Rate Limiting on ND Messages

Related Concepts

Rate limiting on ND messages helps reduce CPU resource consumption by ND messages, protecting other services. ND messages include Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation (NS), and Neighbor Advertisement (NA) messages. The rate of ND messages can be limited in the following modes:
  • Limiting the rate of sending ND messages. Table 1 describes how to limit the rate of sending ND messages in different views.
    Table 1 Limiting the rate of sending ND messages

    View: System view
    Rate limiting type:
      • ND message type-based rate limiting on ND messages.
      • Rate limiting on ND multicast messages.
    Description: If a device is attacked, it receives a large number of ND or ND Miss messages within a short period. As a result, the device consumes many CPU resources to learn and respond to ND entries, affecting the processing of other services. To resolve this issue, configure a rate limit for sending ND messages on the device. After the configuration is complete, the device counts the number of ND messages sent per period. If the number exceeds the configured limit, the device delays scheduling or ignores the excess ND messages. This reduces the CPU resources allocated for responding to ND entries and protects other services.

    View: Interface view
    Rate limiting type:
      • ND message type-based rate limiting on ND messages.
      • Rate limiting on ND multicast messages.
    Description: If a device is attacked, it receives a large number of ND or ND Miss messages within a short period. As a result, the device consumes many CPU resources to learn and respond to ND entries, affecting the processing of other services. To resolve this issue, configure a rate limit for sending ND messages on the corresponding interface. After the configuration is complete, the device counts the number of ND messages sent per period. If the number exceeds the configured limit, the device delays scheduling or ignores the excess ND messages. This reduces the CPU resources allocated for responding to ND entries and protects other services. The configuration on an interface does not affect IPv6 packet forwarding on other interfaces.

    The rate limit for sending ND messages configured in the interface view takes precedence over that configured in the system view.

    The priorities of rate limits for sending ND messages are as follows: rate limit for sending ND multicast messages configured in the interface view > rate limit for sending ND messages configured in the interface view > rate limit for sending ND multicast messages configured in the system view > rate limit for sending ND messages configured in the system view.

  • Limiting the rate of receiving ND messages. Table 2 describes how to limit the rate of receiving ND messages in different views.
    Table 2 Limiting the rate of receiving ND messages

    View: System view
    Rate limiting type:
      • ND message type-based rate limiting on ND messages.
      • Specified source MAC address-based rate limiting on ND messages: limits the rate of ND messages with a specified source MAC address.
      • Specified source IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with a specified source IPv6 address.
      • Specified destination IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with a specified destination IPv6 address.
      • Specified target IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with a specified target IPv6 address.
      • Any source MAC address-based rate limiting on ND messages: limits the rate of ND messages with any source MAC address.
      • Any source IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with any source IPv6 address.
      • Any destination IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with any destination IPv6 address.
      • Any target IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with any target IPv6 address.
    Description: Limiting the number of ND messages to be processed globally if ND message attacks occur on a device. If a device is attacked, it receives a large number of ND messages within a short period. As a result, the device consumes many CPU resources to learn and respond to ND entries, affecting the processing of other services. To resolve this issue, configure a rate limit based on an ND message type, ND message type + MAC address, ND message type + IPv6 address, or other modes in the system view. After the configuration is complete, the device counts the number of ND messages received per period. If the number of ND messages exceeds the configured limit, the device does not process the excess ND messages.

    View: Interface view
    Rate limiting type:
      • ND message type-based rate limiting on ND messages.
      • Specified source IPv6 address-based rate limiting on ND messages: limits the rate of ND messages with a specified source IPv6 address.
    Description: Limiting the number of ND messages to be processed on an interface if ND message attacks occur on the interface (the configuration on an interface does not affect ND entry learning on other interfaces). If an interface is attacked, it receives a large number of ND messages within a short period. As a result, the device consumes many CPU resources to learn and respond to ND entries, affecting the processing of other services. To resolve this issue, configure a rate limit based on an ND message type or ND message type + source IPv6 address in the interface view. After the configuration is complete, the device counts the number of ND messages received on the interface per period. If the number of ND messages exceeds the configured limit, the device does not process the excess ND messages. The configuration on an interface does not affect IPv6 packet forwarding on other interfaces.

    The rate limit for receiving ND messages configured in the interface view takes precedence over that configured in the system view.
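The behaviour described in both tables (count ND messages per period, refuse the excess, let an interface limit override the system limit and a multicast limit override the general one) is modelled below as an added illustration for the send direction; this is not Huawei code, and the interface names, limit values, the one-second period and the counting scope per interface are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
# Hypothetical model of the send-side limiting described above (not Huawei's code).
# Priority per the text: interface multicast > interface (all ND) > system multicast > system (all ND).

@dataclass
class NdSendLimits:
    system_all: Optional[int] = None                         # system view, all ND message types
    system_multicast: Optional[int] = None                   # system view, ND multicast messages
    interface_all: dict = field(default_factory=dict)        # interface name -> limit, all ND types
    interface_multicast: dict = field(default_factory=dict)  # interface name -> multicast limit

    def effective_limit(self, ifname: str, multicast: bool):
        # Returns (limit, scope) for the single limit that governs this message, or (None, ...).
        if multicast and ifname in self.interface_multicast:
            return self.interface_multicast[ifname], ("interface multicast", ifname)
        if ifname in self.interface_all:
            return self.interface_all[ifname], ("interface", ifname)
        if multicast and self.system_multicast is not None:
            return self.system_multicast, ("system multicast", None)
        if self.system_all is not None:
            return self.system_all, ("system", None)
        return None, ("none", None)

class NdSendLimiter:
    """Counts ND messages per fixed period under the governing limit; excess messages are dropped."""
    def __init__(self, limits: NdSendLimits, period: float = 1.0):
        self.limits, self.period = limits, period
        self.windows = {}  # scope -> (window_start, count); interface scopes are counted per interface

    def send(self, ifname: str, multicast: bool, now: float) -> str:
        limit, scope = self.limits.effective_limit(ifname, multicast)
        if limit is None:
            return "sent"  # no limit configured for this message
        start, count = self.windows.get(scope, (now, 0))
        if now - start >= self.period:  # a new period starts: the counter is reset
            start, count = now, 0
        self.windows[scope] = (start, count if count >= limit else count + 1)
        return "dropped" if count >= limit else "sent"  # excess messages within the period are not sent

def simulate(limits: NdSendLimits, events) -> dict:
    """events: (time, interface, is_multicast) tuples; returns how many were sent vs. dropped."""
    limiter, tally = NdSendLimiter(limits), {"sent": 0, "dropped": 0}
    for now, ifname, multicast in events:
        tally[limiter.send(ifname, multicast, now)] += 1
    return tally

# Constructed configuration: GE0/0/1 has its own limits, GE0/0/2 falls back to the system view.
EXAMPLE_LIMITS = NdSendLimits(system_all=100, system_multicast=50,
                              interface_all={"GE0/0/1": 20}, interface_multicast={"GE0/0/1": 5})
```

A burst on GE0/0/1 is cut at its own interface limit and does not consume the system-view budget that GE0/0/2 relies on, which is the isolation the tables describe.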

Benefits

Rate limiting on ND messages helps reduce CPU resource consumption by ND messages, protecting other services.

Copyright © Huawei Technologies Co., Ltd.