
Nexus Version of "Undetermined Transport" for IPv6 RA Guard

weylin.piegorsch
Beginner

Cisco LIVE! mentions RA attacks as the single largest IPv6-related attack pattern seen in a local LAN. RA Guard is intended to protect against this, and while it works well it's also not fragment-friendly. To protect against fragments sneaking things by RA Guard, IOS and IOS XE recommend implementing an inbound PACL that denies all IPv6 packets that don't have enough information to validate Router Advertisements:

 

ipv6 access-list RAGUARD-PACL
 deny ipv6 any any undetermined-transport
 permit ipv6 any any

However, NX-OS command syntax (OS version 9.3(7) on a 9372PX-E) does not seem to have this. What is the Nexus recommendation to protect against fragments bypassing RA Guard?

 

weylin
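
Added example (not part of the original post and not Cisco code): a Python sketch of the decision the PACL above stands in for, along the lines of the RA-Guard implementation advice in RFC 7113. It walks the IPv6 header chain and drops a packet when the chain ends before the upper-layer header can be read. The verdict strings, helper names and sample packets are constructed for illustration; how IOS or NX-OS evaluates this internally is not claimed.

```python
import struct

HOPOPT, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = 0, 43, 44, 51, 58, 60
RA_TYPE = 134  # ICMPv6 Router Advertisement

def classify(pkt: bytes) -> str:
    """Verdict for a raw IPv6 packet arriving on a host-facing port."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop-undetermined"
    nxt, off = pkt[6], 40
    while True:
        if nxt in (HOPOPT, ROUTING, DSTOPTS, AH):
            if off + 2 > len(pkt):
                return "drop-undetermined"
            # AH length is in 4-byte words minus 2; the others in 8-byte units minus 1
            size = (pkt[off + 1] + 2) * 4 if nxt == AH else (pkt[off + 1] + 1) * 8
            if off + size > len(pkt):
                return "drop-undetermined"
            nxt, off = pkt[off], off + size
        elif nxt == FRAGMENT:
            if off + 8 > len(pkt):
                return "drop-undetermined"
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "pass"  # non-first fragment: carries no header chain to judge
            nxt, off = pkt[off], off + 8
        elif nxt == ICMPV6:
            if off >= len(pkt):
                return "drop-undetermined"  # chain ends before the ICMPv6 type byte
            return "drop-ra" if pkt[off] == RA_TYPE else "pass"
        else:
            return "pass"  # some other upper-layer protocol (TCP, UDP, ...)

def ipv6(nxt: int, payload: bytes) -> bytes:
    """Constructed IPv6 header, fe80::1 -> ff02::1, hop limit 255."""
    addrs = bytes.fromhex("fe80" + "00" * 13 + "01" + "ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255) + addrs + payload

def frag(nxt: int, offset: int, more: int) -> bytes:
    """Constructed 8-byte fragment header (offset in 8-byte units)."""
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | more, 0x1234)

# Constructed sample packets
RA = bytes([RA_TYPE, 0]) + bytes(14)
DST = bytes([ICMPV6, 0]) + bytes(6)  # 8-byte destination options header, Pad1 filled
PLAIN_RA = ipv6(ICMPV6, RA)
FRAG_RA = ipv6(FRAGMENT, frag(ICMPV6, 0, 1) + RA)
FIRST_NO_L4 = ipv6(FRAGMENT, frag(DSTOPTS, 0, 1) + DST)
LATER_FRAG = ipv6(FRAGMENT, frag(DSTOPTS, 1, 0) + RA)
NS = ipv6(ICMPV6, bytes([135, 0]) + bytes(22))
```

FIRST_NO_L4 is the case the `undetermined-transport` deny exists for: a first fragment whose header chain stops before the ICMPv6 type, so a stateless filter cannot tell whether it is a Router Advertisement.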
