
Brother Qian Yitang has some technologies for the last hop security of IPv6 wireless network.

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1.RA Throttling

Router Advertisement Throttling

Router Advertisement (RA) throttling allows the controller to enforce rate limiting of RAs headed towards the wireless network. By enabling RA throttling, routers that are configured to send RAs frequently (every 3 seconds) can be trimmed back to a minimum frequency that will still maintain IPv6 client connectivity. This allows airtime to be optimized by reducing the number of multicast packets that must be sent. In all cases, if a client sends a Router Solicitation (RS), then an RA will be allowed through the controller and unicast to the requesting client. This is to ensure that new clients or roaming clients are not negatively impacted by RA throttling.

Note: When RA throttling occurs, only the first IPv6 capable router is allowed through. For networks that have multiple IPv6 prefixes being served by different routers, RA throttling must be disabled.

RA (router advertisement) throttling

RA throttling lets the wireless controller enforce rate limiting on RA packets sent towards the wireless network. By enabling RA throttling, the sending frequency of router RAs (sent every 3 seconds) can be reduced to a minimum, while maintaining the connectivity of IPv6 clients. Airtime can be optimized by reducing the number of multicast packets sent. In all scenarios, if a client sends an RS message, an RA message is sent directly to the requesting client using unicast. This ensures that new clients or roaming clients are not affected by RA throttling.
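The throttling behaviour described above, as an added example that is not part of the original article and not the controller's own code. It is a simplified model: the `period` and `max_through` parameters, the class name and the router/client labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RaThrottle:
    period: float = 600.0          # assumed throttle window, in seconds
    max_through: int = 1           # assumed multicast RAs allowed per window
    window_start: float = 0.0
    passed: int = 0
    first_router: Optional[str] = None
    pending_rs: set = field(default_factory=set)

    def on_rs(self, client):
        """A client sent a Router Solicitation; it must get the next RA by unicast."""
        self.pending_rs.add(client)

    def on_ra(self, now, router):
        """Return (action, target) decisions for one RA arriving from the wired side."""
        if self.first_router is None:
            self.first_router = router
        if router != self.first_router:
            # Only the first IPv6 router is let through while throttling is on.
            return [("drop-other-router", None)]
        out = [("unicast", c) for c in sorted(self.pending_rs)]
        self.pending_rs.clear()
        if now - self.window_start >= self.period:
            self.window_start, self.passed = now, 0
        if self.passed < self.max_through:
            self.passed += 1
            out.append(("multicast", "ff02::1"))
        elif not out:
            out.append(("throttled", None))
        return out

def simulate():
    """Constructed scenario: router fe80::a sends an RA every 3 s for one minute."""
    t = RaThrottle(period=30.0, max_through=1)
    counts = {"multicast": 0, "unicast": 0, "throttled": 0, "drop-other-router": 0}
    for now in range(0, 60, 3):
        if now == 12:
            t.on_rs("client-1")    # a roaming client solicits just before this RA
        for action, _ in t.on_ra(float(now), "fe80::a"):
            counts[action] += 1
    # A second router serving another prefix never reaches the clients.
    for action, _ in t.on_ra(60.0, "fe80::b"):
        counts[action] += 1
    return counts

if __name__ == "__main__":
    print(simulate())
```

The dropped RA from the second router is the reason the note above says throttling must be disabled when different routers serve different prefixes.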

2.IPv6 Source Guard

The IPv6 source guard feature prevents a wireless client from spoofing an IPv6 address of another client. This feature is analogous to IPv4 source guard. IPv6 source guard is enabled by default.

IPv6 source guard is a feature that prevents a wireless client from posing as another IPv6 client, which is similar to IPv4 source guard.

3.IPv6 Access Control Lists

In order to restrict access to certain upstream wired resources or block certain applications, IPv6 Access Control lists can be used to identify traffic and permit or deny it. IPv6 Access Lists support the same options as IPv4 Access Lists including source, destination, source port, and destination port (port ranges are also supported). The wireless controller supports up to 64 unique IPv6 ACLs each with 64 unique rules in each. The wireless controller continues to support an additional 64 unique IPv4 ACLs with 64 unique rules in each for a total of 128 ACLs for a dual-stack client.

IPv6 Access Control List

To restrict access to specific upstream wired network resources or to block specific applications, IPv6 ACLs can be used to identify traffic and then allow or deny it. As with IPv4 ACLs, they can include options such as source and destination address, source and destination port, and so on. Wireless controllers support up to 64 IPv6 ACLs, and each ACL can contain up to 64 rules.

4.DHCPv6 Server Guard

The DHCPv6 Server guard feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or wired clients upstream. To prevent DHCPv6 addresses from being handed out, all DHCPv6 advertise packets from wireless clients are dropped. This feature operates on the controller, requires no configuration and is enabled automatically.

The DHCPv6 Server guard feature prevents wireless clients from distributing IPv6 addresses to other wireless clients or upstream wired clients. In order to prevent DHCPv6 addresses from being distributed, all DHCPv6 advertise messages from wireless clients are discarded.

5.Router Advertisement Guard

The RA Guard feature increases the security of the IPv6 network by dropping router advertisements coming from wireless clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the network, often with a high priority, which could take precedence over legitimate IPv6 routers.

By default, RA guard is enabled at the AP (but can be disabled) and is always enabled on the controller. Dropping RAs at the AP is preferred as it is a more scalable solution and provides enhanced per-client RA drop counters. In all cases, the IPv6 RA is dropped at some point, protecting other wireless clients and upstream wired network from malicious or misconfigured IPv6 clients.

RA guard enhances the security of IPv6 networks by dropping RA messages from wireless clients. Without this feature, misconfigured or malicious IPv6 clients may advertise themselves as routers with a higher priority, which would cause them to take precedence over the legitimate IPv6 router.
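The drop decisions of DHCPv6 Server Guard and RA Guard described above, as an added example that is not part of the original article and not the controller's own code. It goes slightly beyond the text by walking IPv6 extension headers before classifying, which is this example's own choice; all packets are constructed samples and the function names are assumptions.

```python
import struct

ICMPV6, UDP, FRAGMENT = 58, 17, 44
EXT_HEADERS = {0, 43, 60}            # hop-by-hop, routing, destination options
ICMPV6_RA, DHCPV6_SERVER_PORT, DHCPV6_ADVERTISE = 134, 547, 2

def upper_layer(pkt):
    """Walk the IPv6 header chain; return (protocol, payload) or (None, b'')."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, b""
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if len(pkt) < off + 8:
            return None, b""
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return None, b""         # non-first fragment carries no upper-layer header
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return nxt, pkt[off:]

def verdict(pkt, from_wireless_client):
    """Apply RA guard and DHCPv6 server guard to one packet."""
    if not from_wireless_client:
        return "forward"             # both guards act only on client-sourced traffic
    proto, body = upper_layer(pkt)
    if proto == ICMPV6 and body[:1] == bytes([ICMPV6_RA]):
        return "drop: RA guard"
    if proto == UDP and len(body) >= 9:
        sport = struct.unpack_from("!H", body)[0]
        if sport == DHCPV6_SERVER_PORT and body[8] == DHCPV6_ADVERTISE:
            return "drop: DHCPv6 server guard"
    return "forward"

def ipv6(next_header, payload):
    """Build a constructed sample packet, fe80::1 -> ff02::1."""
    src, dst = (bytes.fromhex(p + "00" * 13 + "01") for p in ("fe80", "ff02"))
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

# Constructed sample payloads (checksums left at zero; the guards do not verify them)
RA = bytes([134, 0]) + bytes(14)
SAMPLES = {
    "ra": ipv6(ICMPV6, RA),
    "ra_after_dest_opts": ipv6(60, bytes([ICMPV6, 0]) + bytes(6) + RA),
    "rs": ipv6(ICMPV6, bytes([133, 0]) + bytes(6)),
    "dhcpv6_advertise": ipv6(UDP, struct.pack("!HHHH", 547, 546, 12, 0) + b"\x02\xaa\xbb\xcc"),
    "dhcpv6_solicit": ipv6(UDP, struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\xaa\xbb\xcc"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} {verdict(pkt, True)}")
```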

6.AAA Override for IPv6 ACLs

In order to support centralized access control through a centralized AAA server such as Cisco's Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. To use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The actual named AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the Airespace-ACL-Name attribute used for provisioning an IPv4-based ACL. The AAA attribute contents must be equal to the name of the IPv6 ACL as configured in the controller.

AAA Override for IPv6 ACLs

In order to achieve centralized access control, a centralized AAA server such as Cisco's ISE or ACS is usually used. By using the AAA override attribute, an IPv6 ACL is applied to each client.
