IPv6 RA ... On or Off For Firewall External Interface

timway001
Level 1

Hi, I am curious what you folks think I should do in this situation. I have a pair of ASR routers running BGP multi-homed to a single ISP. Among other connections I have a pair of VLANs on the back side of the ASR routers where my global unicast addressing lives. It looks like:

isp <<< >>> asr1 <<< >>> core1 (vlan 2967)

isp <<< >>> asr2 <<< >>> core2 (vlan 2967)

                                    >>> firewall  <<< corporate lan >>>

                                    >>> vpn server

                                    >>> a load balancer

                                    >>> etc ...

Obviously some of these are "host" devices. For the ones that are "router" devices (the firewall, possibly the vpn server and load balancer), is it ideal to turn RA on? My only reservation about doing it is I do not want them to become next-hop routers and end up somehow as a hop on the same /64 just to eventually get over to my ASR routers. Another way to word it would be: should I only run RA on my ASR routers?

I wouldn't get too caught up in the fact that I have some other edge devices not behind a dedicated firewall. That is a different issue entirely. This is more about the role of RA when a segment has multiple routers that don't all share the same upstream routing.

What I don't want to happen is to have a device on vlan 2967 use neighbor discovery to discover a next-hop router only to find that traffic needs to go through the ASR routers to get out.

device >>> firewall >>> asr >>> internet

vs

device >>> asr >>> internet

I of course can play devil's advocate and see that if traffic was actually headed towards hosts behind the firewall it would be advantageous to go right to the firewall for networks behind it. Without the "host" or device running a dynamic routing protocol there is no way to tell it that though.

Last thing: the firewall does not seem to support the redirect option.

All that said, my perception is that I should run RA on the external interface and just lower the priority. If a host or device on vlan 2967 does primarily communicate with devices behind the firewall I can add a local route to force it to prefer the firewall over the ASRs, or run a dynamic routing protocol. Is that the best practice?

Accepted Solutions

Peter Paluch
Cisco Employee

Hello,

In my personal opinion, you should not be needing to run RAs anywhere between the devices you have indicated in your diagram.

RAs facilitate stateless address autoconfiguration and are also necessary for end hosts using DHCPv6, as DHCPv6 does not convey the address of the default gateway. However, if the IPv6 settings on a device are configured statically (address, prefix length, default gateway) then RAs are not necessary at all. I assume that all the devices shown in your diagram (ASRs, core switches, firewall, VPN servers, load balancers) are configured with static IPv6 settings, and that there are no end hosts depending on either SLAAC or DHCPv6 on the network segment directly behind the ASRs.

Formulated in other words, if you have a network segment or a VLAN that directly reaches the ASRs and at the same time this network segment or a VLAN contains end hosts using SLAAC/DHCPv6, then you need to run RAs on the ASRs. If, however, all LANs/VLANs attached to the ASRs only contain network infrastructure devices that are configured statically, then there is no need to run RAs on the ASRs nor the devices on the network that connects ASRs and these devices together.

Would this make sense? Feel welcome to ask further!

Best regards,
Peter


2 Replies

Peter, really appreciate the time and detailed response. You and I are thinking along the same track. I don't have a need for SLAAC on that segment and therefore was tempted to disable it entirely like you mentioned. That said, I was getting the feeling that someone smarter than me would come along and chastise me for disabling it. The documentation I was reading made it sound like the best practice was to leave it on (except in situations where RA can cause MITM attacks), which then led me to ask the question here.

Really appreciate the detailed response and unless I get any additional feedback I will proceed with disabling RA at least on the firewall side on that segment.

Tim
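As an added example (not code from the thread or from Cisco), the following Python script decodes Router Advertisements captured on a segment like vlan 2967 and flags any RA whose sender is not one of the ASRs but still claims the default-router role (Router Lifetime above zero) or advertises SLAAC prefixes; this is the verification side of the decision above to suppress RA on the firewall. The ASR link-local addresses, the prefix and the packet bytes are constructed for the example.

```python
import ipaddress
import struct

PREF = {0: "medium", 1: "high", 2: "reserved", 3: "low"}  # RFC 4191 Prf bits in the RA flags byte
ASRS = {"fe80::1", "fe80::2"}  # constructed link-local addresses of the two ASRs on vlan 2967

def parse_ra(pkt: bytes) -> dict:
    """Decode an IPv6 packet carrying a Router Advertisement (ICMPv6 type 134)."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        raise ValueError("not an IPv6 packet carrying ICMPv6")
    icmp = pkt[40:40 + struct.unpack("!H", pkt[4:6])[0]]
    if icmp[0] != 134:
        raise ValueError(f"ICMPv6 type {icmp[0]} is not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", icmp[5:8])
    ra = {"src": str(ipaddress.IPv6Address(pkt[8:24])), "preference": PREF[(flags >> 3) & 0x3],
          "router_lifetime": lifetime, "prefixes": []}  # lifetime 0 means "not a default router"
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed ND option")  # RFC 4861 4.6: length 0 must be rejected
        if otype == 3 and olen == 32:  # Prefix Information option: keep (prefix, A flag)
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            ra["prefixes"].append((f"{prefix}/{icmp[off + 2]}", bool(icmp[off + 3] & 0x40)))
        off += olen
    return ra

def audit_ra(ra: dict, allowed_routers: set) -> list:
    """Flag a sender outside allowed_routers that claims the default-router role or offers SLAAC."""
    findings = []
    if ra["src"] not in allowed_routers:
        if ra["router_lifetime"] > 0:
            findings.append(f"{ra['src']} claims default router role "
                            f"(lifetime {ra['router_lifetime']}s, preference {ra['preference']})")
        slaac = [p for p, autonomous in ra["prefixes"] if autonomous]
        if slaac:
            findings.append(f"{ra['src']} advertises SLAAC prefixes: {', '.join(slaac)}")
    return findings

def build_ra(src: str, flags: int, lifetime: int, prefix: str = None) -> bytes:
    """Constructed sample packet for offline testing (checksum left zero, never sent)."""
    opts = b""
    if prefix:  # Prefix Information option with L and A set, RFC 4861 default lifetimes
        net = ipaddress.IPv6Network(prefix)
        opts = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0) + opts
    return (b"\x60\x00\x00\x00" + struct.pack("!HBB", len(icmp), 58, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp)
```

A firewall RA with preference "low" but a non-zero lifetime is still reported, since hosts will use it as a default router whenever the ASRs' RAs expire; only lifetime 0 (or no RA at all) keeps it out of the default-router list.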
