How to set up RA Guard?
‎06-30-2014 02:03 PM
Is there a guide to setting up RA Guard? I thought I saw one once, but I can't find it now. It doesn't seem to be covered in the 15.3 concepts guide, and I can't find a newer concepts guide (getting 404 page not found errors).
3 REPLIES
‎07-02-2014 06:57 AM
The below example would help prevent RA attacks:
entry disallow_and_log_RA_attacks {if {protocol icmpv6;icmp-type 134;} then { deny; mirror-cpu; log; count RA_attack;}}
entry allow_tcp { if {protocol tcp; first-fragments;} then {permit;}}
entry allow_udp { if {protocol udp; first-fragments;} then {permit;}}
entry allow_icmp { if {protocol icmpv6; first-fragments;} then {permit;}}
entry allow_xyz…
entry denyall { if {first-fragments; } then {deny;}}
The allow_icmp rule can be a security exposure on certain hardware (I believe x480 is such). So you may want to make a more specific icmp rule looking for specific icmp_type that are authorized, and drop IPv6 icmp with extension headers.
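The more specific ICMPv6 handling suggested in the reply above, modelled as an added Python example (not part of the original post and not EXOS policy syntax): it walks the IPv6 header chain, denies Router Advertisements (type 134), denies ICMPv6 that arrives behind an extension header, and permits only allowlisted types. The allowlist, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6, RA = 44, 58, 134
# Assumed allowlist (not from the thread): errors, echo, NS/NA.
ALLOWED_TYPES = {1, 2, 3, 4, 128, 129, 135, 136}

def classify(packet: bytes) -> str:
    """Return 'permit', 'skip:<reason>' or 'deny:<reason>' for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "deny:not-ipv6"
    next_hdr, offset, has_ext = packet[6], 40, False
    while next_hdr in EXT_HEADERS or next_hdr == FRAGMENT:
        if offset + 8 > len(packet):
            return "deny:truncated-header-chain"
        has_ext = True
        length = 8
        if next_hdr == FRAGMENT:
            # Fragment offset is the top 13 bits of bytes 2-3 of the header.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "skip:non-first-fragment"  # thread's entries match first fragments only
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units
        next_hdr, offset = packet[offset], offset + length
    if next_hdr != ICMPV6:
        return "permit"  # TCP, UDP etc. are left to the other entries
    if offset >= len(packet):
        return "deny:truncated-header-chain"
    icmp_type = packet[offset]
    if icmp_type == RA:
        return "deny:router-advertisement"
    if has_ext:
        return "deny:icmpv6-with-extension-header"
    return "permit" if icmp_type in ALLOWED_TYPES else "deny:icmpv6-type-not-allowed"

def sample_ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed test packet fe80::1 -> ff02::1 (checksums left at zero)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255) + src + dst + payload

RA_MSG = bytes([134, 0]) + bytes(14)          # constructed Router Advertisement body
NS_MSG = bytes([135, 0]) + bytes(22)          # constructed Neighbor Solicitation body
DEST_OPTS = bytes([58, 0, 1, 4, 0, 0, 0, 0])  # Destination Options, PadN only

if __name__ == "__main__":
    for name, pkt in [("plain RA", sample_ipv6(58, RA_MSG)),
                      ("RA after dest-opts", sample_ipv6(60, DEST_OPTS + RA_MSG)),
                      ("NS after dest-opts", sample_ipv6(60, DEST_OPTS + NS_MSG)),
                      ("plain NS", sample_ipv6(58, NS_MSG))]:
        print(f"{name:20} -> {classify(pkt)}")
```

Running sample packets through a model like this before deploying the ACL shows which cases depend on the hardware looking past extension headers, which a match on "protocol icmpv6" alone may not do.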
‎07-01-2014 06:20 PM
Summit 460 and 480
‎07-01-2014 05:10 AM
Hi,
You need to create an ingress ACL with the "icmp-type" match criteria. If you plan to look at both L2 and L3 headers, you need double-wide ACLs, which are not supported on every platform. On which platform do you plan to use it?
Edit:
btw, you will find the EXOS documentation at the following link
http://www.extremenetworks.com/support/extreme-support/documentation/
