RA Guard on Extreme Summit / Enterasys C3/C5 Switches
2019-03-14
Recently, I researched how to implement RA Guard on Enterasys/Extreme switches. The Summit X460-G2 and Enterasys C5G Series were in my lab for testing the implementation.
Unfortunately, they do not provide a simple "switch-on" feature for RA Guard; instead, it requires a custom implementation using policy rules or ACL entries. They also seem not to protect against attacks that place extension headers in front of the ICMPv6 header of the rogue RA. This does need testing, though.
RA Guard on Extreme Summit X460-G2
Create a file named raguard.pol containing this ACL:
entry block_ra {
    if { protocol icmpv6; icmp-type 134; }
    then { deny; count RA_attack; }
}
Then upload it to the switch and apply it to a port:
configure access-list raguard ports 48 ingress
The counters are accessible with:
X460G2-48p-10G4.28 # show access-list counter
Policy Name    Vlan Name    Port    Direction    Counter Name    Packet Count    Byte Count
==================================================================
raguard        *            1       ingress      RA_attack       0
raguard        *            48      ingress      RA_attack       3
Enterasys C5G
This switch series requires a fairly modern software version and policy support.
set policy profile 1 name raguard
set policy rule 1 icmp6type 134.000 mask 16 drop
set policy port ge.1.1 1
Both of these are the simplest versions, and they can be combined into larger policies / ACLs. I have also verified the effectiveness of the Enterasys policy on a trunk port for tagged VLANs.
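The ACLs above classify a frame by "protocol icmpv6; icmp-type 134", which on many platforms means inspecting only the Next Header field of the base IPv6 header. The following added example (not part of the original post or of either vendor's software) models that check beside a classifier that walks the extension-header chain, so you can see why an RA carrying a Hop-by-Hop header ahead of ICMPv6 slips past the first and not the second. The addresses and the sample packets are constructed here for the test.

```python
import struct

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
# Extension headers whose first two bytes are (next header, length in 8-octet units minus one).
EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options

def ipv6_header(next_header, payload_len):
    """Fixed 40-byte IPv6 header with constructed link-local / all-nodes addresses."""
    src = bytes.fromhex("fe80" + "00" * 14)          # fe80::   (placeholder source)
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1  (all nodes)
    # version 6, traffic class 0, flow label 0 | payload length | next header | hop limit 255
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 255) + src + dst

def ra_body():
    """Minimal ICMPv6 Router Advertisement (type 134); checksum left zero, not validated here."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    return struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)

def hop_by_hop(next_header):
    """8-byte Hop-by-Hop extension header carrying a single PadN option."""
    # next header, ext len 0 (= 8 bytes total), PadN option type 1, option length 4, padding
    return struct.pack("!BBBB", next_header, 0, 1, 4) + b"\x00" * 4

def naive_is_ra(pkt):
    """What a base-header-only ACL sees: Next Header must be ICMPv6 right away."""
    return pkt[6] == ICMPV6 and len(pkt) > 40 and pkt[40] == ROUTER_ADVERTISEMENT

def walk_is_ra(pkt):
    """Follow the extension-header chain until a non-extension header appears."""
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            return False            # truncated chain: cannot classify, do not treat as RA
        nh, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    return nh == ICMPV6 and off < len(pkt) and pkt[off] == ROUTER_ADVERTISEMENT

# Constructed sample frames: a plain RA, and the same RA behind a Hop-by-Hop header.
_body = ra_body()
PLAIN_RA = ipv6_header(ICMPV6, len(_body)) + _body
_hbh = hop_by_hop(ICMPV6)
HBH_RA = ipv6_header(0, len(_hbh) + len(_body)) + _hbh + _body

if __name__ == "__main__":
    for name, pkt in (("plain RA", PLAIN_RA), ("RA behind Hop-by-Hop", HBH_RA)):
        print(f"{name}: base-header check={naive_is_ra(pkt)}, chain walk={walk_is_ra(pkt)}")
```

The chain walk is the behaviour to look for when testing a platform's RA Guard: a counter that stays at zero for the second frame while the first is blocked indicates the base-header-only classification.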