Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1153
Views
0
Helpful
0
Replies

Nexus Version of "Undertermined Transport" for IPv6 RA Guard

weylin.piegorsch
Level 1
Level 1

‎12-20-2021 06:58 AM

Cisco LIVE! mentions RA attacks as the single largest IPv6-related attack pattern seen in a local LAN.  RA Guard is intended to protect against this, and while it works well its also not fragment-friendly.  To protect against fragments sneaking things by RA Guard, IOS and IOS XE recommend implementing an inbound PACL that denies all IPv6 packets that don't have enough information to validate Router Advertisements:

 

ipv6 access-list RAGUARD-PACL
 deny ipv6 any any undetermined-transport
 permit ipv6 any any

However, NX-OS command syntax (OS version 9.3(7) on a 9372PX-E) does not seem to have this.  What is the Nexus recommendation to protect against fragments bypassing RA Guard?

 

weylin

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents