Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1045
Views
0
Helpful
0
Replies

Nexus Version of "Undertermined Transport" for IPv6 RA Guard

weylin.piegorsch
Beginner
Beginner

‎12-20-2021 06:58 AM

Cisco LIVE! mentions RA attacks as the single largest IPv6-related attack pattern seen in a local LAN.  RA Guard is intended to protect against this, and while it works well its also not fragment-friendly.  To protect against fragments sneaking things by RA Guard, IOS and IOS XE recommend implementing an inbound PACL that denies all IPv6 packets that don't have enough information to validate Router Advertisements:

 

ipv6 access-list RAGUARD-PACL
 deny ipv6 any any undetermined-transport
 permit ipv6 any any

However, NX-OS command syntax (OS version 9.3(7) on a 9372PX-E) does not seem to have this.  What is the Nexus recommendation to protect against fragments bypassing RA Guard?

 

weylin

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents