Difference between revisions of "First-hop security IPv6 Cisco IOS"

From Teknologisk videncenter
Jump to: navigation, search
m (Unicast Reverse Path Forwarding)
m (IPv6 RA Guard)
Line 1: Line 1:
 
{{in progress}}
 
{{in progress}}
 
=IPv6 RA Guard=
 
=IPv6 RA Guard=
IPv6 Router Advertisement Guard. See {{rfc|rfc=draft-ietf-v6ops-ra-guard-04}}
+
IPv6 Router Advertisement Guard. <ref>http://tools.ietf.org/html/rfcdraft-ietf-v6ops-ra-guard-04</ref>
 +
 
 +
IPv6 RA guard provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link.
 +
 
 +
==From IOS 12.2(33)SXI4 to 12.2(54)SG==
 +
<source lang=cli>
 +
R1(config)#<input>int fa0/1</input>
 +
R1(config-if)<input>ipv6 nd raguard</input>
 +
</source>
 +
==From IOS 12.2(54)SG==
 +
<source lang=cli>
 +
R1(config)#<input>int fa0/1</input>
 +
R1(config-if)<input>ipv6 nd raguard policy policy1</input>
 +
R1(config-ra-guard)#
 +
</source>
  
IPv6 RA guard provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link.
 
 
=Unicast Reverse Path Forwarding=
 
=Unicast Reverse Path Forwarding=
 
To avoid spoofed packets passing a Router. Could be DoS attack. With RPF - reverse Path Forwarding - the router checks that the sending hosts source IP address matches the routing table on the receiving interface.
 
To avoid spoofed packets passing a Router. Could be DoS attack. With RPF - reverse Path Forwarding - the router checks that the sending hosts source IP address matches the routing table on the receiving interface.

Revision as of 07:42, 19 December 2011

IPv6 RA Guard

IPv6 Router Advertisement Guard. [1]

IPv6 RA guard provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link.

From IOS 12.2(33)SXI4 to 12.2(54)SG

R1(config)#<input>int fa0/1</input>
R1(config-if)<input>ipv6 nd raguard</input>

From IOS 12.2(54)SG

R1(config)#<input>int fa0/1</input>
R1(config-if)<input>ipv6 nd raguard policy policy1</input>
R1(config-ra-guard)#

Unicast Reverse Path Forwarding

To avoid spoofed packets passing a Router. Could be DoS attack. With RPF - reverse Path Forwarding - the router checks that the sending hosts source IP address matches the routing table on the receiving interface.

Example
An access-list can be used as an option to this command
R1(config)#<input>interface fa0/1</input>
R1(config-if)#<input>ipv6 verify unicast reverse-path</input>

Links

  • http://tools.ietf.org/html/rfcdraft-ietf-v6ops-ra-guard-04