ipv6 destination-unreachable drop

Usage Scenario

Generally, the device sends the IPv6 packets that do not match routing entries to the CPU for processing. If many IPv6 packets do not match routing entries because of an attack or improper network configurations, the CPU is busy. To prevent this situation, run the ipv6 destination-unreachable drop command to configure the switch to discard these packets.

Precautions

If the ipv6 destination-unreachable drop command is used and a traffic policy with the redirect action is configured, both the drop action and the redirect action take effect. Because the drop action has a higher priority than the redirect action, ICMPv6 Redirect packets are discarded. This leads to a redirection failure. To make the redirect action take effect, run the undo ipv6 destination-unreachable drop command to disable the drop action. However, disabling the drop action will degrade the attack defense performance of the system. You must configure the two actions properly according to network requirements.

After the ipv6 destination-unreachable drop command is used, the switch does not respond to the ICMPv6 Error packets caused when IPv6 packets do not match routing entries until the drop action is disabled.

For the S6720-EI and S6720S-EI, if the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command, the ipv6 destination-unreachable drop command does not take effect.