[c-nsp] ipv6 nd raguard

Peter Rathlev peter at rathlev.dk
Sun Mar 4 15:16:32 EST 2012


On Sun, 2012-03-04 at 20:25 +0100, Niccolò Belli wrote:
> Il 04/03/2012 18:07, Peter Rathlev ha scritto:
> > That would be never, since that's not an E or X model.
> 
> Oh that sounds bad, I didn't think Cisco considered the WS-C3560-24PS-E 
> as a low end device :(

I wouldn't call it low end, at least not among (user) access switches
which is where RA Guard would make most sense. But the "original" 3560
has more or less been superseded by the -E and -X models.

It's probably a priority thing for Cisco. But since we have no real hard
facts, someone need to ask their AM what status really is.

You can always use a manual traffic-filter:

 ipv6 access-list Deny-RA
  deny icmp any any router-advertisement
  permit ipv6 any any
  exit
 !
 interface GigabitEthernet0/1
  ipv6 traffic-filter Deny-RA in
 !

That should work just as well as RA Guard. (Beware that neither this nor
"RA Guard" probably solves draft-gont-v6ops-ra-guard-evasion.)

-- 
Peter




More information about the cisco-nsp mailing list