01-19-2013 07:01 AM - edited 03-01-2019 05:38 PM
Hello team:
I am helping in the "IPv6 readiness assessment" of an infrastructure.
I checked on Feature Navigator for First-hop Security support (ND Inspection, RA Guard, Device Tracking, ..) and found that only the CAT6K supports it.
Do you know if platforms like 3750, 4500 or even 7600 (the customer uses it like a Layer 2 switch in some segments) have the same support, or if at least there is a plan for them?
Your kind answers will be greatly appreciated.
Best regards, Rogelio
01-22-2013 08:04 AM
You can at least use inbound layer 3 ACLs to limit clients on 3750 switches, e.g.
! Select an SDM template with IPv6 TCAM space (a template keyword is required; reload to apply)
sdm prefer dual-ipv4-and-ipv6 default
reload
! Client-facing ACL: block rogue DHCPv6 server replies, rogue RAs and redirects
ipv6 access-list v6client
 deny udp any eq 547 any eq 546
 deny icmp any any router-advertisement
 deny icmp any any redirect
 permit ipv6 any any
! Apply inbound on each client access port
interface Gi1/0/20
 ipv6 traffic-filter v6client in
Abusive clients who deliberately fragment ICMPv6 packets containing long chains of next header options which don't occur in the first packet might be able to evade these ACLs, at least until Cisco starts rejecting fragmented ICMPv6 in line with current RFC recommendations.
-- Jim Leinweber, WI State Lab of Hygiene
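The following is an added example, not part of Jim's reply or of any Cisco software: it models the posted ACL as a small IPv6 header-chain walker so the fragmentation caveat can be seen on constructed packets, and adds the stricter behaviour the reply alludes to (drop a first fragment whose header chain is incomplete, per RFC 7112, and drop fragmented Neighbor Discovery, per RFC 6980). Packet builders, constants and sample packets are all constructed here; addresses are zeroed and checksums are not computed.

```python
import struct

IPV6_HDR_LEN, FRAGMENT_HDR, ICMPV6, UDP = 40, 44, 58, 17
EXT_HDRS = {0, 43, 60}             # Hop-by-Hop, Routing, Destination Options
RA, REDIRECT = 134, 137            # ICMPv6 types the posted ACL denies

def ipv6_pkt(next_hdr, payload):   # constructed: base header (zero addresses) + payload
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + bytes(32) + payload
def dest_opts(next_hdr, units):    # Destination Options header, units x 8 bytes, Pad1-filled
    return bytes([next_hdr, units - 1]) + bytes(units * 8 - 2)
def frag_hdr(next_hdr, offset=0, more=True):   # first fragment: offset 0, M flag set
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), 0x1234)

def walk_chain(pkt):
    """Follow the extension-header chain; returns (upper_proto, offset, fragmented),
    with upper_proto None when the chain is not complete in this packet."""
    nh, off, fragmented = pkt[6], IPV6_HDR_LEN, False
    while nh in EXT_HDRS or nh == FRAGMENT_HDR:
        if off + 8 > len(pkt):         # not even the fixed 8 bytes are present
            return None, off, fragmented
        if nh == FRAGMENT_HDR:
            fragmented, nh, off = True, pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off + 4 > len(pkt):             # upper-layer header itself is missing
        return None, off, fragmented
    return nh, off, fragmented

def acl_decision(pkt, strict=False):
    """strict=False models the posted ACL; strict=True adds the RFC 7112/6980 drops."""
    proto, off, fragmented = walk_chain(pkt)
    if proto is None:                  # no L4 header to match: the ACL falls through
        return "deny" if strict else "permit"
    if proto == UDP:
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        if (sport, dport) == (547, 546):
            return "deny"              # deny udp any eq 547 any eq 546
    elif proto == ICMPV6:
        icmp_type = pkt[off]
        if icmp_type in (RA, REDIRECT):
            return "deny"              # deny icmp ... router-advertisement / redirect
        if strict and fragmented and 133 <= icmp_type <= 137:
            return "deny"              # RFC 6980: ND messages must not be fragmented
    return "permit"

# Constructed samples: rogue RA, rogue DHCPv6 server reply, and a first fragment
# whose Destination Options chain pushes the ICMPv6 header into fragment two.
ROGUE_RA = ipv6_pkt(ICMPV6, bytes([RA, 0, 0, 0]) + bytes(12))
ROGUE_DHCP = ipv6_pkt(UDP, struct.pack("!HHHH", 547, 546, 8, 0))
EVASIVE = ipv6_pkt(60, dest_opts(FRAGMENT_HDR, 1) + frag_hdr(60) + dest_opts(ICMPV6, 4)[:8])
```

With the permissive policy the EVASIVE first fragment is permitted because no ICMPv6 type is present to match; the strict policy denies it outright.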
01-22-2013 03:40 PM
Thank you very much Jim!
Best regards, Rogelio