Configuring ICMPv6 Error Packet Control

Context

Configuring ICMPv6 error packet control reduces network traffic and prevents malicious attacks. Network congestion may occur when a large number of ICMPv6 error packets are sent on the network within a short period of time. To prevent network congestion, you can limit the maximum number of ICMPv6 error packets sent in a specified period using the token bucket algorithm.

You can set the bucket size and interval for placing tokens into the bucket. The bucket size indicates the maximum number of tokens that a bucket can hold. One token represents one ICMPv6 error packet. When an ICMPv6 error packet is sent, one token is taken out of the token bucket. When there are no tokens, ICMPv6 error packets cannot be sent until new tokens are placed into the token bucket.
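
The following Python model is an added example, not Huawei code. It simulates the token bucket described above with the default values this page gives (bucket size 10, interval 100 ms) to show how many ICMPv6 error packets are sent during a burst. It assumes that one token is placed per interval and that the bucket starts full; the class and function names are hypothetical.

```python
class IcmpErrorLimiter:
    """Token bucket: one token permits one ICMPv6 error packet."""

    def __init__(self, bucket_size=10, interval_ms=100):
        # Defaults mirror the page: 10 tokens, refill interval 100 ms.
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket_size and interval_ms must be positive")
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        self.tokens = bucket_size      # assumption: bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms):
        # Assumption: one token per elapsed interval, capped at bucket_size.
        elapsed = (now_ms - self.last_refill_ms) // self.interval_ms
        if elapsed > 0:
            self.tokens = min(self.bucket_size, self.tokens + elapsed)
            self.last_refill_ms += elapsed * self.interval_ms

    def allow(self, now_ms):
        """Return True if an error packet may be sent at time now_ms."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False  # bucket empty: the error packet is not sent


def simulate(event_times_ms, **limiter_args):
    """Return (sent, suppressed) for packets that each trigger an error."""
    limiter = IcmpErrorLimiter(**limiter_args)
    sent = sum(limiter.allow(t) for t in sorted(event_times_ms))
    return sent, len(event_times_ms) - sent


# Constructed input: 1000 error-triggering packets, one per millisecond.
FLOOD = list(range(1000))

if __name__ == "__main__":
    for size, interval in [(10, 100), (10, 1000), (100, 100)]:
        sent, dropped = simulate(FLOOD, bucket_size=size, interval_ms=interval)
        print(f"bucket={size:3d} interval={interval:4d} ms -> "
              f"sent {sent}, suppressed {dropped}")
```

Under these assumptions, the bucket size bounds the initial burst and the interval bounds the sustained rate: with the defaults, the model settles at one error packet per 100 ms once the first 10 tokens are spent.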

If transmission of too many ICMPv6 error packets causes network congestion or the network is attacked by forged ICMPv6 error packets, you can disable the system from receiving ICMPv6 error packets, Host Unreachable packets, and Port Unreachable packets.

Pre-configuration Tasks

Before setting the rate limit for sending ICMPv6 error packets, complete the task Configuring IPv6 Addresses for Interfaces.

Procedure

  • Control ICMPv6 error messages in the system view.
    1. Run system-view

      The system view is displayed.

    2. Run ipv6

      IPv6 packet forwarding is enabled.

      By default, a device is disabled from forwarding IPv6 unicast packets.

    3. Run ipv6 icmp-error { bucket bucket-size | ratelimit interval } *

      The rate limit for sending ICMPv6 error packets is set.

      By default, a token bucket can hold a maximum of 10 tokens and the interval for placing tokens into the bucket is 100 ms.

      If transmission of too many ICMPv6 error packets causes network congestion or the network is attacked by forged ICMPv6 error packets, you can also run the undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } receive command to disable the system from receiving ICMPv6 error packets, Host Unreachable packets, and Port Unreachable packets with the local address as the destination address.

    4. Run ipv6 icmp too-big-rate-limit

      The device is enabled to reject oversized ICMPv6 error messages.

      By default, the device rejects oversized ICMPv6 error messages.

    5. Run undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } receive

      The system is disabled from receiving ICMPv6 messages.

      By default, the system is enabled to receive ICMPv6 messages.

    6. Run undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } send

      The system is disabled from sending ICMPv6 messages.

      By default, the system is enabled to send ICMPv6 messages.

    7. Run ipv6 icmp blackhole unreachable send

      The Broadband Remote Access Server (BRAS) is enabled to send a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv6 blackhole route.

      By default, the BRAS is disabled from sending a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv6 blackhole route.

  • Control ICMPv6 messages in the interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The specified interface view is displayed.

    3. (Optional) On an Ethernet interface, run undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.

    4. Run ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    5. Run undo ipv6 icmp port-unreachable send

      The interface is disabled from sending ICMPv6 Port Unreachable messages.

      By default, the function of sending ICMPv6 Port Unreachable messages configured globally also takes effect on an interface.

    6. Run undo ipv6 icmp hop-limit-exceeded send

      The interface is disabled from sending ICMPv6 Hop Limit Exceeded messages.

      By default, the function of sending ICMPv6 Hop Limit Exceeded messages configured globally also takes effect on an interface.

Verifying the Configuration

  • Run the display ipv6 interface [ interface-type interface-number | brief ] command to check IPv6 information about a specified interface.

  • Run the display icmpv6 statistics command to check ICMPv6 traffic statistics.

Copyright © Huawei Technologies Co., Ltd.