01-19-2013 07:01 AM, updated 03-01-2019 05:38 PM
Hello team:
I am helping in the "IPv6 readiness assessment" of an infrastructure.
I checked on Feature Navigator for First-hop Security support (ND Inspection, RA Guard, Device Tracking, ..) and found that only the CAT6K supports it.
Do you know if platforms like 3750, 4500 or even 7600 (the customer uses it like a Layer 2 switch in some segments) have the same support or if at least there is a plan for them?
Your kind answers will be greatly appreciated.
Best regards, Rogelio
01-22-2013 08:04 AM
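You can at least use inbound layer 3 ACLs to limit clients on 3750 switches, e.g.
! Select the dual-stack SDM template; takes effect after the reload
sdm prefer dual-ipv4-and-ipv6
reload
!
ipv6 access-list v6client
 ! Drop DHCPv6 server replies (UDP 547 -> 546) coming from client ports
 deny udp any eq 547 any eq 546
 ! Drop router advertisements and redirects coming from client ports
 deny icmp any any router-advertisement
 deny icmp any any redirect
 permit ipv6 any any
!
interface Gi1/0/20
 ipv6 traffic-filter v6client in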
Abusive clients who deliberately fragment ICMPv6 packets containing long chains of next header options which don't occur in the first packet might be able to evade these ACLs, at least until Cisco starts rejecting fragmented ICMPv6 in line with current RFC recommendations.
-- Jim Leinweber, WI State Lab of Hygiene
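The caveat in the answer above comes down to whether a stateless filter can see the ICMPv6 type in the packet it is matching. This added example (not part of the original posts, and not how the switch implements its ACLs) walks the IPv6 extension-header chain and reports when the upper-layer header is missing from a fragment. The function names and the sample packets are constructed for illustration.

```python
import struct

EXT_HDRS = {0, 43, 60}            # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6, NO_NEXT = 44, 58, 59
BLOCKED = {134: "router-advertisement", 137: "redirect"}  # as in the ACL above

def verdict(pkt: bytes) -> str:
    """Classify one raw IPv6 packet the way a stateless filter would see it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "deny:not-ipv6"
    nxt, off = pkt[6], 40
    while nxt in EXT_HDRS or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            return "deny:incomplete-header-chain"
        if nxt == FRAGMENT:
            # Fragment offset is the top 13 bits of bytes 2-3 of the header
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "unknown:non-first-fragment"
            nxt, off = pkt[off], off + 8
        else:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off >= len(pkt):
        # The upper-layer header is not present in this packet
        return "permit" if nxt == NO_NEXT else "deny:incomplete-header-chain"
    if nxt == ICMPV6 and pkt[off] in BLOCKED:
        return "deny:" + BLOCKED[pkt[off]]
    return "permit"

# --- constructed sample packets (all-zero addresses, not captured traffic) ---
def ipv6(nxt, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255) + bytes(32) + payload

def frag(nxt, offset, more):
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | more, 0x1234)

RA = bytes([134, 0, 0, 0]) + bytes(12)
PLAIN_RA = ipv6(ICMPV6, RA)
# First fragment carries only a padded destination-options header ...
FIRST_FRAG = ipv6(FRAGMENT, frag(60, 0, 1) + bytes([ICMPV6, 1, 1, 12]) + bytes(12))
# ... so the RA itself only appears in the second fragment.
SECOND_FRAG = ipv6(FRAGMENT, frag(60, 2, 0) + RA)

if __name__ == "__main__":
    for name in ("PLAIN_RA", "FIRST_FRAG", "SECOND_FRAG"):
        print(name, "->", verdict(globals()[name]))
```

Dropping first fragments that lack the upper-layer header matches RFC 7112, which requires the whole header chain to be in the first fragment; RFC 6980 separately forbids fragmenting Neighbor Discovery messages such as router advertisements.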
01-22-2013 03:40 PM
Thank you very much Jim!
Best regards, Rogelio