ICMP rate-limiting

ICMP rate-limiting controls the rate at which ICMPv6 generates error and informational messages for features such as:

  • neighbor solicitations

  • neighbor advertisements

  • multicast listener discovery (MLD)

  • path MTU discovery (PMTU)

  • duplicate address discovery (DAD)

  • neighbor unreachability detection (NUD)

  • router discovery

  • neighbor discovery (NDP)

ICMPv6 error message generation is enabled by default. The rate of message generation can be adjusted, or message generation can be disabled.

Controlling the frequency of ICMPv6 error messages can help to prevent DoS attacks. With IPv6 enabled on the switch, you can control the allowable frequency of these messages with ICMPv6 rate-limiting.

Syntax:

ipv6 icmp error-interval <0-2147483647> [bucket-size <1-200>]

Syntax:

no ipv6 icmp error-interval

This command is executed from the global configuration level, and uses a “token bucket” method for limiting the rate of ICMP error and informational messages. Using this method, each ICMP message uses one token, and a message can be sent only if there is a token available. In the default configuration, a new token can be added every 100 milliseconds, and a maximum of 10 tokens are allowed in the token bucket. If the token bucket is full, a new token cannot be added until an existing token is used to enable sending an ICMP message. You can increase or decrease both the frequency with which used tokens can be replaced and (optionally) the number of tokens allowed to exist.

error-interval: Specifies the time interval in milliseconds between successive token adds. Increasing this value decreases the rate at which tokens can be added. A setting of 0 disables ICMP messaging. Default: 100; Range: 0-2147483647.

[bucket-size]: This optional keyword specifies the maximum number of tokens allowed in the token bucket at any time. Decreasing this value decreases the maximum number of tokens that may be available at any time. Default: 10; Range: 1-200.

You can change the rate at which ICMP messages are allowed by changing the error-interval with or without a corresponding change in the bucket-size.

The no ipv6 icmp error-interval command resets both the error-interval and the bucket-size values to their defaults.

Use the show run command to view the current ICMP error interval settings.

For example, the following command limits ICMP error and informational messages to no more than 20 every 1 second:

Switch(config)# ipv6 icmp error-interval 1000 bucket-size 20
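The token-bucket behaviour described above, modelled in Python as an added example; this is not code from the switch manual or the switch firmware. It assumes details the page does not state: the bucket starts full, one token accrues per error-interval of elapsed time, and an ICMPv6 message that finds no token is dropped rather than queued. The class and function names are mine. It runs the default configuration (100 ms, 10 tokens), the page's example of 20 tokens replenished once per second, and the interval-0 (disabled) case, so the difference between the burst allowance (bucket-size) and the sustained rate (error-interval) is visible.

```python
# Token-bucket model of 'ipv6 icmp error-interval <ms> [bucket-size <n>]'.
# Added example; the refill and drop semantics below are assumptions,
# not taken from the switch documentation.

ERROR_INTERVAL_RANGE = (0, 2147483647)   # page: 0 disables messaging
BUCKET_SIZE_RANGE = (1, 200)


class Icmpv6RateLimiter:
    def __init__(self, error_interval_ms=100, bucket_size=10):
        lo, hi = ERROR_INTERVAL_RANGE
        if not lo <= error_interval_ms <= hi:
            raise ValueError("error-interval out of range %d-%d" % (lo, hi))
        lo, hi = BUCKET_SIZE_RANGE
        if not lo <= bucket_size <= hi:
            raise ValueError("bucket-size out of range %d-%d" % (lo, hi))
        self.error_interval_ms = error_interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size        # assumption: bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms):
        # One token per full error-interval elapsed, never above bucket-size.
        elapsed = now_ms - self.last_refill_ms
        new_tokens = elapsed // self.error_interval_ms
        if new_tokens:
            self.tokens = min(self.bucket_size, self.tokens + new_tokens)
            # Advance by whole intervals so the remainder carries over.
            self.last_refill_ms += new_tokens * self.error_interval_ms

    def try_send(self, now_ms):
        """Return True if an ICMPv6 message may be generated at now_ms."""
        if self.error_interval_ms == 0:
            return False                 # page: 0 disables ICMP messaging
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1             # each message consumes one token
            return True
        return False                     # assumption: no token -> dropped


def run_scenario(error_interval_ms, bucket_size, burst, spacing_ms, follow_on):
    """Constructed traffic: 'burst' messages at t=0, then 'follow_on'
    messages spaced 'spacing_ms' apart. Returns (sent, dropped)."""
    limiter = Icmpv6RateLimiter(error_interval_ms, bucket_size)
    times = [0] * burst + [spacing_ms * i for i in range(1, follow_on + 1)]
    sent = sum(1 for t in times if limiter.try_send(t))
    return sent, len(times) - sent


if __name__ == "__main__":
    # Default: 50-message burst empties the 10-token bucket, then one
    # message per 100 ms is sustained.
    print("default 100ms/10:", run_scenario(100, 10, 50, 100, 50))
    # Page's example (20 tokens, one per second): burst of 20 allowed,
    # then only one of every ten messages arriving every 100 ms.
    print("1000ms/20:", run_scenario(1000, 20, 100, 100, 100))
    # error-interval 0: nothing is generated at all.
    print("disabled:", run_scenario(0, 10, 50, 100, 50))
```

The sustained rate is set by error-interval alone (1000 ms divided by the interval gives messages per second), while bucket-size only caps how large a burst can be absorbed after an idle period; the `no` form of the command restores 100 ms and 10 tokens.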