net.fail

A blog about building and running a larger network, with an IPv6-first mentality. And unrelated video/audio/tech-stuff.


RA Guard on Extreme Summit / Enterasys C3/C5 Switches

2019-03-14

Recently, I researched how to implement RA Guard on Enterasys/Extreme switches. A Summit X460-G2 and an Enterasys C5G series switch were in my lab for testing the implementation.
Unfortunately, neither provides a simple "switch-on" feature for RA Guard; instead it has to be built by hand from policy rules or ACL entries. It also seems that they do not protect against attacks that place extension headers in front of the ICMPv6 header of the rogue RA. This still needs testing, though.

RA Guard on Extreme Summit X460-G2

Create a policy file named raguard.pol containing this ACL:

entry block_ra {
    if { protocol icmpv6; icmp-type 134; }
    then { deny; count RA_attack; }
}

Then upload it to the switch and apply it to a port (here port 48, ingress direction):

configure access-list raguard ports 48 ingress

Extreme's documentation on IPv6 router advertisement filtering: https://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/IPUnicastv6/c_ipv6-router-advertisement-filtering.shtml

The counters are accessible with:

X460G2-48p-10G4.28 # show access-list counter 
Policy Name       Vlan Name        Port   Direction  
Counter Name                   Packet Count         Byte Count           
==================================================================
raguard           *                1      ingress   
    RA_attack                      0                                         
raguard           *                48     ingress   
    RA_attack                      3                                         
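The counter output is the only signal the switch gives that a rogue RA was dropped, so it is worth polling. The following script is an added example, not code from the original post: it parses the `show access-list counter` table into rows, reports ports whose RA_attack counter is non-zero, and reports ports whose counter grew between two polls. SAMPLE_OUTPUT is a constructed copy of the table above.

```python
"""Parse EXOS 'show access-list counter' output and flag ports whose RA_attack
counter is non-zero or grew since the previous poll. Added example, not from
the original post; SAMPLE_OUTPUT is a constructed copy of the table above."""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
X460G2-48p-10G4.28 # show access-list counter
Policy Name       Vlan Name        Port   Direction
Counter Name                   Packet Count         Byte Count
==================================================================
raguard           *                1      ingress
    RA_attack                      0
raguard           *                48     ingress
    RA_attack                      3
"""

# Policy row: policy name, VLAN (or *), port, direction.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ingress|egress)\s*$")
# Counter row: indented counter name, packet count, optional byte count.
COUNTER_RE = re.compile(r"^\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_counters(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (policy, port, direction, counter, packets) tuples, pairing
    each indented counter line with the policy row printed above it."""
    rows, current = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            policy, _vlan, port, direction = m.groups()
            current = (policy, port, direction)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            rows.append((*current, m.group(1), int(m.group(2))))
    return rows

def counter_by_port(text: str, counter: str = "RA_attack") -> Dict[str, int]:
    """Map port -> packet count for the named counter."""
    return {p: n for _, p, _, c, n in parse_counters(text) if c == counter}

def ports_with_hits(text: str, counter: str = "RA_attack") -> Dict[str, int]:
    """Ports on which the ACL has already dropped at least one RA."""
    return {p: n for p, n in counter_by_port(text, counter).items() if n > 0}

def new_hits(before: str, after: str, counter: str = "RA_attack") -> Dict[str, int]:
    """Ports whose counter grew between two polls, with the increase."""
    old, new = counter_by_port(before, counter), counter_by_port(after, counter)
    return {p: new[p] - old.get(p, 0) for p in new if new[p] > old.get(p, 0)}
```

Feed it the command output captured over SSH at regular intervals and alert on the first non-empty result of new_hits, which points at the access port the rogue RA arrived on.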

Enterasys C5G

This switch series requires a fairly modern software version with policy support.

set policy profile 1 name raguard
set policy rule 1 icmp6type 134.000 mask 16 drop
set policy port ge.1.1 1

Both of these are the simplest versions, and they can be combined into larger policies / ACLs. I have also verified the effectiveness of the Enterasys policy on a trunk port for tagged VLANs.