Automatic IPv6 due to broadcast
mysidia at gmail.com
Mon Apr 23 00:30:09 CDT 2012
On 4/22/12, Grant Ridder <shortdudey123 at gmail.com> wrote:
> Most switches nowadays have dhcpv4 detection that can be enabled for port
Yes. Many L2 switches have DHCPv4 "Snooping", where some port(s) can
be so designated as trusted DHCP server ports, for certain Virtual
LANs; and dhcp messages can be detected and suppressed from
unauthorized edge ports. Particularly good L2 switches also have
DAI or "IP Source guard" IPv4 functions, which when properly
enabled, can foil certain L2 ARP and IPv4 source address spoofing
e.g. Source IP address of packet does not match one of the DHCP leases
issued to that port -- then drop the packet.
As for IPv6; rfc6105; you have
ipv6 nd raguard
and IOS NDP inspection.
However, there are caveats that should be noted. RA guard
implementations can be trivially fooled by the use of crafted packets.
These are potentially good protections against accidental
configuration errors, but not malicious attack from a general purpose
Currently, IPv4 seems to win at L2 easily in regards to the level of
hardware security features commonly available on L2 switches that
pertain to IP.
More information about the NANOG