IPv6 nd raguard policy

Hi Dear All,

I want to filter the RA packets by using IPv6 nd raguard feature, when I try to create a policy with this command "ipv6 nd raguard policy TEST" it gives me this message: "Service not enabled"

does anyone know which feature or service exactly must be enabled?

Device: Nexus7700
Software
BIOS: version 3.1.0
kickstart: version 8.2(1)
system: version 8.2(1)
BIOS compile time: 02/27/2013
kickstart image file is: bootflash:///n7700-s2-kickstart.8.2.1.bin
kickstart compile time: 8/30/2017 23:00:00 [09/27/2017 15:07:16]
system image file is: bootflash:///n7700-s2-dk9.8.2.1.bin
system compile time: 8/30/2017 23:00:00 [09/27/2017 18:37:07]

Many thanks

Milad

2 ACCEPTED SOLUTIONS
7 REPLIES
Hall of Fame Cisco Employee

Re: IPv6 nd raguard policy

Hi Milad,

Can you try enabling feature fhs? FHS stands for First Hop Security and encompasses RA Guard, DHCPv6 Guard and IPv6 Snooping:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/security/config/cisco_nexus7000_security_config_guide_8x/configuring_ipv6_first_hop_security.html

Best regards,
Peter


Beginner

Re: IPv6 nd raguard policy

Hello Peter,

Thanks for your quick response. I enabled the fhs feature and created the policy, but it seems there is no way to assign the policy under interface vlan. According to our topology I need to filter RA packets on the VDCs except the admin VDC, and also under interface vlan.

Is there any chance?

Many thanks

Milad

Hall of Fame Cisco Employee

Re: IPv6 nd raguard policy

Hi Milad,

Applying the RA Guard to an SVI (an "interface Vlan") does not make much sense. The RA Guard is supposed to prevent unauthorized IPv6 RAs from untrusted hosts from leaking into your network, and that is done at the switchport level.

Why do you believe you need to apply the RA Guard to an SVI?

Best regards,
Peter

Beginner

Re: IPv6 nd raguard policy

Our host servers are connected to a Nexus 5K and we have a vPC link between the 5K and the 7K. AFAIK it's not possible to attach an RA Guard policy under a vPC link, and I also couldn't find any document regarding filtering RA packets on the Nexus 5K, so I decided to filter RAs under the SVI on the 7K.

Hall of Fame Cisco Employee

Re: IPv6 nd raguard policy

Hi Milad,

Thank you for the clarification.

Unfortunately, in this design, the RA Guard would not be of much use, either. Think of this: You have a bunch of host servers connected to N5K, and one of them starts sending unauthorized IPv6 RAs. Even if you could filter them out on the vPC toward the N7K, the RAs would still be flooded across the ports of the same VLAN on the N5K, and possibly cause harm. Remember: To a switch, IPv6 RAs are just multicast frames, and are flooded within their VLAN. The RA Guard drops unauthorized RAs before they get flooded, but an SVI has nothing to do with this flooding, and that is why you cannot even apply the RA Guard to an SVI.

The IPv6 RA Guard is an access layer protection mechanism, and to have any sensible effect, it must be activated on the access ports closest to the attached hosts. Activating it at any higher layer in the network will leave the lower network layers unprotected and still vulnerable.

Unfortunately, Nexus 5000 series switches do not support the IPv6 RA Guard, so the only remaining option I can see is to use VACLs (vlan access-map, vlan filter) where you would drop all RAs except those sourced from your legitimate IPv6 routers, applied on the N5K to the entire VLANs with your host servers. It is not an ideal solution but likely the closest one to the RA Guard you can get.

Best regards,
Peter
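
As an added example (not part of this thread, and not Cisco code), the following Python models the decision that RA Guard on an access port, or the VACL Peter suggests for the N5K, has to make for every frame in the VLAN: is this an IPv6 Router Advertisement (EtherType 0x86DD, ICMPv6 type 134, flooded to ff02::1), and does it come from a router we trust? The trusted router's link-local address and MAC, and all sample frames, are constructed for the example. It goes a little beyond the thread in one respect: it walks IPv6 extension headers and drops fragmented ICMPv6, because RFC 7113 documents a hop-by-hop header in front of the RA, or a fragmented RA, as the standard ways a rogue host slips past a filter that only looks at the first next-header byte (RFC 6980 forbids fragmented NDP for the same reason). The same matching conditions are what an ipv6 access-list used in the vlan access-map has to express.

```python
"""Added example: emulate the RA Guard / VACL drop decision on raw Ethernet frames.

Not from the thread and not Cisco code. Shows what an RA filter must match on
and why matching only ip[6] == 58 is not enough (RFC 7113 evasion).
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
ICMPV6 = 58
RA_TYPE = 134
ECHO_REQUEST = 128
EXT_HEADERS = {0, 43, 60}              # hop-by-hop, routing, destination options
FRAGMENT_HEADER = 44
ALL_NODES = ipaddress.IPv6Address("ff02::1")   # every RA is flooded to this group
ALL_NODES_MAC = bytes.fromhex("333300000001")

# Constructed trust list: (link-local address, MAC) of the one legitimate router on the VLAN.
ROUTER_MAC = bytes.fromhex("0011223344aa")
ROGUE_MAC = bytes.fromhex("00deadbeef01")
TRUSTED_ROUTERS = {(ipaddress.IPv6Address("fe80::1"), ROUTER_MAC)}


def classify(frame):
    """Return ('forward' | 'drop', reason) for one Ethernet frame."""
    if len(frame) < 14:
        return "drop", "runt frame"
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "forward", "not IPv6"
    ip = frame[14:]
    if len(ip) < 40 or ip[0] >> 4 != 6:
        return "drop", "malformed IPv6 header"
    next_hdr, hop_limit = ip[6], ip[7]
    src = ipaddress.IPv6Address(ip[8:24])
    off, fragmented = 40, False
    # Walk the extension-header chain: a rogue host can put a hop-by-hop header
    # in front of the RA so that ip[6] is 0, not 58 (RFC 7113).
    while next_hdr in EXT_HEADERS or next_hdr == FRAGMENT_HEADER:
        if off + 8 > len(ip):
            return "drop", "truncated extension header"
        if next_hdr == FRAGMENT_HEADER:
            fragmented = True
            next_hdr, off = ip[off], off + 8            # fragment header is a fixed 8 bytes
        else:
            next_hdr, off = ip[off], off + (ip[off + 1] + 1) * 8
    if next_hdr != ICMPV6:
        return "forward", "not ICMPv6"
    if fragmented:
        # RFC 6980: NDP must not be fragmented, and a non-first fragment hides the
        # ICMPv6 type from the filter anyway, so fragmented ICMPv6 is dropped outright.
        return "drop", "fragmented ICMPv6"
    if off >= len(ip):
        return "drop", "truncated ICMPv6"
    if ip[off] != RA_TYPE:
        return "forward", "ICMPv6 but not an RA"
    # From here on the frame is an RA: this is the RA Guard / VACL decision.
    if not src.is_link_local or hop_limit != 255:
        return "drop", "RA with non-link-local source or hop limit != 255"
    if (src, src_mac) not in TRUSTED_ROUTERS:
        return "drop", "RA from untrusted %s / %s" % (src, src_mac.hex(":"))
    return "forward", "RA from trusted router"


def build_frame(src_mac, src_ip, icmp_type=RA_TYPE, hop_limit=255, ext_headers=()):
    """Constructed minimal Ethernet/IPv6/ICMPv6 frame to ff02::1.

    ext_headers: sequence of (header_type, body) where body is the extension header
    without its leading next-header byte; the builder chains them in order.
    ICMPv6 checksums are left zero because nothing here verifies them.
    """
    if icmp_type == RA_TYPE:   # type, code, cksum, cur hop limit, flags, lifetime, reachable, retrans
        payload = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    else:                      # type, code, cksum, identifier, sequence
        payload = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    next_hdr = ICMPV6
    for hdr_type, body in reversed(ext_headers):
        payload = bytes([next_hdr]) + body + payload
        next_hdr = hdr_type
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, hop_limit)
    ipv6 += ipaddress.IPv6Address(src_ip).packed + ALL_NODES.packed
    return ALL_NODES_MAC + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + payload


HBH_PADN = bytes([0, 1, 4, 0, 0, 0, 0])                     # hop-by-hop body: len 0, one PadN option
FRAG_FIRST = bytes([0]) + struct.pack("!HI", 0x0001, 0x1234)  # first fragment, M flag set
ARP_FRAME = b"\xff" * 6 + ROGUE_MAC + b"\x08\x06" + bytes(28)  # constructed ARP, untouched by the filter

SAMPLE_FRAMES = {
    "legit RA": build_frame(ROUTER_MAC, "fe80::1"),
    "rogue RA": build_frame(ROGUE_MAC, "fe80::bad"),
    "rogue RA, global source": build_frame(ROGUE_MAC, "2001:db8::1"),
    "rogue RA behind hop-by-hop header": build_frame(ROGUE_MAC, "fe80::bad", ext_headers=[(0, HBH_PADN)]),
    "fragmented RA": build_frame(ROUTER_MAC, "fe80::1", ext_headers=[(FRAGMENT_HEADER, FRAG_FIRST)]),
    "echo request": build_frame(ROGUE_MAC, "fe80::bad", icmp_type=ECHO_REQUEST),
    "ARP": ARP_FRAME,
}


def run_demo():
    """Apply the filter to every sample frame; returns {label: verdict}."""
    return {label: classify(frame)[0] for label, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        verdict, reason = classify(frame)
        print("%-34s %-8s %s" % (label, verdict, reason))
```

Running it forwards the legitimate RA, the echo request and the ARP frame and drops the four rogue or malformed RAs. The "rogue RA behind hop-by-hop header" case is the one worth checking against whatever you deploy: a VACL whose ACL entry matches only on an ICMPv6 upper layer directly after the fixed IPv6 header will forward that frame, which is exactly the evasion RFC 7113 warns about.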


Beginner

Re: IPv6 nd raguard policy

Thanks for your help Peter :)
Merry Christmas!

Hall of Fame Cisco Employee

Re: IPv6 nd raguard policy

Milad,

You are very much welcome! Thank you - merry Christmas / nice holidays to you, too, and all the very best in 2018! :)

Best regards,
Peter
