
ipv6 firewall

ipv6 firewall
    attack-rate {ping <number>|session <number>|tcp-syn <number>} |
    deny-inter-user-bridging |
    drop-ip-fragments |
    enable-per-packet-logging |
    enable-stateful-icmp |
    enforce-tcp-handshake |
    ext-hdr-parse-len |
    no ... |
    prohibit-ip-spoofing |
    prohibit-rst-replay |
    session-idle-timeout <seconds>

Description

This command configures firewall options on the Mobility Master for IPv6 traffic.

Syntax

Each parameter is listed with its description, its range (where one applies) and its default.

attack-rate
    Sets rates which, if exceeded, can indicate a denial of service attack.

    ping <number>
        Number of ICMP pings per 30 seconds which, if exceeded, can indicate a denial of service attack. Recommended value is 120.
        Range: 1-16384

    session <number>
        Number of TCP or UDP connection requests per 30 seconds which, if exceeded, can indicate a denial of service attack. Recommended value is 960.
        Range: 1-16384

    tcp-syn <number>
        Number of TCP SYN messages per 30 seconds which, if exceeded, can indicate a denial of service attack. Recommended value is 960.
        Range: 1-16384

deny-inter-user-bridging
    Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic. This option can be used to prevent AppleTalk or IPX traffic from being forwarded.
    Default: disabled

drop-ip-fragments
    When enabled, all IP fragments are dropped. You should not enable this option unless instructed to do so by a customer support representative.
    Default: disabled

enable-per-packet-logging
    Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by a customer support representative, as doing so may create unnecessary overhead on the Mobility Master.
    Default: disabled

enforce-stateful-icmp
    Enables stateful ICMP processing, creates sessions for ICMP errors, and denies unidirectional responses.
    Default: disabled

enforce-tcp-handshake
    Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network, as enabling it will cause mobility to fail. You can enable this option if there are no mobile clients on the network.
    Default: disabled

ext-hdr-parse-len
    Sets the threshold value beyond which the IPv6 header will not be parsed and the packet will be dropped.
    Default: 100 bytes

prohibit-ip-spoofing
    Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.
    Default: disabled

prohibit-rst-replay
    Closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by a customer support representative.
    Default: disabled

session-idle-timeout <seconds>
    Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. You should not modify this option unless instructed to do so by a customer support representative.
    Range: 16-300
    Default: 16 seconds
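The attack-rate thresholds above are counts per 30-second window. The following added example (not ArubaOS code) models that check in Python: events are counted per class in a sliding 30-second window using the page's recommended values and the 1-16384 range, and a constructed packet stream shows the 121st ping in one window tripping the ping rate while a small SYN burst stays under the tcp-syn and session rates. Packet records, timestamps and the `classify` mapping are assumptions for illustration.

```python
from collections import defaultdict, deque

# Model of the attack-rate check (added example, not ArubaOS code): count
# events per class in a sliding 30-second window and flag a possible DoS
# when the configured rate is exceeded. Timestamps are milliseconds.
WINDOW_MS = 30_000
RECOMMENDED = {"ping": 120, "session": 960, "tcp-syn": 960}
RATE_RANGE = (1, 16384)  # valid range for each attack-rate <number>

class AttackRateMonitor:
    def __init__(self, rates=None):
        self.rates = {**RECOMMENDED, **(rates or {})}
        for kind, limit in self.rates.items():
            if kind not in RECOMMENDED:
                raise ValueError(f"unknown attack-rate class: {kind}")
            if not RATE_RANGE[0] <= limit <= RATE_RANGE[1]:
                raise ValueError(f"{kind} rate {limit} outside {RATE_RANGE}")
        self.seen = defaultdict(deque)  # kind -> event timestamps in window

    def observe(self, kind, ts_ms):
        """Record an event; True if the 30 s count now exceeds the rate."""
        q = self.seen[kind]
        q.append(ts_ms)
        while q and ts_ms - q[0] >= WINDOW_MS:  # drop events outside window
            q.popleft()
        return len(q) > self.rates[kind]

def classify(pkt):
    """Map a constructed packet record to the classes it counts toward."""
    if pkt["proto"] == "icmpv6" and pkt.get("type") == "echo-request":
        return ["ping"]
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return ["session", "tcp-syn"]  # a SYN is also a new connection request
    return []

def run_monitor(packets, rates=None):
    """Return (timestamp, class) for each packet that pushes a class over its rate."""
    mon = AttackRateMonitor(rates)
    alerts = []
    for pkt in packets:
        for kind in classify(pkt):
            if mon.observe(kind, pkt["ts"]):
                alerts.append((pkt["ts"], kind))
    return alerts

# Constructed traffic: 121 echo requests 100 ms apart, then 20 SYNs 10 ms apart.
SAMPLE = [{"ts": i * 100, "proto": "icmpv6", "type": "echo-request"} for i in range(121)]
SAMPLE += [{"ts": 20_000 + i * 10, "proto": "tcp", "flags": "S"} for i in range(20)]
ALERTS = run_monitor(SAMPLE)  # -> [(12000, 'ping')]: the 121st ping in one window
```

Lowering a rate below the recommended value (for example tcp-syn 10) makes the same SYN burst alert from its eleventh packet onward, which is the trade-off the recommended values are meant to balance.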

Usage Guidelines

This command configures global firewall options on the Mobility Master for IPv6 traffic.

Example

The following command does not allow forwarding of non-IP frames between IPv6 clients:

(host) [/md] (config) #ipv6 firewall deny-inter-user-bridging

Command History

Release             Modification
ArubaOS 8.0.0.0     Command introduced.

Command Information

Platforms:     Available on all platforms
License:       Available in the base operating system, except for noted parameters.
Command Mode:  Config mode on Mobility Master.
