
IPv6 RA Guard


 

Introduction:

 

In a typical shared layer-2 IPv6 network there is always a risk of operational problems, because the connected devices operate without Secure Neighbor Discovery (SEND) and the segment is exposed to rogue Router Advertisements (RAs). These RAs may be generated maliciously, or unintentionally by unauthorized or misconfigured routers attached to the segment. The RA Guard feature (RFC 6105) inspects RAs at the switch port and filters out those sent by unauthorized devices. Note that the port-based RA Guard described here can be evaded by RAs that are fragmented or carried behind IPv6 extension headers; RFC 7113 describes the evasion and the countermeasures, so check what the platform in use actually blocks.

 

Prerequisite:

 

Understanding of the IPv6 Neighbor Discovery process.

 

Configuration Steps

 

 

A) IPv6 global policy: RA Guard is configured as an IPv6 global policy. The policy is defined globally, its attributes are stored in the software policy database, and the policy is then attached to an interface.

SW1(config)#ipv6 nd raguard policy policy-name

 

 

B) The device role needs to be set in the policy.

There are two modes:

1) In host mode (the default), all router advertisement and router redirect messages are disallowed on the port.

2) In router mode, all messages (router solicitation [RS], router advertisement [RA] and redirect) are allowed on the port.

SW1(config-nd-raguard)#device-role {host | router}

 

 

C) Applying IPv6 RA Guard on a Specified Interface:

    

SW1(config)#interface type number

    

SW1(config-if)#ipv6 nd raguard attach-policy [policy-name]

 

 

 

D) Optional:

 

1) The match ipv6 access-list command enables verification of the sender's IPv6 address in inspected messages against the configured access list of authorized router sources. The match ra prefix-list command enables verification of the prefixes advertised in inspected RAs against the configured IPv6 prefix list. If neither command is configured, the corresponding check is bypassed.

SW1(config-nd-raguard)#match ipv6 access-list ipv6-access-list-name

SW1(config-nd-raguard)#match ra prefix-list ipv6-prefix-list-name

2) The router-preference maximum command sets the highest default router preference (high, medium or low) that an inspected RA may carry. If, for example, the maximum is set to medium and the received RA advertises a default router preference of high, the packet is dropped; an RA advertising medium or low is not dropped.

SW1(config-nd-raguard)#router-preference maximum {high | low | medium}
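The policy checks of steps B and D, modelled in software as an added example (this is not Cisco code and not part of the original document): it builds and parses raw ICMPv6 Router Advertisements (RFC 4861 layout, RFC 4191 preference bits) so that the effect of device-role, the sender access list, the prefix list and router-preference maximum can be exercised on constructed packets. Assumptions of the model: the ICMPv6 checksum is not verified, prefix-list entries are exact-match only (the IOS ge/le modifiers are not modelled), and only RA and redirect messages are subject to filtering.

```python
"""Software model of the IPv6 RA Guard policy knobs (added example, not IOS code)."""
import ipaddress
import struct

ICMPV6_RS, ICMPV6_RA, ICMPV6_REDIRECT = 133, 134, 137
OPT_PREFIX_INFO = 3
# RFC 4191: the Prf field is bits 4-3 of the RA flags byte.
PRF_BITS_TO_NAME = {0b01: "high", 0b00: "medium", 0b11: "low"}
PRF_RANK = {"low": 0, "medium": 1, "high": 2}


def build_ra(preference="medium", prefixes=(), msg_type=ICMPV6_RA):
    """Build a constructed ICMPv6 RA (checksum left at 0) for testing the policy."""
    flags = {v: k for k, v in PRF_BITS_TO_NAME.items()}[preference] << 3
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    msg = struct.pack("!BBHBBHII", msg_type, 0, 0, 64, flags, 1800, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # Prefix Information option: type 3, length 4 (32 bytes), L and A flags set
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    return msg


def parse_ra(icmp):
    """Return (msg_type, preference, [advertised prefixes]) for an ICMPv6 message."""
    if len(icmp) < 8:
        raise ValueError("short ICMPv6 message")
    msg_type, _code, _csum, _hlim, flags, _lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if msg_type != ICMPV6_RA:
        return msg_type, None, []
    if len(icmp) < 16:
        raise ValueError("short RA header")
    # Reserved Prf value 10 must be treated as medium (RFC 4191 section 2.2).
    preference = PRF_BITS_TO_NAME.get((flags >> 3) & 0b11, "medium")
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard the packet
        body = icmp[off:off + opt_len * 8]
        if len(body) < opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            prefixes.append(ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        off += opt_len * 8
    return msg_type, preference, prefixes


class RaGuardPolicy:
    """One RA Guard policy attached to a port; evaluate() returns 'forward' or 'drop: <reason>'."""

    def __init__(self, device_role="host", access_list=None, prefix_list=None,
                 router_preference_maximum=None):
        self.device_role = device_role
        self.access_list = None if access_list is None else {ipaddress.IPv6Address(a) for a in access_list}
        self.prefix_list = None if prefix_list is None else {ipaddress.IPv6Network(p) for p in prefix_list}
        self.router_preference_maximum = router_preference_maximum

    def evaluate(self, src, icmp):
        msg_type, preference, prefixes = parse_ra(icmp)
        if msg_type not in (ICMPV6_RA, ICMPV6_REDIRECT):
            return "forward"                      # RS and other traffic is not filtered
        if self.device_role == "host":
            return "drop: device-role host"       # no RA or redirect allowed from a host port
        if msg_type == ICMPV6_REDIRECT:
            return "forward"                      # the remaining checks apply to RAs only
        if self.access_list is not None and ipaddress.IPv6Address(src) not in self.access_list:
            return "drop: sender not in access-list"
        if self.prefix_list is not None:
            for p in prefixes:
                if p not in self.prefix_list:     # exact-match prefix list (assumption)
                    return f"drop: prefix {p} not in prefix-list"
        if (self.router_preference_maximum is not None
                and PRF_RANK[preference] > PRF_RANK[self.router_preference_maximum]):
            return f"drop: router preference {preference} above maximum"
        return "forward"


if __name__ == "__main__":
    host_port = RaGuardPolicy(device_role="host")
    uplink = RaGuardPolicy(device_role="router", access_list=["fe80::1"],
                           prefix_list=["2001::/64"], router_preference_maximum="medium")
    legit = build_ra("medium", ["2001::/64"])
    print(host_port.evaluate("fe80::1", legit))                          # drop: device-role host
    print(uplink.evaluate("fe80::1", legit))                             # forward
    print(uplink.evaluate("fe80::bad", legit))                           # drop: sender not in access-list
    print(uplink.evaluate("fe80::1", build_ra("high", ["2001::/64"])))   # drop: ... above maximum
```

The order of checks mirrors the policy: a host-role port never forwards an RA or redirect, so the access list, prefix list and preference knobs only matter on router-role ports such as the uplink to R1.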

 

Configuration Example

 

In this example we see how IPv6 RA Guard works on an L2 network segment.

R1 Gig0/0 is directly connected to L2 port Gig0/1 of switch SW1, which is configured in VLAN 5.

Interface Vlan5 on SW1 is configured for stateless address autoconfiguration, so it acquires its global IPv6 address from the RAs sent by R1.

Initially R1 advertises RAs onto its LAN segment, so interface Vlan5 of SW1 gets a global IPv6 address.

Link-local IPv6 addresses: R1: fe80::1, SW1: fe80::2

 

 

Network Diagram

 

(network diagram image: nw diag.jpg; R1 Gig0/0 connected to SW1 Gig0/1, VLAN 5)

 

 

Base Initial configuration

 

 

SW1:

hostname SW1
sdm prefer dual-ipv4-and-ipv6
ipv6 unicast-routing
!
vlan 5
 name RA
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 5
 duplex auto
 speed auto
!
interface Vlan5
 ipv6 address FE80::2 link-local
 ipv6 address autoconfig

R1:

hostname R1
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address FE80::1 link-local
 ipv6 address 2001::1/64

 

 

 

 

 

 

Configuring IPv6 RA Guard on SW1 in host mode:

 

SW1(config)#ipv6 nd raguard policy RAGUARD

SW1(config-nd-raguard)#device-role host

SW1(config-nd-raguard)#exit

SW1(config)#int gig0/1

SW1(config-if)#ipv6 nd raguard attach-policy RAGUARD

 

Verification of the RA Guard policy in host mode:

 

SW1#sh ipv6 nd raguard policy RAGUARD

Policy RAGUARD configuration:

device-role host

Policy RAGUARD is applied on the following targets:

Target               Type Policy               Feature       Target range

Gi0/1               PORT RAGUARD            RA guard       vlan all

 

To verify the policy more closely we debug the ND messages on the switch and collect the output in the logging buffer. In the output below no "Received RA from FE80::1" line appears: the RAs from R1 are dropped at Gig0/1 by the host-mode policy, so interface Vlan5 does not get a global IPv6 address. The only RA entries present are the RAs that SW1 itself originates on Vlan5, because ipv6 unicast-routing is enabled on the switch.

 

SW1#sh logging | in RA

*Mar 1 00:59:50.995: ICMPv6-ND: Created RA context for FE80::2/Vlan5

*Mar 1 00:59:50.995: ICMPv6-ND: Request to send RA for FE80::2

*Mar 1 00:59:50.995: ICMPv6-ND: Setup RA from FE80::2 to FF02::1 on Vlan5

*Mar 1 01:00:07.051: ICMPv6-ND: Request to send RA for FE80::2

*Mar 1 01:00:07.051: ICMPv6-ND: Setup RA from FE80::2 to FF02::1 on Vlan5

*Mar 1 01:00:23.098: ICMPv6-ND: Request to send RA for FE80::2

*Mar 1 01:00:23.098: ICMPv6-ND: Setup RA from FE80::2 to FF02::1 on Vlan5

SW1#sh ipv6 interface vlan 5

Vlan5 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::2

No Virtual link-local address(es):

Stateless address autoconfig enabled

No global unicast address is configured

Joined group address(es):

   FF02::1

   FF02::2

   FF02::1:FF00:2

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ICMP unreachables are sent

Output features: Check hwidb

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds (using 30000)

ND advertised reachable time is 0 (unspecified)

ND advertised retransmit interval is 0 (unspecified)

ND router advertisements are sent every 200 seconds

ND router advertisements live for 1800 seconds

ND advertised default router preference is Medium

Hosts use stateless autoconfig for addresses.

 

Configuring IPv6 RA Guard on SW1 in router mode; additionally we configure an IPv6 access list so that the sender's IPv6 address is verified against the authorized router:

 

SW1(config)#ipv6 access-list RAGUARD

SW1(config-ipv6-acl)#permit ipv6 host fe80::1 any

SW1(config-ipv6-acl)#exit

SW1(config)#ipv6 nd raguard policy RAGUARD

SW1(config-nd-raguard)#device-role router

SW1(config-nd-raguard)#match ipv6 access-list RAGUARD

 

The output below shows that packets are matched by the applied access list, and that interface Vlan5 now gets a global IPv6 address because the RA from FE80::1 passes the policy applied on interface Gig0/1. The buffered log also shows the RA being received by the switch.

 

SW1#sh ipv6 access-list

IPv6 access list RAGUARD

permit ipv6 host FE80::1 any (1 match) sequence 10

SW1#sh ipv6 interface vlan 5

Vlan5 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::2

No Virtual link-local address(es):

Stateless address autoconfig enabled

Global unicast address(es):

2001::2, subnet is 2001::/64 [EUI/CAL/PRE]

valid lifetime 2591969 preferred lifetime 604769

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:2

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ICMP unreachables are sent

Output features: Check hwidb

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds (using 30000)

SW1(config-if)#do sh logging | in RA

*Mar 1 00:59:50.995: ICMPv6-ND: Created RA context for FE80::2/Vlan5

*Mar 1 00:59:50.995: ICMPv6-ND: Request to send RA for FE80::2

*Mar 1 03:09:45.035: ICMPv6-ND: Received RA from FE80::1 on Vlan5

 

Verification commands

 

1) Use the "show ipv6 nd raguard policy" command to verify the policy.

 

SW1#sh ipv6 nd raguard policy RAGUARD

Policy RAGUARD configuration:

device-role router

match ipv6 access-list RAGUARD

Policy RAGUARD is applied on the following targets:

Target               Type Policy               Feature       Target range

Gi0/1                PORT RAGUARD             RA guard       vlan all

 

 

2) To display all RA Guard capture rules installed on an interface, use the "show ipv6 snooping capture-policy interface <interface>" command.

 

3) For troubleshooting, use the "debug ipv6 snooping raguard" command in privileged EXEC mode.

 

4) To display the packets dropped by RA Guard, use the "show ipv6 snooping counters interface <interface>" command.

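The RA-received lines in the buffered debug output above can also be checked outside the switch. The following is an added example (not part of the original document) that scans lines of the form "ICMPv6-ND: Received RA from <src> on <interface>" and reports every RA whose source is not an authorized router for that interface, which is the same sender check the match ipv6 access-list option performs on the switch. The log lines and the authorized-router table are constructed for the example; only the FE80::1 line is taken from the document.

```python
"""Flag RAs from unauthorized sources in buffered ND debug output (added example)."""
import ipaddress
import re

# Matches e.g. "*Mar 1 03:09:45.035: ICMPv6-ND: Received RA from FE80::1 on Vlan5"
RA_LINE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): ICMPv6-ND: Received RA from (?P<src>\S+) on (?P<iface>\S+)$"
)

# Constructed sample: the FE80::1 line is from the document, the others are made up.
SAMPLE_LOG = """
*Mar 1 00:59:50.995: ICMPv6-ND: Setup RA from FE80::2 to FF02::1 on Vlan5
*Mar 1 03:09:45.035: ICMPv6-ND: Received RA from FE80::1 on Vlan5
*Mar 1 03:10:02.118: ICMPv6-ND: Received RA from FE80::C0FF:EE on Vlan5
*Mar 1 03:10:07.410: ICMPv6-ND: Received RA from FE80::1 on Vlan7
""".strip().splitlines()

# Authorized router per interface (assumed for the example; R1 is fe80::1 on Vlan5).
AUTHORIZED = {"Vlan5": ["fe80::1"]}


def find_unauthorized_ras(log_lines, authorized):
    """Return [(timestamp, source, interface)] for RAs not sent by an authorized router."""
    allowed = {iface: {ipaddress.IPv6Address(a) for a in addrs}
               for iface, addrs in authorized.items()}
    hits = []
    for line in log_lines:
        m = RA_LINE.match(line.strip())
        if not m:
            continue                                  # RS, DAD, locally generated RAs, etc.
        src = ipaddress.IPv6Address(m["src"])         # normalises FE80::1 vs fe80::0001
        if src not in allowed.get(m["iface"], set()):  # unknown interface: nothing authorized
            hits.append((m["ts"], str(src), m["iface"]))
    return hits


if __name__ == "__main__":
    for ts, src, iface in find_unauthorized_ras(SAMPLE_LOG, AUTHORIZED):
        print(f"{ts}: unauthorized RA from {src} on {iface}")
```

Parsing the address with ipaddress rather than comparing strings matters: IOS prints addresses in upper case, the allow list is usually written in lower case, and a spoofed RA may use an unusual but equivalent textual form.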

Related Information

 

IPv6 RA Guard

IPv6 Router Advertisement Guard

Rogue IPv6 Router Advertisement Problem Statement

 


Comments
Beginner

Document is very good...

But I am unable to see diagram....

Community Member

Good and informative document... Understanding is made easy with help of captures, especially with debug capture.

Rising star

Dear sunish,

Thanks for your feedback.

Regards,

Ashish Shirkar

Beginner

Good explanation Ashish.

Rising star

Dear Nirav,

"Thank you!  I appreciate the positive feedback."

Regards,

Ashish Shirkar

Technical community manager (Network Infrastructure)

Rising star

Which switching platform are these commands available on?  I have a 3560G in the lab running the latest IP Services image (15.0(2)SE3) and I can't see these commands.  I have tried the three SDM dual-ipv4-and-ipv6 templates and none have the guard feature.  The release notes for 15.0(2)SE3 specifically state that this is a new feature in this release:

IPv6 Router Advertisement (RA) Guard provides support for allowing the network administrator to

block or reject unwanted or rogue RA Guards messages arriving at the network switch platform.

These are the options I get:

cat-3560G(config)#ipv6 nd ?

  cache           Cache entry

  dad             Duplicate Address Detection

  host            Host

  nsf             NSF

  nud             NUD

  reachable-time  Set advertised reachability time

  resolution      resolution

  route-owner     ND as route owner

Andy

Rising star

Hello Andrew,

This feature is available on 12.2(33)SXI4, 12.2(50)SY, 12.2(54)SG, 15.0(2)SG, 15.2(4)S, 15.2(4)M and Cisco IOS XE Release 3.2SG

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Regards,

Ashish Shirkar

Beginner

Hi Andrew,

 

First of all, thanks for your post on RA Guard. I just configured RA Guard on a 2960 Cat / Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE4. Using fake_router6 all works fine ... RA Guard works as expected ... but using flood_router6 ... my subnet crashes, pings fail etc. I see lots of drops on the interface (should be, I think) but also 99% CPU load. This behavior seems strange to me .... because it's not a problem of extension headers / fragmentation etc. Stopping flood_router6, all is fine again .... Any ideas?

Thanks in advance

 

Peter