This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to setup RA Guard?

How to setup RA Guard?

Dave_E_Martin
New Contributor

‎06-30-2014 02:03 PM

Is there a guide to setting up RA Guard? I thought I saw one once, but I can't find it now. It doesn't seem to be covered in the 15.3 concepts guide, and I can't find a newer concepts guide (getting 404 page not found errors).
0 Kudos
3 REPLIES 3

Stephane_Grosje
Contributor

‎07-02-2014 06:57 AM

The below example would help prevent RA attacks:

entry disallow_and_log_RA_attacks {if {protocol icmpv6;icmp-type 134;} then { deny; mirror-cpu; log; count RA_attack;}}

entry allow_tcp { if {protocol tcp; first-fragments;} then {permit;}}

entry allow_udp { if {protocol udp; first-fragments;} then {permit;}}

entry allow_icmp { if {protocol icmpv6; first-fragments;} then {permit;}}

entry allow_xyz…

entry denyall { if {first-fragments; } then {deny;}}

The allow_icmp rule can be a security exposure on certain hardware (I believe x480 is such). So you may want to make a more specific icmp rule looking for specific icmp_type that are authorized, and drop IPv6 icmp with extension headers.

0 Kudos

Dave_E_Martin
New Contributor

‎07-01-2014 06:20 PM

Summit 460 and 480
0 Kudos

Stephane_Grosje
Contributor

‎07-01-2014 05:10 AM

Hi,

you need to create an ingress ACL with the "icmp-type" match criteria. If you plan to look at both L2 and L3 headers, you need double-wide ACL, which are not supported on every platforms.On which platform do you plan to use it?

Edit:
btw, you will find the EXOS documentations at the following link
http://www.extremenetworks.com/support/extreme-support/documentation/

0 Kudos
GTM-P2G8KFN