The ipv6 nd anti-attack rate-limit source-ip command sets the rate limit value for ND packets based on interface source IP.
The undo ipv6 nd anti-attack rate-limit source-ip command deletes the rate limit value for ND packets based on interface source IP.
By default, the ND interface source IP rate anti-attack function is disabled.
Parameter | Description | Value |
---|---|---|
ns | Indicates the rate at which NS messages are sent. | - |
na | Indicates the rate at which NA messages are sent. | - |
rs | Indicates the rate at which RS messages are sent. | - |
ra | Indicates the rate at which RA messages are sent. | - |
source-ip ipv6-address | Specify the source IP address. | The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
maximum max-value | Specify the rate limit value for ND packets based on the source IP. | The value is an integer ranging from 0 to 5000, in pps. |
100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, PW-VE sub-interface view, PW-VE interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view, Management interface view
Usage Scenario
If users send a large number of ND packets to a device, many resources are diverted into processing these ND packets, and the processing of other services is affected. To resolve this problem, run the ipv6 nd anti-attack rate-limit source-ip (interface view) command to set the rate limit value for ND packets based on interface source IP. This keeps the device from wasting resources on processing ND packets and ensures the normal operation of other services.
Configuration Impact
After the rate limit value for ND packets based on interface source IP is set, the device counts the number of received ND packets. If the number of ND packets received in a specified period exceeds the upper limit, the device discards the excess ND packets. As a result, the device may fail to process some valid ND packets, causing service interruptions.
Precautions
If the rate limit is too low and the login through Telnet fails because the device receives a large number of attack packets, you can log in to the device through the Console port to increase the rate limit.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd ra anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd rs anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd na anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550

<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd ns anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550
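
The following Python script is an added example, not part of the original command reference. It checks configuration text for this command against the parameter table above (message type ns, na, rs or ra; a valid IPv6 source address; maximum from 0 to 5000 pps). The stanza layout (an interface line closed by a # line), the function name audit and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Command form as used in the examples on this page:
# ipv6 nd <ns|na|rs|ra> anti-attack rate-limit source-ip <ipv6-address> maximum <max-value>
RULE = re.compile(r"^ipv6 nd (?P<msg>\S+) anti-attack rate-limit "
                  r"source-ip (?P<ip>\S+) maximum (?P<max>\S+)$")
MSG_TYPES = {"ns", "na", "rs", "ra"}

def audit(config_text):
    """Return (rules, problems); assumes 'interface <name>' opens a stanza, '#' closes it."""
    rules, problems, iface = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "#":
            iface = None
        m = RULE.match(line)
        if not m:
            continue
        errs = []
        if iface is None:
            errs.append("not inside an interface view")
        if m["msg"] not in MSG_TYPES:
            errs.append("message type must be ns, na, rs or ra")
        try:
            ipaddress.IPv6Address(m["ip"])
        except ValueError:
            errs.append("invalid IPv6 source address")
        if not (m["max"].isdecimal() and 0 <= int(m["max"]) <= 5000):
            errs.append("maximum must be an integer from 0 to 5000 (pps)")
        if errs:
            problems += [f"{iface}: {line} -> {e}" for e in errs]
        else:
            rules.append((iface, m["msg"], m["ip"], int(m["max"])))
    return rules, problems

# Constructed sample configuration (not taken from a real device).
SAMPLE = """#
interface GigabitEthernet0/1/0
 ipv6 enable
 ipv6 nd ra anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550
 ipv6 nd ns anti-attack rate-limit source-ip 2001:db8:1::zz maximum 550
 ipv6 nd na anti-attack rate-limit source-ip 2001:db8:1::1 maximum 6000
#
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```
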