12-31-2017 03:58 AM - edited 03-01-2019 05:55 PM
Hi Dear All,
I want to filter RA packets by using the IPv6 ND RA Guard feature. When I try to create a policy with the command "ipv6 nd raguard policy TEST", it gives me this message: "Service not enabled".
Does anyone know which feature or service exactly must be enabled?
Device: Nexus7700
Software
BIOS: version 3.1.0
kickstart: version 8.2(1)
system: version 8.2(1)
BIOS compile time: 02/27/2013
kickstart image file is: bootflash:///n7700-s2-kickstart.8.2.1.bin
kickstart compile time: 8/30/2017 23:00:00 [09/27/2017 15:07:16]
system image file is: bootflash:///n7700-s2-dk9.8.2.1.bin
system compile time: 8/30/2017 23:00:00 [09/27/2017 18:37:07]
Many thanks
Milad
12-31-2017 02:48 PM
Hi Milad,
Can you try enabling feature fhs? The FHS stands for First Hop Security and encompasses RA Guard, DHCPv6 Guard, and IPv6 Snooping:
Best regards,
Peter
12-31-2017 09:54 PM
Hello Peter,
Thanks for your quick response. I enabled the fhs feature and created the policy, but it seems there is no chance to assign the policy under interface vlan. According to our topology, I need to filter RA packets on the VDCs except the admin VDC and also under interface vlan.
Is there any chance?
Many thanks
Milad
01-01-2018 12:55 AM
Hi Milad,
Applying the RA Guard to an SVI (an "interface Vlan") does not make much sense. The RA Guard is supposed to prevent unauthorized IPv6 RAs from untrusted hosts from leaking into your network, and that is done on the switchport level.
Why do you believe you need to apply the RA Guard to an SVI?
Best regards,
Peter
01-01-2018 02:03 AM
Our host servers are connected to a Nexus 5K, and we have a vPC link between the 5K and the 7K. AFAIK it's not possible to attach a RA Guard policy under a vPC link, and I also couldn't find any document regarding filtering RA packets on the Nexus 5K, so I decided to filter RAs under the SVI on the 7K.
01-01-2018 02:25 AM
Hi Milad,
Thank you for the clarification.
Unfortunately, in this design, the RA Guard would not be of much use, either. Think of this: You have a bunch of host servers connected to N5K, and one of them starts sending unauthorized IPv6 RAs. Even if you could filter them out on the vPC toward the N7K, the RAs would still be flooded across the ports of the same VLAN on the N5K, and possibly cause harm. Remember: To a switch, IPv6 RAs are just multicast frames, and are flooded within their VLAN. The RA Guard drops unauthorized RAs before they get flooded, but an SVI has nothing to do with this flooding, and that is why you cannot even apply the RA Guard to an SVI.
The IPv6 RA Guard is an access layer protection mechanism, and to have any sensible effect, it must be activated on the access ports closest to the attached hosts. Activating it at any higher layer in the network will leave the lower network layers unprotected and still vulnerable.
Unfortunately, Nexus 5000 series switches do not support the IPv6 RA Guard, so the only remaining option I can see is to use VACLs (vlan access-map, vlan filter) where you would drop all RAs except those sourced from your legitimate IPv6 routers, applied on the N5K to the entire VLANs with your host servers. It is not an ideal solution but likely the closest one to the RA Guard you can get.
Best regards,
Peter
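An added example (not from the thread or from Cisco documentation) of the VACL approach Peter describes: an NX-OS vlan access-map that forwards ICMPv6 Router Advertisements (ICMPv6 type 134) only when sourced from the legitimate routers and drops all other RAs. It assumes the N5K runs a release that supports IPv6 ACLs in VACLs; fe80::1 and fe80::2 are constructed placeholders for the routers' link-local addresses, and VLANs 100-110 are an assumed host VLAN range.

```text
! Added example, not from the thread: VACL that forwards ICMPv6 Router
! Advertisements (type 134) only from known routers and drops all other RAs.
! fe80::1 and fe80::2 are constructed placeholders for the legitimate
! routers' link-local addresses; VLANs 100-110 are assumed host VLANs.

ipv6 access-list RA-FROM-LEGIT-ROUTERS
  10 permit icmp host fe80::1 any 134
  20 permit icmp host fe80::2 any 134

ipv6 access-list RA-ANY
  10 permit icmp any any 134

ipv6 access-list IPV6-ANY
  10 permit ipv6 any any

ip access-list IPV4-ANY
  10 permit ip any any

! Entries are evaluated in sequence order; the first match wins.
vlan access-map BLOCK-ROGUE-RA 10
  match ipv6 address RA-FROM-LEGIT-ROUTERS
  action forward
vlan access-map BLOCK-ROGUE-RA 20
  match ipv6 address RA-ANY
  action drop
! Explicit catch-all entries so all other IPv6 and IPv4 traffic keeps
! flowing instead of relying on the platform's default for unmatched packets.
vlan access-map BLOCK-ROGUE-RA 30
  match ipv6 address IPV6-ANY
  action forward
vlan access-map BLOCK-ROGUE-RA 40
  match ip address IPV4-ANY
  action forward

! Apply the map to the VLANs carrying the host servers.
vlan filter BLOCK-ROGUE-RA vlan-list 100-110
```

Because the filter matches on source address rather than on the ingress port, it is weaker than a port-level RA Guard, and non-IP traffic such as ARP is not covered by these entries; check how your release treats packets matching no entry and add a mac-address catch-all if required.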
01-01-2018 02:53 AM - edited 01-01-2018 02:54 AM
Thanks for your help Peter :)
Merry Christmas!
01-01-2018 03:41 AM
Milad,
You are very much welcome! Thank you - merry Christmas / nice holidays to you, too, and all the very best in 2018! :)
Best regards,
Peter