Message: 1
Date: Wed, 27 Apr 2011 22:21:31 +0200
From: martin papik <pa...@utia.cas.cz>
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] juniper-nsp Digest, Vol 101, Issue 46
Message-ID: <4db87acb.7010...@utia.cas.cz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,
can I block (drop) router advertisement (RA) only on specific ports in
EX2400 (EX2200) configuration?
The problem is in security, because when any station (PC, notebook)
connected to the LAN starts its own (but not official!!!) RA, I think that this
unofficial RA will pass through the switch. RA is using icmpv6 port 134. For example some PCs
with Windows OS should generate their own unofficial RA. Maybe I can use a firewall filter,
but this will generate higher CPU load :-(. Is it possible to use another specific conf.
command?
Did anyone solve this type of problem in the past?
Thanks
Martin Papik

Martin,
If you've got workstations sending RAs then you've probably got bigger problems than just rogue RAs. They're probably doing automatic v6-to-v4 tunneling (either 6-to-4 or Teredo), so you've got uncontrolled v6 traffic on your net. Given the exhaustion of v4 addrs, v6 is only going to increase in use.

You need to either do a proper v6 deployment or take strong steps to
quash it, the half-baked environment only leads to misery.
In general, if workstations hear "official" RAs then they tend to
become just clients and don't try to do 6-to-4 tunnels (or configure
each workstation to completely disable its v6 stack).

Find a good source of IPv6 information and learn about the things that you need to know, both as a network engineer & system-administrator.

Good place to start:
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
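As an added example (not code from either poster), a small Python detector for the rogue RAs Martin asks about: it parses a raw Ethernet frame, picks out ICMPv6 type 134 (what the question calls "port 134"), and flags an RA whose source MAC is not in an allowlist of known routers or whose source address is not link-local as RFC 4861 requires. The trusted MAC, the addresses and the frames are constructed values; nothing is sent on the wire.

```python
import struct

# Added example: flag IPv6 Router Advertisements (ICMPv6 type 134) that do not
# come from a known router. All MACs/addresses/frames here are constructed.
ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6 = 58
ICMPV6_RA = 134  # the "icmpv6 port 134" in the question is the ICMPv6 type
# Hypothetical allowlist of the site's legitimate router MACs (constructed)
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}

def parse_ra(frame: bytes):
    """Return (src_mac, src_ipv6, router_lifetime) for an RA frame, else None.
    IPv6 extension headers between the IPv6 and ICMPv6 headers are not handled."""
    if len(frame) < 14 + 40 + 16 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip6 = frame[14:54]
    if ip6[6] != NH_ICMPV6:          # IPv6 next-header byte
        return None
    icmp = frame[54:]
    if icmp[0] != ICMPV6_RA:         # ICMPv6 type byte
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    return src_mac, ip6[8:24], router_lifetime

def is_rogue_ra(frame: bytes, trusted=TRUSTED_ROUTER_MACS) -> bool:
    """True when the frame is an RA from an unknown MAC or a non-link-local source."""
    ra = parse_ra(frame)
    if ra is None:
        return False
    src_mac, src_ip, _ = ra
    # RFC 4861: RAs must be sent from a link-local source address (fe80::/10)
    link_local = src_ip[0] == 0xFE and (src_ip[1] & 0xC0) == 0x80
    return src_mac not in trusted or not link_local

def build_ra_frame(src_mac: str, src_ip: bytes, lifetime: int) -> bytes:
    """Constructed minimal RA (no options, checksum left zero) to exercise the detector."""
    dst_mac = bytes.fromhex("333300000001")                  # ff02::1 all-nodes multicast
    eth = dst_mac + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV6)
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    dst_ip = bytes.fromhex("ff02" + "00" * 13 + "01")
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NH_ICMPV6, 255) + src_ip + dst_ip
    return eth + ip6 + icmp

LINK_LOCAL = bytes.fromhex("fe80" + "00" * 13 + "01")        # fe80::1 (constructed)
GLOBAL = bytes.fromhex("20010db8" + "00" * 11 + "01")        # 2001:db8::1 (constructed)
```

Feeding captured frames from a mirror port into `is_rogue_ra` gives an alert source for the unofficial RAs without relying on a switch-side filter.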
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
