
Nexus Version of "Undetermined Transport" for IPv6 RA Guard

Cisco LIVE! mentions RA attacks as the single largest IPv6-related attack pattern seen in a local LAN. RA Guard is intended to protect against this, and while it works well, it's also not fragment-friendly. To protect against fragments sneaking things by RA Guard, IOS and IOS XE recommend implementing an inbound PACL that denies all IPv6 packets that don't have enough information to validate Router Advertisements:

 

ipv6 access-list RAGUARD-PACL
 deny ipv6 any any undetermined-transport
 permit ipv6 any any

However, NX-OS command syntax (OS version 9.3(7) on a 9372PX-E) does not seem to have this.  What is the Nexus recommendation to protect against fragments bypassing RA Guard?

 

weylin
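
An added illustration, not part of the original post and not Cisco's matching logic: a Python sketch of the check the two-line PACL above relies on, walking the IPv6 extension-header chain and treating a packet as undetermined when the upper-layer header is not present in it (the first-fragment rule from RFC 7112). The function names, category labels and sample packets are assumptions constructed for this example.

```python
import struct

HOPOPTS, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 43, 44, 58, 60
RA_TYPE = 134  # ICMPv6 Router Advertisement

def classify(pkt: bytes) -> str:
    """Walk the IPv6 header chain: 'ra', 'other', 'non-first-fragment' or 'undetermined'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "undetermined"
    nh, off = pkt[6], 40
    while nh in (HOPOPTS, ROUTING, DSTOPTS, FRAGMENT):
        if off + 8 > len(pkt):            # extension header not fully present
            return "undetermined"
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first-fragment"   # fragment offset is non-zero
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off >= len(pkt):                   # upper-layer header is not in this packet
        return "undetermined"
    if nh == ICMPV6 and pkt[off] == RA_TYPE:
        return "ra"
    return "other"

def pacl_action(pkt: bytes) -> str:
    """Mirror the two-line PACL: deny undetermined transport, permit the rest."""
    return "deny" if classify(pkt) == "undetermined" else "permit"

# --- constructed sample packets (zeroed addresses and checksums) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + bytes(32) + payload

def frag_hdr(next_header: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, 0x1234)

RA = bytes([RA_TYPE, 0]) + bytes(14)
DSTOPTS_HDR = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # 8 bytes, one PadN option

SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA),
    "first fragment, full chain": ipv6(FRAGMENT, frag_hdr(ICMPV6, 0, 1) + RA),
    "first fragment, chain cut short": ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, 1) + DSTOPTS_HDR),
    "later fragment": ipv6(FRAGMENT, frag_hdr(ICMPV6, 1, 0) + bytes(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:34} {classify(pkt):20} {pacl_action(pkt)}")
```

Only the first fragment whose header chain ends before the ICMPv6 header is denied; a first fragment that carries the full chain stays visible to RA Guard as an RA.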
