.1 COMMANDS FOR LAYER 3 INTERFACE
1.1.1 shutdown
1.1.2 interface vlan

1.2 COMMANDS FOR IPV4/V6 CONFIGURATION
1.2.1 clear ipv6 neighbor
1.2.2 debug ip packet
1.2.3 debug ipv6 packet
1.2.4 debug ipv6 icmp
1.2.5 debug ipv6 nd
1.2.6 ip address
1.2.7 ipv6 address
1.2.8 ipv6 nd dad attempts
1.2.9 ipv6 nd ns-interval
1.2.10 ipv6 neighbor
1.2.11 show ip traffic
1.2.12 show ipv6 interface
1.2.13 show ipv6 route
1.2.14 show ipv6 neighbors
1.2.15 show ipv6 traffic
1.2.16 show ipv6 enable

1.3 COMMANDS FOR ARP CONFIGURATION
1.3.1 arp
1.3.2 clear arp-cache
1.3.3 clear arp traffic
1.3.4 debug arp
1.3.5 show arp
1.3.6 show arp traffic

CHAPTER 2 COMMANDS FOR ARP SCANNING PREVENTION

2.1 ANTI-ARPSCAN ENABLE
2.2 ANTI-ARPSCAN PORT-BASED THRESHOLD
2.3 ANTI-ARPSCAN IP-BASED THRESHOLD
2.4 ANTI-ARPSCAN TRUST
2.5 ANTI-ARPSCAN TRUST IP
2.6 ANTI-ARPSCAN RECOVERY ENABLE
2.7 ANTI-ARPSCAN RECOVERY TIME
2.8 ANTI-ARPSCAN LOG ENABLE
2.9 ANTI-ARPSCAN TRAP ENABLE
2.10 SHOW ANTI-ARPSCAN
2.11 DEBUG ANTI-ARPSCAN

CHAPTER 3 COMMANDS FOR PREVENTING ARP, ND SPOOFING

3.1 IP ARP-SECURITY UPDATEPROTECT
3.2 IPV6 ND-SECURITY UPDATEPROTECT
3.3 IP ARP-SECURITY LEARNPROTECT
3.4 IPV6 ND-SECURITY LEARNPROTECT
3.5 IP ARP-SECURITY CONVERT
3.6 IPV6 ND-SECURITY CONVERT
3.7 CLEAR IP ARP DYNAMIC
3.8 CLEAR IPV6 ND DYNAMIC

CHAPTER 4 COMMAND FOR ARP GUARD

4.1 ARP-GUARD IP

CHAPTER 5 COMMANDS FOR GRATUITOUS ARP CONFIGURATION

5.1 IP GRATUITOUS-ARP
5.2 SHOW IP GRATUITOUS-ARP

CHAPTER 6 COMMANDS FOR ND SNOOPING

6.1 CLEAR IPV6 ND SNOOPING BINDING
6.2 DEBUG IPV6 ND SNOOPING
6.3 IPV6 ND SNOOPING ENABLE (GLOBAL MODE)
6.4 IPV6 ND SNOOPING MAC-BINDING-LIMIT
6.5 IPV6 ND SNOOPING MAX-DAD-DELAY
6.6 IPV6 ND SNOOPING MAX-DAD-PREPARE-DELAY
6.7 IPV6 ND SNOOPING MAX-SAC-LIFETIME
6.8 IPV6 ND SNOOPING POLICY
6.9 IPV6 ND SNOOPING PORT-BINDING-LIMIT
6.10 IPV6 ND SNOOPING STATIC-BINDING
6.11 IPV6 ND SNOOPING TRUST
6.12 IPV6 ND SNOOPING USER-CONTROL
6.13 SHOW IPV6 ND SNOOPING BINDING

Chapter 1 Commands for Layer 3 Management

1.1 Commands for Layer 3 Interface

1.1.1 shutdown
Command: shutdown
no shutdown
Function: Shut down the specified VLAN interface of the switch. The no operation of the
command will enable the VLAN interface.
Command Mode: VLAN Interface Configuration Mode.
Default: The VLAN interface is enabled by default.
Usage Guide: While the VLAN interface of the switch is shut down, it does not send data
frames. If this interface needs to obtain an IP address via the BOOTP/DHCP protocol, it
should be enabled.
Example: Enable the VLAN1 interface of the switch.
Switch(Config-if-Vlan1)#no shutdown

1.1.2 interface vlan


Command: interface vlan <vlan-id>
no interface vlan <vlan-id>
Function: Create a VLAN interface (a Layer 3 interface); the “no interface vlan <vlan-id>”
command deletes the specified Layer 3 interface.
Parameters: <vlan-id> is the VLAN ID of the established VLAN, ranging from 1 to 4094.
Default: No Layer 3 interface is configured upon switch shipment.
Command mode: Global Mode
Usage Guide: Before a VLAN interface (Layer 3 interface) is created, the VLAN should be
configured first; for details, see the VLAN chapters. When a VLAN interface (Layer 3
interface) is created with this command, the VLAN interface (Layer 3 interface)
configuration mode is entered. After the VLAN interface (Layer 3 interface) has been
created, the interface vlan command can still be used to enter Layer 3 Port Mode.
Example: Create a VLAN interface (Layer 3 interface).
Switch (config)#interface vlan 1


1.2 Commands for IPv4/v6 configuration

1.2.1 clear ipv6 neighbor


Command: clear ipv6 neighbors
Function: Clear the neighbor cache of IPv6.
Parameter: None
Command Mode: Admin Mode
Default: None
Usage Guide: This command cannot clear static neighbor entries.
Example: Clear neighbor list.
Switch#clear ipv6 neighbors

1.2.2 debug ip packet


Command: debug ip packet
no debug ip packet
Function: Enable the IP packet debug function; the “no debug ip packet” command
disables this debug function.
Parameter: None
Default: IP packet debugging information is disabled by default.
Command mode: Admin Mode
Usage Guide: Displays statistics for IP packets received/sent, including
source/destination address and bytes, etc.
Example: Enabling IP packet debug.
Switch#debug ip pa
IP PACKET: rcvd, src1.1.1.1, dst1.1.1.2, size 100

1.2.3 debug ipv6 packet


Command: debug ipv6 packet
no debug ipv6 packet
Function: Enable debug messages for IPv6 data packets received/sent.
Parameter: None
Default: None
Command Mode: Admin Mode
Usage Guide:
Example:
Switch#debug ipv6 packet
IPv6 PACKET: rcvd, src <fe80::203:fff:fe01:2786>, dst <fe80::1>, size <64>, proto <58>,
from Vlan1
Displayed information            Explanation
IPv6 PACKET: rcvd                IPv6 packet received
Src <fe80::203:fff:fe01:2786>    Source IPv6 address
Dst <fe80::1>                    Destination IPv6 address
size <64>                        Size of the packet
proto <58>                       Protocol field in the IPv6 header
from Vlan1                       The IPv6 packet was received on Layer 3 port Vlan1

1.2.4 debug ipv6 icmp


Command: debug ipv6 icmp
no debug ipv6 icmp
Function: Enable debug messages for ICMP data packets received/sent.
Parameter: None
Default: None
Command Mode: Admin Mode
Example:
Switch#debug ipv6 icmp
IPv6 ICMP: sent, type <129>, src <2003::1>, dst <2003::20a:ebff:fe26:8a49> from Vlan1
Displayed information               Explanation
IPv6 ICMP: sent                     IPv6 packet sent
type <129>                          Ping protocol No.
Src <2003::1>                       Source IPv6 address
Dst <2003::20a:ebff:fe26:8a49>      Destination IPv6 address
from Vlan1                          Layer 3 port the packet is sent from

1.2.5 debug ipv6 nd


Command: debug ipv6 nd [ ns | na | rs | ra | redirect ]
no debug ipv6 nd [ ns | na | rs | ra | redirect ]
Function: Enable the debug of receiving and sending operations for specified
types of IPv6 ND messages. The ns, na, rs, ra and redirect parameters represent
neighbor solicitation, neighbor advertisement, router solicitation, router advertisement and
route redirect. No specification means to enable the debug for all five types of ND
message. The no operation of this command will disable debug of receiving and sending
operations for specified types of IPv6 ND messages, while no specification means to
disable that for all five types of ND message.
Parameter: None.
Default: The debug of receiving and sending operations for all five types of IPv6 ND
messages is disabled by default.
Command Mode: Admin Mode
Usage Guide: The ND protocol is an essential part of IPv6. This command can display
the ND message of a specified type for troubleshooting.
Example:
Switch#debug ipv6 nd
IPv6 ND: rcvd, type <136>, src <fe80::203:fff:fe01:2786>, dst <fe80::203:fff:fe01:59ba>
Displayed information            Explanation
IPv6 ND: rcvd                    ND packet received
type <136>                       ND Type
Src <fe80::203:fff:fe01:2786>    Source IPv6 address
Dst <fe80::203:fff:fe01:59ba>    Destination IPv6 address

1.2.6 ip address
Command: ip address <ip-address> <mask> [secondary]
no ip address [<ip-address> <mask>] [secondary]
Function: Set the IP address and net mask of the switch; the “no ip address [<ip-address>
<mask>] [secondary]” command deletes the IP address configuration.
Parameter: <ip-address> is the IP address in dotted decimal notation; <mask> is the subnet
mask in dotted decimal notation; [secondary] indicates that the IP address is configured
as a secondary IP address.
Command Mode: VLAN interface configuration mode
Default: The system default is no IP address configuration.
Usage Guide: This command manually configures an IP address on a VLAN interface. If the
optional parameter secondary is not given, the address is configured as the primary IP
address of the VLAN interface; if the optional parameter secondary is given, the address
is a secondary IP address of the VLAN interface. One VLAN interface can have only one
primary IP address, but more than one secondary IP address. Both primary and secondary
IP addresses can be used for SNMP/Web/Telnet management. The switch can also obtain
an IP address via BOOTP/DHCP.
Example: The IP address of switch VLAN1 interface is set to 192.168.1.10/24.
Switch(Config-if-Vlan1)#ip address 192.168.1.10 255.255.255.0

1.2.7 ipv6 address


Command: ipv6 address <ipv6-address/prefix-length> [eui-64]
no ipv6 address <ipv6-address/prefix-length> [eui-64]
Function: Configure an aggregatable global unicast address, site-local address and
link-local address for the interface.
Parameter: <ipv6-address> is the prefix of the IPv6 address; <prefix-length> is the prefix
length of the IPv6 address, which is between 3-128; eui-64 means the IPv6 address is
generated automatically based on the EUI-64 interface identifier of the interface.
Command Mode: Interface Configuration Mode.
Default: None.
Usage Guide: The IPv6 address prefix cannot be a multicast address or any other special
IPv6 address, and different Layer 3 interfaces cannot be configured with the same address
prefix. For a global unicast address, the prefix must be in the range from 2000:: to 3fff::,
and the length of the prefix must be greater than or equal to 3. For site-local and link-local
addresses, the length of the prefix must be greater than or equal to 3. For an interface
loopback port, the length of the prefix must be equal to 128.
Example: Configure an IPv6 address on VLAN1 Layer 3 interface: the prefix is
2001:3f:ed8::99 and the length of the prefix is 64.
Switch(Config-if-Vlan1)#ipv6 address 2001:3f:ed8::99/64

1.2.8 ipv6 nd dad attempts


Command: ipv6 nd dad attempts <value>
no ipv6 nd dad attempts
Function: Set the number of Neighbor Solicitation messages sent in succession by the
interface when performing Duplicate Address Detection.
Parameter: <value> is the number of Neighbor Solicitation messages sent in succession for
Duplicate Address Detection; it must be in the range 0-10. The no command restores the
default value of 1.
Command Mode: Interface Configuration Mode
Default: The default request message number is 1.
Usage Guide: When an IPv6 address is configured, IPv6 Duplicate Address Detection must
be performed. This command sets the number of ND messages sent for Duplicate Address
Detection; a value of 0 means that no Duplicate Address Detection is executed.
Example: Set the number of Neighbor Solicitation messages sent in succession by the
interface for Duplicate Address Detection to 3.
Switch(Config-if-Vlan1)# ipv6 nd dad attempts 3

1.2.9 ipv6 nd ns-interval


Command: ipv6 nd ns-interval <seconds>
no ipv6 nd ns-interval
Function: Set the time interval at which the interface sends Neighbor Solicitation messages.
Parameter: <seconds> is the time interval for sending Neighbor Solicitation messages; it
must be between 1-3600 seconds. The no command restores the default value of 1 second.
Command Mode: Interface Configuration Mode
Default: The default Request Message time interval is 1 second.
Usage Guide: The configured value is included in all router advertisements on the
interface. Generally, a very short time interval is not recommended.
Example: Set the Neighbor Solicitation message interval of the Vlan1 interface to
8 seconds.
Switch(Config-if-Vlan1)#ipv6 nd ns-interval 8

1.2.10 ipv6 neighbor


Command: ipv6 neighbor <ipv6-address> <hardware-address> interface
<interface-type interface-name>
no ipv6 neighbor <ipv6-address>
Function: Set a static neighbor table entry.
Parameters: ipv6-address is the static neighbor's IPv6 address; hardware-address is the
static neighbor's hardware address; interface-type is the Ethernet type; interface-name is
the Layer 2 interface name.
Command Mode: Interface Configuration Mode
Default Situation: There is no static neighbor table entry.
Usage Guide: IPv6 addresses for specific purposes, multicast addresses and local
addresses cannot be set as neighbors.
Example: Set static neighbor 2001:1:2::4 on port E0/0/1, with hardware MAC address
00-03-0f-89-44-bc.
Switch(Config-if-Vlan1)#ipv6 neighbor 2001:1:2::4 00-03-0f-89-44-bc interface Ethernet 0/0/1

1.2.11 show ip traffic


Command: show ip traffic
Function: Display statistics for IP packets.
Command mode: Admin Mode
Usage Guide: Display statistics for IP, ICMP, TCP, UDP packets received/sent.
Example:
Switch#show ip traffic
IP statistics:
Rcvd: 3249810 total, 3180 local destination
0 header errors, 0 address errors
0 unknown protocol, 0 discards
Frags: 0 reassembled, 0 timeouts
0 fragment rcvd, 0 fragment dropped
0 fragmented, 0 couldn't fragment, 0 fragment sent
Sent: 0 generated, 3230439 forwarded
0 dropped, 0 no route
ICMP statistics:
Rcvd: 0 total 0 errors 0 time exceeded
0 redirects, 0 unreachable, 0 echo, 0 echo replies
0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 timestamp replies
Sent: 0 total 0 errors 0 time exceeded
0 redirects, 0 unreachable, 0 echo, 0 echo replies
0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 timestamp replies
TCP statistics:
TcpActiveOpens 0, TcpAttemptFails 0
TcpCurrEstab 0, TcpEstabResets 0
TcpInErrs 0, TcpInSegs 3180
TcpMaxConn 0, TcpOutRsts 3
TcpOutSegs 0, TcpPassiveOpens 8
TcpRetransSegs 0, TcpRtoAlgorithm 0
TcpRtoMax 0, TcpRtoMin 0
UDP statics:
UdpInDatagrams 0, UdpInErrors 0
UdpNoPorts 0, UdpOutDatagrams 0
Displayed information                         Explanation
IP statistics:                                IP packet statistics.
Rcvd: 3249810 total, 3180 local destination   Statistics of total packets received, number of
0 header errors, 0 address errors             packets that reached the local destination, number
0 unknown protocol, 0 discards                of packets with header errors, number of erroneous
                                              addresses, number of packets of unknown protocols,
                                              number of packets dropped.
Frags: 0 reassembled, 0 timeouts              Fragmentation statistics: number of packets
0 fragment rcvd, 0 fragment dropped           reassembled, timeouts, fragments received,
0 fragmented, 0 couldn't fragment,            fragments discarded, packets that cannot be
0 fragment sent                               fragmented, number of fragments sent, etc.
Sent: 0 generated, 0 forwarded                Statistics for total packets sent, including number
0 dropped, 0 no route                         of local packets, forwarded packets, dropped
                                              packets and packets without route.
ICMP statistics:                              ICMP packet statistics.
Rcvd: 0 total 0 errors 0 time exceeded        Statistics of total ICMP packets received and
0 redirects, 0 unreachable, 0 echo,           classified information
0 echo replies
0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp,
0 timestamp replies
Sent: 0 total 0 errors 0 time exceeded        Statistics of total ICMP packets sent and
0 redirects, 0 unreachable, 0 echo,           classified information
0 echo replies
0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp,
0 timestamp replies
TCP statistics:                               TCP packet statistics.
UDP statistics:                               UDP packet statistics.

1.2.12 show ipv6 interface


Command: show ipv6 interface {brief|<interface-name>}
Function: Show interface IPv6 parameters.
Parameter: brief displays a brief summary of IPv6 status and configuration;
interface-name is the Layer 3 interface name.
Default: None
Command Mode: Admin and Configuration Mode
Usage Guide: If only brief is specified, information for all Layer 3 interfaces is displayed;
a specific Layer 3 interface can also be specified.
Example:
Switch#show ipv6 interface Vlan1
Vlan1 is up, line protocol is up, dev index is 2004
Device flag 0x1203(UP BROADCAST ALLMULTI MULTICAST)
IPv6 is enabled
Link-local address(es):
fe80::203:fff:fe00:10 PERMANENT
Global unicast address(es):
3001::1 subnet is 3001::1/64 PERMANENT
Joined group address(es):
ff02::1
ff02::16
ff02::2
ff02::5
ff02::6
ff02::9
ff02::d
ff02::1:ff00:10
ff02::1:ff00:1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts is 1
ND managed_config_flag is unset
ND other_config_flag is unset
ND NS interval is 1 second(s)
ND router advertisements is disabled
ND RA min-interval is 200 second(s)
ND RA max-interval is 600 second(s)
ND RA hoplimit is 64
ND RA lifetime is 1800 second(s)
ND RA MTU is 0
ND advertised reachable time is 0 millisecond(s)
ND advertised retransmit time is 0 millisecond(s)

Displayed information      Explanation
Vlan1                      Layer 3 interface name
[up/up]                    Layer 3 interface status
dev index                  Internal index No.
fe80::203:fff:fe00:10      Automatically configured IPv6 address of the Layer 3 interface
3001::1                    Configured IPv6 address of the Layer 3 interface

1.2.13 show ipv6 route


Command: show ipv6 route [ <destination> | <destination> / <length> | database|
fib [local statistics | vrf] | nsm [connected | database] | process-detail | statistics]
Function: Display IPv6 routing table.
Parameter: <destination> is the destination network address; <destination> / <length> is
the destination network address plus prefix length; connected shows directly connected
routes; database is the route database; process-detail shows detailed route information.
Default Situation: None.
Command Mode: Admin and Configuration Mode.
Usage Guide: show ipv6 route shows only the IPv6 kernel routing table (the routing table in
tcpip); database shows all routes except the local routes; fib local shows the local routes;
statistics shows route statistics information.
Example:
Switch#show ipv6 route
Codes: C - connected, L - Local, S - static, R - RIP, O - OSPF,
I - IS-IS, B - BGP
C ::/0 via ::, tunnel3 256
S 2001:2::/32 via fe80::789, Vlan2 1024
S 2001:2:3:4::/64 via fe80::123, Vlan2 1024
O 2002:ca60:c801:1::/64 via ::, Vlan1 1024
C 2002:ca60:c802:1::/64 via ::, tunnel49 256
C 2003:1::/64 via ::, Vlan4 256
C 2003:1::5efe:0:0/96 via ::, tunnel26 256
S 2004:1:2:3::/64 via fe80:1::88, Vlan2 1024
O 2006:1::/64 via ::, Vlan1 1024
S 2008:1:2:3::/64 via fe80::250:baff:fef2:a4f4, Vlan1 1024
C 2008:2005:5:8::/64 via ::, Ethernet0 256
S 2009:1::/64 via fe80::250:baff:fef2:a4f4, Vlan1 1024
C 2022:1::/64 via ::, Ethernet0 256
O 3333:1:2:3::/64 via fe80::20c:ceff:fe13:eac1, Vlan12 1024
C 3ffe:501:ffff:1::/64 via ::, Vlan4 256
O 3ffe:501:ffff:100::/64 via ::, Vlan5 1024
O 3ffe:3240:800d:1::/64 via ::, Vlan1 1024
O 3ffe:3240:800d:2::/64 via ::, Vlan2 1024
O 3ffe:3240:800d:10::/64 via ::, Vlan12 1024
O 3ffe:3240:800d:20::/64 via fe80::20c:ceff:fe13:eac1, Vlan12 1024
C fe80::/64 via ::, Vlan1 256
C fe80::5efe:0:0/96 via ::, tunnel26 256
C ff00::/8 via ::, Vlan1 256

Displayed information                       Explanation
IPv6 Routing Table                          IPv6 routing table status
Codes: K - kernel route, C - connected,     Abbreviation display sign of every entry
S - static, R - RIP, O - OSPF, I - IS-IS,
B - BGP, > - selected route,
* - FIB route, p - stale info
S 2009:1::/64 via                           A static route in the FIB table, of which the
fe80::250:baff:fef2:a4f4, Vlan1 1024        destination network segment is 2002::/64; via means
                                            that fe80::250:baff:fef2:a4f4 is the next hop, VLAN1
                                            is the exit interface name, and 1024 is the route
                                            weight.

1.2.14 show ipv6 neighbors


Command: show ipv6 neighbors [{vlan|ethernet|tunnel} interface-number | interface-name |
address <ipv6address>]
Function: Display neighbor table entry information.
Parameter: {vlan|ethernet|tunnel} interface-number | interface-name specifies a lookup
based on interface; ipv6-address specifies a lookup based on IPv6 address. Without a
parameter, the whole neighbor table is displayed.
Default Situation: None
Command Mode: Admin and Configuration Mode
Usage Guide:
Example:
Switch#show ipv6 neighbors
IPv6 neighbour unicast items: 14, valid: 11, matched: 11, incomplete: 0, delayed: 0, manage items 5
IPv6 Address                          Hardware Addr      Interface  Port              State
2002:ca60:c801:1:250:baff:fef2:a4f4   00-50-ba-f2-a4-f4  Vlan1      Ethernet0/0/2     reachable
3ffe:3240:800d:1::100                 00-03-0f-01-27-86  Vlan1      Ethernet 0/0/3    reachable
3ffe:3240:800d:1::8888                00-02-01-00-00-00  Vlan1      Ethernet 0/0/1    permanent
3ffe:3240:800d:1:250:baff:fef2:a4f4   00-50-ba-f2-a4-f4  Vlan1      Ethernet0/0/4     reachable
3ffe:3240:800d:2::8888                00-02-01-00-01-01  Vlan2      Ethernet 0/0/16   permanent
3ffe:3240:800d:2:203:fff:fefe:3045    00-03-0f-fe-30-45  Vlan2      Ethernet0/0/15    reachable
fe80::203:fff:fe01:2786               00-03-0f-01-27-86  Vlan1      Ethernet 0/0/5    reachable
fe80::203:fff:fefe:3045               00-03-0f-fe-30-45  Vlan2      Ethernet 0/0/17   reachable
fe80::20c:ceff:fe13:eac1              00-0c-ce-13-ea-c1  Vlan12     Ethernet 0/0/20   reachable
fe80::250:baff:fef2:a4f4              00-50-ba-f2-a4-f4  Vlan1      Ethernet 0/0/6    reachable

IPv6 neighbour table: 11 entries

Displayed information    Explanation
IPv6 Address             Neighbor IPv6 address
Link-layer Addr.         Neighbor MAC address
Interface                Exit interface name
Port                     Exit interface name
State                    Neighbor status (reachable, stale, delay, probe, permanent,
                         incomplete, unknown)
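
Added example (not part of the original manual): a Python audit of captured show ipv6 neighbors output that checks each dynamic entry's EUI-64 interface identifier (the eui-64 option in 1.2.7) against its hardware address and reports a MAC learned on several ports of one VLAN interface. The sample table is constructed from rows in the output above with one hardware address altered; the finding names and the one-row-per-entry layout are assumptions, and both checks are heuristics that give leads to verify, not proof of spoofing.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of `show ipv6 neighbors`. Rows reuse
# entries from the manual's output; the Vlan2 row's MAC is altered on purpose.
SAMPLE = """\
IPv6 Address                         Hardware Addr      Interface  Port             State
2002:ca60:c801:1:250:baff:fef2:a4f4  00-50-ba-f2-a4-f4  Vlan1      Ethernet0/0/2    reachable
3ffe:3240:800d:1::8888               00-02-01-00-00-00  Vlan1      Ethernet 0/0/1   permanent
fe80::203:fff:fe01:2786              00-03-0f-01-27-86  Vlan1      Ethernet 0/0/5   reachable
fe80::203:fff:fefe:3045              00-0c-ce-13-ea-c1  Vlan2      Ethernet 0/0/17  reachable
fe80::250:baff:fef2:a4f4             00-50-ba-f2-a4-f4  Vlan1      Ethernet 0/0/6   reachable
"""

# One table row; the port is printed both as "Ethernet0/0/2" and "Ethernet 0/0/3".
ROW = re.compile(
    r"^(?P<ip>[0-9a-fA-F:]+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+"
    r"(?P<intf>\S+)\s+"
    r"(?P<port>Ethernet\s?[\d/]+)\s+"
    r"(?P<state>\w+)\s*$"
)


def mac_from_eui64(addr):
    """Return the MAC implied by an EUI-64 interface ID, or None when the low
    64 bits lack the ff:fe marker (manually chosen or randomised address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # EUI-64 inverts the universal/local bit of the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02x}" for b in mac)


def parse_neighbors(text):
    """Parse table rows into dicts; header, summary and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv6Address(m["ip"])
        except ValueError:
            continue
        entries.append({
            "ip": str(ip),
            "mac": m["mac"].lower(),
            "intf": m["intf"],
            "port": re.sub(r"\s+", "", m["port"]),  # normalise "Ethernet 0/0/1"
            "state": m["state"].lower(),
        })
    return entries


def audit(entries):
    """Return a list of findings (tuples) for the parsed neighbor table."""
    findings = []
    ports_by_mac = defaultdict(set)
    for e in entries:
        ports_by_mac[(e["intf"], e["mac"])].add(e["port"])
        if e["state"] == "permanent":
            continue  # static entries are operator-configured, not learned
        implied = mac_from_eui64(e["ip"])
        if implied and implied != e["mac"]:
            findings.append(("eui64_mismatch", e["ip"], e["mac"], implied))
    for (intf, mac), ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(("mac_on_multiple_ports", intf, mac, tuple(sorted(ports))))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_neighbors(SAMPLE)):
        print(finding)
```
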

1.2.15 show ipv6 traffic


Command: show ipv6 traffic
Function: Display IPv6 transmission data packets statistics information.
Parameter: None
Default: None
Command Mode: Admin and Configuration Mode
Example:
Switch#show ipv6 traffic
IP statistics:
Rcvd: 90 total, 17 local destination
0 header errors, 0 address errors
0 unknown protocol, 13 discards
Frags: 0 reassembled, 0 timeouts
0 fragment rcvd, 0 fragment dropped
0 fragmented, 0 couldn't fragment, 0 fragment sent
Sent: 110 generated, 0 forwarded
0 dropped, 0 no route
ICMP statistics:
Rcvd: 0 total 0 errors 0 time exceeded
0 redirects, 0 unreachable, 0 echo, 0 echo replies

Displayed information                    Explanation
IP statistics                            IPv6 packet statistics
Rcvd: 90 total, 17 local destination     IPv6 received packets statistics
0 header errors, 0 address errors
0 unknown protocol, 13 discards
Frags: 0 reassembled, 0 timeouts         IPv6 fragmenting statistics
0 fragment rcvd, 0 fragment dropped
0 fragmented, 0 couldn't fragment,
0 fragment sent
Sent: 110 generated, 0 forwarded         IPv6 sent packets statistics
0 dropped, 0 no route

1.2.16 show ipv6 enable


Command: show ipv6 enable
Function: Display IPv6 transmission function on/off status.
Parameter: None
Default: None
Command Mode: Admin and Configuration Mode
Example:
Switch#show ipv6 enable
ipv6 enable has been on
Displayed information       Explanation
ipv6 enable has been on     IPv6 transmission switch is at on status

12
Commands for Layer 3
Forward and ARP, ND Chapter 1 Commands for Layer 3 Management

1.3 Commands for ARP Configuration

1.3.1 arp
Command: arp <ip_address> <mac_address> {interface [ethernet] <portName>}
no arp <ip_address>
Function: Configures a static ARP entry; the “no arp <ip_address>” command deletes the
ARP entry of the specified IP address.
Parameters: <ip_address> is the IP address; <mac_address> is the MAC address;
ethernet stands for Ethernet port; <portName> is the name of the Layer 2 port.
Default: No static ARP entry is set by default.
Command mode: VLAN Interface Mode
Usage Guide: Static ARP entries can be configured in the switch.
Example: Configuring static ARP for interface VLAN1.
Switch(Config-if-Vlan1)#arp 1.1.1.1 00-03-0f-f0-12-34 eth 0/0/2

1.3.2 clear arp-cache


Command: clear arp-cache
Function: Clears ARP table.
Command mode: Admin Mode
Usage Guide: Clears the content of current ARP table, but it does not clear the current
static ARP table.
Example:
Switch#clear arp-cache

1.3.3 clear arp traffic


Command: clear arp traffic
Function: Clear the statistics of ARP messages of the switch. For box switches, this
command clears only the statistics of ARP messages received and sent by the current
board card.
Command mode: Admin Mode
Example:
Switch#clear arp traffic

1.3.4 debug arp


Command: debug arp {receive|send|state}
no debug arp {receive|send|state}
Function: Enables the ARP debugging function; the “no debug arp {receive|send|state}”
command disables this debugging function.
Parameter: receive is the debugging switch for ARP packets received by the switch; send
is the debugging switch for ARP packets sent by the switch; state is the debugging switch
for ARP state changes of the switch.
Default: ARP debug is disabled by default.
Command mode: Admin Mode.
Usage Guide: Display contents for ARP packets received/sent, including type, source
and destination address, etc.
Example: Enabling ARP debugging.
Switch#debug arp receive
%Jan 01 01:05:53 2006 IP ARP: rcvd, type REQUEST, src 172.16.1.251, 00-e0-4c-88-ad-bc, dst 172.16.1.110, 00-00-00-00-00-00 flag 0x0, pkt type 1, intf Vlan100.
%Jan 01 01:05:53 2006 IP ARP: rcvd, type REQUEST, src 172.16.1.251, 00-e0-4c-88-ad-bc, dst 172.16.1.110, 00-00-00-00-00-00 flag 0x0, pkt type 1, intf Vlan100.
%Jan 01 01:05:53 2006 IP ARP: rcvd, type REQUEST, src 172.16.1.251, 00-e0-4c-88-ad-bc, dst 172.16.1.110, 00-00-00-00-00-00 flag 0x0, pkt type 1, intf Vlan100.
%Jan 01 01:05:53 2006 IP ARP: rcvd, type REQUEST, src 172.16.1.251, 00-e0-4c-88-ad-bc, dst 172.16.1.110, 00-00-00-00-00-00 flag 0x0, pkt type 1, intf Vlan100.
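
Added example (not part of the original manual): a Python parser for the debug arp receive line format shown above that flags a source sending ARP requests for many different target addresses within a short window, the pattern the ARP scanning prevention commands in Chapter 2 address. The log lines are constructed, window_s and max_targets are assumed values rather than switch defaults, and counting distinct targets is this example's own heuristic, not the switch's anti-arpscan algorithm.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the `debug arp receive` line layout; search() and `dst\s*` tolerate
# stray characters and a missing space in captured output.
LINE = re.compile(
    r"%(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) IP ARP: rcvd, "
    r"type (?P<type>\w+), src\s*(?P<sip>[\d.]+), (?P<smac>[0-9a-fA-F-]{17}), "
    r"dst\s*(?P<dip>[\d.]+), (?P<dmac>[0-9a-fA-F-]{17}) .*?intf (?P<intf>\w+)\."
)

# Constructed sample: 172.16.1.251 requests eight different targets in two
# seconds; 172.16.1.20 sends a single ordinary request.
SAMPLE = [
    f"%Jan 01 01:05:5{3 + i // 4} 2006 IP ARP: rcvd, type REQUEST, "
    f"src 172.16.1.251, 00-e0-4c-88-ad-bc, dst 172.16.1.{110 + i}, "
    f"00-00-00-00-00-00 flag 0x0, pkt type 1, intf Vlan100."
    for i in range(8)
] + [
    "%Jan 01 01:05:54 2006 IP ARP: rcvd, type REQUEST, src 172.16.1.20, "
    "00-03-0f-01-27-86, dst 172.16.1.1, 00-00-00-00-00-00 flag 0x0, "
    "pkt type 1, intf Vlan100."
]


def detect_scanners(lines, window_s=10, max_targets=5):
    """Return {(intf, src_ip): peak distinct targets} for sources that asked
    for more than max_targets addresses within window_s seconds.
    Assumes the lines are in time order, as the switch prints them."""
    recent = defaultdict(deque)  # (intf, src ip) -> deque of (time, target ip)
    peaks = {}
    for line in lines:
        m = LINE.search(line)
        if not m or m["type"] != "REQUEST":
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        key = (m["intf"], m["sip"])
        q = recent[key]
        q.append((ts, m["dip"]))
        # Drop requests that fell out of the sliding window.
        while q and ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        distinct = len({dip for _, dip in q})
        if distinct > max_targets:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks


if __name__ == "__main__":
    for (intf, src), peak in detect_scanners(SAMPLE).items():
        print(f"{intf}: {src} requested {peak} distinct targets")
```
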

1.3.5 show arp


Command: show arp [<ipaddress>] [<vlan-id>] [<hw-addr>] [type {static |
dynamic}] [count] [vrf word]
Function: Displays the ARP table.
Parameters: <ipaddress> is a specified IP address; <vlan-id> selects the entries of the
specified VLAN identifier; <hw-addr> selects the entries with the specified MAC address;
static selects static ARP entries; dynamic selects dynamic ARP entries; count displays the
number of ARP entries; word is the specified vrf name.
Command mode: Admin Mode
Usage Guide: Displays the content of current ARP table such as IP address, MAC
address, hardware type, interface name, etc.
Example:
Switch#show arp
ARP Unicast Items: 7, Valid: 7, Matched: 7, Verifying: 0, Incomplete: 0, Failed: 0, None: 0
Address Hardware Addr Interface Port Flag
50.1.1.6 00-0a-eb-51-51-38 Vlan50 Ethernet0/0/11 Dynamic
50.1.1.9 00-00-00-00-00-09 Vlan50 Ethernet0/0/1 Static
150.1.1.2 00-00-58-fc-48-9f Vlan150 Ethernet0/0/4 Dynamic

Displayed information    Explanation
Total arp items          Total number of ARP entries.
Valid                    Number of ARP entries that match the filter conditions and are in
                         a valid state.
Matched                  Number of ARP entries that match the filter conditions.
Verifying                Number of ARP entries whose validity is being verified again.
InCompleted              Number of ARP entries for which an ARP request has been sent
                         without an ARP reply.
Failed                   Number of ARP entries in the failed state.
None                     Number of ARP entries in the begin-found state.
Address                  IP address of ARP entries.
Hardware Address         MAC address of ARP entries.
Interface                Layer 3 interface corresponding to the ARP entry.
Port                     Physical (Layer 2) port corresponding to the ARP entry.
Flag                     Describes whether the ARP entry is dynamic or static.

1.3.6 show arp traffic


Command: show arp traffic
Function: Display the statistic information of ARP messages of the switch. For box
switches, this command will only show statistics of ARP messages received and sent
from the current board card.
Command mode: Admin and Config Mode
Usage Guide: Display statistics information of received and sent ARP messages.
Example:
Switch#show arp traffic
ARP statistics:
Rcvd: 10 request, 5 response
Sent: 5 request, 10 response

Chapter 2 Commands for ARP Scanning Prevention

2.1 anti-arpscan enable

Command: anti-arpscan enable
no anti-arpscan enable
Function: Globally enable the ARP scanning prevention function; the “no anti-arpscan enable”
command globally disables the ARP scanning prevention function.
Parameters: None.
Default Settings: Disable ARP scanning prevention function.
Command Mode: Global configuration mode
User Guide: When remotely managing a switch with a method like telnet, users should
set the uplink port as a Super Trust port before enabling the anti-ARP-scan function, to
prevent the port from being shut down because it receives too many ARP messages.
After the anti-ARP-scan function is disabled, this port will be reset to its default attribute,
that is, Untrust port.
Example: Enable the ARP scanning prevention function of the switch.
Switch(config)#anti-arpscan enable

2.2 anti-arpscan port-based threshold

Command: anti-arpscan port-based threshold <threshold-value>
no anti-arpscan port-based threshold
Function: Set the threshold of received messages of the port-based ARP scanning
prevention. If the rate of received ARP messages exceeds the threshold, the port will be
closed. The unit is packets/second. The “no anti-arpscan port-based threshold” command
will reset the default value, 10 packets/second.
Parameters: rate threshold, ranging from 2 to 200.
Default Settings: 10 packets/second.
Command Mode: Global Configuration Mode.
User Guide: The threshold of port-based ARP scanning prevention should be larger than
the threshold of IP-based ARP scanning prevention; otherwise, the IP-based ARP scanning
prevention will fail.
Example: Set the threshold of port-based ARP scanning prevention as 10 packets/second.
Switch(config)#anti-arpscan port-based threshold 10

2.3 anti-arpscan ip-based threshold

Command: anti-arpscan ip-based threshold <threshold-value>
no anti-arpscan ip-based threshold
Function: Set the threshold of received messages of the IP-based ARP scanning
prevention. If the rate of received ARP messages exceeds the threshold, the IP
messages from this IP will be blocked. The unit is packets/second. The “no anti-arpscan
ip-based threshold” command will reset the default value, 3 packets/second.
Parameters: rate threshold, ranging from 1 to 200.
Default Settings: 3 packets/second.
Command Mode: Global configuration mode
User Guide: The threshold of port-based ARP scanning prevention should be larger than
the threshold of IP-based ARP scanning prevention; otherwise, the IP-based ARP scanning
prevention will fail.
Example: Set the threshold of IP-based ARP scanning prevention as 6 packets/second.
Switch(config)#anti-arpscan ip-based threshold 6

2.4 anti-arpscan trust

Command: anti-arpscan trust [port | supertrust-port]
no anti-arpscan trust [port | supertrust-port]
Function: Configure a port as a trusted port or a super trusted port; the “no anti-arpscan
trust <port | supertrust-port>” command will reset the port as an untrusted port.
Parameters: None.
Default Settings: By default all the ports are non-trustful.
Command Mode: Port configuration mode
User Guide: If a port is configured as a trusted port, the ARP scanning prevention
function will not deal with this port: even if the rate of received ARP messages exceeds
the set threshold, this port will not be closed, but the non-trustful IP of this port will still be
checked. If a port is set as a super trusted port, then neither the port nor the IP of
the port will be dealt with. If the port is already closed by ARP scanning prevention, it will
be opened right after being set as a trusted port.
When remotely managing a switch with a method like telnet, users should set the uplink
port as a Super Trust port before enabling the anti-ARP-scan function, to prevent the port
from being shut down because it receives too many ARP messages. After the anti-ARP-scan
function is disabled, this port will be reset to its default attribute, that is, Untrust port.
Example: Set port ethernet 0/0/5 of the switch as a trusted port.
Switch(config)#in e0/0/5
Switch(Config-If-Ethernet0/0/5)# anti-arpscan trust port
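
The constraints stated in sections 2.1 to 2.4 (threshold ranges and defaults, port-based threshold larger than IP-based threshold, uplink set as a Super Trust port before enabling) can be checked against a saved configuration before it is applied. The following Python audit is an added example, not part of this manual or of the switch software; the "Interface <name>" block layout of the configuration text and the function name audit_anti_arpscan are assumptions.

```python
import re

# Defaults and ranges as documented in sections 2.2 and 2.3.
PORT_DEFAULT, PORT_RANGE = 10, (2, 200)
IP_DEFAULT, IP_RANGE = 3, (1, 200)

# Constructed configuration text; the "Interface <name>" block layout is assumed.
SAMPLE_CONFIG = """\
anti-arpscan enable
anti-arpscan port-based threshold 5
anti-arpscan ip-based threshold 6
!
Interface Ethernet0/0/24
 anti-arpscan trust port
!
"""


def audit_anti_arpscan(config_text, uplink_ports=()):
    """Return a list of findings for the anti-arpscan lines in config_text."""
    enabled = False
    port_thr, ip_thr = PORT_DEFAULT, IP_DEFAULT
    trust = {}          # interface name -> "port" or "supertrust-port"
    current_if = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):
            # An unindented line either opens an interface block or closes it.
            m = re.fullmatch(r"[Ii]nterface\s+(\S+)", line)
            current_if = m.group(1) if m else None
        if line == "anti-arpscan enable":
            enabled = True
        elif m := re.fullmatch(r"anti-arpscan port-based threshold (\d+)", line):
            port_thr = int(m.group(1))
        elif m := re.fullmatch(r"anti-arpscan ip-based threshold (\d+)", line):
            ip_thr = int(m.group(1))
        elif m := re.fullmatch(r"anti-arpscan trust (port|supertrust-port)", line):
            if current_if:
                trust[current_if] = m.group(1)

    findings = []
    for name, value, (low, high) in (("port-based", port_thr, PORT_RANGE),
                                     ("ip-based", ip_thr, IP_RANGE)):
        if not low <= value <= high:
            findings.append(f"{name} threshold {value} is outside {low}-{high}")
    # Sections 2.2/2.3: otherwise the IP-based prevention will fail.
    if port_thr <= ip_thr:
        findings.append(f"port-based threshold {port_thr} is not larger than "
                        f"ip-based threshold {ip_thr}")
    # Sections 2.1/2.4: a plain trusted port is not enough for the uplink.
    if enabled:
        for port in uplink_ports:
            if trust.get(port) != "supertrust-port":
                findings.append(f"{port} is an uplink but not a supertrust-port")
    return findings


if __name__ == "__main__":
    for finding in audit_anti_arpscan(SAMPLE_CONFIG, ["Ethernet0/0/24"]):
        print(finding)
```

Unset thresholds fall back to the documented defaults (10 and 3), so a configuration that only raises the IP-based threshold is still caught.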

2.5 anti-arpscan trust ip

Command: anti-arpscan trust ip <ip-address> [<netmask>]
no anti-arpscan trust ip <ip-address> [<netmask>]
Function: Configure a trusted IP; the “no anti-arpscan trust ip <ip-address>
[<netmask>]” command resets the IP to a non-trustful IP.
Parameters: <ip-address>: the trusted IP address; <netmask>: net mask of the
IP.
Default Settings: By default all the IP are non-trustful. Default mask is 255.255.255.255.
Command Mode: Global configuration mode
User Guide: If a port is configured as a trusted port, then the ARP scanning prevention
function will not deal with this port, even if the rate of received ARP messages exceeds
the set threshold, this port will not be closed. If the port is already closed by ARP
scanning prevention, its traffic will be recovered immediately.
Example: Set 192.168.1.0/24 as trusted IP.
Switch(config)#anti-arpscan trust ip 192.168.1.0 255.255.255.0

2.6 anti-arpscan recovery enable

Command: anti-arpscan recovery enable
no anti-arpscan recovery enable
Function: Enable the automatic recovery function; the “no anti-arpscan recovery enable”
command will disable the function.
Parameters: None
Default Settings: Enable the automatic recovery function
Command Mode: Global configuration mode
User Guide: If users want the normal state to be recovered a while after the port is
closed or the IP is disabled, they can configure this function.
Example: Enable the automatic recovery function of the switch.
Switch(config)#anti-arpscan recovery enable

2.7 anti-arpscan recovery time

Command: anti-arpscan recovery time <seconds>
no anti-arpscan recovery time
Function: Configure the automatic recovery time; the “no anti-arpscan recovery time”
command resets the automatic recovery time to the default value.
Parameters: Automatic recovery time in seconds, ranging from 5 to 86400.
Default Settings: 300 seconds.
Command Mode: Global configuration mode
User Guide: Automatic recovery function should be enabled first.

Example: Set the automatic recovery time as 3600 seconds.
Switch(config)#anti-arpscan recovery time 3600

2.8 anti-arpscan log enable

Command: anti-arpscan log enable
no anti-arpscan log enable
Function: Enable ARP scanning prevention log function; the “no anti-arpscan log enable”
command will disable this function.
Parameters: None.
Default Settings: Enable ARP scanning prevention log function.
Command Mode: Global configuration mode
User Guide: After enabling ARP scanning prevention log function, users can check the
detailed information of ports being closed or automatically recovered by ARP scanning
prevention or IP being disabled and recovered by ARP scanning prevention. The level of
the log is “Warning”.
Example: Enable ARP scanning prevention log function of the switch.
Switch(config)#anti-arpscan log enable

2.9 anti-arpscan trap enable

Command: anti-arpscan trap enable
no anti-arpscan trap enable
Function: Enable ARP scanning prevention SNMP Trap function; the “no anti-arpscan trap
enable” command disables the ARP scanning prevention SNMP Trap function.
Parameters: None.
Default Settings: Disable ARP scanning prevention SNMP Trap function.
Command Mode: Global configuration mode
User Guide: After enabling the ARP scanning prevention SNMP Trap function, users will
receive a Trap message whenever a port is closed or recovered by ARP scanning
prevention, and whenever an IP is closed or recovered by ARP scanning prevention.
Example: Enable ARP scanning prevention SNMP Trap function of the switch.
Switch(config)#anti-arpscan trap enable

2.10 show anti-arpscan

Command: show anti-arpscan [trust [ip | port | supertrust-port] | prohibited [ip | port]]
Function: Display the operation information of ARP scanning prevention function.
Parameters: None.
Default Settings: Display every port to tell whether it is a trusted port and whether it is
closed. If the port is closed, then display how long it has been closed. Display all the
trusted IP and disabled IP.
Command Mode: Admin Mode
User Guide: Use “show anti-arpscan trust port” if users only want to check trusted
ports. The rest follow the same rule.
Example: Check the operating state of ARP scanning prevention function after enabling
it.
Switch(config)#show anti-arpscan
Total port: 28
Name Port-property beShut shutTime(seconds)
Ethernet0/0/1 untrust N 0
Ethernet0/0/2 untrust N 0
Ethernet0/0/3 untrust N 0
Ethernet0/0/4 untrust N 0
Ethernet0/0/5 untrust N 0
Ethernet0/0/6 untrust N 0
Ethernet0/0/7 untrust N 0
Ethernet0/0/8 untrust N 0
Ethernet0/0/9 untrust N 0
Ethernet0/0/10 untrust N 0
Ethernet0/0/11 untrust N 0
Ethernet0/0/12 untrust N 0
Ethernet0/0/13 untrust N 0
Ethernet0/0/14 untrust N 0
Ethernet0/0/15 untrust N 0
Ethernet0/0/16 trust N 0
Ethernet0/0/17 untrust N 0
Ethernet0/0/18 supertrust N 0
Ethernet0/0/19 untrust Y 30
Ethernet0/0/20 trust N 0
Ethernet0/0/21 untrust N 0
Ethernet0/0/22 untrust N 0
Ethernet0/0/23 untrust N 0
Ethernet0/0/24 untrust N 0
Ethernet0/0/25 untrust N 0
Ethernet0/0/26 untrust N 0
Ethernet0/0/27 untrust N 0
Ethernet0/0/28 untrust N 0

Prohibited IP:
IP shutTime(seconds)
1.1.1.2 132

Trust IP:

192.168.99.5 255.255.255.255
192.168.99.6 255.255.255.255
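
For monitoring, the output above can be turned into alerts on closed ports and prohibited IPs. The following Python parser is an added example, not part of this manual; it assumes the whitespace-separated layout shown in the example output, and the sample text is abridged from that output.

```python
import re

# Abridged from the "show anti-arpscan" example above (most untrust rows omitted).
SAMPLE_OUTPUT = """\
Total port: 28
Name Port-property beShut shutTime(seconds)
Ethernet0/0/16 trust N 0
Ethernet0/0/18 supertrust N 0
Ethernet0/0/19 untrust Y 30

Prohibited IP:
IP shutTime(seconds)
1.1.1.2 132

Trust IP:
192.168.99.5 255.255.255.255
192.168.99.6 255.255.255.255
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT_ROW = re.compile(r"(\S+)\s+(untrust|trust|supertrust)\s+([YN])\s+(\d+)")
PROHIBITED_ROW = re.compile(rf"({IPV4})\s+(\d+)")
TRUST_ROW = re.compile(rf"({IPV4})\s+({IPV4})")


def parse_show_anti_arpscan(text):
    """Split the output into port rows, prohibited IPs and trusted IPs."""
    report = {"ports": [], "prohibited_ips": [], "trust_ips": []}
    section = "ports"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Prohibited IP"):
            section = "prohibited"
        elif line.startswith("Trust IP"):
            section = "trust"
        elif section == "ports" and (m := PORT_ROW.fullmatch(line)):
            report["ports"].append({"name": m[1], "property": m[2],
                                    "shut": m[3] == "Y", "seconds": int(m[4])})
        elif section == "prohibited" and (m := PROHIBITED_ROW.fullmatch(line)):
            report["prohibited_ips"].append((m[1], int(m[2])))
        elif section == "trust" and (m := TRUST_ROW.fullmatch(line)):
            report["trust_ips"].append((m[1], m[2]))
    return report


def alerts(report):
    """One line per port or IP currently blocked by ARP scanning prevention."""
    out = []
    for port in report["ports"]:
        if port["shut"]:
            # Section 2.4 says trusted ports are never closed, so flag that case.
            note = "" if port["property"] == "untrust" else " (unexpected for a trusted port)"
            out.append(f"port {port['name']} closed for {port['seconds']}s{note}")
    for ip, seconds in report["prohibited_ips"]:
        out.append(f"IP {ip} blocked for {seconds}s")
    return out


if __name__ == "__main__":
    for line in alerts(parse_show_anti_arpscan(SAMPLE_OUTPUT)):
        print(line)
```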

2.11 debug anti-arpscan

Command: debug anti-arpscan [port | ip]
no debug anti-arpscan [port | ip]
Function: Enable the debug switch of ARP scanning prevention; the “no debug anti-arpscan
[port | ip]” command disables the switch.
Parameters: None.
Default Settings: Disable the debug switch of ARP scanning prevention
Command Mode: Admin Mode
User Guide: After enabling the debug switch of ARP scanning prevention, users can check
the corresponding debug information whenever a port is closed by ARP scanning prevention
or recovered automatically, and whenever an IP is closed or recovered. The port-based or
IP-based debug switch can also be enabled separately.
Example: Enable the debug function for ARP scanning prevention of the switch.
Switch(config)#debug anti-arpscan

Chapter 3 Commands for Preventing ARP, ND Spoofing

3.1 ip arp-security updateprotect

Command: ip arp-security updateprotect
no ip arp-security updateprotect
Function: Forbid ARP table automatic update. The “no ip arp-security updateprotect”
command re-enables ARP table automatic update.
Parameter: None.
Default: ARP table automatic update.
Command Mode: Global Mode/ Interface configuration.
User Guide: With ARP table automatic update forbidden, the ARP packets conflicting with a
current ARP item (e.g. with same IP but different MAC or port) will be dropped; the others
will be received to update the aging timer or create a new item. So the current ARP items
are kept unchanged and new items can still be learned.
Example:
Switch(Config-if-Vlan1)#ip arp-security updateprotect
Switch(config)#ip arp-security updateprotect
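
The rule in the User Guide above (conflicting packets dropped, matching packets refresh the entry, unknown IPs still learned) can be followed through on a small model. The following Python simulation is an added example, not the switch's implementation; the class ArpTable, the packet list and all addresses are constructed for illustration, and aging is not modeled.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    mac: str
    port: str
    last_seen: int


class ArpTable:
    """Toy ARP cache; updateprotect=True applies the rule from the User Guide."""

    def __init__(self, updateprotect=False):
        self.updateprotect = updateprotect
        self.entries = {}  # IP address -> Entry

    def receive(self, ip, mac, port, now):
        current = self.entries.get(ip)
        if current is None:
            # Unknown IP: a new item can still be learned in both modes.
            self.entries[ip] = Entry(mac, port, now)
            return "learned"
        if (current.mac, current.port) == (mac, port):
            # Same IP, MAC and port: only the aging timer is updated.
            current.last_seen = now
            return "refreshed"
        if self.updateprotect:
            # Same IP but different MAC or port: conflicting packet is dropped.
            return "dropped"
        self.entries[ip] = Entry(mac, port, now)
        return "overwritten"


# Constructed sequence of (time, sender IP, sender MAC, ingress port).
PACKETS = [
    (0, "172.16.1.1", "00-00-00-00-00-01", "Ethernet0/0/1"),    # gateway
    (5, "172.16.1.20", "00-00-00-00-00-20", "Ethernet0/0/7"),   # host
    (9, "172.16.1.1", "00-00-00-00-00-01", "Ethernet0/0/1"),    # gateway again
    (12, "172.16.1.1", "00-00-00-00-00-66", "Ethernet0/0/9"),   # conflicting claim
    (15, "172.16.1.30", "00-00-00-00-00-30", "Ethernet0/0/8"),  # new host
]

# The protection pins whatever was learned first: if the conflicting claim is
# already in the table, the real owner's packets are the ones that get dropped.
# Check the table with "show arp" before enabling the function.
EARLY_CONFLICT = [PACKETS[3], PACKETS[0]]


def replay(packets, updateprotect):
    """Feed packets to a fresh table; return the verdicts and the table."""
    table = ArpTable(updateprotect)
    verdicts = [table.receive(ip, mac, port, t) for t, ip, mac, port in packets]
    return verdicts, table


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, table = replay(PACKETS, mode)
        print(mode, verdicts, table.entries["172.16.1.1"].mac)
```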

3.2 ipv6 nd-security updateprotect

Command: ipv6 nd-security updateprotect
no ipv6 nd-security updateprotect
Function: Forbid ND automatic update function of IPv6 Version; the “no ipv6 nd-security
updateprotect” command re-enables ND automatic update function.
Parameter: None
Default: ND update normally.
Command Mode: Global Mode/ Interface configuration
User Guide: With ND table automatic update forbidden, the ND packets conflicting with a
current ND item (e.g. with same IP but different MAC or port) will be dropped; the others
will be received to update the aging timer or create a new item. So the current ND items
are kept unchanged and new items can still be learned.
Example:
Switch(Config-if-Vlan1)#ipv6 nd-security updateprotect
Switch(config)#ipv6 nd-security updateprotect

3.3 ip arp-security learnprotect

Command: ip arp-security learnprotect
no ip arp-security learnprotect
Function: Forbid ARP learning function of IPv4 Version; the “no ip arp-security
learnprotect” command re-enables ARP learning function.
Parameter: None.
Default: ARP learning enabled.
Command Mode: Global Mode/ Interface Configuration.
Usage Guide: This command is for preventing the automatic learning and updating of
ARP. Unlike ip arp-security updateprotect, once this command is implemented, there will
still be a timeout even if the switch keeps sending Request/Reply messages.
Example:
Switch(Config-if-Vlan1)# ip arp-security learnprotect
Switch(config)# ip arp-security learnprotect

3.4 ipv6 nd-security learnprotect

Command: ipv6 nd-security learnprotect
no ipv6 nd-security learnprotect
Function: Forbid ND learning function of IPv6 Version; the “no ipv6 nd-security
learnprotect” command re-enables ND learning function.
Parameter: None.
Default: ND learning enabled.
Command Mode: Global Mode/ Interface Configuration.
Usage Guide: This command is for preventing the automatic learning and updating of
ND. Unlike ipv6 nd-security updateprotect, once this command is implemented, there will
still be a timeout even if the switch keeps sending Request/Reply messages.
Example:
Switch(Config-if-Vlan1)#ipv6 nd-security learnprotect
Switch(config)#ipv6 nd-security learnprotect

3.5 ip arp-security convert

Command: ip arp-security convert
Function: Change all of dynamic ARP to static ARP.
Parameter: None
Command Mode: Global Mode/ Interface configuration
Usage Guide: This command will convert the dynamic ARP entries to static ones, which,
in combination with disabling automatic learning, can prevent ARP binding. Once
implemented, this command will lose its effect.
Example:
Switch(Config-if-Vlan1)#ip arp-security convert
Switch(config)#ip arp-security convert

3.6 ipv6 nd-security convert

Command: ipv6 nd-security convert
Function: Change all of dynamic ND to static ND.
Parameter: None
Command Mode: Global Mode/ Interface Configuration
Usage Guide: This command will convert the dynamic ND entries to static ones, which,
in combination with disabling automatic learning, can prevent ND binding. Once
implemented, this command will lose its effect.
Example:
Switch(Config-if-Vlan1)#ipv6 nd-security convert
Switch(config)#ipv6 nd-security convert

3.7 clear ip arp dynamic

Command: clear ip arp dynamic
Function: Clear all of dynamic ARP on interface.
Parameter: None
Command Mode: Interface Configuration
Usage Guide: This command will clear dynamic entries before binding ARP. Once
implemented, this command will lose its effect.
Example:
Switch(Config-if-Vlan1)#clear ip arp dynamic

3.8 clear ipv6 nd dynamic

Command: clear ipv6 nd dynamic
Function: Clear all of dynamic ND on interface.
Parameter: None
Command mode: Interface Configuration
Usage Guide: This command will clear dynamic entries before binding ND. Once
implemented, this command will lose its effect.

Example:
Switch(Config-if-Vlan1)#clear ipv6 nd dynamic

Chapter 4 Command for ARP GUARD

4.1 arp-guard ip

Command: arp-guard ip <addr>
no arp-guard ip <addr>
Function: Add an ARP GUARD address; the no command deletes the ARP GUARD address.
Parameters: <addr> is the protected IP address, in dotted decimal notation.
Default: There is no ARP GUARD address by default.
Command Mode: Port configuration mode
Usage Guide: After configuring the ARP GUARD address, the configuration will be
effective for all ports with ARP GUARD enabled. The ARP messages received from the
ports configured with ARP GUARD will be filtered. If the source IP addresses of the ARP
messages match the ARP GUARD address configured on this port, these messages will
be judged as ARP cheating messages, which will be directly dropped, but ARP broadcast
messages are sent to the CPU of the switch. 16 ARP GUARD addresses can be
configured on each port.
Example:
Configure the ARP GUARD address on port ethernet0/0/1 as 100.1.1.1.
switch(config)#interface ethernet0/0/1
switch(Config-If-Ethernet 0/0/1)#arp-guard ip 100.1.1.1
Delete the ARP GUARD address 100.1.1.1 on port ethernet0/0/1.
switch(config)#interface ethernet0/0/1
switch(Config-If-Ethernet 0/0/1)#no arp-guard ip 100.1.1.1

Chapter 5 Commands for Gratuitous ARP Configuration

5.1 ip gratuitous-arp

Command: ip gratuitous-arp [<interval-time>]
no ip gratuitous-arp
Function: Enable gratuitous ARP and specify the update interval for gratuitous ARP. The
no form of this command will disable the gratuitous ARP configuration.
Parameters: <interval-time> is the update interval for gratuitous ARP with its value
limited between 5 and 1200 seconds and with default value as 300 seconds.
Command Mode: Global Configuration Mode and Interface Configuration Mode.
Default: Gratuitous ARP is disabled by default.
Usage Guide: When configuring gratuitous ARP in global configuration mode, all the
Layer 3 interfaces in the switch will be enabled to send gratuitous ARP request. If
gratuitous ARP is configured in interface configuration mode, then only the specified
interface is able to send gratuitous ARP requests. When configuring the gratuitous ARP,
the update interval configuration from interface configuration mode has higher preference
than that from the global configuration mode.
Example:
1) To enable gratuitous ARP in global configuration mode, and set the update interval to
be 400 seconds.
Switch>enable
Switch#config
Switch(config)#ip gratuitous-arp 400
2) To enable gratuitous ARP for interface VLAN 10 and set the update interval to be
350 seconds.
Switch(config)#interface vlan 10
Switch(Config-if-Vlan10)#ip gratuitous-arp 350

5.2 show ip gratuitous-arp

Command: show ip gratuitous-arp [interface vlan <vlan-id>]
Function: To display configuration information about gratuitous ARP.
Parameters: <vlan-id> is the VLAN ID. The valid range for <vlan-id> is between 1 and
4094.
Command Mode: All the Configuration Modes.
Usage Guide: In all the configuration modes, the command show ip gratuitous-arp will
display information about the gratuitous ARP configuration in global and interface
configuration mode. The command show ip gratuitous-arp interface vlan <vlan-id>
will display information about the gratuitous ARP configuration of the specified VLAN
interface.
Example:
1) To display information about gratuitous ARP configuration in both global and
interface configuration modes.
Switch#show ip gratuitous-arp
Gratuitous ARP send is Global enabled, Interval-Time is 300(s)

Gratuitous ARP send enabled interface vlan information:


Name Interval-Time(seconds)
Vlan1 400
Vlan10 350

2) To display gratuitous ARP configuration information about interface VLAN 10.
Switch#show ip gratuitous-arp interface vlan 10
Gratuitous ARP send interface Vlan10 information:
Name Interval-Time(seconds)
Vlan10 350

Chapter 6 Commands for ND Snooping

6.1 clear ipv6 nd snooping binding

Command: clear ipv6 nd snooping binding [<interface-name>]
Function: Clear all dynamic binding of ND Snooping.
Parameter: <interface-name> the name of an ethernet port.
Default: None.
Command mode: Admin Mode.
Usage Guide: Clear all ND Snooping binding table or binding entries of a port, the
entries of the corresponding FFP hardware drive will also be cleared.
Example:
Switch(config)#ipv6 nd snooping enable
Switch# clear ipv6 nd snooping binding

6.2 debug ipv6 nd snooping

Command: debug ipv6 nd snooping {packet | event | binding}
no debug ipv6 nd snooping {packet | event | binding}
Function: Open/close the debug of ND Snooping.
Parameter: packet shows debug information of received and sent ND packets, event
shows debug information that ND snooping processes the packets and the timer event,
binding shows the debug information of ND Snooping managing the binding table.
Default: Disable the debug information.
Command mode: Port Mode.
Usage Guide: Open the debug information switch of ND Snooping.
Example: Show the debug information of ND Snooping.
Switch#debug ipv6 nd snooping packet
Receive packet, smac 00-21-27-aa-0f-46, dmac 00-03-0f-00-de-01,
saddr fe80::221:27ff:feaa:f46, daddr 2001::1,
interface Ethernet0/0/17(portID 0x1000011), vid 1, length 90,
type 135, opcode 0, target address 2001::1

6.3 ipv6 nd snooping enable (Global mode)

Command: ipv6 nd snooping enable
no ipv6 nd snooping enable
Function: Enable/disable the monitoring function of ND Snooping globally.
Parameter: None.
Command mode: Global Mode.
Default: Disable the global function of ND Snooping.
Usage Guide: The port configuration of ND Snooping is allowed only after ND Snooping is
enabled globally. NA/NS packets of all ports are not forwarded, but are copied to the CPU.
After being processed by ND Snooping, these packets are forwarded according to the set
rules.
Example: Enable the ND Snooping globally.
Switch(config)#ipv6 enable
Switch(config)#ipv6 nd snooping enable

6.4 ipv6 nd snooping mac-binding-limit

Command: ipv6 nd snooping mac-binding-limit <number>
no ipv6 nd snooping mac-binding-limit
Function: Configure the max number of IPv6 addresses that can be bound to the same
MAC address.
Parameter: <number> is the max value, ranging from 1 to 10. It only includes the dynamic
binding number; the corresponding static binding number is not limited.
Default: 10.
Command mode: Global Mode.
Usage Guide:
a) After receiving this configuration command, set globally the max number of dynamic
bindings which relate to the same MAC address.
b) Count the bindings which correspond with each MAC address globally. If the
number of dynamic bindings of one MAC address exceeds the
configured value, then delete some dynamic bindings which have a high age until
the number of dynamic bindings equals the configured value, and stop creating
bindings for this MAC address. If the number of bindings is less than
the configured value, new dynamic bindings can still be created.
Example: Set the max number of the corresponding dynamic binding for the same MAC
address.
Switch(config)#ipv6 nd snooping enable
Switch(config)# ipv6 nd snooping mac-binding-limit 10

6.5 ipv6 nd snooping max-dad-delay

Command: ipv6 nd snooping max-dad-delay <max-dad-delay>
no ipv6 nd snooping max-dad-delay
Function: Set the lifetime of SAC_START state for a binding.
Parameter: <max-dad-delay> is the lifetime of SAC_START state, ranging from 1 to
10; the unit is second.
Command mode: Global Mode.
Default: The lifetime of a binding in SAC_START state is 1 second.
Usage Guide: Reset the binding lifetime of SAC_START state as <max-dad-delay> or 1
second.
Example: Configure the lifetime as 10 seconds.
Switch(config)#ipv6 nd snooping enable
Switch(config)#ipv6 nd snooping max-dad-delay 10

6.6 ipv6 nd snooping max-dad-prepare-delay

Command: ipv6 nd snooping max-dad-prepare-delay <max-dad-prepare-delay>
no ipv6 nd snooping max-dad-prepare-delay
Function: Set the lifetime of SAC_QUERY state for a binding.
Parameter: <max-dad-prepare-delay> is the lifetime of SAC_QUERY state, ranging
from 1 to 10; the unit is second.
Command mode: Global Mode.
Default: The lifetime of a binding in SAC_QUERY state is half a second.
Usage Guide: Reset the binding lifetime of SAC_QUERY state as <max-dad-prepare-delay>
or half a second.
Example: Configure the lifetime as 10 seconds.
Switch(config)#ipv6 nd snooping enable
Switch(config)#ipv6 nd snooping max-dad-prepare-delay 10

6.7 ipv6 nd snooping max-sac-lifetime

Command: ipv6 nd snooping max-sac-lifetime <max-sac-lifetime>
no ipv6 nd snooping max-sac-lifetime
Function: Set the lifetime of SAC_BOUND state for a binding.
Parameter: <max-sac-lifetime> is the lifetime of SAC_BOUND state, ranging from 1
to 31536000; the unit is second.
Command mode: Global Mode.
Default: The lifetime of a binding in SAC_BOUND state is 2 hours (7200 seconds).
Usage Guide: Change the lifetime of SAC_BOUND state.
Example: Configure the lifetime as 36000 seconds.
Switch(config)#ipv6 nd snooping enable
Switch(config)#ipv6 nd snooping max-sac-lifetime 36000

6.8 ipv6 nd snooping policy

Command: ipv6 nd snooping policy {bind-eui64-address | bind-non-eui64-address}
no ipv6 nd snooping policy
Function: Configure the dynamic binding policy of ND Snooping addresses.
Parameter: bind-eui64-address means only the global unicast EUI-64 address is
bound, bind-non-eui64-address means the non EUI-64 global unicast address is
bound, default means the global unicast address is bound.
Command mode: Global Mode.
Default: Bind any global unicast addresses by default.
Usage Guide: After the policy is configured, only the IPv6 addresses which are
specified by the policy are bound; for a global unicast address that the policy does not
specify, a message is displayed to report the conflict.
Example: Configure binding the global unicast EUI-64.
Switch(config)#ipv6 nd snooping enable
Switch(config)#ipv6 nd snooping policy bind-eui64-address
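
To see which addresses each policy value would admit, the following Python check classifies an IPv6 address against the MAC it was seen with. It is an added example, not the switch's implementation: it assumes "EUI-64 address" means the interface identifier equals the modified EUI-64 (RFC 4291, Appendix A) derived from the source MAC and that global unicast means 2000::/3; the manual does not state the exact test the switch applies. The function names are hypothetical.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # assumed meaning of "global unicast"


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier for a 48-bit MAC, as an int."""
    octets = bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def classify(address, mac):
    """Return 'eui64', 'non-eui64' or 'not-global-unicast' for address/mac."""
    addr = ipaddress.IPv6Address(address)
    if addr not in GLOBAL_UNICAST:
        return "not-global-unicast"
    interface_id = int(addr) & (2**64 - 1)
    return "eui64" if interface_id == eui64_interface_id(mac) else "non-eui64"


def may_bind(policy, address, mac):
    """policy is None (default), 'bind-eui64-address' or 'bind-non-eui64-address'."""
    kind = classify(address, mac)
    if kind == "not-global-unicast":
        return False  # only global unicast addresses are bound, per the Default line
    if policy is None:
        return True
    if policy == "bind-eui64-address":
        return kind == "eui64"
    if policy == "bind-non-eui64-address":
        return kind == "non-eui64"
    raise ValueError(f"unknown policy: {policy!r}")


if __name__ == "__main__":
    # MAC and link-local address from the debug trace in section 6.2.
    mac = "00-21-27-aa-0f-46"
    print(classify("fe80::221:27ff:feaa:f46", mac))   # link-local, never bound
    # Constructed global address carrying the same interface identifier.
    print(classify("2001::221:27ff:feaa:f46", mac))
    # MAC/address pair from the binding table example in section 6.13: the
    # identifier has the ff:fe shape but is not derived from this MAC.
    print(classify("2001::219:e0ff:fe3f:d183", "00-19-ef-d1-23-a4"))
```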

6.9 ipv6 nd snooping port-binding-limit

Command: ipv6 nd snooping port-binding-limit <binding-number>
no ipv6 nd snooping port-binding-limit
Function: Configure the binding number of the port. This binding number only limits the
dynamic binding number of the port, but does not limit the number of static bindings.
Parameter: <binding-number> is the max number which can be bound for each port, ranging
from 1 to 100.
Command mode: Port Mode.
Default: 100
Usage Guide:
a) After receiving this configuration command, set the max value of the dynamic binding
for this port.
b) Check the dynamic bindings of this port and count them. If the number exceeds the
configured value, then delete some dynamic bindings which have a high age until
the number of dynamic bindings equals the configured value, and stop creating
new dynamic bindings for this port. If the number of dynamic bindings is less than
the configured value, new dynamic bindings can still be created.
Example: Configure the number which can be bound by the port.
Switch(config)#ipv6 nd snooping enable
Switch(config-if-ethernet0/0/1)#ipv6 nd snooping port-binding-limit 100

6.10 ipv6 nd snooping static-binding

Command: ipv6 nd snooping static-binding <ipv6-address> hardware-address <hardware-address> interface <interface-name>
no ipv6 nd snooping static-binding <ipv6-address>
Function: Add a static binding.
Parameter: ipv6-address can only be a global unicast address; it can not be a link
local address, the unspecified address or the loopback address. hardware-address is
the MAC address of IEEE802 hardware, interface-name is the corresponding port ID.
Command mode: Global Mode.
Default: None.
Usage Guide:
a) Check the configured IPv6 address. If the configured address is a multicast
address of the nodes, a link local address, the unspecified address or the
loopback address, then show the error information and return.
b) Check the static binding table according to the IPv6 address and the MAC address
of the configuration command. If the IPv6 address binding exists, then give the
binding information of this IPv6 address and return. If there is no IPv6 address
binding, then create a new static binding. If ND Snooping has been enabled on the
binding port, then send the binding entries to the FFP hardware drive.
c) Check the dynamic binding table. If a dynamic binding exists that matches the
static binding completely, then delete this dynamic binding and keep the entries in
the FFP hardware drive. If a binding exists for the IPv6 address but the
anchor information is different, then delete this dynamic binding and the entries in
the FFP hardware drive.
Example: Add a new entry to the static binding table.
Switch(config)#ipv6 nd snooping enable
Switch(config)#ipv6 nd snooping static-binding 2001::2:1 hardware-address 00-11-22-33-44-55 interface ethernet0/0/1

6.11 ipv6 nd snooping trust

Command: ipv6 nd snooping trust
no ipv6 nd snooping trust
Function: Set the trust port of the switch.
Parameter: None.
Command mode: Port Mode.
Default: un-trusted port.
Usage Guide: This command sets a port or a group of ports as trust ports, deletes
all dynamic bindings corresponding with the port or ports, and stops creating new bindings
for the port or ports; packet access is also allowed.
Example: Set a port or a group of ports as the trust ports.
Switch(config)#interface ethernet 0/0/1
Switch(config-if-ethernet0/0/1)# ipv6 nd snooping trust

6.12 ipv6 nd snooping user-control

Command: ipv6 nd snooping user-control
no ipv6 nd snooping user-control
Function: Enable the control function of the ports for ND Snooping.
Parameter: None.
Command mode: Port Mode.
Default: Disable the control function of ND Snooping.
Usage Guide: After the control function of ND Snooping is disabled, clear all FFP drive
entries which are sent by ND Snooping for this port, but the binding information is not
deleted.
Example: Configure ND Snooping function on the port.
Switch(config)#ipv6 nd snooping enable
Switch(config)#interface ethernet 0/0/1
Switch(config-if-ethernet0/0/1)# ipv6 nd snooping user-control

6.13 show ipv6 nd snooping binding

Command: show ipv6 nd snooping binding [<ipv6-address> | <hardware-address> | <interface-name> | <all>]
Function: Show the global configuration and all binding information of ND Snooping, or
the configuration and the binding information of a port.
Parameter: ipv6-address: Show the binding information according to the specified IPv6
address.
hardware-address: Show the binding information according to the specified
MAC address.
interface-name: Show the binding information according to the specified port.
all: Show all information.
Default: None.
Command mode: Admin Mode.
Usage Guide: Show the configuration and the binding information of ND Snooping.
Example:
Switch#show ipv6 nd snooping binding all
ND Snooping is enabled
ND Snooping max-dad-delay: 1 s
ND Snooping max-sac-lifetime:7200 s
ND Snooping max-dad-prepare-delay: 0.5 s
ND Snooping max-mac-binding-num: 10

ND snooping binding count 1, static binding 0


MAC IPv6 address interface vlan ID State
00-19-ef-d1-23-a4 2001::219:e0ff:fe3f:d183 Ethernet0/0/27 1 SAC_BOUND
