Mailing List Archive

MLX IPv6 NCE
Hello,



We sometimes encounter neighbor cache exhaustion attacks on our network. A
remote IP begins scanning large portions of our customer IPv6 ranges, the
IPv6 neighbor table on our router (MLX/XMR) fills up with INCOMP status
entries, and connectivity remains impacted until the neighbor table is
manually cleared.



What settings should we use to prevent the table from filling up with and
maintaining so many INCOMP entries?

Regards,

Nick
Re: MLX IPv6 NCE [ In reply to ]
Hi Nick,

does

> show ipv6 | include host drop cam
(config)#ipv6 max-host-drop-cam 256

resolve this issue?

Doc says:
To limit the usage of CAM by IPV6 hosts with unresolved ND, enter the
ipv6 max-host-drop-cam
command.

Jörg


On 16 Feb 2019, at 20:42, nick@ramnode.com wrote:

> Hello,
>
>
>
> We sometimes encounter neighbor cache exhaustion attacks on our
> network. A
> remote IP begins scanning large portions of our customer IPv6 ranges,
> the
> IPv6 neighbor table on our router (MLX/XMR) fills up with INCOMP
> status
> entries, and connectivity remains impacted until the neighbor table is
> manually cleared.
>
>
>
> What settings should we use to prevent the table from filling up with
> and
> maintaining so many INCOMP entries?
>
> Regards,
>
> Nick


> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
Re: MLX IPv6 NCE [ In reply to ]
I tweaked “nd ns-interval” and the problem hasn’t returned yet. I will try your recommendation if it comes back. Thank you.



Regards,

Nick



From: Jörg Kost <jk@ip-clear.de>
Sent: Friday, March 15, 2019 4:53 PM
To: nick@ramnode.com
Cc: foundry-nsp@puck.nether.net
Subject: Re: [f-nsp] MLX IPv6 NCE



Hi Nick,

does

show ipv6 | include host drop cam

(config)#ipv6 max-host-drop-cam 256

resolve this issue?

Doc says:
To limit the usage of CAM by IPV6 hosts with unresolved ND, enter the ipv6 max-host-drop-cam
command.

Jörg



On 16 Feb 2019, at 20:42, nick@ramnode.com <mailto:nick@ramnode.com> wrote:

Hello,



We sometimes encounter neighbor cache exhaustion attacks on our network. A remote IP begins scanning large portions of our customer IPv6 ranges, the IPv6 neighbor table on our router (MLX/XMR) fills up with INCOMP status entries, and connectivity remains impacted until the neighbor table is manually cleared.



What settings should we use to prevent the table from filling up with and maintaining so many INCOMP entries?

Regards,

Nick

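Added example, not part of the thread and not Brocade/MLX code: a monitoring check for the condition described above, where one customer range accumulates INCOMP neighbor entries and crowds the table. It takes already-parsed (address, state) pairs rather than router CLI output; the function names, the "REACH" state label, the thresholds, the capacity of 512 and the documentation prefixes in the sample are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def incomplete_by_prefix(entries, prefix_len=64):
    """Count all entries and INCOMP entries per covering prefix."""
    total, incomp = Counter(), Counter()
    for addr, state in entries:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        total[net] += 1
        if state.upper().startswith("INCOMP"):
            incomp[net] += 1
    return total, incomp

def flag_exhaustion(entries, table_capacity, min_incomp=100, table_ratio=0.5):
    """Return (alerts, pressure).

    alerts   -- [(prefix, incomp, other)] for prefixes holding at least
                min_incomp unresolved entries, worst first
    pressure -- True when unresolved entries occupy more than
                table_ratio of the table capacity
    """
    total, incomp = incomplete_by_prefix(entries)
    alerts = sorted(
        ((str(net), n, total[net] - n)
         for net, n in incomp.items() if n >= min_incomp),
        key=lambda row: row[1], reverse=True)
    pressure = sum(incomp.values()) > table_ratio * table_capacity
    return alerts, pressure

def sample_entries():
    """Constructed snapshot: one scanned /64 and one quiet /64."""
    scanned = ipaddress.ip_network("2001:db8:a::/64")
    quiet = ipaddress.ip_network("2001:db8:b::/64")
    rows = [(str(scanned[i]), "REACH") for i in range(1, 4)]
    rows += [(str(scanned[0x1000 + 7919 * i]), "INCOMP") for i in range(300)]
    rows += [(str(quiet[i]), "REACH") for i in range(1, 6)]
    rows += [(str(quiet[i]), "INCOMP") for i in range(100, 102)]
    return rows

if __name__ == "__main__":
    # table_capacity is a constructed figure, not an MLX/XMR limit
    alerts, pressure = flag_exhaustion(sample_entries(), table_capacity=512)
    for prefix, n_incomp, n_other in alerts:
        print(f"{prefix}: {n_incomp} INCOMP vs {n_other} other entries")
    print("table pressure:", pressure)
```

Run against periodic snapshots, a prefix that appears in the alerts with few resolved entries points at scanning of that range before the table has to be cleared by hand.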