ipv6 nd anti-attack rate-limit source-ip (System view)

Function

The ipv6 nd anti-attack rate-limit source-ip command sets the rate limit value for ND packets based on the source IP.

The undo ipv6 nd anti-attack rate-limit source-ip command deletes the rate limit value for ND packets based on the source IP.

By default, the ND source IP rate anti-attack function is disabled.

Format

ipv6 nd { ns | na | rs | ra } anti-attack rate-limit source-ip ipv6-address maximum max-value

undo ipv6 nd { ns | na | rs | ra } anti-attack rate-limit source-ip ipv6-address maximum max-value

Parameters

| Parameter | Description | Value |
|---|---|---|
| ns | Indicates the rate at which NS messages are sent. | - |
| na | Indicates the rate at which NA messages are sent. | - |
| rs | Indicates the rate at which RS messages are sent. | - |
| ra | Indicates the rate at which RA messages are sent. | - |
| source-ip ipv6-address | Specify the source IP address. | The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| maximum max-value | Specify the rate limit value for ND packets based on the source IP. | The value is an integer ranging from 0 to 5000, in pps. |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| nd | write |

Usage Guidelines

Usage Scenario

If users send a large number of ND packets to a device, many resources are diverted into processing these ND packets, and the processing of other services is affected. To resolve this problem, run the ipv6 nd anti-attack rate-limit source-ip (system view) command to set the rate limit value for ND packets based on the source IP. This prevents the device from wasting resources on processing ND packets and ensures the normal operation of other services.

Configuration Impact

After the rate limit value for ND packets based on the source IP is set, the device counts the number of received ND packets. If the number of ND packets received in a specified period exceeds the upper limit, the device discards the excess ND packets. As a result, the device may fail to process some valid ND packets, causing service interruptions.

Precautions

If the rate limit is too low and the login through telnet fails because the device receives a large number of attack packets, you can log in to the device through the Console port to increase the rate limit.

Example

# Set the rate limit for RA packets based on the source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd ra anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550

# Set the rate limit for NS packets based on the source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd ns anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550

# Set the rate limit for RS packets based on the source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd rs anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550

# Set the rate limit for NA packets based on the source IP address to 550 pps.
<HUAWEI> system-view
[~HUAWEI] ipv6 nd na anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550
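
An added example (not Huawei's code and not part of the original page): a Python check that lints a list of these commands against the documented format and the 0 to 5000 pps range before they are applied, and reports which ND message types still have no limit for a given source. The function names and the sample commands are constructed for illustration; it assumes command text without CLI prompts, processed in order so that an undo line deletes an earlier limit.

```python
import ipaddress
import re

# Syntax from the Format section; 0-5000 pps range from the Parameters section.
ND_RATE_RE = re.compile(
    r"^(?P<undo>undo\s+)?ipv6\s+nd\s+(?P<type>ns|na|rs|ra)\s+anti-attack\s+"
    r"rate-limit\s+source-ip\s+(?P<addr>\S+)\s+maximum\s+(?P<max>\d+)$"
)
ND_TYPES = ("ns", "na", "rs", "ra")

# Constructed sample, not from a real device; assumes config text without prompts.
SAMPLE_CONFIG = """\
ipv6 nd ra anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550
ipv6 nd ns anti-attack rate-limit source-ip 2001:DB8:1:0::1 maximum 550
ipv6 nd rs anti-attack rate-limit source-ip 2001:db8:1::1 maximum 6000
ipv6 nd na anti-attack rate-limit source-ip 2001:db8:1::zz maximum 100
undo ipv6 nd ra anti-attack rate-limit source-ip 2001:db8:1::1 maximum 550
"""

def audit_nd_rate_limits(config_text):
    """Return (limits, problems); limits maps (nd_type, ipv6) -> pps."""
    limits, problems = {}, []
    for line in map(str.strip, config_text.splitlines()):
        if "rate-limit source-ip" not in line:
            continue
        m = ND_RATE_RE.match(line)
        if not m:
            problems.append((line, "does not match documented format"))
            continue
        try:
            addr = ipaddress.IPv6Address(m["addr"]).compressed
        except ValueError:
            problems.append((line, "invalid IPv6 address"))
            continue
        pps = int(m["max"])
        if not 0 <= pps <= 5000:
            problems.append((line, "max-value outside 0-5000 pps"))
            continue
        if m["undo"]:
            limits.pop((m["type"], addr), None)  # undo deletes the limit
        else:
            limits[(m["type"], addr)] = pps
    return limits, problems

def missing_types(limits, addr):
    """ND message types that have no limit configured for addr."""
    addr = ipaddress.IPv6Address(addr).compressed
    return [t for t in ND_TYPES if (t, addr) not in limits]
```

Addresses are normalised to their compressed form, so 2001:DB8:1:0::1 and 2001:db8:1::1 are treated as the same source when checking coverage.
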
Copyright © Huawei Technologies Co., Ltd.