The ipv6 nd anti-attack rate-limit destination-ip command configures a rate limit for receiving ND messages based on a specified destination IPv6 address, that is, the number of ND messages that can be processed per second based on a specified destination IPv6 address.
The undo ipv6 nd anti-attack rate-limit destination-ip command restores the default configuration.
By default, no rate limit for receiving ND messages based on a specified destination IPv6 address is configured.
Parameter | Description | Value
---|---|---
ns | Sets a rate limit for receiving NS messages. | -
na | Sets a rate limit for receiving NA messages. | -
rs | Sets a rate limit for receiving RS messages. | -
ra | Sets a rate limit for receiving RA messages. | -
destination-ip ipv6-address | Specifies a destination IPv6 address. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
maximum max-value | Specifies a rate limit for receiving ND messages based on a specified destination IPv6 address. | The value is an integer ranging from 0 to 5000, in messages per second.
Usage Scenario
If a device is attacked, it receives a large number of ND messages within a short period. As a result, the device consumes many CPU resources to learn and respond to ND entries, affecting the processing of other services. To resolve this issue, configure a rate limit for receiving ND messages based on a specified destination IPv6 address. After the configuration is complete, the device counts the number of ND messages received per period based on the specified destination IPv6 address. If the number of ND messages exceeds the configured limit, the device does not process excess ND messages.
Configuration Impact
After a rate limit for receiving ND messages based on a specified destination IPv6 address is configured, the device counts the number of ND messages received per period based on the specified destination IPv6 address. If the number of ND messages exceeds the configured limit, the device does not process excess ND messages. As a result, the device may fail to process valid ND messages, causing user service interruptions.
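The per-destination counting described in the usage scenario and configuration impact above, as an added illustrative model (not the device's own implementation): a limit is keyed by destination address and optionally by ND message type, ND messages are counted per one-second period, and messages beyond max-value in that period are dropped. The class and function names are assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# ND message types that can be limited individually (see the parameter table).
ND_TYPES = ("ns", "na", "rs", "ra")


class NdDestinationRateLimiter:
    """Illustrative model of the per-destination ND rate limit (assumed
    names, not the device's code): at most max_value ND messages per
    one-second period are processed for a configured destination address."""

    def __init__(self):
        self.limits = {}                 # (dst, nd_type|None) -> max_value
        self.counts = defaultdict(int)   # (dst, nd_type|None, second) -> seen

    @staticmethod
    def _norm(addr):
        # Accept any textual form of the X:X:X:X:X:X:X:X address.
        return ipaddress.IPv6Address(addr)

    def configure(self, dst, max_value, nd_type=None):
        # Mirrors the command's value range: 0..5000 messages per second.
        if not 0 <= max_value <= 5000:
            raise ValueError("maximum must be 0..5000 messages per second")
        if nd_type is not None and nd_type not in ND_TYPES:
            raise ValueError("nd_type must be one of ns, na, rs, ra")
        self.limits[(self._norm(dst), nd_type)] = max_value

    def undo(self, dst, nd_type=None):
        # Equivalent of the undo form: remove the limit for that key.
        self.limits.pop((self._norm(dst), nd_type), None)

    def receive(self, dst, nd_type, timestamp):
        """Return True if the message is processed, False if it is dropped."""
        dst = self._norm(dst)
        # A type-specific limit is assumed to take precedence over an all-types one.
        for key in ((dst, nd_type), (dst, None)):
            if key in self.limits:
                break
        else:
            return True                  # no limit configured: process
        bucket = (key[0], key[1], int(timestamp))
        if self.counts[bucket] >= self.limits[key]:
            return False                 # over the limit this second: drop
        self.counts[bucket] += 1
        return True


def simulate(limiter, messages):
    """Feed constructed (dst, nd_type, timestamp) triples; return (processed, dropped)."""
    processed = dropped = 0
    for dst, nd_type, ts in messages:
        if limiter.receive(dst, nd_type, ts):
            processed += 1
        else:
            dropped += 1
    return processed, dropped
```

With a limit of 0 every matching message is dropped, which is the model's counterpart of the precaution below: a limit set too low on the address used for management access blocks legitimate traffic as well.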
Precautions
If a low rate limit is configured and the login through Telnet fails because the device receives a large number of attack packets, you can log in to the device through the console port to increase the rate limit.