ipv6 nd anti-attack rate-limit source-ip all maximum

Function

The ipv6 nd anti-attack rate-limit source-ip all maximum command sets the rate limit value for ND packets based on each source IP address.

The undo ipv6 nd anti-attack rate-limit source-ip all maximum command deletes the rate limit value for ND packets based on each source IP address.

The default rate limit for sending ND messages to the CPU based on any source IP address is 0.45 times the rate limit for sending ND messages to the CPU that is configured in the system view.

Format

ipv6 nd { ns | na | rs | ra } anti-attack rate-limit source-ip all maximum max-value

undo ipv6 nd { ns | na | rs | ra } anti-attack rate-limit source-ip all maximum max-value

Parameters

Parameter | Description | Value
ns | Indicates the rate at which NS messages are sent. | -
na | Indicates the rate at which NA messages are sent. | -
rs | Indicates the rate at which RS messages are sent. | -
ra | Indicates the rate at which RA messages are sent. | -
maximum max-value | Specifies the rate limit value for ND packets based on every source IP. | The value is an integer ranging from 0 to 5000, in pps.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
nd | write

Usage Guidelines

Usage Scenario

If users send a large number of ND packets to a device, many resources are diverted into processing these ND packets, and the processing of other services is affected. To resolve this problem, run the ipv6 nd anti-attack rate-limit source-ip all (system view) command to set the rate limit value for ND packets based on any source IP address. This keeps the device from wasting resources on processing ND packets and ensures the normal operation of other services.

Configuration Impact

After the rate limit value for ND packets based on any interface source IP is set, the device counts the number of received ND packets. If the number of ND packets received in a specified period exceeds the upper limit, the device discards the excess ND packets. As a result, the device may fail to process some valid ND packets, causing service interruptions.

Precautions

If the rate limit is too low and the login through Telnet fails because the device receives a large number of attack packets, you can log in to the device through the Console port to increase the rate limit.

Example

# Set the NA packet rate limit based on every source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd na anti-attack rate-limit source-ip all maximum 550

# Set the NS packet rate limit based on every source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd ns anti-attack rate-limit source-ip all maximum 550

# Set the RA packet rate limit based on every source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd ra anti-attack rate-limit source-ip all maximum 550

# Set the RS packet rate limit based on every source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd rs anti-attack rate-limit source-ip all maximum 550
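
The following is an added example, not Huawei's code: a Python check that reads a saved configuration, validates each max-value against the 0 to 5000 pps range from the Parameters section, and reports which ND message types still fall back to the default of 0.45 times the system-view limit. The names audit and system_nd_limit_pps and the sample configuration are assumptions made for this illustration.

```python
import re

# Syntax and value range as given in the Format and Parameters sections.
CMD = re.compile(
    r"^\s*ipv6 nd (ns|na|rs|ra) anti-attack rate-limit source-ip all maximum (\S+)\s*$")
ND_TYPES = ("ns", "na", "rs", "ra")
MIN_PPS, MAX_PPS = 0, 5000
DEFAULT_FACTOR_PCT = 45  # default = 0.45 x the system-view ND-to-CPU limit


def audit(config_text, system_nd_limit_pps):
    """Return ({nd_type: (pps, "configured" | "default")}, [errors]).

    system_nd_limit_pps is supplied by the caller (assumption: the command
    that sets it is not on this page, so it is not parsed here).
    """
    configured, errors = {}, []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CMD.match(line)
        if not m:
            continue  # unrelated line, or the undo form of the command
        nd_type, raw = m.groups()
        if not raw.isdecimal() or not MIN_PPS <= int(raw) <= MAX_PPS:
            errors.append(f"line {lineno}: {nd_type} max-value {raw!r} "
                          f"is not an integer in {MIN_PPS}-{MAX_PPS} pps")
            continue
        configured[nd_type] = int(raw)

    default_pps = system_nd_limit_pps * DEFAULT_FACTOR_PCT / 100
    effective = {
        t: (configured[t], "configured") if t in configured
        else (default_pps, "default")
        for t in ND_TYPES
    }
    return effective, errors


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
sysname HUAWEI
ipv6 nd na anti-attack rate-limit source-ip all maximum 550
ipv6 nd ns anti-attack rate-limit source-ip all maximum 550
ipv6 nd ra anti-attack rate-limit source-ip all maximum 6000
"""

if __name__ == "__main__":
    effective, errors = audit(SAMPLE, system_nd_limit_pps=1000)
    print(effective)
    print(errors)
```

The default is reported without rounding, because the page does not say how the device rounds 0.45 times the system-view limit.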
Copyright © Huawei Technologies Co., Ltd.