How to set up RA Guard?

Is there a guide to setting up RA Guard? I thought I saw one once, but I can't find it now. It doesn't seem to be covered in the 15.3 concepts guide, and I can't find a newer concepts guide (getting 404 page not found errors).

3 replies

Userlevel 2

You need to create an ingress ACL with the "icmp-type" match criteria. If you plan to look at both L2 and L3 headers, you need a double-wide ACL, which is not supported on every platform. On which platform do you plan to use it?

Btw, you will find the EXOS documentation at the following link
Summit 460 and 480
Userlevel 2
The below example would help prevent RA attacks:

entry disallow_and_log_RA_attacks {if {protocol icmpv6;icmp-type 134;} then { deny; mirror-cpu; log; count RA_attack;}}

entry allow_tcp { if {protocol tcp; first-fragments;} then {permit;}}

entry allow_udp { if {protocol udp; first-fragments;} then {permit;}}

entry allow_icmp { if {protocol icmpv6; first-fragments;} then {permit;}}

entry allow_xyz…

entry denyall { if {first-fragments; } then {deny;}}

The allow_icmp rule can be a security exposure on certain hardware (I believe x480 is such). So you may want to make a more specific icmp rule looking for specific icmp_type that are authorized, and drop IPv6 icmp with extension headers.
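
The last reply's suggestion (match the specific ICMPv6 type and drop ICMPv6 that arrives behind extension headers) written out as a packet classifier. This is an added example, not part of the original thread and not EXOS code. The verdict names, the `classify` and `ipv6` helpers and the sample packets are constructed for illustration, and only hop-by-hop, routing, destination-options and fragment headers are walked.

```python
import struct

ICMPV6, FRAGMENT, RA = 58, 44, 134
OPTION_HDRS = {0, 43, 60}  # hop-by-hop, routing, destination options

def classify(pkt: bytes) -> str:
    """Verdict of the RA rules for one raw IPv6 packet (illustrative names)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "deny-malformed"
    nxt, off, ext_seen = pkt[6], 40, False
    while nxt in OPTION_HDRS or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            return "deny-malformed"  # header chain runs past the packet
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first-fragment"  # carries no upper-layer header
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units after the first 8
        nxt, off, ext_seen = pkt[off], off + size, True
    if nxt != ICMPV6:
        return "pass"  # left to the other entries of the policy
    if off >= len(pkt):
        return "deny-malformed"
    if pkt[off] == RA:
        return "deny-ra"
    return "deny-icmpv6-ext" if ext_seen else "pass"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet fe80::1 -> ff02::1, hop limit 255."""
    addrs = bytes.fromhex("fe80" + "00" * 13 + "01" + "ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + addrs + payload

RA_MSG = bytes([RA, 0]) + bytes(14)  # constructed; checksum left at zero
ECHO = bytes([128, 0]) + bytes(6)
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # next=ICMPv6, len 0, PadN
LATER_FRAG = struct.pack("!BBHI", ICMPV6, 0, 2 << 3, 7)  # fragment offset 2

SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA_MSG),
    "RA after destination options": ipv6(60, DEST_OPTS + RA_MSG),
    "later fragment": ipv6(FRAGMENT, LATER_FRAG + bytes(8)),
    "echo after destination options": ipv6(60, DEST_OPTS + ECHO),
    "truncated chain": ipv6(60, b"\x3a"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} {classify(pkt)}")
```

A match that reads the ICMPv6 type at a fixed offset sees only the first sample; walking the header chain is what lets the second and fourth be classified.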