IPv6 subnets have a very large number of assignable addresses. When performing Neighbor Discovery on an IPv6 subnet, there is a distinct possibility that a large number of those addresses are unassigned. A malicious entity can use these unassigned addresses to advertise a very large number of hosts on the same subnet and fill up the available IPv6 Neighbor Discovery table. This is a potential DoS attack in an IPv6 scenario.
By limiting the number of discovered neighbors that can be stored in the Global Neighbor Discovery table, this potential DoS attack can be mitigated.
Note
ND Cache Limit cannot be configured on Tunnel interfaces. It is supported on the ethernet, port-channel, and virtual-ethernet interfaces.

To configure the Global Neighbor Discovery Cache Limit:
SLX # configure terminal
SLX (config)# ipv6 nd cache interface-limit 100
Note
This global configuration is overridden by the interface's Neighbor Discovery cache value when one is configured for that specific interface.
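A model of the mechanism described above, added here as an illustration and not SLX code: a neighbor cache that enforces a global entry limit, lets an interface-specific limit override it, and counts refused entries so that a flood of advertisements from unassigned addresses is visible to monitoring. The interface names, limits and the sample prefix are constructed.

```python
"""Bounded IPv6 Neighbor Discovery cache with a global limit and
per-interface overrides (constructed illustration, not vendor code)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class NdCache:
    global_limit: int                                     # 'ipv6 nd cache interface-limit N'
    interface_limits: dict = field(default_factory=dict)  # per-interface overrides (assumed)
    entries: dict = field(default_factory=dict)           # iface -> set of neighbor addresses
    rejected: dict = field(default_factory=dict)          # iface -> count of refused entries

    def effective_limit(self, iface: str) -> int:
        # An interface-specific value takes precedence over the global value.
        return self.interface_limits.get(iface, self.global_limit)

    def learn(self, iface: str, addr: str) -> bool:
        """Record a discovered neighbor; return False when the cache is full."""
        ip = ipaddress.IPv6Address(addr)          # rejects malformed addresses early
        known = self.entries.setdefault(iface, set())
        if ip in known:
            return True                           # refreshing an existing entry is free
        if len(known) >= self.effective_limit(iface):
            self.rejected[iface] = self.rejected.get(iface, 0) + 1
            return False                          # limit reached: entry is dropped
        known.add(ip)
        return True


def simulate_flood(cache: NdCache, iface: str, prefix: str, count: int) -> int:
    """Feed `count` sequential host addresses from `prefix` (constructed sample
    traffic standing in for a burst of advertisements) and return how many
    were accepted into the cache."""
    net = ipaddress.IPv6Network(prefix)
    accepted = 0
    for i, host in enumerate(net.hosts()):
        if i >= count:
            break
        if cache.learn(iface, str(host)):
            accepted += 1
    return accepted


if __name__ == "__main__":
    cache = NdCache(global_limit=100, interface_limits={"ethernet 0/1": 10})
    print(simulate_flood(cache, "ethernet 0/2", "2001:db8::/64", 500))  # 100
    print(simulate_flood(cache, "ethernet 0/1", "2001:db8:1::/64", 500))  # 10
    print(cache.rejected)  # refused entries per interface, useful as an alert signal
```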