An IPv6 subnet has far more addresses than will ever be assigned to hosts, so when Neighbor Discovery is performed on an IPv6 subnet, most of the addresses in it are unassigned. A malicious entity can use these unassigned addresses to advertise a very large number of hosts in the same subnet, filling the available IPv6 Neighbor Discovery table on the device. This is a potential denial-of-service (DoS) attack in an IPv6 environment.
Limiting the number of discovered neighbors that can be stored in the Neighbor Discovery table bounds the table size no matter how many addresses an attacker advertises, which mitigates this potential DoS attack.
The per-interface configuration described here overrides the global Neighbor Discovery cache limit configuration for that interface.
Note
The ND cache limit cannot be configured on tunnel interfaces. It is supported on Ethernet, port-channel, and virtual Ethernet (VE) interfaces.

To configure the Neighbor Discovery cache limit on each interface:
SLX # configure terminal
SLX (config)#
SLX (config)# interface ethernet 3/5
SLX (config-eth-3/5)# ipv6 nd cache interface-limit 100
This is the configuration for the Neighbor Discovery cache limit value on a port-channel interface.
SLX (config-if-Port-channel-1)# ipv6 nd cache interface-limit 100
This is the configuration for the Neighbor Discovery cache limit value on a VE interface.
SLX (config-if-Ve-1)# ipv6 nd cache interface-limit 100
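The following is an added illustration of the behavior the sections above describe, not SLX-OS code: a small model of a neighbor cache with a global limit and per-interface overrides, flooded with advertisements from random unassigned addresses in a /64. It assumes the semantics stated on this page (the interface limit takes precedence over the global limit; entries beyond the effective limit are not learned) and that an entry already in the cache can still be refreshed once the limit is reached. The interface names, prefixes, limits and the flood size are illustrative.

```python
"""Model of an IPv6 neighbor-cache limit (added illustration, not SLX-OS code).

Assumptions: a global ND cache limit, optionally overridden per interface;
once an interface reaches its effective limit, new neighbors are not learned
there, but existing entries can still be refreshed. All names are invented.
"""
import ipaddress
import random


class NeighborCache:
    def __init__(self, global_limit=None):
        self.global_limit = global_limit   # None models "no limit configured"
        self.interface_limits = {}         # e.g. 'ethernet 3/5' -> 100
        self.entries = {}                  # (interface, IPv6Address) -> link-layer addr
        self.per_interface = {}            # interface -> number of learned entries
        self.rejected = {}                 # interface -> number of refused entries

    def set_interface_limit(self, interface, limit):
        """Models 'ipv6 nd cache interface-limit <n>' in interface config mode."""
        self.interface_limits[interface] = limit

    def effective_limit(self, interface):
        """The interface limit overrides the global one; None means unlimited."""
        return self.interface_limits.get(interface, self.global_limit)

    def count(self, interface):
        return self.per_interface.get(interface, 0)

    def learn(self, interface, address, lladdr=None):
        """Return True if the neighbor is stored or refreshed, False if refused."""
        key = (interface, ipaddress.IPv6Address(address))
        if key in self.entries:                       # refresh of a known neighbor
            self.entries[key] = lladdr or self.entries[key]
            return True
        limit = self.effective_limit(interface)
        if limit is not None and self.count(interface) >= limit:
            self.rejected[interface] = self.rejected.get(interface, 0) + 1
            return False
        self.entries[key] = lladdr
        self.per_interface[interface] = self.count(interface) + 1
        return True


def flood(cache, interface, prefix, n, seed=1):
    """Attacker model: advertise n hosts at random (unassigned) addresses in prefix.

    Returns how many of the advertisements the cache accepted.
    """
    rng = random.Random(seed)
    net = ipaddress.IPv6Network(prefix)
    accepted = 0
    for _ in range(n):
        addr = int(net.network_address) + rng.randrange(net.num_addresses)
        if cache.learn(interface, ipaddress.IPv6Address(addr)):
            accepted += 1
    return accepted


def demo(flood_size=5000):
    """Compare an unlimited cache with one using global and per-interface limits."""
    # Constructed scenario: a legitimate neighbor learned before the flood starts.
    legit = ('ethernet 3/5', '2001:db8::1', '00:11:22:33:44:55')

    unlimited = NeighborCache()
    unlimited.learn(*legit)
    flood(unlimited, 'ethernet 3/5', '2001:db8::/64', flood_size)

    limited = NeighborCache(global_limit=200)          # global ND cache limit
    limited.set_interface_limit('ethernet 3/5', 100)   # per-interface override
    limited.learn(*legit)
    flood(limited, 'ethernet 3/5', '2001:db8::/64', flood_size)
    flood(limited, 'port-channel 1', '2001:db8:1::/64', flood_size)

    return {
        'unlimited_eth': unlimited.count('ethernet 3/5'),
        'limited_eth': limited.count('ethernet 3/5'),        # capped by interface limit
        'limited_po': limited.count('port-channel 1'),       # capped by global limit
        'rejected_eth': limited.rejected.get('ethernet 3/5', 0),
        'legit_still_refreshable': limited.learn(*legit),    # known entry survives
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

The unlimited cache grows to the size of the flood plus the legitimate entry; with the limits in place, ethernet 3/5 stops at 100 (its own override) while port-channel 1, which has no override, stops at the global value of 200. The model also shows why the value needs sizing for the real host population: once an attacker fills the allowed slots, a legitimate neighbor that was not yet in the cache would be refused as well, so the limit should comfortably exceed the number of hosts expected on the segment.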