The ipv6 nd anti-attack rate-limit source-mac command configures a rate limit for ND messages sent to the CPU from a specified source MAC address, that is, the maximum number of ND messages from that source MAC address that the device processes per second.
The undo ipv6 nd anti-attack rate-limit source-mac command restores the default configuration.
By default, no rate limit for sending ND messages to the CPU from a specified source MAC address is configured.
Parameter | Description | Value
---|---|---
ns | Applies the rate limit to NS (Neighbor Solicitation) messages. | -
na | Applies the rate limit to NA (Neighbor Advertisement) messages. | -
rs | Applies the rate limit to RS (Router Solicitation) messages. | -
ra | Applies the rate limit to RA (Router Advertisement) messages. | -
source-mac mac-address | Specifies a source MAC address. | The value is a 12-digit hexadecimal number in the format H-H-H, where each H is 4 hexadecimal digits, for example, 00e0-fc12-3456.
maximum max-value | Specifies the rate limit for sending ND messages to the CPU from the specified source MAC address. | The value is an integer ranging from 0 to 5000, in pps.
Usage Scenario
If a device is attacked, it receives a large number of ND messages within a short period and consumes many CPU resources learning neighbor entries and responding to them, which affects the processing of other services. To resolve this issue, configure a rate limit for sending ND messages to the CPU from a specified source MAC address. After the configuration is complete, the device counts the ND messages received per period from the specified source MAC address. If the number of ND messages exceeds the configured limit, the device does not process the excess ND messages.
Configuration Impact
After a rate limit for sending ND messages to the CPU from a specified source MAC address is configured, the device counts the ND messages received per period from that source MAC address. If the number of ND messages exceeds the configured limit, the device does not process the excess ND messages. Because the limit applies to all ND messages of that type from the MAC address, the device may also discard valid ND messages, causing user service interruptions.
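The counting behaviour described in Usage Scenario and Configuration Impact can be made concrete with a small model. The following Python is an added example, not Huawei's implementation or any code from this page: it assumes a fixed one-second counting window (the page only says "per period" and gives the limit in pps), a counter kept separately per message kind and source MAC, and two constructed MAC addresses. It replays a constructed traffic mix through that model and shows both the intended effect (an NS flood from one MAC is capped at the configured maximum) and the side effect the page warns about (every NS from that MAC above the limit is dropped, whether or not it is legitimate, while other kinds and other MACs are untouched).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# ICMPv6 type numbers of the four ND message kinds the command can limit
ND_TYPES = {"rs": 133, "ra": 134, "ns": 135, "na": 136}
# Huawei H-H-H MAC notation: three groups of four hexadecimal digits
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass(frozen=True)
class NdMessage:
    t: float       # arrival time in seconds
    src_mac: str   # Ethernet source MAC in H-H-H notation
    kind: str      # "ns", "na", "rs" or "ra"


class SourceMacRateLimiter:
    """Hypothetical model of the per-second, per-source-MAC counter the page describes."""

    def __init__(self):
        self.limits = {}                # (kind, mac) -> max messages per second
        self.counts = defaultdict(int)  # (kind, mac, second) -> messages seen so far

    def configure(self, kind, mac, max_value):
        """Mirror 'ipv6 nd <kind> anti-attack rate-limit source-mac <mac> maximum <max-value>'."""
        if kind not in ND_TYPES:
            raise ValueError(f"unknown ND message kind: {kind}")
        if not MAC_RE.match(mac):
            raise ValueError(f"MAC must be H-H-H hexadecimal, got {mac}")
        if not 0 <= max_value <= 5000:
            raise ValueError("maximum must be an integer from 0 to 5000 pps")
        self.limits[(kind, mac)] = max_value

    def accept(self, msg):
        """True if the CPU processes the message, False if it is discarded as excess."""
        limit = self.limits.get((msg.kind, msg.src_mac))
        if limit is None:
            return True  # no limit configured for this kind/MAC: always processed
        window = (msg.kind, msg.src_mac, int(msg.t))  # counter restarts every second (assumed)
        self.counts[window] += 1
        return self.counts[window] <= limit


def simulate(max_value=550):
    """Replay a constructed traffic mix and count processed/dropped messages per MAC, kind and second."""
    limiter = SourceMacRateLimiter()
    flooder = "00e0-fc12-3456"   # MAC used in the page's own configuration example
    neighbor = "00e0-fc00-0001"  # constructed MAC of an unrelated host
    limiter.configure("ns", flooder, max_value)

    stream = []
    # 600 NS from the flooder inside second 0: exceeds a 550 pps limit by 50
    stream += [NdMessage(i / 600, flooder, "ns") for i in range(600)]
    # 5 NA from the same MAC in second 0: unaffected, only NS is limited
    stream += [NdMessage(0.5, flooder, "na") for _ in range(5)]
    # 10 NS from an unrelated neighbor in second 0: no limit configured for it
    stream += [NdMessage(0.7, neighbor, "ns") for _ in range(10)]
    # 20 NS from the flooder in second 1: a fresh counting window
    stream += [NdMessage(1.0 + i / 100, flooder, "ns") for i in range(20)]

    stats = defaultdict(int)
    for msg in stream:
        outcome = "processed" if limiter.accept(msg) else "dropped"
        stats[(msg.src_mac, msg.kind, int(msg.t), outcome)] += 1
    return dict(stats)


if __name__ == "__main__":
    for key, n in sorted(simulate().items()):
        print(key, n)
```

Running simulate() with the page's value of 550 processes exactly 550 of the flooder's 600 NS in the first second and drops the other 50, while its NA messages, the neighbor's NS messages and the flooder's NS messages in the next second all pass. Calling simulate(0) drops every NS from that MAC, which is the situation the Precautions section describes: a limit set too low also blocks the traffic you still need, so leave a console-port path to raise it.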
Precautions
If a low rate limit is configured and login through Telnet fails because the device is receiving a large number of attack packets, log in to the device through the console port to increase the rate limit.
Example
Configure a rate limit of 550 pps for each ND message type sent to the CPU from source MAC address 00e0-fc12-3456:
```
<HUAWEI> system-view
[~HUAWEI] ipv6 nd ra anti-attack rate-limit source-mac 00e0-fc12-3456 maximum 550
[~HUAWEI] ipv6 nd rs anti-attack rate-limit source-mac 00e0-fc12-3456 maximum 550
[~HUAWEI] ipv6 nd na anti-attack rate-limit source-mac 00e0-fc12-3456 maximum 550
[~HUAWEI] ipv6 nd ns anti-attack rate-limit source-mac 00e0-fc12-3456 maximum 550
```