High neighbor discovery (ND) cache usage for Palo Alto Networks


Palo Alto Networks


Indeni will alert when the number of IPv6 neighbor discovery (ND) cache entries stored by a device is nearing the limit the device allows.

Remediation Steps

Identify what is filling the neighbor discovery table. Check whether the entries are complete and correspond to hosts you expect on the attached networks. A table dominated by incomplete entries for addresses with no host behind them points to traffic aimed at unused addresses in a directly connected IPv6 prefix, whether from a misconfigured client or a deliberate sweep of the subnet; this is the neighbor cache exhaustion problem described in RFC 6583 and should be treated as a potential attack. If the growth is legitimate, such as a high number of hosts visible on the attached networks, please contact your technical support provider.

How does this work?

This alert uses the Palo Alto Networks API to retrieve the current utilization of the ND cache, that is, the number of entries it holds against the maximum number of entries the device supports.

Why is this important?

A network device which forwards traffic needs to know the MAC addresses of the devices it is directly connected to, so it can deliver packets at layer 2. For IPv6 it learns them with neighbor discovery (ND), the counterpart of ARP for IPv4. The ND replies are stored in a cache so the device does not have to repeat the resolution for every packet to the same destination IP. The ND cache has a finite size to avoid using up all of the available memory. If the cache fills up, new neighbors cannot be resolved, and traffic to them may be dropped or drastically slowed down. Because an entry is created for every on-link address the device tries to resolve, a remote sender that addresses traffic to many unused addresses in a directly connected prefix can fill the cache without any real host being present (RFC 6583), so a sudden rise in usage can be a sign of an attack rather than growth.

Without Indeni how would you find this?

An administrator could write a script that uses the Palo Alto Networks API to collect this data periodically and alert appropriately. Alternatively, wait for an issue to occur and then check the ND cache status from the CLI with "show neighbor all".
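The following is an added example of such a script, covering both the API-based collection described under "How does this work?" and the manual "show neighbor all" check above. It is not Indeni's rule code and not Palo Alto Networks' own tooling. It assumes that the XML the PAN-OS API returns for "show neighbor all" carries <max>, <total> and <entries>/<entry> children under <result>, in the same shape as the ARP table output, and that each entry has <status>, <ip>, <mac> and <interface> children; the embedded response is constructed for the example, not captured from a device. The thresholds, the X-PAN-KEY header (PAN-OS 9.0 and later) and the helper names are the example's own choices.

```python
"""Poll the IPv6 ND cache on a PAN-OS firewall and alert when it nears its limit.

Added example, not Indeni's or Palo Alto Networks' code. Assumptions:
  * "show neighbor all" returns <max>, <total> and <entries>/<entry> under
    <result>, like the ARP table output (not verified on a device);
  * each <entry> has <status>, <ip>, <mac> and <interface> children.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

WARN_PCT = 80.0   # hypothetical warning threshold
CRIT_PCT = 95.0   # hypothetical critical threshold

# Constructed sample response: a 1500-entry cache holding 1425 neighbors,
# with only three entries embedded to keep the example short.
SAMPLE_RESPONSE = """<response status="success"><result>
<max>1500</max><timeout>1800</timeout><total>1425</total>
<entries>
<entry><status>  c  </status><ip>2001:db8:1::10</ip><mac>00:1b:17:00:00:10</mac><ttl>1750</ttl><interface>ethernet1/1</interface></entry>
<entry><status>  i  </status><ip>2001:db8:1::4a3f</ip><mac>(incomplete)</mac><ttl>20</ttl><interface>ethernet1/1</interface></entry>
<entry><status>  i  </status><ip>2001:db8:1::9c01</ip><mac>(incomplete)</mac><ttl>18</ttl><interface>ethernet1/1</interface></entry>
</entries></result></response>"""


def parse_nd_cache(xml_text):
    """Return (max_entries, total_entries, entries) from the API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: %s" % xml_text[:200])
    result = root.find("result")
    max_entries = int(result.findtext("max"))
    total = int(result.findtext("total"))
    entries = [{
        "status": (e.findtext("status") or "").strip(),  # c, i, s, e
        "ip": e.findtext("ip"),
        "mac": e.findtext("mac"),
        "interface": e.findtext("interface"),
    } for e in result.iterfind("entries/entry")]
    return max_entries, total, entries


def utilization_pct(total, max_entries):
    """Cache usage as a percentage of the device limit."""
    if max_entries <= 0:
        raise ValueError("device reported no ND cache limit")
    return 100.0 * total / max_entries


def classify(pct, warn=WARN_PCT, crit=CRIT_PCT):
    """Map utilization to an alert severity."""
    if pct >= crit:
        return "critical"
    if pct >= warn:
        return "warning"
    return "ok"


def incomplete_share(entries):
    """Fraction of listed entries still unresolved (status 'i').

    A cache dominated by incomplete entries suggests traffic to addresses
    with no host behind them, e.g. a sweep of a /64 (RFC 6583), rather
    than organic growth in the number of real neighbors.
    """
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["status"] == "i") / len(entries)


def fetch_nd_cache(host, api_key, timeout=10):
    """Run 'show neighbor all' through the PAN-OS XML API (type=op)."""
    cmd = "<show><neighbor><all/></neighbor></show>"
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd})
    url = "https://%s/api/?%s" % (host, query)
    # Send the key in the X-PAN-KEY header instead of the query string so it
    # does not land in proxy or web-server logs (assumes PAN-OS 9.0 or later).
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    # urlopen verifies the firewall's TLS certificate by default; keep it so.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check(xml_text):
    """Summarise one poll of the ND cache into an alert-ready dict."""
    max_entries, total, entries = parse_nd_cache(xml_text)
    pct = utilization_pct(total, max_entries)
    return {
        "max": max_entries,
        "total": total,
        "utilization_pct": round(pct, 1),
        "severity": classify(pct),
        "incomplete_share": round(incomplete_share(entries), 2),
    }


if __name__ == "__main__":
    import json
    import sys
    # usage: python nd_cache_check.py <firewall-host> <api-key>
    # with no arguments the constructed sample response is evaluated instead
    xml_text = fetch_nd_cache(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_RESPONSE
    print(json.dumps(check(xml_text), indent=2))
```

Run it from cron against each firewall and page on "critical"; the incomplete_share value is worth recording alongside the utilization, since a cache that is both nearly full and mostly unresolved is the RFC 6583 pattern rather than a capacity-planning problem. The sample response evaluates to 95.0% utilization, severity "critical", with two of the three listed entries incomplete.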
