H3C Technologies H3C SecPath F1000-E User Manual
Enabling sending of ICMPv6 destination unreachable messages
If the firewall fails to forward a received IPv6 packet due to one of the following reasons, it drops the
packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.
• If no route is available for forwarding the packet, the firewall sends a "no route to destination" ICMPv6 error message to the source.
• If the firewall fails to forward the packet due to administrative prohibition (such as a firewall filter or an ACL), the firewall sends the source a "destination network administratively prohibited" ICMPv6 error message.
• If the firewall fails to deliver the packet because the destination is beyond the scope of the source IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the destination IPv6 address of the packet is a global unicast address), the firewall sends the source a "beyond scope of source address" ICMPv6 error message.
• If the firewall fails to resolve the corresponding link layer address of the destination IPv6 address, the firewall sends the source an "address unreachable" ICMPv6 error message.
• If the packet is destined for the firewall itself, its transport layer protocol is UDP, and its destination port number does not match any running process, the firewall sends the source a "port unreachable" ICMPv6 error message.
If an attacker sends abnormal traffic that causes the firewall to generate ICMPv6 destination unreachable
messages, end users may be affected. To prevent such attacks, you can disable the firewall from sending
ICMPv6 destination unreachable messages.
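The following Python example is added here and is not part of the H3C manual: it validates captured ICMPv6 Destination Unreachable messages, maps each code to the reasons listed above, and counts them per receiving host so you can judge whether the firewall is being driven to emit them. The code values follow RFC 4443; the addresses, sample packets and function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# ICMPv6 type 1 codes (RFC 4443), named as in the list above.
CODES = {0: "no route to destination",
         1: "destination network administratively prohibited",
         2: "beyond scope of source address",
         3: "address unreachable",
         4: "port unreachable"}

def checksum(src, dst, icmp):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), 58))  # next header 58 = ICMPv6
    data = pseudo + icmp + b"\x00" * (len(icmp) % 2)  # pad to a 16-bit boundary
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(src, dst, code, invoking=b""):
    """Construct a Destination Unreachable message (sample data only)."""
    msg = struct.pack("!BBHI", 1, code, 0, 0) + invoking
    return msg[:2] + struct.pack("!H", checksum(src, dst, msg)) + msg[4:]

def classify(src, dst, icmp):
    """Return the unreachable reason, or None for other types or a bad checksum."""
    if len(icmp) < 8 or icmp[0] != 1 or checksum(src, dst, icmp) != 0:
        return None
    return CODES.get(icmp[1], "other code %d" % icmp[1])

def tally(packets):
    """Count reasons per receiving host across (src, dst, icmp) tuples."""
    counts = Counter()
    for src, dst, icmp in packets:
        reason = classify(src, dst, icmp)
        if reason:
            counts[(dst, reason)] += 1
    return counts

# Constructed sample: documentation-prefix addresses, not real capture data.
FW = "2001:db8::1"
SAMPLE = [(FW, "2001:db8:1::10", build(FW, "2001:db8:1::10", 4, b"\x60" + bytes(39))),
          (FW, "2001:db8:1::10", build(FW, "2001:db8:1::10", 4, b"\x60" + bytes(39))),
          (FW, "2001:db8:1::20", build(FW, "2001:db8:1::20", 1)),
          (FW, "2001:db8:1::20", b"\x01\x00\x00\x00\x00\x00\x00\x00")]  # bad checksum

if __name__ == "__main__":
    for (host, reason), n in tally(SAMPLE).items():
        print(host, reason, n)
```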
To enable sending of ICMPv6 destination unreachable messages:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable sending of ICMPv6 destination unreachable messages. | ipv6 unreachables enable | Disabled by default |
Displaying and maintaining IPv6 basics configuration
| Task | Command | Remarks |
|---|---|---|
| Display the IPv6 FIB entries. | display ipv6 fib [ vpn-instance vpn-instance-name ] [ acl6 acl6-number \| ipv6-prefix ipv6-prefix-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the IPv6 FIB entry of a specified destination IPv6 address. | display ipv6 fib [ vpn-instance vpn-instance-name ] ipv6-address [ prefix-length ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |