The Cisco perimeter switch must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.
An XCCDF Rule
Description
<VulnDiscussion>Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways must be configured to suppress router advertisements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-237760r999764_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the switch to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below.
SW1(config)# interface e1/1
SW1(config-if-range)# ipv6 nd suppress-ra
SW1(config-if-range)# end