Port Security IPv6

ivan.martin
Level 1

Hello, my name is Ivan, and I have a question:

A week ago an internal ethical hacking analysis of our entire network platform was carried out, and the following observation was made:

Note: We identified that different communication devices, such as servers, may be using the IPv6 protocol. It is thus possible to bypass network access control by using IPv6 instead of IPv4.

The above observation was made because the Cisco 2960 switches in our institution have Port Security settings active, which, as indicated, could be bypassed by assigning an IPv6 address to the tester's machine, finally obtaining responses from our servers, since IPv6 was active on their network adapters.

Question: Is it really possible to bypass port security on Cisco switches by using IPv6 addresses? If so, what actions or settings could or should we apply on the switches to avoid this potential gap?


Seb Rupik
VIP Alumni

Hi Ivan,

port-security is concerned with Layer 2 controls to limit the number of devices that can appear on a single switchport. These controls will apply to both IPv4 and IPv6, since both are encapsulated in Layer 2 frames.

If you use switchport access-group ACLs and these have been configured with just IPv4 addresses, then yes, IPv6 traffic will pass by these. It is worth noting that the IPv6 traffic will be limited to link-local (fe80:: addresses), so it will only be able to communicate with other devices on the VLAN. Depending on your network topology, these communications could span your entire network.

There is, however, no risk of the traffic leaving the link unless you have configured ipv6 unicast-routing on your VLAN's router with a corresponding IPv6 address on the SVI and are using either DHCPv6 or SLAAC to offer global unicast IPv6 addresses.

If you are concerned about IPv6 on your network, then I recommend you look at any material regarding First Hop Security:

http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html

This is a very good read too:

http://docwiki.cisco.com/wiki/FHS

 

cheers,

Seb.
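Added example (not part of the original thread, and not Cisco's own reference configuration): what the gap described in the reply looks like in IOS configuration, and the IPv6 counterpart of each IPv4-only control. The interface names, VLAN 10, the ACL names HOSTS-IN / HOSTS-IN-V6 / NO-IPV6, the policy name HOST-PORTS and the 10.x addresses are assumptions for illustration. Whether a given 2960 model and IOS release support IPv6 port ACLs and the first-hop security features shown depends on the SDM template and software version; check `show sdm prefer` and the release notes before relying on them.

```cisco
! ---------------------------------------------------------------------------
! BEFORE: port-security plus an IPv4-only port ACL (the situation in the post).
! port-security counts MAC addresses, so it limits the host to one MAC whatever
! protocol it speaks. The IPv4 ACL is the control IPv6 frames walk straight past.
! ---------------------------------------------------------------------------
ip access-list extended HOSTS-IN
 permit ip 10.10.0.0 0.0.255.255 host 10.1.1.5
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip access-group HOSTS-IN in
!
! ---------------------------------------------------------------------------
! AFTER: the same port with an IPv6 traffic filter and first-hop security.
! Assumption: the switch runs an SDM template that includes IPv6, for example
! "sdm prefer dual-ipv4-and-ipv6 default" followed by a reload.
! ---------------------------------------------------------------------------
! An IPv6 ACL normally carries an implicit permit for ND solicitations and
! advertisements ahead of the implicit deny, but an explicit "deny ipv6 any any"
! overrides that, so ND has to be permitted explicitly or neighbour discovery
! on the VLAN breaks.
ipv6 access-list HOSTS-IN-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny   ipv6 any any
!
! RA guard: a host port must never source router advertisements. A rogue RA is
! what an attacker would use to become the default router or SLAAC source and
! turn link-local-only reachability into routed IPv6.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! ND/DHCPv6 snooping builds a per-port binding table of the addresses each
! port legitimately claimed, which the other FHS features build on.
ipv6 snooping policy HOST-PORTS
 security-level guard
 device-role node
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip access-group HOSTS-IN in
 ipv6 traffic-filter HOSTS-IN-V6 in
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 snooping attach-policy HOST-PORTS
!
! If the VLAN is not meant to carry IPv6 at all, the simplest fix is a filter
! that keeps ND alive (so a later IPv6 rollout is not silently broken) and
! drops everything else; apply it with "ipv6 traffic-filter NO-IPV6 in".
ipv6 access-list NO-IPV6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny   ipv6 any any
```

To verify after applying, `show port-security interface GigabitEthernet1/0/1` confirms the MAC limit is still enforced, `show ipv6 access-list HOSTS-IN-V6` shows match counters climbing when a host tries IPv6, and `show ipv6 nd raguard policy HOST-PORTS` and `show ipv6 neighbors binding` show that the RA guard and snooping policies are attached and populating. The "after" configuration keeps port-security exactly as it was: the pentest finding is not that port-security failed, but that the access control beside it was IPv4-only.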