The ipv6 nd miss anti-attack rate-limit source-ip command configures a rate limit for receiving ND Miss messages based on a specified source IPv6 address, that is, the number of ND Miss messages that can be processed per second based on a specified source IPv6 address.
The undo ipv6 nd miss anti-attack rate-limit source-ip command restores the default configuration.
By default, no rate limit for receiving ND Miss messages based on a specified source IPv6 address is configured.
| Parameter | Description | Value |
|---|---|---|
| maximum max-value | Specifies a rate limit for receiving ND Miss messages based on a specified source IPv6 address. | The value is an integer ranging from 0 to 5000, in messages per second. |
| miss | Sets a rate limit for receiving ND Miss messages. | - |
| source-ip ipv6-address | Specifies a source IPv6 address. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
Views
100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, PW-VE sub-interface view, PW-VE interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view, Management interface view
Usage Scenario
If a device is attacked, it receives a large number of ND Miss messages within a short period. As a result, the device consumes many CPU resources to learn and respond to ND entries, affecting the processing of other services. To resolve this issue, configure a rate limit for receiving ND Miss messages based on a specified source IPv6 address. After the configuration is complete, the device counts the number of ND Miss messages received per period based on the specified source IPv6 address. If the number exceeds the configured limit, the device does not process excess ND Miss messages.
Configuration Impact
After a rate limit for receiving ND Miss messages based on a specified source IPv6 address is configured, the device counts the number of ND Miss messages received per period based on the specified source IPv6 address. If the number of ND Miss messages exceeds the configured limit, the device does not process excess ND Miss messages. As a result, the device may fail to process valid ND Miss messages, causing user service interruptions.
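The per-source counting behaviour described in the two sections above, as an added model written for this page (not Huawei VRP code): a burst of 800 ND Miss messages from one source within a single second against the example limit of 550 shows how many are discarded, that a legitimate message from the same source later in that second is also lost, that the counter starts over in the next second, and that a source with no configured limit is untouched. The class and function names, the burst size and the second source address are constructed for the illustration.

```python
from ipaddress import IPv6Address

class NdMissSourceRateLimiter:
    """Model of 'ipv6 nd miss anti-attack rate-limit source-ip <addr> maximum <n>':
    messages from a configured source are counted per one-second period and,
    once the count reaches the limit, the rest of that period is discarded."""

    def __init__(self):
        self.limits = {}   # source -> maximum ND Miss messages per second
        self.state = {}    # source -> [current period, count in that period]

    def configure(self, source, maximum):
        if not 0 <= maximum <= 5000:           # documented range (messages/second)
            raise ValueError("maximum must be between 0 and 5000")
        self.limits[IPv6Address(source)] = maximum

    def undo(self, source):                    # 'undo ...' restores the default
        self.limits.pop(IPv6Address(source), None)

    def accept(self, source, timestamp):
        """Return True if the message is processed, False if it is discarded."""
        src = IPv6Address(source)
        limit = self.limits.get(src)
        if limit is None:                      # no limit configured: never dropped
            return True
        period = int(timestamp)                # one-second counting window
        entry = self.state.setdefault(src, [period, 0])
        if entry[0] != period:                 # new second: reset the counter
            entry[0], entry[1] = period, 0
        if entry[1] >= limit:
            return False
        entry[1] += 1
        return True

def burst_demo(maximum=550, burst=800):
    """Constructed scenario: a burst from one source, then legitimate messages."""
    lim = NdMissSourceRateLimiter()
    lim.configure("2001:db8:1::1", maximum)
    accepted = sum(lim.accept("2001:db8:1::1", 0.001 * i) for i in range(burst))
    return {
        "processed_from_burst": accepted,
        "dropped_from_burst": burst - accepted,
        "valid_same_second": lim.accept("2001:db8:1::1", 0.95),  # lost: limit hit
        "valid_next_second": lim.accept("2001:db8:1::1", 1.2),   # counter reset
        "other_source": lim.accept("2001:db8:2::1", 0.5),        # no limit set
    }
```

With maximum 0 every message from the configured source is discarded, which is the case the Precautions section warns about when a limit is set too low.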
Precautions
If a low rate limit is configured and the login through Telnet fails because the device receives a large number of attack packets, you can log in to the device through the console port to increase the rate limit.
Example
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd miss anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550