23 Dec 2011, 4:36 p.m.
On Fri, 23 Dec 2011, Jeff Wheeler wrote:
On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos <mohacsi@niif.hu> wrote:
If you can limit the number of ARP/NDP entries per interface and you complement it with RA Guard and DHCPv4 snooping, you are done.
That depends on how ARP/ND gleaning works on the box. In short, Cisco already has a knob to limit the number of ND entries per interface on some of their kit, and it is not a solution, only a damage mitigation measure. http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
The solution is that you monitor your device: if the limits are reached, you get notified and you can resolve the problem.
Best Regards,
Janos Mohacsi
-- Jeff S Wheeler <jsw@inconcepts.biz> Sr Network Operator / Innovative Network Concepts
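The monitoring step Janos describes, written out as an added example (this is not code from the thread or from either poster): a small watchdog that parses Linux `ip -6 neigh show` output, counts neighbor-cache entries per interface, and raises an alert when the total, or the number of unresolved (INCOMPLETE/FAILED) entries, crosses a limit. The sample neighbor table is constructed, the thresholds are assumed values, and the parsed format is assumed to be the one `ip -6 neigh show` prints; adapt the parser for a router that exposes its ND table differently. The unresolved count is the useful signal for the scan-driven exhaustion in Jeff's paper: an attacker sweeping a /64 fills the cache with entries that never resolve.

```python
"""Per-interface IPv6 neighbor-cache watchdog (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the format printed by `ip -6 neigh show` on Linux.
SAMPLE_NEIGH_OUTPUT = """\
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::20 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::ab01 dev eth0  INCOMPLETE
2001:db8:1::ab02 dev eth0  INCOMPLETE
2001:db8:1::ab03 dev eth0  FAILED
2001:db8:1::ab04 dev eth0  INCOMPLETE
fe80::1 dev eth1 lladdr 00:11:22:33:44:77 REACHABLE
"""

# address, interface, optional link-layer address, optional 'router' flag, NUD state
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+)\s+dev\s+(?P<dev>\S+)\s+"
    r"(?:lladdr\s+(?P<lladdr>\S+)\s+)?(?:router\s+)?(?P<state>[A-Z]+)\s*$"
)

# States that mean the neighbor never answered solicitation: what a scan leaves behind.
UNRESOLVED_STATES = {"INCOMPLETE", "FAILED"}


def parse_neigh_table(text):
    """Return a list of (address, interface, state); lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m.group("addr"), m.group("dev"), m.group("state")))
    return entries


def per_interface_counts(entries):
    """Return {interface: {"total": n, "unresolved": m}}."""
    counts = defaultdict(lambda: {"total": 0, "unresolved": 0})
    for _addr, dev, state in entries:
        counts[dev]["total"] += 1
        if state in UNRESOLVED_STATES:
            counts[dev]["unresolved"] += 1
    return dict(counts)


def check_thresholds(counts, max_total=1024, max_unresolved=16):
    """Return alert strings for interfaces at or above either limit (limits are assumed values)."""
    alerts = []
    for dev in sorted(counts):
        c = counts[dev]
        if c["total"] >= max_total:
            alerts.append(f"{dev}: {c['total']} neighbor entries (limit {max_total})")
        if c["unresolved"] >= max_unresolved:
            alerts.append(
                f"{dev}: {c['unresolved']} unresolved entries (limit {max_unresolved}); "
                "possible ND scan or cache exhaustion"
            )
    return alerts


if __name__ == "__main__":
    # In production, replace SAMPLE_NEIGH_OUTPUT with the output of `ip -6 neigh show`
    # and hand the alerts to whatever paging or syslog path you use.
    table = per_interface_counts(parse_neigh_table(SAMPLE_NEIGH_OUTPUT))
    for msg in check_thresholds(table, max_total=1024, max_unresolved=3):
        print("ALERT", msg)
```

On Linux the hard cap to compare against is `net.ipv6.neigh.default.gc_thresh3` (the kernel starts refusing new entries above it), so a sensible `max_total` is a fraction of that value. The watchdog only tells you the limit is being hit; as Jeff points out above, the per-interface limit itself is damage mitigation, not a fix.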