Router Advertisement (RA) Guard on Cisco IOS

During the IPv6 Security webinar Eric Vyncke described various mechanisms you can use to implement RA Guard on Cisco IOS, including private VLANs, port ACLs, RA Guard Lite and full-blown RA Guard available in recent Cisco IOS releases.

2 comments:

  1. Sadly it doesn't help against http://www.thc.org/thc-ipv6/
    HP and other vendors haven't any working solution for that one, either.

  2. Chris,
    For the sake of time, I was unable to cover all details.

    Using 'deny ip any any undetermined-transport' (where applicable) will actually prevent the fragmented attack.

    Using the ra-guard in the latest software release, you can combine this with an ACL to allow only a specific prefix to be advertised, also blocking the flooding attack.

    :-)

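The second comment's point about `undetermined-transport` can be shown with a simplified model of the check, as an added example that is not from the post, the webinar or Cisco IOS. A filter that looks for an ICMPv6 RA cannot classify a first fragment whose extension-header chain ends before the upper-layer header, so that case has to be dropped outright; the function name, return labels and sample packets below are constructed for illustration.

```python
import struct

EXT_HEADERS = {0, 43, 60}            # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6, NO_NEXT, RA_TYPE = 44, 58, 59, 134

def classify(pkt: bytes) -> str:
    """Simplified model: 'ra', 'undetermined-transport', 'non-first-fragment' or 'other'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "other"
    nxt, off = pkt[6], 40             # next-header field, end of fixed IPv6 header
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(pkt):        # header chain cut off inside this packet
            return "undetermined-transport"
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first-fragment"   # offset != 0: no L4 header expected
            nxt, off = pkt[off], off + 8
        else:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == NO_NEXT:
        return "other"
    if off >= len(pkt):               # chain points past the end of the packet
        return "undetermined-transport"
    if nxt == ICMPV6 and pkt[off] == RA_TYPE:
        return "ra"
    return "other"

def ipv6(nxt: int, payload: bytes) -> bytes:
    """Constructed sample packet: fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 255) + src + dst + payload

# Constructed sample data (not captured traffic)
RA = bytes([RA_TYPE, 0]) + bytes(14)                # RA header, checksum left zero
DOPT8 = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])        # complete 8-byte dest-options header
DOPT16_HEAD = bytes([ICMPV6, 1, 1, 4, 0, 0, 0, 0])  # first 8 bytes of a 16-byte one
FRAG_FIRST = bytes([60, 0, 0, 1]) + bytes(4)        # fragment header: offset 0, M=1

PLAIN_RA = ipv6(ICMPV6, RA)
RA_BEHIND_DOPT = ipv6(60, DOPT8 + RA)
FIRST_FRAGMENT = ipv6(FRAGMENT, FRAG_FIRST + DOPT16_HEAD)

if __name__ == "__main__":
    for name in ("PLAIN_RA", "RA_BEHIND_DOPT", "FIRST_FRAGMENT"):
        print(name, classify(globals()[name]))
```

A port policy built on this model would drop both `ra` and `undetermined-transport` on host-facing ports, which is the combination the comment describes.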


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.